diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 897fdda1fd267..86d672d12eced 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -21,7 +21,9 @@
 "version": 0
 }
 ],
- "notification_subscribers": [],
+ "notification_subscribers": [
+ "azure-docs-publish@microsoft.com"
+ ],
 "sync_notification_subscribers": [
 "tysonn@microsoft.com"
 ],
@@ -74,11 +76,13 @@
 "path_to_root": "policy-templates",
 "url": "https://github.com/Azure/azure-policy",
 "branch": "master",
- "branch_mapping": {
- "release-build-mysql": "release-build",
- "release-build-postgresql": "release-build",
- "release-build-stellar": "release-build"
- }
+ "branch_mapping": {}
+ },
+ {
+ "path_to_root": "blueprints-templates",
+ "url": "https://github.com/Azure/azure-blueprints",
+ "branch": "master",
+ "branch_mapping": {}
 },
 {
 "path_to_root": "azure-docs-json-samples",
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 665c34fcf1a6a..e7e5551e92b25 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -855,6 +855,11 @@
 "redirect_url": "/azure/avere-vfxt/avere-vfxt-additional-resources",
 "redirect_document_id": true
 },
+ {
+ "source_path": "articles/avere-vfxt/avere-vfxt-controller-role.md",
+ "redirect_url": "/azure/avere-vfxt/avere-vfxt-deploy-plan#vm-access-roles",
+ "redirect_document_id": true
+ },
 {
 "source_path": "articles/machine-learning/service/how-to-choose-a-dev-environment.md",
 "redirect_url": "/azure/machine-learning/service/how-to-configure-environment",
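Review bot: Nothing in the new `blueprints-templates` entry (hunk `@@ -74,11 +76,13 @@` of `.openpublishing.publish.config.json`) pins what gets pulled in: it tracks the mutable `master` branch of an external repository with `"branch_mapping": {}`, and the same hunk empties the mapping on `policy-templates`. If dependent repositories are resolved by branch name, as the removed `release-build-*` entries suggest, release builds would presumably now take whatever is on `master` of azure-policy and azure-blueprints at build time instead of a reviewed `release-build` branch. Please confirm that dropping the three azure-policy mappings is intended and that both upstream `master` branches are protected, since their content flows into published pages.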
@@ -1250,6 +1255,16 @@
 "redirect_url": "/azure/iot-fundamentals/iot-introduction",
 "redirect_document_id": false
 },
+ {
+ "source_path": "articles/iot-hub/iot-hub-auto-device-config.md",
+ "redirect_url": "/azure/iot-hub/iot-hub-automatic-device-management",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "articles/iot-hub/iot-hub-auto-device-config-cli.md",
+ "redirect_url": "/azure/iot-hub/iot-hub-automatic-device-management-cli",
+ "redirect_document_id": true
+ },
 {
 "source_path": "articles/iot-hub/iot-hub-create-using-cli-nodejs.md",
 "redirect_url": "/azure/iot-hub/iot-hub-create-using-cli",
@@ -1635,6 +1650,11 @@
 "redirect_url": "/azure/active-directory/managed-service-identity/how-to-use-vm-sdk",
 "redirect_document_id": false
 },
+ {
+ "source_path": "articles/machine-learning/service/support-for-aml-services.md",
+ "redirect_url": "https://aka.ms/aml-forum-service",
+ "redirect_document_id": true
+ },
 {
 "source_path": "articles/machine-learning/preview/model-management-service-deploy.md",
 "redirect_url": "/azure/machine-learning/desktop-workbench/model-management-service-deploy",
@@ -2850,6 +2870,11 @@
 "redirect_url": "/azure/azure-portal/azure-portal-dashboards",
 "redirect_document_id": false
 },
+ {
+ "source_path": "articles/azure-resource-manager/resource-manager-tutorial-move-resources.md",
+ "redirect_url": "/azure/azure-resource-manager/resource-group-move-resources",
+ "redirect_document_id": false
+ },
 {
 "source_path": "articles/azure-resource-manager/resource-manager-templates-parameters.md",
 "redirect_url": "/azure/azure-resource-manager/resource-group-authoring-templates#parameters",
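Review bot: The redirect added in hunk `@@ -1635,6 +1650,11 @@` for `articles/machine-learning/service/support-for-aml-services.md` sets `"redirect_document_id": true` on an off-site short link, `https://aka.ms/aml-forum-service`. The other absolute-URL target visible in this diff, the `https://azure.microsoft.com/services/data-factory/` entry in the `-10853` hunk, uses `false`. That looks like the right value here too, since there is presumably no in-repo document to inherit the ID: `"redirect_document_id": false`. A short link also hides the final destination from reviewers and can be repointed later without any change to this file, so consider using the resolved URL if it is stable.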
@@ -4655,6 +4680,12 @@
 "redirect_url": "/azure/automation/source-control-integration",
 "redirect_document_id": false
 },
+
+ {
+ "source_path": "articles/automation/automation-credentials.md",
+ "redirect_url": "/azure/automation/shared-resources/credentials",
+ "redirect_document_id": false
+ },
 {
 "source_path": "articles/automation/automation-certificates.md",
 "redirect_url": "/azure/automation/shared-resources/certificates",
@@ -10853,6 +10884,11 @@
 "redirect_url": "https://azure.microsoft.com/services/data-factory/",
 "redirect_document_id": false
 },
+ {
+ "source_path": "articles/hdinsight/hdinsight-hadoop-install-mono.md",
+ "redirect_url": "/azure/hdinsight/hdinsight-hadoop-migrate-dotnet-to-linux",
+ "redirect_document_id": false
+ },
 {
 "source_path": "articles/hdinsight/hdinsight-hadoop-r-scripts.md",
 "redirect_url": "/azure/hdinsight/r-server/r-server-get-started",
@@ -27598,9 +27634,14 @@
 },
 {
 "source_path": "articles/active-directory/active-directory-tou.md",
- "redirect_url": "/azure/active-directory/governance/active-directory-tou",
+ "redirect_url": "/azure/active-directory/conditional-access/terms-of-use",
 "redirect_document_id": true
 },
+ {
+ "source_path": "articles/active-directory/governance/active-directory-tou.md",
+ "redirect_url": "/azure/active-directory/conditional-access/terms-of-use",
+ "redirect_document_id": false
+ },
 {
 "source_path": "articles/cosmos-db/troubleshoot-azure-cosmosdb.md",
 "redirect_url": "/azure/cosmos-db/storage-explorer",
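Review bot: The `automation-credentials.md` entry in hunk `@@ -4655,6 +4680,12 @@` is preceded by an added empty line (a bare `+` before `+ {`). Later hunks of this same file (`-36746` and `-36763`) remove exactly that kind of blank separator between array elements. Drop the empty line so the redirection array stays uniformly formatted and the commit does not reintroduce what it cleans up elsewhere.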
@@ -30516,6 +30557,11 @@
 "redirect_url": "/azure/active-directory/saas-apps/ms-confluence-jira-plugin-adminguide",
 "redirect_document_id": false
 },
+ {
+ "source_path": "articles/active-directory/saas-apps/alibaba-cloud-service-(role-based-sso)-tutorial.md",
+ "redirect_url": "/azure/active-directory/saas-apps/alibaba-cloud-service-role-based-sso-tutorial",
+ "redirect_document_id": false
+ },
 {
 "source_path": "articles/active-directory/saas-apps/index.md",
 "redirect_url": "/azure/active-directory/saas-apps/tutorial-list",
@@ -30621,6 +30667,11 @@
 "redirect_url": "/azure/active-directory/b2b/what-is-b2b",
 "redirect_document_id": true
 },
+ {
+ "source_path": "articles/active-directory/b2b/b2b-tutorial-bulk-invite.md",
+ "redirect_url": "/azure/active-directory/b2b/tutorial-bulk-invite",
+ "redirect_document_id": false
+ },
 {
 "source_path": "articles/security/manage-personal-data-azure.md",
 "redirect_url": "/azure/security",
@@ -35365,6 +35416,11 @@
 "redirect_url": "/azure/storage/common/storage-lifecycle-management-concepts",
 "redirect_document_id": true
 },
+ {
+ "source_path": "articles/storage/common/storage-enable-and-view-metrics.md",
+ "redirect_url": "/azure/storage/common/storage-metrics-in-azure-monitor",
+ "redirect_document_id": true
+ },
 {
 "source_path": "articles/azure-stack/partner/azure-stack-vaas-set-up-account.md",
 "redirect_url": "/azure/azure-stack/partner/azure-stack-vaas-set-up-resources",
@@ -36746,8 +36802,6 @@
 "redirect_url": "/azure/hdinsight/hbase/apache-hbase-overview",
 "redirect_document_id": false
 },
-
-
 {
 "source_path": "articles/spatial-anchors/concepts/create-locate-anchors-unity.md",
 "redirect_url": "/azure/spatial-anchors/how-tos/create-locate-anchors-unity",
@@ -36763,8 +36817,6 @@
 "redirect_url": "/azure/spatial-anchors/how-tos/create-locate-anchors-cpp-ndk",
 "redirect_document_id": false
 },
-
-
 {
 "source_path": "articles/cognitive-services/LUIS/luis-how-to-review-endoint-utt.md",
 "redirect_url": "/azure/cognitive-services/LUIS/luis-how-to-review-endpoint-utterances",
@@ -36772,8 +36824,113 @@
 },
 {
 "source_path": "articles/cognitive-services/Custom-Vision-Service/rest-api-tutorial.md",
- "redirect_url": "/azure/cognitive-services/Custom-Vision-Service/getting-started-build-a-classifier",
+ "redirect_url": "/azure/cognitive-services/Custom-Vision-Service/getting-started-build-a-classifier",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/data-catalog/data-catalog-prerequisites.md",
+ "redirect_url": "/azure/data-catalog/data-catalog-get-started",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/data-catalog/data-catalog-release-notes.md",
+ "redirect_url": "/azure/data-catalog/data-catalog-get-started",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/data-catalog/data-catalog-whats-new.md",
+ "redirect_url": "/azure/data-catalog/data-catalog-get-started",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/data-catalog/data-catalog-what-is-data-catalog.md",
+ "redirect_url": "/azure/data-catalog/overview",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-backup-restore.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-dashboard-monitor-scale-tabs.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-editions-feature-chart.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-issuer-name-issuer-key.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-migrating-to-edi-guide.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-process-edifact-invoice.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-provision-services.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-release-notes.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-services-administration-and-development-task-list.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-service-state-chart.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-throttling-thresholds.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/biztalk-troubleshoot-using-ops-logs.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/index.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
 "redirect_document_id": false
- }
+ },
+ {
+ "source_path": "articles/biztalk-services/integration-hybrid-connection-create-manage.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/biztalk-services/integration-hybrid-connection-overview.md",
+ "redirect_url": "/azure/logic-apps/logic-apps-move-from-mabs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "articles/cognitive-services/QnAMaker/How-To/publish-knowledge-base.md",
+ "redirect_url": 
"/azure/cognitive-services/QnAMaker/quickstarts/create-publish-knowledge-base", + "redirect_document_id": true + }, + { + "source_path": "articles/cognitive-services/LUIS/luis-quickstart-intent-and-hier-entity.md", + "redirect_url": "/azure/cognitive-services/LUIS/tutorial-entity-roles", + "redirect_document_id": true + } ] } \ No newline at end of file diff --git a/articles/active-directory-b2c/active-directory-b2c-reference-password-complexity.md b/articles/active-directory-b2c/active-directory-b2c-reference-password-complexity.md index 7093517f6d5ba..b8cd4e48489d4 100644 --- a/articles/active-directory-b2c/active-directory-b2c-reference-password-complexity.md +++ b/articles/active-directory-b2c/active-directory-b2c-reference-password-complexity.md @@ -19,7 +19,7 @@ Azure Active Directory (Azure AD) B2C supports changing the complexity requireme ## Password rule enforcement -During sign-up or password reset, an end user must supply a password that meets the complexity rules. Password complexity rules are enforced per user flow. It is possible to have one user flow require a four-digit pin during sign-up while another user flow requires a eight character string during sign-up. For example, you may use a user flow with different password complexity for adults than for children. +During sign-up or password reset, an end user must supply a password that meets the complexity rules. Password complexity rules are enforced per user flow. It is possible to have one user flow require a four-digit pin during sign-up while another user flow requires an eight character string during sign-up. For example, you may use a user flow with different password complexity for adults than for children. Password complexity is never enforced during sign-in. Users are never prompted during sign-in to change their password because it doesn't meet the current complexity requirement. 
diff --git a/articles/active-directory-b2c/active-directory-b2c-ui-customization-custom.md b/articles/active-directory-b2c/active-directory-b2c-ui-customization-custom.md index 35a37271fb548..dfc70df5da3c7 100644 --- a/articles/active-directory-b2c/active-directory-b2c-ui-customization-custom.md +++ b/articles/active-directory-b2c/active-directory-b2c-ui-customization-custom.md @@ -92,7 +92,7 @@ To create a public container in Blob storage, do the following: Configure Blob storage for Cross-Origin Resource Sharing by doing the following: 1. In the menu, select **CORS**. -2. For **Allowed origins**, enter `your-tenant-name.b2clogin.com`. Replace `your-tenant-name` with the name of your Azure AD B2C tenant. For example, `fabrikam.b2clogin.com`. You need to use all lowercase letters when entering your tenant name. +2. For **Allowed origins**, enter `https://your-tenant-name.b2clogin.com`. Replace `your-tenant-name` with the name of your Azure AD B2C tenant. For example, `https://fabrikam.b2clogin.com`. You need to use all lowercase letters when entering your tenant name. 3. For **Allowed Methods**, select both `GET` and `OPTIONS`. 4. For **Allowed Headers**, enter an asterisk (*). 5. For **Exposed Headers**, enter an asterisk (*). diff --git a/articles/active-directory-b2c/tutorial-register-applications.md b/articles/active-directory-b2c/tutorial-register-applications.md index 085847e98575c..952f7b06c38c8 100644 --- a/articles/active-directory-b2c/tutorial-register-applications.md +++ b/articles/active-directory-b2c/tutorial-register-applications.md 
@@ -44,7 +44,7 @@ If you haven't already created your own [Azure AD B2C Tenant](tutorial-create-te ## Create a client secret -If you’re application exchanges a code for a token, you need to create an application secret. +If your application exchanges a code for a token, you need to create an application secret. 1. Select **Keys** and then click **Generate key**. 2. Select **Save** to view the key. Make note of the **App key** value. You use the value as the application secret in your application's code. @@ -58,4 +58,4 @@ In this article, you learned how to: > * Create a client secret > [!div class="nextstepaction"] -> [Create user flows in Azure Active Directory B2C](tutorial-create-user-flows.md) \ No newline at end of file +> [Create user flows in Azure Active Directory B2C](tutorial-create-user-flows.md) diff --git a/articles/active-directory-b2c/userjourneys.md b/articles/active-directory-b2c/userjourneys.md index 2f64cd5c46426..6e57377c67d54 100644 --- a/articles/active-directory-b2c/userjourneys.md +++ b/articles/active-directory-b2c/userjourneys.md 
@@ -173,7 +173,7 @@ The **ClaimsProviderSelection** element contains the following attributes: ### ClaimsProviderSelection example -In the following orchestration step, the user can choose to sign in with, Facebook, LinkIn, Twitter, Google, or a local account. If the user selects one of the social identity providers, the second orchestration step executes with the selected claim exchange specified in the `TargetClaimsExchangeId` attribute. The second orchestration step redirects the user to the social identity provider to complete the sign-in process. If the user chooses to sign in with the local account, Azure AD B2C stays on the same orchestration step (the same sign-up page or sign-in page) and skips the second orchestration step. +In the following orchestration step, the user can choose to sign in with, Facebook, LinkedIn, Twitter, Google, or a local account. If the user selects one of the social identity providers, the second orchestration step executes with the selected claim exchange specified in the `TargetClaimsExchangeId` attribute. The second orchestration step redirects the user to the social identity provider to complete the sign-in process. If the user chooses to sign in with the local account, Azure AD B2C stays on the same orchestration step (the same sign-up page or sign-in page) and skips the second orchestration step. ```XML diff --git a/articles/active-directory/authentication/active-directory-passwords-troubleshoot.md b/articles/active-directory/authentication/active-directory-passwords-troubleshoot.md index a3edf6b30e397..19f45a6a2d475 100644 --- a/articles/active-directory/authentication/active-directory-passwords-troubleshoot.md +++ b/articles/active-directory/authentication/active-directory-passwords-troubleshoot.md 
@@ -165,8 +165,8 @@ The most common point of failure is that firewall and or proxy ports and idle ti For Azure AD Connect version 1.1.443.0 and above, you need outbound HTTPS access to the following: -* passwordreset.microsoftonline.com -* servicebus.windows.net +* \*.passwordreset.microsoftonline.com +* \*.servicebus.windows.net For more granularity, reference the updated list of [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/download/details.aspx?id=41653) updated every Wednesday and put into effect the next Monday. diff --git a/articles/active-directory/authentication/concept-authentication-methods.md b/articles/active-directory/authentication/concept-authentication-methods.md index 81d303ed47a8a..42be5dd0c39a8 100644 --- a/articles/active-directory/authentication/concept-authentication-methods.md +++ b/articles/active-directory/authentication/concept-authentication-methods.md 
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management --- # What are authentication methods? -As an administrator choosing authentication methods for Azure Multi-Factor Authentication and self-service password reset (SSPR) it is recommended that you require users to register multiple authentication methods. When an authentication method is not available for a user, they can choose to authenticate with another method. +As an administrator, choosing authentication methods for Azure Multi-Factor Authentication and self-service password reset (SSPR) it is recommended that you require users to register multiple authentication methods. When an authentication method is not available for a user, they can choose to authenticate with another method. Administrators can define in policy which authentication methods are available to users of SSPR and MFA. Some authentication methods may not be available to all features. For more information about configuring your policies see the articles [How to successfully roll out self-service password reset](howto-sspr-deployment.md) and [Planning a cloud-based Azure Multi-Factor Authentication](howto-mfa-getstarted.md) 
@@ -138,6 +138,9 @@ The Microsoft Authenticator app can help prevent unauthorized access to accounts If you enable the use of both notification through mobile app and verification code from mobile app, users who register the Microsoft Authenticator app using a notification are able to use both notification and code to verify their identity. +> [!NOTE] +> If your organization has staff working in or traveling to China, the **Notification through mobile app** method on **Android devices** does not work in that country. Alternate methods should be made available for those users. + ### Verification code from mobile app The Microsoft Authenticator app or other third-party apps can be used as a software token to generate an OATH verification code. After entering your username and password, you enter the code provided by the app into the sign-in screen. The verification code provides a second form of authentication. 
@@ -146,11 +149,11 @@ The Microsoft Authenticator app or other third-party apps can be used as a softw > For self-service password reset when only one method is required for reset verification code is the only option available to users **to ensure the highest level of security**. > -Users may have a combination of up to 5 OATH hardware tokens or authenticator applications such as the Microsoft Authenticator app configured for use at any time. +Users may have a combination of up to five OATH hardware tokens or authenticator applications such as the Microsoft Authenticator app configured for use at any time. ## OATH hardware tokens (public preview) -OATH is an open standard that specifies how one-time password (OTP) codes are generated. Azure AD will support the use of OATH-TOTP SHA-1 tokens of the 30-second or 60-second variety. Customers can procure these tokens from the vendor of their choice. Note that secret keys are limited to 128 characters, which may not be compatible with all tokens. +OATH is an open standard that specifies how one-time password (OTP) codes are generated. Azure AD will support the use of OATH-TOTP SHA-1 tokens of the 30-second or 60-second variety. Customers can procure these tokens from the vendor of their choice. Secret keys are limited to 128 characters, which may not be compatible with all tokens. ![Uploading OATH tokens to the MFA Server OATH tokens blade](media/concept-authentication-methods/oath-tokens-azure-ad.png) 
@@ -172,7 +175,7 @@ Depending on the size of the CSV file, it may take a few minutes to process. Cli Once any errors have been addressed, the administrator then can activate each key by clicking **Activate** for the token to be activated and entering the OTP displayed on the token. -Users may have a combination of up to 5 OATH hardware tokens or authenticator applications such as the Microsoft Authenticator app configured for use at any time. +Users may have a combination of up to five OATH hardware tokens or authenticator applications such as the Microsoft Authenticator app configured for use at any time. ## Mobile phone diff --git a/articles/active-directory/authentication/concept-password-ban-bad-on-premises.md b/articles/active-directory/authentication/concept-password-ban-bad-on-premises.md index 55fa5278aca25..3433c84ceff20 100644 --- a/articles/active-directory/authentication/concept-password-ban-bad-on-premises.md +++ b/articles/active-directory/authentication/concept-password-ban-bad-on-premises.md 
@@ -28,7 +28,8 @@ Azure AD password protection is designed with these principles in mind: * No Active Directory schema changes are required. The software uses the existing Active Directory **container** and **serviceConnectionPoint** schema objects. * No minimum Active Directory domain or forest functional level (DFL/FFL) is required. * The software doesn't create or require accounts in the Active Directory domains that it protects. -* User clear-text passwords don't leave the domain controller during password validation operations or at any other time. +* User clear-text passwords never leave the domain controller, either during password validation operations or at any other time. +* The software is not dependent on other Azure AD features; for example Azure AD password hash sync is not related and is not required in order for Azure AD password protection to function. * Incremental deployment is supported, however the password policy is only enforced where the Domain Controller Agent (DC Agent) is installed. See next topic for more details. ## Incremental deployment 
@@ -59,7 +60,7 @@ The DC Agent service is responsible for initiating the download of a new passwor After the DC Agent service receives a new password policy from Azure AD, the service stores the policy in a dedicated folder at the root of its domain *sysvol* folder share. The DC Agent service also monitors this folder in case newer policies replicate in from other DC Agent services in the domain. -The DC Agent service always requests a new policy at service startup. After the DC Agent service is started, it checks the age of the current locally available policy hourly. If the policy is older than one hour, the DC Agent requests a new policy from Azure AD, as described previously. If the current policy isn't older than one hour, the DC Agent continues to use that policy. +The DC Agent service always requests a new policy at service startup. After the DC Agent service is started, it checks the age of the current locally available policy hourly. If the policy is older than one hour, the DC Agent requests a new policy from Azure AD via the proxy service, as described previously. If the current policy isn't older than one hour, the DC Agent continues to use that policy. Whenever an Azure AD password protection password policy is downloaded, that policy is specific to a tenant. In other words, password policies are always a combination of the Microsoft global banned-password list and the per-tenant custom banned-password list. 
@@ -75,6 +76,8 @@ The DC Agent service always uses the most recent locally available password poli Azure AD password protection isn't a real-time policy application engine. There can be a delay between when a password policy configuration change is made in Azure AD and when that change reaches and is enforced on all domain controllers. +Azure AD password protection acts as a supplement to the existing Active Directory password policies, not a replacement. This includes any other 3rd-party password filter dlls that may be installed. Active Directory always requires that all password validation components agree before accepting a password. + ## Forest/tenant binding for password protection Deployment of Azure AD password protection in an Active Directory forest requires registration of that forest with Azure AD. Each proxy service that is deployed must also be registered with Azure AD. These forest and proxy registrations are associated with a specific Azure AD tenant, which is identified implicitly by the credentials that are used during registration. diff --git a/articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md b/articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md index a3413e1902b4e..36b2e2639bb07 100644 --- a/articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md +++ b/articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md @@ -1,5 +1,5 @@ --- -title: Combined registration for Azure AD SSPR and MFA (preview) - Azure Active Directory +title: Combined registration for Azure AD SSPR and Multi-Factor Authentication (preview) - Azure Active Directory description: Azure AD Multi-Factor Authentication and self-service password reset registration (preview) services: active-directory 
@@ -17,32 +17,34 @@ ms.collection: M365-identity-device-management --- # Combined security information registration (preview) -Before combined registration, users registered authentication methods for Azure Multi-Factor Authentication (MFA) and self-service password reset (SSPR) through two different experiences. People were confused that similar methods were used for both Azure MFA and SSPR but they had to register for each feature separately. Now, with combined registration, users can register once and get the benefits of both Azure MFA and SSPR. +Before combined registration, users registered authentication methods for Azure Multi-Factor Authentication and self-service password reset (SSPR) separately. People were confused that similar methods were used for Multi-Factor Authentication and SSPR but they had to register for both features. Now, with combined registration, users can register once and get the benefits of both Multi-Factor Authentication and SSPR. ![My Profile showing registered Security info for a user](media/concept-registration-mfa-sspr-combined/combined-security-info-defualts-registered.png) -Before enabling the new experience, review this administrator-focused documentation and the user-focused documentation to ensure you understand the functionality and impact of this feature. Base your training on the user documentation to prepare your users for the new experience and help to ensure a successful rollout. +Before enabling the new experience, review this administrator-focused documentation and the user-focused documentation to ensure you understand the functionality and effect of this feature. Base your training on the user documentation to prepare your users for the new experience and help to ensure a successful rollout. + +Azure AD combined security information registration is not currently available to national clouds like Azure US Government, Azure Germany, or Azure China 21Vianet. 
| | | --- | -| Combined security information registration for Azure Multi-Factor Authentication and Azure AD self-service password reset is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)| +| Combined security information registration for Multi-Factor Authentication and Azure Active Directory (Azure AD) self-service password reset is a public preview feature of Azure AD. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).| | | > [!IMPORTANT] -> If a user is enabled for both the original preview and the enhanced combined registration experience, they will see the new experience. Users who are enabled for both experiences will only see the new My Profile experience. The new My Profile aligns with the look and feel of combined registration and provides a seamless experience for users. Users can see My Profile by going to [https://myprofile.microsoft.com](https://myprofile.microsoft.com). +> Users who are enabled for both the original preview and the enhanced combined registration experience will see the new behavior. Users who are enabled for both experiences will see only the new My Profile experience. The new My Profile aligns with the look and feel of combined registration and provides a seamless experience for users. Users can see My Profile by going to [https://myprofile.microsoft.com](https://myprofile.microsoft.com). -The MyProfile pages are localized based on the current language settings on the machine accessing the page. Microsoft stores the most recent language utilized in the browser cache so subsequent attempts to access will continue to render in the last language used. Clearing the cache will cause the pages to re-render. 
If you would like to force a specific language adding a `?lng=de-DE` to the end of the URL where `de-DE` is set to the appropriate language code will force the pages to render in that language. +My Profile pages are localized based on the language settings of the computer accessing the page. Microsoft stores the most recent language used in the browser cache, so subsequent attempts to access the pages will continue to render in the last language used. If you clear the cache, the pages will re-render. If you want to force a specific language, you can add `?lng=` to the end of the URL, where `` is the code of the language you want to render. -![Setup SSPR or other additional security verification methods](media/howto-registration-mfa-sspr-combined/combined-security-info-my-profile.png) +![Set up SSPR or other security verification methods](media/howto-registration-mfa-sspr-combined/combined-security-info-my-profile.png) -## Methods available in converged registration +## Methods available in combined registration -At this time, combined registration supports the following methods and actions for those methods: +Combined registration supports the following authentication methods and actions: | | Register | Change | Delete | | --- | --- | --- | --- | -| Microsoft Authenticator | Yes (max 5) | No | Yes | -| Other authenticator app | Yes (max 5) | No | Yes | +| Microsoft Authenticator | Yes (maximum of 5) | No | Yes | +| Other authenticator app | Yes (maximum of 5) | No | Yes | | Hardware token | No | No | Yes | | Phone | Yes | Yes | Yes | | Alternate phone | Yes | Yes | Yes | 
@@ -52,87 +54,87 @@ At this time, combined registration supports the following methods and actions f | App passwords | Yes | No | Yes | > [!NOTE] -> App passwords are only available to users who have been enforced for MFA. App passwords are not available to users who are enabled for MFA via a conditional access policy. +> App passwords are available only to users who have been enforced for Multi-Factor Authentication. App passwords are not available to users who are enabled for Multi-Factor Authentication via a conditional access policy. -Users can set the following options as their default method for MFA: +Users can set one of the following options as the default Multi-Factor Authentication method: -- Microsoft Authenticator – notification -- Authenticator app or hardware token – code -- Phone call -- Text message +- Microsoft Authenticator – notification. +- Authenticator app or hardware token – code. +- Phone call. +- Text message. -As we continue to add more authentication methods such to Azure AD, those methods will be available in combined registration. +As we continue to add more authentication methods to Azure AD, those methods will be available in combined registration. -## Combined registration Modes +## Combined registration modes -There are two “modes” of combined registration: interrupt and manage. +There are two modes of combined registration: interrupt and manage. -Interrupt mode, is a wizard-like experience, shown to a user when they register or refresh their security info at sign in. +- **Interrupt mode** is a wizard-like experience, presented to users when they register or refresh their security info at sign-in. -Manage mode is part of the user’s profile and allows them to manage their security info. +- **Manage mode** is part of the user profile and allows users to manage their security info. 
-For both modes, if a user has previously registered a method that can be used for MFA, they will need to perform MFA before they can access their security info. +For both modes, users who have previously registered a method that can be used for Multi-Factor Authentication will need to perform Multi-Factor Authentication before they can access their security info. ### Interrupt mode -Combined registration respects both MFA and SSPR policies, if both are enabled for your tenant. These policies control, whether a user is interrupted to register during sign in, and which methods are available to register. +Combined registration respects both Multi-Factor Authentication and SSPR policies, if both are enabled for your tenant. These policies control whether a user is interrupted for registration during sign-in and which methods are available for registration. -The following list several scenarios where a user may be prompted to register or refresh their security info: +Here are several scenarios in which users might be prompted to register or refresh their security info: -* MFA registration enforced through Identity Protection: Users will be asked to register during sign in. They register MFA methods and SSPR methods (if the user is enabled for SSPR). -* MFA registration enforced through per-user MFA: Users will be asked to register during sign in. They register MFA methods and SSPR methods (if the user is enabled for SSPR). -* MFA registration enforced through conditional access or other policies: Users are asked to register when accessing a resource that requires MFA. Users will register MFA methods and SSPR methods (if the user is enabled for SSPR). -* SSPR registration enforced: Users are asked to register during sign in. They only register SSPR methods -* SSPR refresh enforced: Users are required to review their security info at an interval set by the admin. Users are shown their info and can choose "Looks good" or make changes if needed. 
+* Multi-Factor Authentication registration enforced through Identity Protection: Users are asked to register during sign-in. They register Multi-Factor Authentication methods and SSPR methods (if the user is enabled for SSPR). +* Multi-Factor Authentication registration enforced through per-user Multi-Factor Authentication: Users are asked to register during sign-in. They register Multi-Factor Authentication methods and SSPR methods (if the user is enabled for SSPR). +* Multi-Factor Authentication registration enforced through conditional access or other policies: Users are asked to register when they use a resource that requires Multi-Factor Authentication. They register Multi-Factor Authentication methods and SSPR methods (if the user is enabled for SSPR). +* SSPR registration enforced: Users are asked to register during sign-in. They register only SSPR methods. +* SSPR refresh enforced: Users are required to review their security info at an interval set by the admin. Users are shown their info and can confirm the current info or make changes if needed. -When registration is enforced, users are shown the minimum number of methods needed to be compliant with both MFA and SSPR policies from most to least secure. +When registration is enforced, users are shown the minimum number of methods needed to be compliant with both Multi-Factor Authentication and SSPR policies, from most to least secure. -Example: +For example: * A user is enabled for SSPR. The SSPR policy required two methods to reset and has enabled mobile app code, email, and phone. * This user is required to register two methods. - * They're shown authenticator app and phone by default. + * The user is shown authenticator app and phone by default. * The user can choose to register email instead of authenticator app or phone. 
-The following flowchart describes which methods are shown to a user when interrupted to register during sign in: +This flowchart describes which methods are shown to a user when interrupted to register during sign-in: -![Combined security info flow chart](media/concept-registration-mfa-sspr-combined/combined-security-info-flow-chart.png) +![Combined security info flowchart](media/concept-registration-mfa-sspr-combined/combined-security-info-flow-chart.png) -If you have both MFA and SSPR enabled, we recommend that you enforce MFA registration. +If you have both Multi-Factor Authentication and SSPR enabled, we recommend that you enforce Multi-Factor Authentication registration. -If the SSPR policy requires users to review their security info at a regular interval, users are interrupted during sign in and shown all their registered methods. They can choose “Looks good” if the info is up-to-date or they can choose “Edit info” to make changes. +If the SSPR policy requires users to review their security info at regular intervals, users are interrupted during sign-in and shown all their registered methods. They can confirm the current info if it's up-to-date, or they can make changes if they need to. ### Manage mode -Users can access manage mode by going to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) or by choosing “Security info” from My Profile. From there, users can add methods, delete or change existing methods, change their default method, and more. +Users can access manage mode by going to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) or by selecting **Security info** from My Profile. From there, users can add methods, delete or change existing methods, change the default method, and more. ## Key usage scenarios -### Set up security info during sign in +### Set up security info during sign-in An admin has enforced registration. -A user has not set up all required security info and navigates to the Azure portal. 
After entering their username and password, the user is prompted to set up security info. The user then follows the steps shown in the wizard to set up the required security info. The user can choose to set up methods other than what is shown by default if your settings allow. At the end of the wizard, the user reviews the methods they set up and their default method for MFA. To complete the setup process, the user confirms the info and continues to the Azure portal. +A user has not set up all required security info and goes to the Azure portal. After entering the user name and password, the user is prompted to set up security info. The user then follows the steps shown in the wizard to set up the required security info. If your settings allow it, the user can choose to set up methods other than those shown by default. After completing the wizard, users review the methods they set up and their default method for Multi-Factor Authentication. To complete the setup process, the user confirms the info and continues to the Azure portal. ### Set up security info from My Profile An admin has not enforced registration. -A user who has not yet set up all required security info navigates to [https://myprofile.microsoft.com](https://myprofile.microsoft.com). The user then chooses **Security info** from the left-hand navigation. From there, the user chooses to add a method, selects any of the methods available to them, and follows the steps to set up that method. When finished, the user sees the method they just set up on the security info page. +A user who hasn't yet set up all required security info goes to [https://myprofile.microsoft.com](https://myprofile.microsoft.com). The user selects **Security info** in the left pane. From there, the user chooses to add a method, selects any of the methods available, and follows the steps to set up that method. When finished, the user sees the method that was just set up on the Security info page. 
### Delete security info from My Profile -A user who has previously set up at least one method navigates to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). The user chooses to delete one of the previously registered methods. When finished, the user no longer sees that method on the security info page. +A user who has previously set up at least one method navigates to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). The user chooses to delete one of the previously registered methods. When finished, the user no longer sees that method on the Security info page. -### Change default method from My Profile +### Change the default method from My Profile -A user who has previously set up at least one method that can be used for MFA navigates to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). The user changes their current default method to a different default method. When finished, the user sees their new default method on the security info page. +A user who has previously set up at least one method that can be used for Multi-Factor Authentication navigates to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). The user changes the current default method to a different default method. When finished, the user sees the new default method on the Security info page. ## Next steps [Enable combined registration in your tenant](howto-registration-mfa-sspr-combined.md) -[Available methods for MFA and SSPR](concept-authentication-methods.md) +[Available methods for Multi-Factor Authentication and SSPR](concept-authentication-methods.md) [Configure self-service password reset](howto-sspr-deployment.md) diff --git a/articles/active-directory/authentication/howto-mfa-getstarted.md b/articles/active-directory/authentication/howto-mfa-getstarted.md index eca726076dae5..772eb8f18022b 100644 --- a/articles/active-directory/authentication/howto-mfa-getstarted.md 
+++ b/articles/active-directory/authentication/howto-mfa-getstarted.md @@ -57,9 +57,15 @@ Azure Multi-factor Authentication is deployed by enforcing policies with conditi * Compliant device * Hybrid Azure AD joined device * Approved client application + + +Use the customizable posters and email templates in [multi-factor authentication rollout materials] to roll out multi-factor authentication to your organization. (https://www.microsoft.com/en-us/download/details.aspx?id=57600&WT.mc_id=rss_alldownloads_all) + +## Enable Multi-Factor Authentication with Conditional Access Conditional access policies enforce registration, requiring unregistered users to complete registration at first sign-in, an important security consideration. + [Azure AD Identity Protection](../identity-protection/howto-configure-risk-policies.md) contributes both a registration policy for and automated risk detection and remediation policies to the Azure Multi-Factor Authentication story. Policies can be created to force password changes when there is a threat of compromised identity or require MFA when a sign-in is deemed risky by the following [events](../reports-monitoring/concept-risk-events.md): * Leaked credentials 
@@ -99,6 +105,9 @@ Administrators can choose the [authentication methods](../authentication/concept A push notification is sent to the Microsoft Authenticator app on your mobile device. The user views the notification and selects **Approve** to complete verification. Push notifications through a mobile app provide the least intrusive option for users. They are also the most reliable and secure option because they use a data connection rather than telephony. +> [!NOTE] +> If your organization has staff working in or traveling to China, the **Notification through mobile app** method on **Android devices** does not work in that country. Alternate methods should be made available for those users. + ### Verification code from mobile app A mobile app like the Microsoft Authenticator app generates a new OATH verification code every 30 seconds. The user enters the verification code into the sign-in interface. The mobile app option can be used whether or not the phone has a data or cellular signal. @@ -304,4 +313,4 @@ Find solutions for common issues with Azure MFA at the [Troubleshooting Azure Mu * [What are authentication methods?](concept-authentication-methods.md) * [Enable converged registration for Azure Multi-Factor Authentication and Azure AD self-service password reset](concept-registration-mfa-sspr-converged.md) -* Why was a user prompted or not prompted to perform MFA? See the section [Azure AD sign-ins report in the Reports in Azure Multi-Factor Authentication document](howto-mfa-reporting.md#azure-ad-sign-ins-report). \ No newline at end of file +* Why was a user prompted or not prompted to perform MFA? See the section [Azure AD sign-ins report in the Reports in Azure Multi-Factor Authentication document](howto-mfa-reporting.md#azure-ad-sign-ins-report). diff --git a/articles/active-directory/authentication/howto-mfa-nps-extension.md b/articles/active-directory/authentication/howto-mfa-nps-extension.md index 01e348ccb86f4..22506706a5856 100644 
--- a/articles/active-directory/authentication/howto-mfa-nps-extension.md +++ b/articles/active-directory/authentication/howto-mfa-nps-extension.md @@ -6,7 +6,7 @@ services: multi-factor-authentication ms.service: active-directory ms.subservice: authentication ms.topic: conceptual -ms.date: 07/11/2018 +ms.date: 04/12/2019 ms.author: joflore author: MicrosoftGuyJFlo @@ -76,6 +76,12 @@ The NPS server needs to be able to communicate with the following URLs over port * https://adnotifications.windowsazure.com * https://login.microsoftonline.com +Additionally, connectivity to the following URLs is required to complete the [setup of the adapter using the provided PowerShell script](#run-the-powershell-script) + +- https://login.microsoftonline.com +- https://provisioningapi.microsoftonline.com +- https://aadcdn.msauth.net + ## Prepare your environment Before you install the NPS extension, you want to prepare you environment to handle the authentication traffic. @@ -140,6 +146,14 @@ Your users also need to follow these steps to enroll before they can authenticat 2. Copy the binary to the Network Policy Server you want to configure. 3. Run *setup.exe* and follow the installation instructions. If you encounter errors, double-check that the two libraries from the prerequisite section were successfully installed. +#### Upgrade the NPS extension + +When upgrading an existing NPS extension install, to avoid a reboot of the underlying server complete the following steps: + +1. Uninstall the existing version +1. Run the new installer +1. Restart the Network Policy Server (IAS) service + ### Run the PowerShell script The installer creates a PowerShell script in this location: `C:\Program Files\Microsoft\AzureMfa\Config` (where C:\ is your installation drive). This PowerShell script performs the following actions each time it is run: 
@@ -204,6 +218,8 @@ You can choose to create this key and set it to FALSE while your users are onboa Look for the self-signed certificate created by the installer in the cert store, and check that the private key has permissions granted to user **NETWORK SERVICE**. The cert has a subject name of **CN \, OU = Microsoft NPS Extension** +Self-signed certificates generated by the *AzureMfaNpsExtnConfigSetup.ps1* script also have a validity lifetime of two years. When verifying that the certificate is installed, you should also check that the certificate has not expired. + ------------------------------------------------------------- ### How can I verify that my client cert is associated to my tenant in Azure Active Directory? @@ -226,7 +242,7 @@ Connect-MsolService Get-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -ReturnKeyValues 1 | select -ExpandProperty "value" | out-file c:\npscertficicate.cer ``` -Once you run this command, go to your C drive, locate the file and double click on it. Go to details and scroll down to "thumbprint", compare the thumbprint of the certificate installed on the server to this one. The certificate thumbprints should match. +Once you run this command, go to your C drive, locate the file and double-click on it. Go to details and scroll down to "thumbprint", compare the thumbprint of the certificate installed on the server to this one. The certificate thumbprints should match. Valid-From and Valid-Until timestamps, which are in human-readable form, can be used to filter out obvious misfits if the command returns more than one cert. 
@@ -234,7 +250,7 @@ Valid-From and Valid-Until timestamps, which are in human-readable form, can be ### Why cant I sign in? -Check that your password hasn't expired. The NPS Extension does not support changing passwords as part of the sign-in workflow. Please contact your organization's IT Staff for further assistance. +Check that your password hasn't expired. The NPS Extension does not support changing passwords as part of the sign-in workflow. Contact your organization's IT Staff for further assistance. ------------------------------------------------------------- @@ -259,6 +275,14 @@ Verify that AD Connect is running, and that the user is present in both Windows Verify that https://adnotifications.windowsazure.com is reachable from the server running the NPS extension. +------------------------------------------------------------- + +### Why is authentication not working, despite a valid certificate being present? + +If your previous computer certificate has expired, and a new certificate has been generated, you should delete any expired certificates. Having expired certificates can cause issues with the NPS Extension starting. + +To check if you have a valid certificate, check the local Computer Account's Certificate Store using MMC, and ensure the certificate has not passed its expiry date. To generate a newly valid certificate, rerun the steps under the section "[Run the PowerShell script](#run-the-powershell-script)" + ## Managing the TLS/SSL Protocols and Cipher Suites It is recommended that older and weaker cipher suites be disabled or removed unless required by your organization. Information on how to complete this task can be found in the article [Managing SSL/TLS Protocols and Cipher Suites for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs) 
diff --git a/articles/active-directory/authentication/howto-mfaserver-adfs-2012.md b/articles/active-directory/authentication/howto-mfaserver-adfs-2012.md index ff9427b3b6cc1..3a34621dd5253 100644 --- a/articles/active-directory/authentication/howto-mfaserver-adfs-2012.md +++ b/articles/active-directory/authentication/howto-mfaserver-adfs-2012.md @@ -78,7 +78,7 @@ At this point, Multi-Factor Authentication Server is set up to be an additional Follow these steps to edit the MultiFactorAuthenticationAdfsAdapter.config file: 1. Set the **UseWebServiceSdk** node to **true**. -2. Set the value for **WebServiceSdkUrl** to the URL of the Multi-Factor Authentication Web Service SDK. For example: **, Where *certificatename* is the name of your certificate. +2. Set the value for **WebServiceSdkUrl** to the URL of the Multi-Factor Authentication Web Service SDK. For example: *https:\/\/contoso.com/\/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx*, Where *\* is the name of your certificate. 3. Edit the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script by adding `-ConfigurationFilePath <path>` to the end of the `Register-AdfsAuthenticationProvider` command, where *<path>* is the full path to the MultiFactorAuthenticationAdfsAdapter.config file. ### Configure the Web Service SDK with a username and password diff --git a/articles/active-directory/authentication/howto-mfaserver-deploy-ha.md b/articles/active-directory/authentication/howto-mfaserver-deploy-ha.md index be9868b62195f..ac0b252774d11 100644 --- a/articles/active-directory/authentication/howto-mfaserver-deploy-ha.md +++ b/articles/active-directory/authentication/howto-mfaserver-deploy-ha.md 
@@ -33,7 +33,7 @@ Both MFA master and subordinate MFA Servers communicate with the MFA Service whe After successful authentication with AD, the MFA Server will communicate with the MFA Service. The MFA Server waits for notification from the MFA Service to allow or deny the user access to the application. -If the MFA master server goes offline, authentications can still be processed, but operations that require changes to the MFA database cannot be processed. (Examples include: the addition of users, self-service PIN changes, and changing user information) +If the MFA master server goes offline, authentications can still be processed, but operations that require changes to the MFA database cannot be processed. (Examples include: the addition of users, self-service PIN changes, changing user information, or access to the user portal) ## Deployment diff --git a/articles/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md b/articles/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md index a0ca70752a24e..b2d7c54154d03 100644 --- a/articles/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md +++ b/articles/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot combined registration for Azure AD SSPR and MFA (preview) - Azure Active Directory +title: Troubleshoot combined registration for Azure AD SSPR and Multi-Factor Authentication (preview) - Azure Active Directory description: Troubleshoot Azure AD Multi-Factor Authentication and self-service password reset combined registration (preview) services: active-directory 
@@ -17,145 +17,145 @@ ms.collection: M365-identity-device-management --- # Troubleshooting combined security information registration (preview) -The information provided in this article can guide administrators who are troubleshooting issues with the combined registration experience reported by their end-users. +The information in this article is meant to guide admins who are troubleshooting issues reported by users of the combined registration experience. | | | --- | -| Combined security information registration for Azure Multi-Factor Authentication and Azure AD self-service password reset is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)| +| Combined security information registration for Azure Multi-Factor Authentication and Azure Active Directory (Azure AD) self-service password reset is a public preview feature of Azure AD. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).| | | ## Audit logs -The events logged for combined registration are under the “Authentication Methods” category in the Azure AD audit logs. +The events logged for combined registration are in the Authentication Methods category in the Azure AD audit logs. ![Azure AD Audit logs interface showing registration events](media/howto-registration-mfa-sspr-combined-troubleshoot/combined-security-info-audit-log.png) -The following lists all audit events generated by combined registration: +The following table lists all audit events generated by combined registration: | Activity | Status | Reason | Description | | --- | --- | --- | --- | | User registered all required security info | Success | User registered all required security info. 
| This event occurs when a user has successfully completed registration.| | User registered all required security info | Failure | User canceled security info registration. | This event occurs when a user cancels registration from interrupt mode.| -| User registered security info | Success | User registered "method". | This event occurs when a user registers an individual method. "Method" can be Authenticator app, Phone, Email, Security questions, App password, Alternate phone, etc.| -| User reviewed security info | Success | User successfully reviewed security info. | This event occurs when a user clicks "Looks good" on the security info review page.| -| User reviewed security info | Failure | User failed to review security info. | This event occurs when a user clicks “Looks good” on the security info review page but something fails in the backend.| -| User deleted security info | Success | User deleted "method". | This event occurs when a user deletes an individual method. "Method" can be Authenticator app, Phone, Email, Security questions, App password, Alternate phone, etc.| -| User deleted security info | Failure | User failed to delete "method". | This event occurs when a user tries to delete a method but it fails for some reason. "Method" can be Authenticator app, Phone, Email, Security questions, App password, Alternate phone, etc.| -| User changed default security info | Success | User changed default security info to "method". | This event occurs when a user changes their default method. "Method" can be Authenticator app notification, code from my authenticator app or token, Call +X XXXXXXXXXX, Text a code to +X XXXXXXXXX, etc.| -| User changed default security info | Failure | User failed to change default security info to "method". | This event occurs when a user tries to change their default method but it fails for some reason. 
"Method" can be Authenticator app notification, a code from my authenticator app or token, Call +X XXXXXXXXXX, Text a code to +X XXXXXXXXX, etc.| +| User registered security info | Success | User registered *method*. | This event occurs when a user registers an individual method. *Method* can be Authenticator app, Phone, Email, Security questions, App password, Alternate phone, and so on.| +| User reviewed security info | Success | User successfully reviewed security info. | This event occurs when a user selects **Looks good** on the security info review page.| +| User reviewed security info | Failure | User failed to review security info. | This event occurs when a user selects **Looks good** on the security info review page but something fails on the backend.| +| User deleted security info | Success | User deleted *method*. | This event occurs when a user deletes an individual method. *Method* can be Authenticator app, Phone, Email, Security questions, App password, Alternate phone, and so on.| +| User deleted security info | Failure | User failed to delete *method*. | This event occurs when a user tries to delete a method but the attempt fails for some reason. *Method* can be Authenticator app, Phone, Email, Security questions, App password, Alternate phone, and so on.| +| User changed default security info | Success | User changed the default security info for *method*. | This event occurs when a user changes the default method. *Method* can be Authenticator app notification, A code from my authenticator app or token, Call +X XXXXXXXXXX, Text a code to +X XXXXXXXXX, and so on.| +| User changed default security info | Failure | User failed to change the default security info for *method*. | This event occurs when a user tries to change the default method but the attempt fails for some reason. 
*Method* can be Authenticator app notification, A code from my authenticator app or token, Call +X XXXXXXXXXX, Text a code to +X XXXXXXXXX, and so on.| ## Troubleshooting interrupt mode | Symptom | Troubleshooting steps | | --- | --- | -| I’m not seeing the methods I expected to see. | 1. Check if the user has an Azure AD administrator role. If yes, review the SSPR administrator policy differences.
2. Determine whether the user is being interrupted due to MFA registration enforcement or SSPR registration enforcement. Review the flowchart under combined registration modes to determine which methods should be shown.
3. Determine how recently the MFA or SSPR policy was changed. If the change was recent, it may take some time for the updated policy to propagate.| +| I’m not seeing the methods I expected to see. | 1. Check if the user has an Azure AD admin role. If yes, view the SSPR admin policy differences.
2. Determine whether the user is being interrupted because of Multi-Factor Authentication registration enforcement or SSPR registration enforcement. See the [flowchart](../../active-directory/authentication/concept-registration-mfa-sspr-combined.md#combined-registration-modes) under "Combined registration modes" to determine which methods should be shown.
3. Determine how recently the Multi-Factor Authentication or SSPR policy was changed. If the change was recent, it might take some time for the updated policy to propagate.| ## Troubleshooting manage mode | Symptom | Troubleshooting steps | | --- | --- | -| I don’t have the option to add a particular method. | 1. Determine whether the method is enabled for MFA or for SSPR.
2. If the method is enabled, resave the policies and wait 1-2 hours before testing again.
3. If the method is enabled, ensure that the user hasn’t already set up the maximum number of that method that they're allowed to set up.| +| I don’t have the option to add a particular method. | 1. Determine whether the method is enabled for Multi-Factor Authentication or for SSPR.
2. If the method is enabled, save the policies again and wait 1-2 hours before testing again.
3. If the method is enabled, ensure that the user hasn’t already set up the maximum number of that method that they're allowed to set up.| ## Disable combined registration -When a user registers their phone number and/or mobile app in the new combined experience, our service stamps a set of flags (StrongAuthenticationMethods) for those methods on that user. This functionality allows the user to perform Azure Multi-Factor Authentication (MFA) with those methods whenever MFA is required. +When a user registers a phone number and/or mobile app in the new combined experience, our service stamps a set of flags (StrongAuthenticationMethods) for those methods on that user. This functionality allows the user to perform Multi-Factor Authentication with those methods whenever Multi-Factor Authentication is required. -The methods that users register through the new experience have the StrongAuthenticationMethods property set. If an admin enables the preview, users register through the new experience, and then the admin disables the preview, users may unknowingly be registered for MFA also. +If an admin enables the preview, users register through the new experience, and then the admin disables the preview, users might unknowingly be registered for Multi-Factor Authentication also. -If a user who has completed combined registration navigates to the current self-service password reset (SSPR) registration page, at [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup), they will be prompted to perform MFA before they can access that page. This step is an expected behavior from a technical standpoint, but for users who were previously registered for SSPR only, this step is a new behavior. Although this extra step does improve the user’s security posture by providing an additional level of security, admins may want to roll back their users so that they are no longer capable of performing MFA. 
+If a user who has completed combined registration goes to the current self-service password reset (SSPR) registration page at [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup), the user will be prompted to perform Multi-Factor Authentication before they can access that page. This step is expected from a technical standpoint, but it's new for users who were previously registered for SSPR only. Though this extra step does improve the user’s security posture by providing another level of security, admins might want to roll back their users so that they're no longer able to perform Multi-Factor Authentication. ### How to roll back users -If you as an administrator want to reset a user's MFA settings, we have created a PowerShell script that will clear the StrongAuthenticationMethods property for a user’s mobile app and/or phone number. Running this script for your users means that they will need to re-register for MFA if needed. We recommend testing rollback with one or two users before rolling back all the affected users. +If you, as an admin, want to reset a user's Multi-Factor Authentication settings, you can use the PowerShell script provided in the next section. The script will clear the StrongAuthenticationMethods property for a user’s mobile app and/or phone number. If you run this script for your users, they'll need to re-register for Multi-Factor Authentication if they need it. We recommend testing rollback with one or two users before rolling back all affected users. -The steps that follow will help you roll back a user or group of users: +The steps that follow will help you roll back a user or group of users. #### Prerequisites -1. You will need to install the appropriate Azure AD PowerShell modules. In a PowerShell window, run these commands to install the modules: +1. Install the appropriate Azure AD PowerShell modules. 
In a PowerShell window, run these commands to install the modules: ```powershell Install-Module -Name MSOnline Import-Module MSOnline ``` -1. Save the list of affected user object ID/IDs to your machine as a text file with one ID per line. Make note of the location of the file. -1. Save the following script to your machine and make note of the location of the script: - -```powershell -<# -//******************************************************** -//* * -//* Copyright (C) Microsoft. All rights reserved. * -//* * -//******************************************************** -#> - -param($path) - -# Define Remediation Fn -function RemediateUser { - - param - ( - $ObjectId - ) - - $user = Get-MsolUser -ObjectId $ObjectId - - Write-Host "Checking if user is eligible for rollback: UPN: " $user.UserPrincipalName " ObjectId: " $user.ObjectId -ForegroundColor Yellow - - $hasMfaRelyingParty = $false - foreach($p in $user.StrongAuthenticationRequirements) - { - if ($p.RelyingParty -eq "*") - { - $hasMfaRelyingParty = $true - Write-Host "User was enabled for per-user MFA." -ForegroundColor Yellow - } - } - - if ($user.StrongAuthenticationMethods.Count -gt 0 -and -not $hasMfaRelyingParty) - { - Write-Host $user.UserPrincipalName " is eligible for rollback" -ForegroundColor Yellow - Write-Host "Rolling back user ..." -ForegroundColor Yellow - Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user.UserPrincipalName - Write-Host "Successfully rolled back user " $user.UserPrincipalName -ForegroundColor Green - } - else - { - Write-Host $user.UserPrincipalName " is not eligible for rollback. No action required." - } - - Write-Host "" - Start-Sleep -Milliseconds 750 -} - -# Connect -Import-Module MSOnline -Connect-MsolService - -foreach($line in Get-Content $path) -{ - RemediateUser -ObjectId $line -} -``` +1. Save the list of affected user object IDs to your computer as a text file with one ID per line. Make note of the location of the file. +1. 
Save the following script to your computer and make note of the location of the script: + + ```powershell + <# + //******************************************************** + //* * + //* Copyright (C) Microsoft. All rights reserved. * + //* * + //******************************************************** + #> + + param($path) + + # Define Remediation Fn + function RemediateUser { + + param + ( + $ObjectId + ) + + $user = Get-MsolUser -ObjectId $ObjectId + + Write-Host "Checking if user is eligible for rollback: UPN: " $user.UserPrincipalName " ObjectId: " $user.ObjectId -ForegroundColor Yellow + + $hasMfaRelyingParty = $false + foreach($p in $user.StrongAuthenticationRequirements) + { + if ($p.RelyingParty -eq "*") + { + $hasMfaRelyingParty = $true + Write-Host "User was enabled for per-user MFA." -ForegroundColor Yellow + } + } + + if ($user.StrongAuthenticationMethods.Count -gt 0 -and -not $hasMfaRelyingParty) + { + Write-Host $user.UserPrincipalName " is eligible for rollback" -ForegroundColor Yellow + Write-Host "Rolling back user ..." -ForegroundColor Yellow + Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $user.UserPrincipalName + Write-Host "Successfully rolled back user " $user.UserPrincipalName -ForegroundColor Green + } + else + { + Write-Host $user.UserPrincipalName " is not eligible for rollback. No action required." + } + + Write-Host "" + Start-Sleep -Milliseconds 750 + } + + # Connect + Import-Module MSOnline + Connect-MsolService + + foreach($line in Get-Content $path) + { + RemediateUser -ObjectId $line + } + ``` #### Rollback -In a PowerShell window, run the following command after updating the highlighted locations. Enter global administrator credentials when prompted. The script will output the outcome of each user update operation. +In a PowerShell window, run the following command, providing the script and user file locations. Enter global administrator credentials when prompted. 
The script will output the outcome of each user update operation. ` + ``` Alternatively, if you have Node installed, you can download it through npm: @@ -187,14 +200,14 @@ myMSALObj.acquireTokenSilent(applicationConfig.graphScopes).then(function (acces #### Get a user token interactively -There are situations where you need to force users to interact with Azure AD v2.0 endpoint. For example: +There are situations where you need to force users to interact with Microsoft identity platform endpoint. For example: * Users may need to reenter their credentials because their password has expired * Your application is requesting access to additional resource scopes that the user needs to consent to * Two factor authentication is required The usual recommended pattern for most applications is to call `acquireTokenSilent` first, then catch the exception and then call `acquireTokenRedirect` (or `acquireTokenPopup`) to start an interactive request. -Calling the `acquireTokenPopup(scope)` results in a popup window to sign in (or `acquireTokenRedirect(scope)` results in redirecting users to the Azure AD v2.0 endpoint) where users need to interact by either confirming their credentials, giving the consent to the required resource, or completing the two factor authentication. +Calling the `acquireTokenPopup(scope)` results in a popup window to sign in (or `acquireTokenRedirect(scope)` results in redirecting users to the Microsoft identity platform endpoint) where users need to interact by either confirming their credentials, giving the consent to the required resource, or completing the two factor authentication. ```javascript myMSALObj.acquireTokenPopup(applicationConfig.graphScopes).then(function (accessToken) { diff --git a/articles/active-directory/develop/quickstart-v2-netcore-daemon.md b/articles/active-directory/develop/quickstart-v2-netcore-daemon.md index 81302e3ff9d70..56f8d168bf714 100644 --- a/articles/active-directory/develop/quickstart-v2-netcore-daemon.md 
+++ b/articles/active-directory/develop/quickstart-v2-netcore-daemon.md @@ -1,6 +1,6 @@ --- -title: Azure AD v2 .NET Core daemon | Microsoft Docs -description: Learn how a .NET Core process can get an access token and call an API protected by an Azure Active Directory v2.0 endpoint using the app's own identity +title: Microsoft identity platform .NET Core daemon | Azure +description: Learn how a .NET Core process can get an access token and call an API protected by Microsoft identity platform endpoint using the app's own identity services: active-directory documentationcenter: dev-center-name author: jmprieur @@ -14,10 +14,10 @@ ms.devlang: na ms.topic: quickstart ms.tgt_pltfrm: na ms.workload: identity -ms.date: 03/20/2019 +ms.date: 04/10/2019 ms.author: jmprieur ms.custom: aaddev -#Customer intent: As an application developer, I want to learn how my .NET Core app can get an access token and call an API that's protected by an Azure AD v2.0 endpoint using client credentials flow. +#Customer intent: As an application developer, I want to learn how my .NET Core app can get an access token and call an API that's protected by an Microsoft identity platform endpoint using client credentials flow. ms.collection: M365-identity-device-management --- 
@@ -27,11 +27,11 @@ ms.collection: M365-identity-device-management In this quickstart, you'll learn how to write a .NET Core application that can get an access token using the app's own identity and then call the Microsoft Graph API to display a [list of users](https://docs.microsoft.com/graph/api/user-list) in the directory. This scenario is useful for situations where headless, unattended job or a windows service needs to run with an application identity, instead of a user's identity. -![Shows how the sample app generated by this quickstart works](media/quickstart-v2-netcore-daemon/netcore-daemon-intro-updated.png) +![Shows how the sample app generated by this quickstart works](media/quickstart-v2-netcore-daemon/netcore-daemon-intro.svg) ## Prerequisites -This quickstart requires [.NET Core 2.1](https://www.microsoft.com/net/download/dotnet-core/2.1). +This quickstart requires [.NET Core 2.2](https://www.microsoft.com/net/download/dotnet-core/2.2). > [!div renderon="docs"] > ## Register and download your quickstart app @@ -44,7 +44,7 @@ This quickstart requires [.NET Core 2.1](https://www.microsoft.com/net/download/ > > ### Option 1: Register and auto configure your app and then download your code sample > -> 1. Go to the [Azure portal - Application Registration (Preview)](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/DotNetCoreDaemonQuickstartPage/sourceType/docs). +> 1. Go to the new [Azure portal - App registrations](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/DotNetCoreDaemonQuickstartPage/sourceType/docs) pane. > 1. Enter a name for your application and select **Register**. > 1. Follow the instructions to download and automatically configure your new application with just one click. 
> @@ -54,9 +54,11 @@ This quickstart requires [.NET Core 2.1](https://www.microsoft.com/net/download/ > #### Step 1: Register your application > To register your application and add the app's registration information to your solution manually, follow these steps: > -> 1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account or a personal Microsoft account. +> 1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account. > 1. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant. -> 1. In the left-hand navigation pane, select the **Azure Active Directory** service, and then select **App registrations (Preview)** > **New registration**. +> 1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page. +> 1. Select **New registration**. +> 1. When the **Register an application** page appears, enter your application's registration information. > 1. In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `Daemon-console`, then select **Register** to create the application. > 1. Once registered, select the **Certificates & secrets** menu. > 1. Under **Client secrets**, select **+ New client secret**. Give it a name and select **Add**. Copy the secret on a safe location. You will need it to use in your code. 
@@ -77,7 +79,7 @@ This quickstart requires [.NET Core 2.1](https://www.microsoft.com/net/download/ #### Step 2: Download your Visual Studio project -[Download the Visual Studio project](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/archive/master.zip) +[Download the Visual Studio project](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/archive/msal3x.zip) #### Step 3: Configure your Visual Studio project @@ -105,7 +107,7 @@ This quickstart requires [.NET Core 2.1](https://www.microsoft.com/net/download/ #### Step 4: Admin consent -If you try to run the application at this point, you will receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This happens because any *app-only permission* requires Admin consent, which means that an global administrator of your directory must give consent to your application. Select one of the options below depending your role: +If you try to run the application at this point, you will receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This happens because any *app-only permission* requires Admin consent, which means that a global administrator of your directory must give consent to your application. Select one of the options below depending on your role: ##### Global tenant administrator 
@@ -154,12 +156,12 @@ You should see a list of users in your Azure AD directory as result. ### MSAL.NET -MSAL ([Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)) is the library used to sign in users and request tokens used to access an API protected by Microsoft Azure Active Directory (Azure AD). As described, this quickstart request tokens by using the application own identity instead of delegated permissions. The authentication flow used in this case is known as *[client credentials oauth flow](v2-oauth2-client-creds-grant-flow.md)*. For more information on how to use MSAL.NET with client credentials flow, please see [this article](https://aka.ms/msal-net-client-credentials). +MSAL ([Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)) is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. As described, this quickstart requests tokens by using the application own identity instead of delegated permissions. The authentication flow used in this case is known as *[client credentials oauth flow](v2-oauth2-client-creds-grant-flow.md)*. For more information on how to use MSAL.NET with client credentials flow, see [this article](https://aka.ms/msal-net-client-credentials). You can install MSAL.NET by running the following command in Visual Studio's **Package Manager Console**: ```powershell -Install-Package Microsoft.Identity.Client +Install-Package Microsoft.Identity.Client -Pre ``` Alternatively, if you are not using Visual Studio, you can run the following command to add MSAL to your project: 
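Review bot: The install command now pulls a prerelease build with no version given, `Install-Package Microsoft.Identity.Client -Pre`, so a reader gets whichever preview is newest on the day they run it, and the builder-style code further down may not match that build. Consider pinning it, for example `Install-Package Microsoft.Identity.Client -Version <PRERELEASE_VERSION>` (placeholder version), and saying in the text that a preview package is required. The UWP quickstart in this commit spells the same switch `-IncludePrerelease`; use one spelling in both files. The alternative command that follows "Alternatively, if you are not using Visual Studio" is outside this hunk, so whether it was updated to request the same package version cannot be seen here.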
@@ -179,48 +181,44 @@ using Microsoft.Identity.Client; Then, initialize MSAL using the following code: ```csharp -ClientCredential clientCredentials = new ClientCredential(secret: config.ClientSecret); - -var app = new ConfidentialClientApplication( - clientId: config.ClientId, - authority: config.Authority, - redirectUri: "https://daemon", - clientCredential: clientCredentials, - userTokenCache: null, - appTokenCache: new TokenCache() +IConfidentialClientApplication app; +app = ConfidentialClientApplicationBuilder.Create(config.ClientId) + .WithClientSecret(config.ClientSecret) + .WithAuthority(new Uri(config.Authority)) + .Build(); ); ``` > | Where: || > |---------|---------| -> | `secret` | Is the client secret created for the application in Azure Portal. | -> | `clientId` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. | -> | `Authority` | (Optional) The STS endpoint for user to authenticate. Usually for public cloud, where {tenant} is the name of your tenant or your tenant Id.| -> | `redirectUri` | URL where users are sent after authentication. In this case, because this is a console/non-interactive application, this parameter is not used | -> | `clientCredentials` | The client credentials object, containing either the secret or certificate | -> | `userTokenCache` | Instance of a token cache for the user. In this case, because this app runs in context of the app, and not the user, this value is null| -> | `appTokenCache` | Instance of a token cache for the app| +> | `config.ClientSecret` | Is the client secret created for the application in Azure Portal. | +> | `config.ClientId` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. | +> | `config.Authority` | (Optional) The STS endpoint for user to authenticate. 
Usually for public cloud, where {tenant} is the name of your tenant or your tenant Id.| -For more information, please see the [reference documentation for `ConfidentialClientApplication`](https://docs.microsoft.com/dotnet/api/microsoft.identity.client.confidentialclientapplication.-ctor?view=azure-dotnet) +For more information, please see the [reference documentation for `ConfidentialClientApplication`](https://docs.microsoft.com/en-us/dotnet/api/microsoft.identity.client.iconfidentialclientapplication?view=azure-dotnet) ### Requesting tokens -To request a token using app's identity, use `AcquireTokenForClientAsync` method: +To request a token using app's identity, use `AcquireTokenForClient` method: ```csharp -result = await app.AcquireTokenForClientAsync(scopes); +result = await app.AcquireTokenForClient(scopes) + .ExecuteAsync(); ``` > |Where:| | > |---------|---------| > | `scopes` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure Portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom Web APIs, `{Application ID URI}` is defined under **Expose an API** section in Azure Portal's Application Registration (Preview). 
| -For more information, please see the [reference documentation for `AcquireTokenForClientAsync`](https://docs.microsoft.com/dotnet/api/microsoft.identity.client.confidentialclientapplication.acquiretokenforclientasync?view=azure-dotnet#Microsoft_Identity_Client_ConfidentialClientApplication_AcquireTokenForClientAsync_System_Collections_Generic_IEnumerable_System_String__) +For more information, please see the [reference documentation for `AcquireTokenForClient`](https://docs.microsoft.com/dotnet/api/microsoft.identity.client.confidentialclientapplication.acquiretokenforclientasync?view=azure-dotnet#Microsoft_Identity_Client_ConfidentialClientApplication_AcquireTokenForClientAsync_System_Collections_Generic_IEnumerable_System_String__) [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)] ## Next steps +> [!div class="nextstepaction"] +> [.NET Core daemon sample](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) + Learn more about permissions and consent: > [!div class="nextstepaction"] diff --git a/articles/active-directory/develop/quickstart-v2-uwp.md b/articles/active-directory/develop/quickstart-v2-uwp.md index c963186a21f7b..bef83bacf57ba 100644 --- a/articles/active-directory/develop/quickstart-v2-uwp.md +++ b/articles/active-directory/develop/quickstart-v2-uwp.md @@ -1,6 +1,6 @@ --- -title: Azure AD v2 Windows UWP quickstart | Microsoft Docs -description: Learn how a Universal Windows Platform (XAML) application can get an access token and call an API protected by an Azure Active Directory v2.0 endpoint. +title: Microsoft identity platform Windows UWP quickstart | Azure +description: Learn how a Universal Windows Platform (XAML) application can get an access token and call an API protected by Microsoft identity platform endpoint. services: active-directory documentationcenter: dev-center-name author: jmprieur 
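Review bot: The new initialization sample does not compile as shown, because the `);` that closed the old `new ConfidentialClientApplication(` call is kept as a context line and now follows `.Build();`. Drop that line so the block ends at `.Build();`. In the same hunk the "For more information" link for `AcquireTokenForClient` still targets the `acquiretokenforclientasync` reference anchor, and the link labelled `ConfidentialClientApplication` now points at the `iconfidentialclientapplication` page with a hard-coded `en-us` locale; both should match the API the sample calls. Since the sample reads `config.ClientSecret`, the table row for it is a good place for one sentence telling readers to keep that value out of source control, wherever `config` is loaded from.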
@@ -14,10 +14,10 @@ ms.devlang: na ms.topic: quickstart ms.tgt_pltfrm: na ms.workload: identity -ms.date: 04/01/2019 +ms.date: 04/12/2019 ms.author: jmprieur ms.custom: aaddev -#Customer intent: As an application developer, I want to learn how my Universal Windows Platform (XAML) application can get an access token and call an API that's protected by an Azure AD v2.0 endpoint. +#Customer intent: As an application developer, I want to learn how my Universal Windows Platform (XAML) application can get an access token and call an API that's protected by an Microsoft identity platform endpoint. ms.collection: M365-identity-device-management --- @@ -27,7 +27,7 @@ ms.collection: M365-identity-device-management This quickstart contains a code sample that demonstrates how a Universal Windows Platform (UWP) application can sign in users with personal or work and school accounts, get an access token, and call the Microsoft Graph API. -![Shows how the sample app generated by this quickstart works](media/quickstart-v2-uwp/uwp-intro-updated.png) +![Shows how the sample app generated by this quickstart works](media/quickstart-v2-uwp/uwp-intro.svg) > [!div renderon="docs"] > ## Register and download your quickstart app @@ -38,7 +38,7 @@ This quickstart contains a code sample that demonstrates how a Universal Windows > > ### Option 1: Register and auto configure your app and then download your code sample > -> 1. Go to the [Azure portal - Application Registration](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/UwpQuickstartPage/sourceType/docs) +> 1. Go to the new [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/UwpQuickstartPage/sourceType/docs) pane. > 1. Enter a name for your application and click **Register**. > 1. Follow the instructions to download and automatically configure your new application for you in one click. 
> @@ -48,7 +48,8 @@ This quickstart contains a code sample that demonstrates how a Universal Windows > To register your application and add the app's registration information to your solution, follow these steps: > 1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account. > 1. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant. -> 1. In the left-hand navigation pane, select the **Azure Active Directory** service, and then select **App registrations (Preview)** > **New registration**. +> 1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page. +> 1. Select **New registration**. > 1. When the **Register an application** page appears, enter your application's registration information: > - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `UWP-App-calling-MsGraph`. > - In the **Supported account types** section, select **Accounts in any organizational directory and personal Microsoft accounts (for example, Skype, Xbox, Outlook.com)**. 
@@ -68,29 +69,32 @@ This quickstart contains a code sample that demonstrates how a Universal Windows #### Step 2: Download your Visual Studio project - - [Download the Visual Studio 2017 project](https://github.com/Azure-Samples/active-directory-dotnet-native-uwp-v2/archive/master.zip) + - [Download the Visual Studio 2017 project](https://github.com/Azure-Samples/active-directory-dotnet-native-uwp-v2/archive/msal3x.zip) #### Step 3: Configure your Visual Studio project 1. Extract the zip file to a local folder close to the root of the disk, for example, **C:\Azure-Samples**. -1. Open the project in Visual Studio. -1. Edit **App.Xaml.cs** and replace the values of the fields `ClientId` and `Tenant` with: +1. Open the project in Visual Studio. You might be prompted to install a UWP SDK. In that case, accept. +1. Edit **MainPage.Xaml.cs** and replace the values of the `ClientId` field: ```csharp - private static string ClientId = "Enter_the_Application_Id_here"; - private static string Tenant = "Enter_the_Tenant_Info_Here"; + private const string ClientId = "Enter_the_Application_Id_here"; ``` > [!div renderon="docs"] > Where: > - `Enter_the_Application_Id_here` - is the Application Id for the application you registered. 
-> - `Enter_the_Tenant_Info_Here` - is one of the options below: -> - If your application supports **My organization only**, replace this value with the **Tenant Id** or **Tenant name** (for example, contoso.microsoft.com) -> - If your application supports **Accounts in any organizational directory**, replace this value with `organizations` -> - If your application supports **All Microsoft account users**, replace this value with `common` > > > [!TIP] -> > To find the values of *Application ID*, *Directory (tenant) ID*, and *Supported account types*, go to the **Overview** page +> > To find the values of *Application ID*, go to the **Overview** page + +#### Step 4: Run your application + +If you want to try the quickstart on your Windows machine: + +1. In the Visual Studio toolbar, choose the right platform (probably **x64** or **x86**, not ARM). + > Observe that the target device changes from *Device* to *Local Machine* +1. select Debug | **Start Without Debugging** ## More information @@ -98,10 +102,10 @@ This section provides more information about the quickstart. ### MSAL.NET -MSAL ([Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)) is the library used to sign in users and request tokens used to access an API protected by Microsoft Azure Active Directory. You can install MSAL by running the following command in Visual Studio's *Package Manager Console*: +MSAL ([Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)) is the library used to sign in users and request security tokens. The security tokens are used to access an API protected by Microsoft Identity platform for developers. You can install MSAL by running the following command in Visual Studio's *Package Manager Console*: ```powershell -Install-Package Microsoft.Identity.Client -Pre +Install-Package Microsoft.Identity.Client -IncludePrerelease ``` ### MSAL initialization 
@@ -115,7 +119,9 @@ using Microsoft.Identity.Client; Then, initialize MSAL using the following code: ```csharp -public static PublicClientApplication PublicClientApp = new PublicClientApplication(ClientId); +public static IPublicClientApplication PublicClientApp; +PublicClientApp = new PublicClientApplicationBuilder.Create(ClientId) + .Build(); ``` > |Where: || @@ -124,19 +130,20 @@ public static PublicClientApplication PublicClientApp = new PublicClientApplicat ### Requesting tokens -MSAL has two methods for acquiring tokens: `AcquireTokenAsync` and `AcquireTokenSilentAsync`. +MSAL has two methods used to acquiring tokens interactively: `AcquireTokenInteractive` and `AcquireTokenSilent`. #### Get a user token interactively -Some situations require forcing users interact with the Azure AD v2.0 endpoint through a popup window to either validate their credentials or to give consent. Some examples include: +Some situations require forcing users interact with the Microsoft identity platform endpoint through a popup window to either validate their credentials or to give consent. Some examples include: -- The first time users sign in to the application +- The first-time users sign in to the application - When users may need to reenter their credentials because the password has expired -- When your application is requesting access to a resource that the user needs to consent to +- When your application is requesting access to a resource, that the user needs to consent to - When two factor authentication is required ```csharp -authResult = await App.PublicClientApp.AcquireTokenAsync(scopes); +authResult = await App.PublicClientApp.AcquireTokenInteractive(scopes) + .ExecuteAsync(); ``` > |Where:|| 
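Review bot: `new PublicClientApplicationBuilder.Create(ClientId)` in the MSAL initialization block is not valid C#. The daemon quickstart in this same commit calls the equivalent factory without `new` (`ConfidentialClientApplicationBuilder.Create(config.ClientId)`), so the keyword has to go here too. The snippet also declares the static field and assigns it in a separate statement, which only works inside a method or constructor; a single line `public static IPublicClientApplication PublicClientApp = PublicClientApplicationBuilder.Create(ClientId).Build();` keeps the shape of the line it replaces. Step 3 of this file now places `ClientId` in **MainPage.Xaml.cs** while the later snippets still call `App.PublicClientApp`, so it is worth confirming against the sample which class owns the field.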
@@ -145,17 +152,19 @@ authResult = await App.PublicClientApp.AcquireTokenAsync(scopes); #### Get a user token silently -You don't want to require the user to validate their credentials every time they need to access a resource. Most of the time you want token acquisitions and renewal without any user interaction. You can use the `AcquireTokenSilentAsync` method to obtain tokens to access protected resources after the initial `AcquireTokenAsync` method: +You don't want to require the user to validate their credentials every time they need to access a resource. Most of the time you want token acquisitions and renewal without any user interaction. You can use the `AcquireTokenSilent` method to obtain tokens to access protected resources after the initial `AcquireTokenAsync` method: ```csharp var accounts = await App.PublicClientApp.GetAccountsAsync(); -authResult = await App.PublicClientApp.AcquireTokenSilentAsync(scopes, accounts.FirstOrDefault()); +var firstAccount = accounts.FirstOrDefault(); +authResult = await App.PublicClientApp.AcquireTokenSilent(scopes, firstAccount) + .ExecuteAsync(); ``` > |Where: || > |---------|---------| > | `scopes` | Contains the scopes being requested, such as `{ "user.read" }` for Microsoft Graph or `{ "api:///access_as_user" }` for custom Web APIs | -> | `accounts.FirstOrDefault()` | Specifies the first user in the cache (MSAL supports multiple users in a single app) | +> | `firstAccount` | Specifies the first user account in the cache (MSAL supports multiple users in a single app) | [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)] diff --git a/articles/active-directory/develop/quickstart-v2-windows-desktop.md b/articles/active-directory/develop/quickstart-v2-windows-desktop.md index 8178d3dd576e7..45b7a06a4971e 100644 --- a/articles/active-directory/develop/quickstart-v2-windows-desktop.md +++ b/articles/active-directory/develop/quickstart-v2-windows-desktop.md 
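Review bot: The rewritten sentence still says the silent call comes "after the initial `AcquireTokenAsync` method", but the interactive call in this file is now `AcquireTokenInteractive(scopes).ExecuteAsync()`, so the name should be updated with the rest. The snippet passes `accounts.FirstOrDefault()` straight to `AcquireTokenSilent`, which is null when nothing is cached and is an arbitrary account when several are cached, and it does not show the fallback to the interactive call when the silent call fails. The full sample may handle this outside the snippet, but the quickstart text should say so, for instance with a comment such as `// firstAccount is null when no account is cached; catch MsalUiRequiredException and call AcquireTokenInteractive`. Where more than one user can be signed in, the text should also tell readers to select the intended account instead of the first one, so a token is not requested for the wrong user.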
@@ -1,6 +1,6 @@ --- -title: Azure AD v2 Windows desktop quickstart | Microsoft Docs -description: Learn how a Windows desktop .NET (XAML) application can get an access token and call an API protected by an Azure Active Directory v2.0 endpoint +title: Microsoft identity platform Windows desktop quickstart | Microsoft Docs +description: Learn how a Windows desktop .NET (XAML) application can get an access token and call an API protected by an Microsoft identity platform endpoint services: active-directory documentationcenter: dev-center-name author: jmprieur @@ -14,10 +14,10 @@ ms.devlang: na ms.topic: quickstart ms.tgt_pltfrm: na ms.workload: identity -ms.date: 04/01/2019 +ms.date: 04/11/2019 ms.author: jmprieur ms.custom: aaddev -#Customer intent: As an application developer, I want to learn how my Windows desktop .NET application can get an access token and call an API that's protected by an Azure AD v2.0 endpoint. +#Customer intent: As an application developer, I want to learn how my Windows desktop .NET application can get an access token and call an API that's protected by an Microsoft identity platform endpoint. ms.collection: M365-identity-device-management --- @@ -27,7 +27,7 @@ ms.collection: M365-identity-device-management In this quickstart, you'll learn how to write a Windows desktop .NET (WPF) application that can sign in personal, work and school accounts, get an access token, and call the Microsoft Graph API. -![Shows how the sample app generated by this quickstart works](media/quickstart-v2-windows-desktop/windesktop-intro-updated.png) +![Shows how the sample app generated by this quickstart works](media/quickstart-v2-windows-desktop/windesktop-intro.svg) > [!div renderon="docs"] > ## Register and download your quickstart app 
@@ -37,7 +37,7 @@ In this quickstart, you'll learn how to write a Windows desktop .NET (WPF) appli > > ### Option 1: Register and auto configure your app and then download your code sample > -> 1. Go to the [Azure portal - Application Registration](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/WinDesktopQuickstartPage/sourceType/docs). +> 1. Go to the new [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/WinDesktopQuickstartPage/sourceType/docs). > 1. Enter a name for your application and select **Register**. > 1. Follow the instructions to download and automatically configure your new application with just one click. 
> @@ -46,10 +46,10 @@ In this quickstart, you'll learn how to write a Windows desktop .NET (WPF) appli > #### Step 1: Register your application > To register your application and add the app's registration information to your solution manually, follow these steps: > -> 1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account or a personal Microsoft account. +> 1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account. > 1. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant. -> 1. In the left-hand navigation pane, select the **Azure Active Directory** service, and then select **App registrations (Preview)** > **New registration**. -> 1. When the **Register an application** page appears, enter your application's registration information: +> 1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page. +> 1. Select **New registration**. > - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `Win-App-calling-MsGraph`. > - In the **Supported account types** section, select **Accounts in any organizational directory and personal Microsoft accounts (for example, Skype, Xbox, Outlook.com)**. > - Select **Register** to create the application. @@ -68,7 +68,7 @@ In this quickstart, you'll learn how to write a Windows desktop .NET (WPF) appli #### Step 2: Download your Visual Studio project -[Download the Visual Studio 2017 project](https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2/archive/master.zip) +[Download the Visual Studio 2017 project](https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2/archive/msal3x.zip) #### Step 3: Configure your Visual Studio project 
@@ -96,10 +96,10 @@ In this quickstart, you'll learn how to write a Windows desktop .NET (WPF) appli ### MSAL.NET -MSAL ([Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)) is the library used to sign in users and request tokens used to access an API protected by Microsoft Azure Active Directory (Azure AD). You can install MSAL by running the following command in Visual Studio's **Package Manager Console**: +MSAL ([Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)) is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. You can install MSAL by running the following command in Visual Studio's **Package Manager Console**: ```powershell -Install-Package Microsoft.Identity.Client +Install-Package Microsoft.Identity.Client -IncludePrerelease ``` ### MSAL initialization @@ -113,7 +113,10 @@ using Microsoft.Identity.Client; Then, initialize MSAL using the following code: ```csharp -public static PublicClientApplication PublicClientApp = new PublicClientApplication(ClientId); +public static IPublicClientApplication PublicClientApp; +PublicClientApplicationBuilder.Create(ClientId) + .WithAuthority(AzureCloudInstance.AzurePublic, Tenant) + .Build(); ``` > |Where: || 
@@ -122,11 +125,11 @@ public static PublicClientApplication PublicClientApp = new PublicClientApplicat ### Requesting tokens -MSAL has two methods for acquiring tokens: `AcquireTokenAsync` and `AcquireTokenSilentAsync`. +MSAL has two methods for acquiring tokens: `AcquireTokenInteractive` and `AcquireTokenSilent`. #### Get a user token interactively -Some situations require forcing users interact with the Azure AD v2.0 endpoint through a popup window to either validate their credentials or to give consent. Some examples include: +Some situations require forcing users interact with the Microsoft identity platform endpoint through a popup window to either validate their credentials or to give consent. Some examples include: - The first time users sign in to the application - When users may need to reenter their credentials because the password has expired @@ -134,7 +137,8 @@ Some situations require forcing users interact with the Azure AD v2.0 endpoint t - When two factor authentication is required ```csharp -authResult = await App.PublicClientApp.AcquireTokenAsync(_scopes); +authResult = await App.PublicClientApp.AcquireTokenInteractive(_scopes) + .ExecuteAsync(); ``` > |Where:|| 
@@ -143,17 +147,19 @@ authResult = await App.PublicClientApp.AcquireTokenAsync(_scopes); #### Get a user token silently -You don't want to require the user to validate their credentials every time they need to access a resource. Most of the time you want token acquisitions and renewal without any user interaction. You can use the `AcquireTokenSilentAsync` method to obtain tokens to access protected resources after the initial `AcquireTokenAsync` method: +You don't want to require the user to validate their credentials every time they need to access a resource. Most of the time you want token acquisitions and renewal without any user interaction. You can use the `AcquireTokenSilentAsync` method to obtain tokens to access protected resources after the initial `AcquireTokenInteractive` method: ```csharp var accounts = await App.PublicClientApp.GetAccountsAsync(); -authResult = await App.PublicClientApp.AcquireTokenSilentAsync(scopes, accounts.FirstOrDefault()); +var firstAccount = accounts.FirstOrDefault(); +authResult = await App.PublicClientApp.AcquireTokenSilent(scopes, firstAccount) + .ExecuteAsync(); ``` > |Where: || > |---------|---------| > | `scopes` | Contains the scopes being requested, such as `{ "user.read" }` for Microsoft Graph or `{ "api:///access_as_user" }` for custom Web APIs. | -> | `accounts.FirstOrDefault()` | Specifies the first user in the cache (MSAL support multiple users in a single app). | +> | `firstAccount` | Specifies the first user in the cache (MSAL support multiple users in a single app). | [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)] diff --git a/articles/active-directory/develop/reference-aadsts-error-codes.md b/articles/active-directory/develop/reference-aadsts-error-codes.md index 3f6b16c9f0de2..c3ef69c6f5d56 100644 --- a/articles/active-directory/develop/reference-aadsts-error-codes.md +++ b/articles/active-directory/develop/reference-aadsts-error-codes.md 
@@ -54,7 +54,7 @@ Looking for info about the AADSTS error codes that are returned from the Azure A | AADSTS50007 | PartnerEncryptionCertificateMissing - The partner encryption certificate was not found for this app. [Open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) with Microsoft to get this fixed. | | AADSTS50008 | InvalidSamlToken - SAML assertion is missing or misconfigured in the token. Contact your federation provider. | | AADSTS50010 | AudienceUriValidationFailed - Audience URI validation for the app failed since no token audiences were configured. | -| AADSTS50011 | InvalidReplyTo - The reply address is missing, misconfigured, or does not match reply addresses configured for the app. Try out the resolution listed at [https://docs.microsoft.com/azure/active-directory/application-sign-in-problem-federated-sso-gallery#the-reply-address-does-not-match-the-reply-addresses-configured-for-the-application](https://docs.microsoft.com/azure/active-directory/application-sign-in-problem-federated-sso-gallery#the-reply-address-does-not-match-the-reply-addresses-configured-for-the-application). If you still see issues, contact the app owner or app admin. | +| AADSTS50011 | InvalidReplyTo - The reply address is missing, misconfigured, or does not match reply addresses configured for the app. As a resolution ensure to add this missing reply address to the Azure Active Directory application or have someone with the permissions to manage your application in Active Directory do this for you.| | AADSTS50012 | AuthenticationFailed - Authentication failed for one of the following reasons:
  • The subject name of the signing certificate is not authorized
  • A matching trusted authority policy was not found for the authorized subject name
  • The certificate chain is not valid
  • The signing certificate is not valid
  • Policy is not configured on the tenant
  • Thumbprint of the signing certificate is not authorized
  • Client assertion contains an invalid signature
| | AADSTS50013 | InvalidAssertion - Assertion is invalid because of various reasons - The token issuer doesn't match the api version within its valid time range -expired -malformed - Refresh token in the assertion is not a primary refresh token. | | AADSTS50014 | GuestUserInPendingState - The user's redemption is in a pending state. The guest user account is not fully created yet. | diff --git a/articles/active-directory/develop/reference-app-manifest.md b/articles/active-directory/develop/reference-app-manifest.md index 8fca79bf24d7a..5886f34adcaf7 100644 --- a/articles/active-directory/develop/reference-app-manifest.md +++ b/articles/active-directory/develop/reference-app-manifest.md @@ -45,7 +45,7 @@ To configure the application manifest: | Key | Value type | Description | Example value | |---------|---------|---------|---------| -| `accessTokenAcceptedVersion` | Nullable Int32 | Specifies the access token version expected by the resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token.

The endpoint used, v1.0 or v2.0, is chosen by the client and only impacts the version of id_tokens. Resources need to explicitly configure `accesstokenAcceptedVersion` to indicate the supported access token format.

Possible values for `accesstokenAcceptedVersion` are 1, 2, or null. If the value is null, this defaults to 1, which corresponds to the v1.0 endpoint. | `2` | +| `accessTokenAcceptedVersion` | Nullable Int32 | Specifies the access token version expected by the resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token.

The endpoint used, v1.0 or v2.0, is chosen by the client and only impacts the version of id_tokens. Resources need to explicitly configure `accesstokenAcceptedVersion` to indicate the supported access token format.

Possible values for `accesstokenAcceptedVersion` are 1, 2, or null. If the value is null, this defaults to 1, which corresponds to the v1.0 endpoint.

If `signInAudience` is `AzureADandPersonalMicrosoftAccount`, the value must be `2` | `2` | | `allowPublicClient` | boolean | Specifies the fallback application type. Azure AD infers the application type from the replyUrlsWithType by default. There are certain scenarios where Azure AD cannot determine the client app type (e.g. [ROPC](https://tools.ietf.org/html/rfc6749#section-4.3) flow where HTTP request happens without a URL redirection). In those cases Azure AD will interpret the application type based on the value of this property. If this value is set to true the fallback application type is set as public client, such as an installed app running on a mobile device. The default value is false which means the fallback application type is confidential client such as web app. | `false` | | `appId` | Identifier string | Specifies the unique identifier for the app that is assigned to an app by Azure AD. | `"601790de-b632-4f57-9523-ee7cb6ceba95"` | | `appRoles` | Type of array | Specifies the collection of roles that an app may declare. These roles can be assigned to users, groups, or service principals. For more examples and info, see [Add app roles in your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md) | [
  {
   "allowedMemberTypes": [
    "User"
   ],
   "description":"Read-only access to device information",
   "displayName":"Read Only",
   "id":guid,
   "isEnabled":true,
   "value":"ReadOnly"
  }
]
| diff --git a/articles/active-directory/develop/registration-config-change-token-lifetime-how-to.md b/articles/active-directory/develop/registration-config-change-token-lifetime-how-to.md index fbf0a41a3388e..7940f143d63a3 100644 --- a/articles/active-directory/develop/registration-config-change-token-lifetime-how-to.md +++ b/articles/active-directory/develop/registration-config-change-token-lifetime-how-to.md @@ -13,16 +13,16 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: conceptual -ms.date: 09/11/2018 +ms.date: 04/08/2019 ms.author: celested - +ms.custom: seoapril2019 ms.collection: M365-identity-device-management --- # How to change the token lifetime defaults for a custom-developed application -Azure AD Premium allows app developers and tenant admins to configure the lifetime of tokens issued for non-confidential clients. Token lifetime policies are set on a tenant-wide basis or the resources being accessed. +This article shows how to use Azure AD PowerShell to set a token lifetime policy. Azure AD Premium allows app developers and tenant admins to configure the lifetime of tokens issued for non-confidential clients. Token lifetime policies are set on a tenant-wide basis or the resources being accessed. 1. To set a token lifetime policy, you need to download the [Azure AD PowerShell Module](https://www.powershellgallery.com/packages/AzureADPreview). 1. Run the **Connect-AzureAD -Confirm** command. diff --git a/articles/active-directory/develop/sample-v2-code.md b/articles/active-directory/develop/sample-v2-code.md index e78c41af6d490..60fa75921888f 100644 --- a/articles/active-directory/develop/sample-v2-code.md +++ b/articles/active-directory/develop/sample-v2-code.md 
@@ -1,6 +1,6 @@ --- -title: Azure Active Directory code samples | Microsoft Docs -description: Provides an index of available Azure Active Directory (V2 endpoint) code samples, organized by scenario. +title: Microsoft identity platform code samples | Microsoft Docs +description: Provides an index of available Microsoft identity platform (V2 endpoint) code samples, organized by scenario. services: active-directory documentationcenter: dev-center-name author: CelesteDG @@ -21,7 +21,7 @@ ms.custom: aaddev ms.collection: M365-identity-device-management --- -# Azure Active Directory code samples (v2.0 endpoint) +# Microsoft identity platform code samples (v2.0 endpoint) [!INCLUDE [active-directory-develop-applies-v2-msal](../../../includes/active-directory-develop-applies-v2-msal.md)] 
@@ -30,78 +30,77 @@ You can use Microsoft identity platform to: - Add authentication and authorization to your web applications and web APIs. - Require an access token to access a protected web API. -This article briefly describes and provides you with links to samples for the Azure AD v2.0 endpoint. These samples show you how it's done, along with code snippets that you can use in your applications. On the code sample page, you'll find detailed readme topics that help with requirements, installation, and set up. Comments within the code are there to help you understand the critical sections. +This article briefly describes and provides you with links to samples for the Microsoft identity platform endpoint. These samples show you how it's done, along with code snippets that you can use in your applications. On the code sample page, you'll find detailed readme topics that help with requirements, installation, and set up. Comments within the code are there to help you understand the critical sections. > [!NOTE] > If you are interested in v1.0 samples, see [Azure AD code samples (v1.0 endpoint)](sample-v1-code.md). -To understand the basic scenario for each sample type, see [App types for the Azure Active Directory v2.0 endpoint](v2-app-types.md). +To understand the basic scenario for each sample type, see [App types for the Microsoft identity platform endpoint](v2-app-types.md). You can also contribute to the samples on GitHub. To learn how, see [Microsoft Azure Active Directory samples and documentation](https://github.com/Azure-Samples?page=3&query=active-directory). ## Single-page applications (SPA) -These samples show how to write a single-page application secured with Azure AD. These samples use one of the flavors of MSAL.js: +These samples show how to write a single-page application secured with Microsoft identity platform. 
These samples use one of the flavors of MSAL.js: * [Microsoft Authentication Library for JavaScript](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-core) * [Microsoft Authentication Library for Angular](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) * [Microsoft Authentication Library for AngularJS](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angularjs) - Platform | Calls Microsoft Graph - -------- | --------------------- - ![JavaScript](media/sample-v2-code/logo_js.png) JavaScript (msal.js) | [javascript-graphapi-web-v2](https://github.com/Azure-Samples/active-directory-javascript-graphapi-web-v2) - ![Angular JS](media/sample-v2-code/logo_angular.png) JavaScript (MSAL AngularJS) | [MsalAngularjsDemoApp](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angularjs/samples/MsalAngularjsDemoApp) - ![Angular](media/sample-v2-code/logo_angular.png) JavaScript (MSAL Angular) | [MSALAngularDemoApp](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular/samples/MSALAngularDemoApp) +| Platform | Calls Microsoft Graph | +| -------- | --------------------- | +| ![JavaScript](media/sample-v2-code/logo_js.png) JavaScript (msal.js) | [javascript-graphapi-web-v2](https://github.com/Azure-Samples/active-directory-javascript-graphapi-web-v2) | +| ![Angular JS](media/sample-v2-code/logo_angular.png) JavaScript (MSAL AngularJS) | [MsalAngularjsDemoApp](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angularjs/samples/MsalAngularjsDemoApp) +| ![Angular](media/sample-v2-code/logo_angular.png) JavaScript (MSAL Angular) | [MSALAngularDemoApp](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular/samples/MSALAngularDemoApp) | ## Web applications The following samples illustrate web applications that sign in users. 
Some samples also demonstrate the application calling Microsoft Graph, or your own web API with the user's identity. - Platform | Only signs in users | Signs in users and calls Microsoft Graph - -------- | ------------------- | --------------------------------- -![ASP.NET Core](media/sample-v2-code/logo_NETcore.png)

ASP.NET Core 2.1 | [ASP.NET Core WebApp signs-in users tutorial](https://aka.ms/aspnetcore-webapp-sign-in) | Same sample in the [ASP.NET Core Web App calls Microsoft Graph](https://aka.ms/aspnetcore-webapp-call-msgraph) phase -![ASP.NET](media/sample-v2-code/logo_NETframework.png)

ASP.NET | [ASP.NET Quickstart](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet)

[dotnet-webapp-openidconnect-v2](https://github.com/azure-samples/active-directory-dotnet-webapp-openidconnect-v2) | [dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2)

[msgraph-training-aspnetmvcapp](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp) -![Node.js](media/sample-v2-code/logo_nodejs.png) | | [Node.js Quickstart](https://github.com/azureadquickstarts/appmodelv2-webapp-openidconnect-nodejs) -![Ruby](media/sample-v2-code/logo_ruby.png) | | [msgraph-training-rubyrailsapp](https://github.com/microsoftgraph/msgraph-training-rubyrailsapp) +| Platform | Only signs in users | Signs in users and calls Microsoft Graph | +| -------- | ------------------- | --------------------------------- | +| ![ASP.NET Core](media/sample-v2-code/logo_NETcore.png)

ASP.NET Core 2.1 | [ASP.NET Core WebApp signs-in users tutorial](https://aka.ms/aspnetcore-webapp-sign-in) | Same sample in the [ASP.NET Core Web App calls Microsoft Graph](https://aka.ms/aspnetcore-webapp-call-msgraph) phase | +| ![ASP.NET](media/sample-v2-code/logo_NETframework.png)

ASP.NET | [ASP.NET Quickstart](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet)

[dotnet-webapp-openidconnect-v2](https://github.com/azure-samples/active-directory-dotnet-webapp-openidconnect-v2) | [dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2)

|[msgraph-training-aspnetmvcapp](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp) +| ![Node.js](media/sample-v2-code/logo_nodejs.png) | | [Node.js Quickstart](https://github.com/azureadquickstarts/appmodelv2-webapp-openidconnect-nodejs) | +| ![Ruby](media/sample-v2-code/logo_ruby.png) | | [msgraph-training-rubyrailsapp](https://github.com/microsoftgraph/msgraph-training-rubyrailsapp) | ## Desktop and mobile public client apps The following samples show public client applications (desktop/mobile applications) that access the Microsoft Graph API or your own Web API in the name of a user. All these client applications use Microsoft Authentication Libraries (MSAL). -Client application | Platform | Flow/Grant | Calls Microsoft Graph | Calls an ASP.NET Core 2.0 Web API ------------------- | -------- | ----------| ---------- | ------------------------- -Desktop (WPF) | ![.NET/C#](media/sample-v2-code/logo_NET.png) | interactive | [dotnet-desktop-msgraph-v2](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | [dotnet-native-aspnetcore-v2](https://aka.ms/msidentity-aspnetcore-webapi) -Desktop (Console) | ![.NET/C# (Desktop)](media/sample-v2-code/logo_NET.png) | Integrated Windows Authentication |[dotnet-iwa-v2](https://github.com/azure-samples/active-directory-dotnet-iwa-v2) -Desktop (Console) | ![.NET/C# (Desktop)](media/sample-v2-code/logo_NETcore.png) | Username/Password |[dotnetcore-up-v2](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2) -Mobile (UWP) | ![.NET/C# (UWP)](media/sample-v2-code/logo_windows.png) | interactive |[dotnet-native-uwp-v2](https://github.com/azure-samples/active-directory-dotnet-native-uwp-v2) | -Mobile (Android, iOS, UWP) | ![.NET/C# (Xamarin)](media/sample-v2-code/logo_xamarin.png) | interactive |[xamarin-native-v2](https://github.com/azure-samples/active-directory-xamarin-native-v2) | -Mobile (iOS) | ![iOS / Objective C or swift](media/sample-v2-code/logo_iOS.png) | 
interactive |[ios-swift-native-v2](https://github.com/azure-samples/active-directory-ios-swift-native-v2)

[ios-native-nxoauth2-v2](https://github.com/azure-samples/active-directory-ios-native-nxoauth2-v2) | -Mobile (Android) | ![Android / Java](media/sample-v2-code/logo_Android.png) | interactive | [android-native-v2](https://github.com/azure-samples/active-directory-android-native-v2 ) | +| Client application | Platform | Flow/Grant | Calls Microsoft Graph | Calls an ASP.NET Core 2.0 Web API | +| ------------------ | -------- | ----------| ---------- | ------------------------- | +| Desktop (WPF) | ![.NET/C#](media/sample-v2-code/logo_NET.png) | interactive | [dotnet-desktop-msgraph-v2](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | [dotnet-native-aspnetcore-v2](https://aka.ms/msidentity-aspnetcore-webapi) | +| Desktop (Console) | ![.NET/C# (Desktop)](media/sample-v2-code/logo_NET.png) | Integrated Windows Authentication | [dotnet-iwa-v2](https://github.com/azure-samples/active-directory-dotnet-iwa-v2) | | +| Desktop (Console) | ![.NET/C# (Desktop)](media/sample-v2-code/logo_NETcore.png) | Username/Password |[dotnetcore-up-v2](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2) | | +| Mobile (Android, iOS, UWP) | ![.NET/C# (Xamarin)](media/sample-v2-code/logo_xamarin.png) | interactive |[xamarin-native-v2](https://github.com/azure-samples/active-directory-xamarin-native-v2) | | +| Mobile (iOS) | ![iOS / Objective C or swift](media/sample-v2-code/logo_iOS.png) | interactive |[ios-swift-native-v2](https://github.com/azure-samples/active-directory-ios-swift-native-v2)

[ios-native-nxoauth2-v2](https://github.com/azure-samples/active-directory-ios-native-nxoauth2-v2) | | +| Mobile (Android) | ![Android / Java](media/sample-v2-code/logo_Android.png) | interactive | [android-native-v2](https://github.com/azure-samples/active-directory-android-native-v2 ) | | ## Daemon applications The following samples show an application that accesses the Microsoft Graph API with its own identity (with no user). -Client application | Platform | Flow/Grant | Calls Microsoft Graph ------------------- | -------- | ---------- | -------------------- -Console | ![.NET Core](media/sample-v2-code/logo_NETcore.png)

ASP.NET | Client Credentials | [dotnetcore-daemon-v2](https://github.com/azure-samples/active-directory-dotnetcore-daemon-v2) -Web app | ![ASP.NET](media/sample-v2-code/logo_NETframework.png)

ASP.NET | Client Credentials | [dotnet-daemon-v2](https://github.com/azure-samples/active-directory-dotnet-daemon-v2) +| Client application | Platform | Flow/Grant | Calls Microsoft Graph | +| ------------------ | -------- | ---------- | -------------------- | +| Console | ![.NET Core](media/sample-v2-code/logo_NETcore.png)

ASP.NET | Client Credentials | [dotnetcore-daemon-v2](https://github.com/azure-samples/active-directory-dotnetcore-daemon-v2) | +| Web app | ![ASP.NET](media/sample-v2-code/logo_NETframework.png)

ASP.NET | Client Credentials | [dotnet-daemon-v2](https://github.com/azure-samples/active-directory-dotnet-daemon-v2) | ## Headless applications The following sample shows a public client application running on a device without a web browser. The app can be a command-line tool, or running on Linux/Mac, or an IoT application. The sample features an app accessing the Microsoft Graph API in the name of a user who signs-in interactively on another device (such as a mobile phone). This client application uses MicroSoft Authentication Libraries (MSAL). -Client application | Platform | Flow/Grant | Calls Microsoft Graph ------------------- | -------- | ----------| ---------- -Desktop (Console) | ![.NET/C# (Desktop)](media/sample-v2-code/logo_NETcore.png) | Device code flow |[dotnetcore-devicecodeflow-v2](https://github.com/azure-samples/active-directory-dotnetcore-devicecodeflow-v2) +| Client application | Platform | Flow/Grant | Calls Microsoft Graph | +| ------------------ | -------- | ----------| ---------- | +| Desktop (Console) | ![.NET/C# (Desktop)](media/sample-v2-code/logo_NETcore.png) | Device code flow |[dotnetcore-devicecodeflow-v2](https://github.com/azure-samples/active-directory-dotnetcore-devicecodeflow-v2) | ## Web APIs -The following sample shows how to protect a web API with the Azure AD v2.0 endpoint. This API is exercised by a WPF application, but it can be called by any application. The web API also calls Microsoft Graph. +The following sample shows how to protect a web API with the Microsoft identity platform endpoint. This API is exercised by a WPF application, but it can be called by any application. The web API also calls Microsoft Graph. 
-Platform | Sample - -------- | ------------------- -![.NET/C#](media/sample-v2-code/logo_NET.png) | WebAPI (service) of [dotnet-native-aspnetcore-v2](https://aka.ms/msidentity-aspnetcore-webapi-calls-msgraph) +| Platform | Sample | +| -------- | ------------------- | +| ![.NET/C#](media/sample-v2-code/logo_NET.png) | WebAPI (service) of [dotnet-native-aspnetcore-v2](https://aka.ms/msidentity-aspnetcore-webapi-calls-msgraph) | ## Other Microsoft Graph samples @@ -109,8 +108,6 @@ To learn about [samples](https://github.com/microsoftgraph/msgraph-community-sam ## See also -[Azure Active Directory developer's guide](v1-overview.md) - -[Azure AD Graph API conceptual and reference](https://msdn.microsoft.com/library/azure/hh974476.aspx) - -[Azure AD Graph API Helper Library](https://www.nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient) +- [Azure Active Directory (v1.0) developer's guide](v1-overview.md) +- [Azure AD Graph API conceptual and reference](https://msdn.microsoft.com/library/azure/hh974476.aspx) +- [Azure AD Graph API Helper Library](https://www.nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient) diff --git a/articles/active-directory/develop/setup-multi-tenant-app.md b/articles/active-directory/develop/setup-multi-tenant-app.md index e7c07a619273b..81d02741e2788 100644 --- a/articles/active-directory/develop/setup-multi-tenant-app.md +++ b/articles/active-directory/develop/setup-multi-tenant-app.md 
@@ -24,7 +24,7 @@ ms.collection: M365-identity-device-management Here is a list of recommended topics to learn more about multi-tenant applications: - Get a general understanding of [what it means to be a multi-tenant application](https://docs.microsoft.com/azure/active-directory/develop/active-directory-dev-glossary#multi-tenant-application) -- Get a general understanding of [how to configure an application to be multi-tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-integrating-applications) +- Get a general understanding of [how to configure an application to be multi-tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant) - Get a step-by-step overview of [how the Azure AD consent framework is used to implement consent](https://docs.microsoft.com/azure/active-directory/develop/active-directory-integrating-applications), which is required for multi-tenant applications - For more depth, learn [how a multi-tenant application is configured and coded end-to-end](https://docs.microsoft.com/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview), including how to register, use the "common" endpoint, implement "user" and "admin" consent, how to implement more advanced multi-tier scenarios diff --git a/articles/active-directory/develop/tutorial-v2-asp-webapp.md b/articles/active-directory/develop/tutorial-v2-asp-webapp.md index 53e64e7d52bfe..36d4466eadba1 100644 --- a/articles/active-directory/develop/tutorial-v2-asp-webapp.md +++ b/articles/active-directory/develop/tutorial-v2-asp-webapp.md @@ -13,7 +13,7 @@ ms.devlang: na ms.topic: tutorial ms.tgt_pltfrm: na ms.workload: identity -ms.date: 03/20/2019 +ms.date: 04/11/2019 ms.author: jmprieur ms.custom: aaddev ms.collection: M365-identity-device-management 
@@ -24,3 +24,14 @@ ms.collection: M365-identity-device-management
 [!INCLUDE [3. Use](../../../includes/active-directory-develop-guidedsetup-aspnetwebapp-use.md)]
 [!INCLUDE [4. Configure](../../../includes/active-directory-develop-guidedsetup-aspnetwebapp-configure.md)]
 [!INCLUDE [5. Test and Validate](../../../includes/active-directory-develop-guidedsetup-aspnetwebapp-test.md)]
+
+## Next steps
+
+Learn about Web apps calling web APIs:.
+
+### Learn the steps to create the application used in this quickstart
+
+> [!div class="nextstepaction"]
+> [Web apps calling Web APIs]( https://aka.ms/msal-net-authorization-code)
+
+[!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
\ No newline at end of file
diff --git a/articles/active-directory/develop/tutorial-v2-windows-desktop.md b/articles/active-directory/develop/tutorial-v2-windows-desktop.md
index eca112e021650..48f14e3810923 100644
--- a/articles/active-directory/develop/tutorial-v2-windows-desktop.md
+++ b/articles/active-directory/develop/tutorial-v2-windows-desktop.md
@@ -1,6 +1,6 @@
 ---
-title: Get started with Azure Active Directory v2.0 Windows desktop | Microsoft Docs
-description: How a Windows Desktop .NET (XAML) application can get an access token and call an API protected by an Azure Active Directory v2.0 endpoint.
+title: Get started with Microsoft identity platform Windows desktop | Microsoft Docs
+description: How a Windows Desktop .NET (XAML) application can get an access token and call an API protected by the Microsoft identity platform.
 services: active-directory
 documentationcenter: dev-center-name
 author: jmprieur
@@ -13,7 +13,7 @@ ms.devlang: na
 ms.topic: tutorial
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 03/20/2019
+ms.date: 04/10/2019
 ms.author: jmprieur
 ms.custom: aaddev
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/develop/tutorial-v2-windows-uwp.md b/articles/active-directory/develop/tutorial-v2-windows-uwp.md
index a77abf45393fd..986e11fddeabc 100644
--- a/articles/active-directory/develop/tutorial-v2-windows-uwp.md
+++ b/articles/active-directory/develop/tutorial-v2-windows-uwp.md
@@ -1,6 +1,6 @@
 ---
-title: Azure AD v2.0 UWP getting started | Microsoft Docs
-description: How Universal Windows Platform applications (UWP) can call an API that requires access tokens by the Azure Active Directory v2.0 endpoint
+title: Microsoft identity platform UWP getting started | Azure
+description: How Universal Windows Platform applications (UWP) can call an API that requires access tokens by the Microsoft identity platform endpoint.
 services: active-directory
 documentationcenter: dev-center-name
 author: jmprieur
@@ -13,7 +13,7 @@ ms.devlang: na
 ms.topic: tutorial
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 03/20/2019
+ms.date: 04/11/2019
 ms.author: jmprieur
 ms.custom: aaddev
 ms.collection: M365-identity-device-management
@@ -24,18 +24,18 @@ ms.collection: M365-identity-device-management > [!div renderon="docs"] > [!INCLUDE [active-directory-develop-applies-v2-msal](../../../includes/active-directory-develop-applies-v2-msal.md)] -This guide explains how a native Universal Windows Platform (UWP) application can request an access token and then call Microsoft Graph API. The guide also applies to other APIs that require access tokens from the Azure Active Directory v2.0 endpoint. +This guide explains how a native Universal Windows Platform (UWP) application can request an access token and then call Microsoft Graph API. The guide also applies to other APIs that require access tokens from the Microsoft identity platform endpoint. -At the end of this guide, your application calls a protected API by using personal accounts. Examples are outlook.com, live.com, and others. Your application also calls work and school accounts from any company or organization that has Azure Active Directory. +At the end of this guide, your application calls a protected API by using personal accounts. Examples are outlook.com, live.com, and others. Your application also calls work and school accounts from any company or organization that has Azure Active Directory (Azure AD). >[!NOTE] > This guide requires Visual Studio 2017 with Universal Windows Platform development installed. See [Get set up](https://docs.microsoft.com/windows/uwp/get-started/get-set-up) for instructions to download and configure Visual Studio to develop Universal Windows Platform apps. ## How this guide works -![Shows how the sample app generated by this tutorial works](./media/tutorial-v2-windows-uwp/uwp-intro-updated.png) +![Shows how the sample app generated by this tutorial works](./media/tutorial-v2-windows-uwp/uwp-intro.svg) -This guide creates a sample UWP application that queries Microsoft Graph API or a Web API that accepts tokens from the Azure Active Directory v2.0 endpoint. 
For this scenario, a token is added to HTTP requests via the Authorization header. Microsoft Authentication Library (MSAL) handles token acquisitions and renewals. +This guide creates a sample UWP application that queries Microsoft Graph API or a Web API that accepts tokens from the Microsoft identity platform endpoint. For this scenario, a token is added to HTTP requests via the Authorization header. Microsoft Authentication Library (MSAL) handles token acquisitions and renewals. ## NuGet packages @@ -52,8 +52,7 @@ This section provides step-by-step instructions to integrate a Windows Desktop . This guide creates an application that displays a button that queries Graph API, a sign-out button, and text boxes that display the results of the calls. > [!NOTE] -> Do you want to download this sample's Visual Studio project instead? [Download a project](https://github.com/Azure-Samples/active-directory-dotnet-native-uwp-v2/archive/master.zip) and skip to the [application registration](#register-your-application "application registration step") step to configure the code sample before it runs. - +> Do you want to download this sample's Visual Studio project instead? [Download a project](https://github.com/Azure-Samples/active-directory-dotnet-native-uwp-v2/archive/msal3x.zip) and skip to the [application registration](#register-your-application "application registration step") step to configure the code sample before it runs. ### Create your application 
@@ -70,30 +69,11 @@ This guide creates an application that displays a button that queries Graph API, 2. Copy and paste the following command in the **Package Manager Console** window: ```powershell - Install-Package Microsoft.Identity.Client + Install-Package Microsoft.Identity.Client -IncludePrerelease ``` > [!NOTE] -> This command installs [Microsoft Authentication Library](https://aka.ms/msal-net). MSAL acquires, caches, and refreshes user tokens that access APIs protected by Azure Active Directory v2.0. - -## Initialize MSAL -This step helps you create a class to handle interaction with MSAL, such as handling tokens. - -1. Open the **App.xaml.cs** file and add the reference for MSAL to the class: - - ```csharp - using Microsoft.Identity.Client; - ``` - -2. Add the following two lines to the app's class (inside sealed partial class App : Application block): - - ```csharp - // Below is the clientId of your app registration. - // You have to replace the below with the Application Id for your app registration - private static string ClientId = "your_client_id_here"; - - public static PublicClientApplication PublicClientApp = new PublicClientApplication(ClientId); - ``` +> This command installs [Microsoft Authentication Library](https://aka.ms/msal-net). MSAL acquires, caches, and refreshes user tokens that access APIs protected by Microsoft identity platform. ## Create your application’s UI 
@@ -125,83 +105,118 @@ This section shows how to use MSAL to get a token for Microsoft Graph API. ```csharp using Microsoft.Identity.Client; ``` + 2. Replace the code of your MainPage class with the following code: ```csharp public sealed partial class MainPage : Page { - // Set the API Endpoint to Graph 'me' endpoint + //Set the API Endpoint to Graph 'me' endpoint string graphAPIEndpoint = "https://graph.microsoft.com/v1.0/me"; - - // Set the scope for API call to user.read + + //Set the scope for API call to user.read string[] scopes = new string[] { "user.read" }; - + + // Below are the clientId (Application Id) of your app registration and the tenant information. + // You have to replace: + // - the content of ClientID with the Application Id for your app registration + // - Te content of Tenant by the information about the accounts allowed to sign-in in your application: + // - For Work or School account in your org, use your tenant ID, or domain + // - for any Work or School accounts, use organizations + // - for any Work or School accounts, or Microsoft personal account, use common + // - for Microsoft Personal account, use consumers + private const string ClientId = "0b8b0665-bc13-4fdc-bd72-e0227b9fc011"; + + public IPublicClientApplication PublicClientApp { get; } + public MainPage() { - this.InitializeComponent(); + this.InitializeComponent(); + + PublicClientApp = PublicClientApplicationBuilder.Create(ClientId) + .WithAuthority(AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount) + .WithLogging((level, message, containsPii) => + { + Debug.WriteLine($"MSAL: {level} {message} "); + }, LogLevel.Warning, enablePiiLogging:false,enableDefaultPlatformLogging:true) + .WithUseCorporateNetwork(true) + .Build(); } - + /// /// Call AcquireTokenAsync - to acquire a token requiring user to sign-in /// private async void CallGraphButton_Click(object sender, RoutedEventArgs e) { - AuthenticationResult authResult = null; - ResultText.Text = string.Empty; - 
TokenInfoText.Text = string.Empty; - - try - { - var accounts = await App.PublicClientApp.GetAccountsAsync(); - authResult = await App.PublicClientApp.AcquireTokenSilentAsync(scopes, accounts.FirstOrDefault()); - } - catch (MsalUiRequiredException ex) - { - // A MsalUiRequiredException happened on AcquireTokenSilentAsync. This indicates you need to call AcquireTokenAsync to acquire a token - System.Diagnostics.Debug.WriteLine($"MsalUiRequiredException: {ex.Message}"); - - try - { - authResult = await App.PublicClientApp.AcquireTokenAsync(scopes); - } - catch (MsalException msalex) - { - ResultText.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}"; - } - } - catch (Exception ex) - { - ResultText.Text = $"Error Acquiring Token Silently:{System.Environment.NewLine}{ex}"; - return; - } - - if (authResult != null) - { - ResultText.Text = await GetHttpContentWithToken(graphAPIEndpoint, authResult.AccessToken); - DisplayBasicTokenInfo(authResult); - this.SignOutButton.Visibility = Visibility.Visible; - } + AuthenticationResult authResult = null; + ResultText.Text = string.Empty; + TokenInfoText.Text = string.Empty; + + // It's good practice to not do work on the UI thread, so use ConfigureAwait(false) whenever possible. + IEnumerable accounts = await PublicClientApp.GetAccountsAsync().ConfigureAwait(false); + IAccount firstAccount = accounts.FirstOrDefault(); + + try + { + authResult = await PublicClientApp.AcquireTokenSilent(scopes, firstAccount) + .ExecuteAsync(); + } + catch (MsalUiRequiredException ex) + { + // A MsalUiRequiredException happened on AcquireTokenSilent. 
+ // This indicates you need to call AcquireTokenInteractive to acquire a token + System.Diagnostics.Debug.WriteLine($"MsalUiRequiredException: {ex.Message}"); + + try + { + authResult = await PublicClientApp.AcquireTokenInteractive(scopes) + .ExecuteAsync() + .ConfigureAwait(false); + } + catch (MsalException msalex) + { + await DisplayMessageAsync($"Error Acquiring Token:{System.Environment.NewLine}{msalex}"); + } + } + catch (Exception ex) + { + await DisplayMessageAsync($"Error Acquiring Token Silently:{System.Environment.NewLine}{ex}"); + return; + } + + if (authResult != null) + { + var content = await GetHttpContentWithToken(graphAPIEndpoint, + authResult.AccessToken).ConfigureAwait(false); + + // Go back to the UI thread to make changes to the UI + await Dispatcher.RunAsync(Windows.UI.Core.CoreDispatcherPriority.Normal, () => + { + ResultText.Text = content; + DisplayBasicTokenInfo(authResult); + this.SignOutButton.Visibility = Visibility.Visible; + }); + } } - } ``` ### More information #### Get a user token interactively -A call to the `AcquireTokenAsync` method results in a window that prompts users to sign in. Applications usually require users to sign in interactively the first time they need to access a protected resource. They might also need to sign in when a silent operation to acquire a token fails. An example is when a user’s password is expired. +A call to the `AcquireTokenInteractive` method results in a window that prompts users to sign in. Applications usually require users to sign in interactively the first time they need to access a protected resource. They might also need to sign in when a silent operation to acquire a token fails. An example is when a user’s password is expired. #### Get a user token silently -The `AcquireTokenSilentAsync` method handles token acquisitions and renewals without any user interaction. 
After `AcquireTokenAsync` is executed for the first time and the user is prompted for credentials, the `AcquireTokenSilentAsync` method should be used to request tokens for subsequent calls because it acquire tokens silently. MSAL will handle token cache and renewal. +The `AcquireTokenSilent` method handles token acquisitions and renewals without any user interaction. After `AcquireTokenInteractive` is executed for the first time and the user is prompted for credentials, the `AcquireTokenSilent` method should be used to request tokens for subsequent calls because it acquires tokens silently. MSAL will handle token cache and renewal. -Eventually, the `AcquireTokenSilentAsync` method fails. Reasons for failure might be that users have either signed out or changed their password on another device. When MSAL detects that the issue can be resolved by requiring an interactive action, it fires an `MsalUiRequiredException` exception. Your application can handle this exception in two ways: +Eventually, the `AcquireTokenSilent` method fails. Reasons for failure might be that users have either signed out or changed their password on another device. When MSAL detects that the issue can be resolved by requiring an interactive action, it fires an `MsalUiRequiredException` exception. Your application can handle this exception in two ways: -* It can make a call against `AcquireTokenAsync` immediately. This call results in prompting the user to sign in. Normally, this pattern is used in online applications where there's no available offline content for the user. The sample generated by this guided setup follows the pattern. You see it in action the first time you run the sample. +* It can make a call against `AcquireTokenInteractive` immediately. This call results in prompting the user to sign in. Normally, this pattern is used in online applications where there's no available offline content for the user. The sample generated by this guided setup follows the pattern. 
You see it in action the first time you run the sample. * Because no user has used the application, `accounts.FirstOrDefault()` contains a null value, and an `MsalUiRequiredException` exception is thrown. - * The code in the sample then handles the exception by calling `AcquireTokenAsync`. This call results in prompting the user to sign in. + * The code in the sample then handles the exception by calling `AcquireTokenInteractive`. This call results in prompting the user to sign in. -* Or instead, it presents a visual indication to users that an interactive sign in is required. Then they can select the right time to sign in. Or the application can retry `AcquireTokenSilentAsync` later. Frequently, this pattern is used when users can use other application functionality without disruption. An example is when offline content is available in the application. In this case, users can decide when they want to sign in to either access the protected resource or refresh the outdated information. Or else the application can decide to retry `AcquireTokenSilentAsync` when the network is restored after it was temporarily unavailable. +* Or instead, it presents a visual indication to users that an interactive sign in is required. Then they can select the right time to sign in. Or the application can retry `AcquireTokenSilent` later. Frequently, this pattern is used when users can use other application functionality without disruption. An example is when offline content is available in the application. In this case, users can decide when they want to sign in to either access the protected resource or refresh the outdated information. Or else the application can decide to retry `AcquireTokenSilent` when the network is restored after it was temporarily unavailable. ## Call Microsoft Graph API by using the token you just obtained 
@@ -222,7 +237,8 @@ Eventually, the `AcquireTokenSilentAsync` method fails. Reasons for failure migh { var request = new System.Net.Http.HttpRequestMessage(System.Net.Http.HttpMethod.Get, url); // Add the token in Authorization header - request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token); + request.Headers.Authorization = + new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token); response = await httpClient.SendAsync(request); var content = await response.Content.ReadAsStringAsync(); return content; 
@@ -247,26 +263,33 @@ In this sample application, the `GetHttpContentWithToken` method is used to make /// /// Sign out the current user /// - private void SignOutButton_Click(object sender, RoutedEventArgs e) + private async void SignOutButton_Click(object sender, RoutedEventArgs e) { - var accounts = await App.PublicClientApp.GetAccountsAsync(); - if (accounts.Any()) + IEnumerable accounts = await PublicClientApp.GetAccountsAsync + .ConfigureAwait(false); + IAccount firstAccount = accounts.FirstOrDefault(); + + try { - try + await PublicClientApp.RemoveAsync(firstAccount).ConfigureAwait(false); + await Dispatcher.RunAsync(Windows.UI.Core.CoreDispatcherPriority.Normal, () => { - App.PublicClientApp.RemoveAsync(accounts.FirstOrDefault()); - this.ResultText.Text = "User has signed-out"; + ResultText.Text = "User has signed-out"; this.CallGraphButton.Visibility = Visibility.Visible; - this.SignOutButton.Visibility = Visibility.Collapsed; + this.SignOutButton.Visibility = Visibility.Collapsed; + }); } catch (MsalException ex) { ResultText.Text = $"Error signing-out user: {ex.Message}"; } } - } ``` +> [!NOTE] +> MSAL.NET uses asynchronous methods to acquire tokens or manipulate accounts, and therefore you need to take care of doing UI-ed actions in the UI thread, hence the `Dispatcher.RunAsync`, +> and the precautions to call `ConfigureAwait(false)` + ### More information on sign-out The `SignOutButton_Click` method removes the user from the MSAL user cache. This method effectively tells MSAL to forget the current user. Then a future request to acquire a token succeeds only if it's made to be interactive. 
@@ -278,17 +301,15 @@ The application in this sample supports a single user. But MSAL supports scenari ```csharp /// - /// Display basic information contained in the token + /// Display basic information contained in the token. Needs to be called from the UI thead. /// private void DisplayBasicTokenInfo(AuthenticationResult authResult) { TokenInfoText.Text = ""; if (authResult != null) { - TokenInfoText.Text += $"Name: {authResult.User.Name}" + Environment.NewLine; - TokenInfoText.Text += $"Username: {authResult.User.DisplayableId}" + Environment.NewLine; + TokenInfoText.Text += $"User Name: {authResult.Account.Username}" + Environment.NewLine; TokenInfoText.Text += $"Token Expires: {authResult.ExpiresOn.ToLocalTime()}" + Environment.NewLine; - TokenInfoText.Text += $"Access Token: {authResult.AccessToken}" + Environment.NewLine; } } ``` 
@@ -300,19 +321,28 @@ ID tokens acquired via **OpenID Connect** also contain a small subset of informa ## Register your application Now you need to register your application in the Microsoft Application Registration Portal: -1. Go to the [Microsoft Application Registration Portal](https://apps.dev.microsoft.com/portal/register-app) to register an application. -2. Enter a name for your application. -3. Make sure that the option for **Guided Setup** is *not selected*. -4. Select **Add Platforms**, select **Native Application**, and then select **Save**. -5. Copy the GUID in **Application ID**, go back to Visual Studio, open **App.xaml.cs**, and replace `your_client_id_here` with the Application ID you just registered: - ```csharp - private static string ClientId = "your_application_id_here"; - ``` +1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account or a personal Microsoft account. +1. If your account is present in more than one Azure AD tenant, select `Directory + Subscription` at the top-right corner in the menu on top of the page, and switch your portal session to the desired Azure AD tenant. +1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page. +1. Select **New registration**. + - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `UWP-App-calling-MSGraph`. + - In the **Supported account types** section, select **Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)**. + - Select **Register** to create the application. +1. On the app **Overview** page, find the **Application (client) ID** value and record it for later. Go back to Visual Studio, open **MainPage.xaml.cs**, and replace the value of ClientId with the Application ID you just registered: +1. 
In the list of pages for the app, select **Authentication**: + - In the **Redirect URIs** | **Suggested Redirect URIs for public clients (mobile, desktop)** section, check **urn:ietf:wg:oauth:2.0:oob** +1. Select **Save**. +1. In the list of pages for the app, select **API permissions** + - Click the **Add a permission** button and then, + - Ensure that the **Microsoft API's** tab is selected + - In the *Commonly used Microsoft APIs* section, click on **Microsoft Graph** + - In the **Delegated permissions** section, ensure that the right permissions are checked: **User.Read**. Use the search box if necessary. + - Select the **Add permissions** button ## Enable integrated authentication on federated domains (optional) -To enable Windows Integrated Authentication when it's used with a federated Azure Active Directory domain, the application manifest must enable additional capabilities: +To enable Windows-Integrated Authentication when it's used with a federated Azure AD domain, the application manifest must enable additional capabilities: 1. Double-click **Package.appxmanifest**. 2. Select the **Capabilities** tab and make sure that the following settings are enabled: 
@@ -321,14 +351,8 @@ To enable Windows Integrated Authentication when it's used with a federated Azur - Private Networks (Client & Server) - Shared User Certificates -3. Open **App.xaml.cs** and add the following line in the app constructor: - - ```csharp - App.PublicClientApp.UseCorporateNetwork = true; - ``` - > [!IMPORTANT] -> [Integrated Windows Authentication](https://aka.ms/msal-net-iwa) is not configured by default for this sample. Applications that request *Enterprise Authentication* or *Shared User Certificates* capabilities require a higher level of verification by the Windows Store. Also, not all developers want to perform the higher level of verification. Enable this setting only if you need Windows Integrated Authentication with a federated Azure Active Directory domain. +> [Integrated Windows Authentication](https://aka.ms/msal-net-iwa) is not configured by default for this sample. Applications that request *Enterprise Authentication* or *Shared User Certificates* capabilities require a higher level of verification by the Windows Store. Also, not all developers want to perform the higher level of verification. Enable this setting only if you need Windows Integrated Authentication with a federated Azure AD domain. ## Test your code 
@@ -336,30 +360,28 @@ To test your application, select F5 to run your project in Visual Studio. Your m ![Application's user interface](./media/tutorial-v2-windows-uwp/testapp-ui.png) -When you're ready to test, select **Call Microsoft Graph API**. Then use a Microsoft Azure Active Directory organizational account or a Microsoft account, such as live.com or outlook.com, to sign in. If it's your first time, you see a window asking the user to sign in: +When you're ready to test, select **Call Microsoft Graph API**. Then use an Azure AD organizational account or a Microsoft account, such as live.com or outlook.com, to sign in. If it's your first time, you see a window asking the user to sign in: ![Sign-in page](./media/tutorial-v2-windows-uwp/sign-in-page.png) ### Consent + The first time you sign in to your application, you're presented with a consent screen similar to the following. Select **Yes** to explicitly consent to access: ![Access consent screen](./media/tutorial-v2-windows-uwp/consentscreen.png) + ### Expected results + You see user profile information returned by the Microsoft Graph API call on the **API Call Results** screen: ![API Call Results screen](./media/tutorial-v2-windows-uwp/uwp-results-screen.PNG) -You also see basic information about the token acquired via `AcquireTokenAsync` or `AcquireTokenSilentAsync` in the **Token Info** box: +You also see basic information about the token acquired via `AcquireTokenInteractive` or `AcquireTokenSilent` in the **Token Info** box: |Property |Format |Description | |---------|---------|---------| -|**Name** |User's full name|The user’s first and last name.| |**Username** |user@domain.com |The username that identifies the user.| |**Token Expires** |DateTime |The time when the token expires. 
MSAL extends the expiration date by renewing the token as necessary.| -|**Access Token** |String |The token string that is sent to HTTP requests that require an *Authorization header*.| - -#### See what's in the access token (optional) -Optionally, copy the value in **Access Token** and paste it in https://jwt.ms to decode it and see the list of claims. ### More information about scopes and delegated permissions 
@@ -373,17 +395,20 @@ To access the user’s calendars in the context of an application, add the *Cale ## Known issues ### Issue 1 -You receive one of the following error messages when you sign in on your application on a federated Azure Active Directory domain: - - No valid client certificate found in the request. - - No valid certificates found in the user's certificate store. - - Try again choosing a different authentication method. + +You receive one of the following error messages when you sign in on your application on a federated Azure AD domain: + +* No valid client certificate found in the request. +* No valid certificates found in the user's certificate store. +* Try again choosing a different authentication method. **Cause:** Enterprise and certificate capabilities aren't enabled. **Solution:** Follow the steps in [integrated authentication on federated domains](#enable-integrated-authentication-on-federated-domains-optional). ### Issue 2 -You enable [integrated authentication on federated domains](#enable-integrated-authentication-on-federated-domains-optional) and try to use Windows Hello on a Windows 10 computer to sign in on an environment with multifactor authentication configured. The list of certificates is presented. However, if you choose to use your PIN, the PIN window is never presented. + +You enable [integrated authentication on federated domains](#enable-integrated-authentication-on-federated-domains-optional) and try to use Windows Hello on a Windows 10 computer to sign in on an environment with multi-factor authentication configured. The list of certificates is presented. However, if you choose to use your PIN, the PIN window is never presented. **Cause:** This issue is a known limitation of the web authentication broker in UWP applications that run on Windows 10 desktop. It works fine on Windows 10 Mobile. 
diff --git a/articles/active-directory/develop/v1-protocols-openid-connect-code.md b/articles/active-directory/develop/v1-protocols-openid-connect-code.md index 4e4edc50c06ca..1261b81b3b826 100644 --- a/articles/active-directory/develop/v1-protocols-openid-connect-code.md +++ b/articles/active-directory/develop/v1-protocols-openid-connect-code.md @@ -43,12 +43,12 @@ OpenID Connect describes a metadata document that contains most of the informati ``` https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration ``` -The metadata is a simple JavaScript Object Notation (JSON) document. See the following snippet for an example. The snippet's contents are fully described in the [OpenID Connect specification](https://openid.net). Note that providing tenant rather than `common` in place of {tenant} above will result in tenant-specific URIs in the JSON object returned. +The metadata is a simple JavaScript Object Notation (JSON) document. See the following snippet for an example. The snippet's contents are fully described in the [OpenID Connect specification](https://openid.net). Note that providing a tenant ID rather than `common` in place of {tenant} above will result in tenant-specific URIs in the JSON object returned. ``` { - "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/authorize", - "token_endpoint": "https://login.microsoftonline.com/common/oauth2/token", + "authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/authorize", + "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/token", "token_endpoint_auth_methods_supported": [ "client_secret_post", 
@@ -61,6 +61,8 @@ The metadata is a simple JavaScript Object Notation (JSON) document. See the fol } ``` +If your app has custom signing keys as a result of using the [claims-mapping](active-directory-claims-mapping.md) feature, you must append an `appid` query parameter containing the app ID in order to get a `jwks_uri` pointing to your app's signing key information. For example: `https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e` contains a `jwks_uri` of `https://login.microsoftonline.com/{tenant}/discovery/keys?appid=6731de76-14a6-49ae-97bc-6eba6914391e`. + ## Send the sign-in request When your web application needs to authenticate the user, it must direct the user to the `/authorize` endpoint. This request is similar to the first leg of the [OAuth 2.0 Authorization Code Flow](v1-protocols-oauth-code.md), with a few important distinctions: 
@@ -87,7 +89,7 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e | Parameter | | Description | | --- | --- | --- | | tenant |required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are tenant identifiers, for example, `8eaef023-2b34-4da1-9baa-8bc8c9d6a490` or `contoso.onmicrosoft.com` or `common` for tenant-independent tokens | -| client_id |required |The Application Id assigned to your app when you registered it with Azure AD. You can find this in the Azure Portal. Click **Azure Active Directory**, click **App Registrations**, choose the application and locate the Application Id on the application page. | +| client_id |required |The Application ID assigned to your app when you registered it with Azure AD. You can find this in the Azure portal. Click **Azure Active Directory**, click **App Registrations**, choose the application and locate the Application ID on the application page. | | response_type |required |Must include `id_token` for OpenID Connect sign-in. It may also include other response_types, such as `code` or `token`. | | scope | recommended | The OpenID Connect specification requires the scope `openid`, which translates to the "Sign you in" permission in the consent UI. This and other OIDC scopes are ignored on the v1.0 endpoint, but is still a best practice for standards-compliant clients. | | nonce |required |A value included in the request, generated by the app, that is included in the resulting `id_token` as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string or GUID that can be used to identify the origin of the request. | 
@@ -175,13 +177,13 @@ post_logout_redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F | Parameter | | Description | | --- | --- | --- | -| post_logout_redirect_uri |recommended |The URL that the user should be redirected to after successful logout. If not included, the user is shown a generic message. | +| post_logout_redirect_uri |recommended |The URL that the user should be redirected to after successful sign out. If not included, the user is shown a generic message. | ## Single sign-out When you redirect the user to the `end_session_endpoint`, Azure AD clears the user's session from the browser. However, the user may still be signed in to other applications that use Azure AD for authentication. To enable those applications to sign the user out simultaneously, Azure AD sends an HTTP GET request to the registered `LogoutUrl` of all the applications that the user is currently signed in to. Applications must respond to this request by clearing any session that identifies the user and returning a `200` response. If you wish to support single sign out in your application, you must implement such a `LogoutUrl` in your application's code. You can set the `LogoutUrl` from the Azure portal: -1. Navigate to the [Azure Portal](https://portal.azure.com). +1. Navigate to the [Azure portal](https://portal.azure.com). 2. Choose your Active Directory by clicking on your account in the top right corner of the page. 3. From the left hand navigation panel, choose **Azure Active Directory**, then choose **App registrations** and select your application. 4. Click on **Settings**, then **Properties** and find the **Logout URL** text box. 
@@ -196,7 +198,7 @@ To acquire access tokens, you need to modify the sign-in request from above: // Line breaks for legibility only GET https://login.microsoftonline.com/{tenant}/oauth2/authorize? -client_id=6731de76-14a6-49ae-97bc-6eba6914391e // Your registered Application Id +client_id=6731de76-14a6-49ae-97bc-6eba6914391e // Your registered Application ID &response_type=id_token+code &redirect_uri=http%3A%2F%2Flocalhost%3a12345 // Your registered Redirect Uri, url encoded &response_mode=form_post // `form_post' or 'fragment' diff --git a/articles/active-directory/develop/v2-app-types.md b/articles/active-directory/develop/v2-app-types.md index f9f9b79e8cb22..841de925d9744 100644 --- a/articles/active-directory/develop/v2-app-types.md +++ b/articles/active-directory/develop/v2-app-types.md @@ -1,6 +1,6 @@ --- -title: Application types for v2.0 | Azure -description: The types of apps and scenarios supported by the Azure Active Directory v2.0 endpoint. +title: Application types for Microsoft identity platform | Azure +description: The types of apps and scenarios supported by the Microsoft identity platform (v2.0) endpoint. services: active-directory documentationcenter: '' author: CelesteDG 
@@ -14,31 +14,31 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 12/18/2018 +ms.date: 04/06/2019 ms.author: celested -ms.reviewer: saeeda, jmprieur, andret +ms.reviewer: saeeda, jmprieur ms.custom: aaddev ms.collection: M365-identity-device-management --- -# Application types for v2.0 +# Application types for Microsoft identity platform -The Azure Active Directory (Azure AD) v2.0 endpoint supports authentication for a variety of modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](active-directory-v2-protocols.md). This article describes the types of apps that you can build by using Azure AD v2.0, regardless of your preferred language or platform. The information in this article is designed to help you understand high-level scenarios before you [start working with the code](v2-overview.md#getting-started). +The Microsoft identity platform (v2.0) endpoint supports authentication for a variety of modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](active-directory-v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you [start working with the code](v2-overview.md#getting-started). > [!NOTE] -> The v2.0 endpoint doesn't support all Azure Active Directory scenarios and features. To determine whether you should use the v2.0 endpoint, read about [v2.0 limitations](active-directory-v2-limitations.md). +> The Microsoft identity platform endpoint doesn't support all Azure Active Directory (Azure AD) scenarios and features. To determine whether you should use the Microsoft identity platform endpoint, read about [Microsoft identity platform limitations](active-directory-v2-limitations.md). 
## The basics -You must register each app that uses the v2.0 endpoint in the [Microsoft Application Registration Portal](https://apps.dev.microsoft.com). The app registration process collects and assigns these values for your app: +You must register each app that uses the Microsoft identity platform endpoint in the new [App registrations portal](https://go.microsoft.com/fwlink/?linkid=2083908). The app registration process collects and assigns these values for your app: -* An **Application ID** that uniquely identifies your app +* An **Application (client) ID** that uniquely identifies your app * A **Redirect URI** that you can use to direct responses back to your app -* A few other scenario-specific values +* A few other scenario-specific values such as supported account types -For details, learn how to [register an app](quickstart-v2-register-an-app.md). +For details, learn how to [register an app](quickstart-register-app.md). -After the app is registered, the app communicates with Azure AD by sending requests to the Azure AD v2.0 endpoint. We provide open-source frameworks and libraries that handle the details of these requests. You also have the option to implement the authentication logic yourself by creating requests to these endpoints: +After the app is registered, the app communicates with Microsoft identity platform by sending requests to the endpoint. We provide open-source frameworks and libraries that handle the details of these requests. You also have the option to implement the authentication logic yourself by creating requests to these endpoints: ``` https://login.microsoftonline.com/common/oauth2/v2.0/authorize 
@@ -47,13 +47,13 @@ https://login.microsoftonline.com/common/oauth2/v2.0/token ## Single-page apps (JavaScript) -Many modern apps have a single-page app front end that primarily is written in JavaScript. Often, it's written by using a framework like AngularJS, Ember.js, or Durandal.js. The Azure AD v2.0 endpoint supports these apps by using the [OAuth 2.0 implicit flow](v2-oauth2-implicit-grant-flow.md). +Many modern apps have a single-page app front end that primarily is written in JavaScript. Often, it's written by using a framework like AngularJS, Ember.js, or Durandal.js. The Microsoft identity platform endpoint supports these apps by using the [OAuth 2.0 implicit flow](v2-oauth2-implicit-grant-flow.md). -In this flow, the app receives tokens directly from the v2.0 authorize endpoint, without any server-to-server exchanges. All authentication logic and session handling takes place entirely in the JavaScript client, without extra page redirects. +In this flow, the app receives tokens directly from the Microsoft identity platform authorize endpoint, without any server-to-server exchanges. All authentication logic and session handling takes place entirely in the JavaScript client, without extra page redirects. -![Implicit authentication flow](./media/v2-app-types/convergence_scenarios_implicit.png) +![Implicit authentication flow](./media/v2-app-types/convergence-scenarios-implicit.svg) -To see this scenario in action, try one of the single-page app code samples in the [v2.0 getting started](v2-overview.md#getting-started) section. +To see this scenario in action, try one of the single-page app code samples in the [Microsoft identity platform getting started](v2-overview.md#getting-started) section. ## Web apps 
@@ -72,21 +72,21 @@ eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cd... } ``` -Further details of different types of tokens used in the v2.0 endpoint are available in the [access token](access-tokens.md) reference and [`id_token` reference](id-tokens.md) +Further details of different types of tokens used in the Microsoft identity platform endpoint are available in the [access token](access-tokens.md) reference and [id_token reference](id-tokens.md) In web server apps, the sign-in authentication flow takes these high-level steps: -![Web app authentication flow](./media/v2-app-types/convergence_scenarios_webapp.png) +![Web app authentication flow](./media/v2-app-types/convergence-scenarios-webapp.svg) -You can ensure the user's identity by validating the ID token with a public signing key that is received from the v2.0 endpoint. A session cookie is set, which can be used to identify the user on subsequent page requests. +You can ensure the user's identity by validating the ID token with a public signing key that is received from the Microsoft identity platform endpoint. A session cookie is set, which can be used to identify the user on subsequent page requests. -To see this scenario in action, try one of the web app sign-in code samples in the [v2.0 getting started](v2-overview.md#getting-started) section. +To see this scenario in action, try one of the web app sign-in code samples in the [Microsoft identity platform getting started](v2-overview.md#getting-started) section. In addition to simple sign-in, a web server app might need to access another web service, such as a REST API. In this case, the web server app engages in a combined OpenID Connect and OAuth 2.0 flow, by using the [OAuth 2.0 authorization code flow](active-directory-v2-protocols.md). For more information about this scenario, read about [getting started with web apps and Web APIs](active-directory-v2-devquickstarts-webapp-webapi-dotnet.md). 
## Web APIs -You can use the v2.0 endpoint to secure web services, such as your app's RESTful Web API. Instead of ID tokens and session cookies, a Web API uses an OAuth 2.0 access token to secure its data and to authenticate incoming requests. The caller of a Web API appends an access token in the authorization header of an HTTP request, like this: +You can use the Microsoft identity platform endpoint to secure web services, such as your app's RESTful Web API. Instead of ID tokens and session cookies, a Web API uses an OAuth 2.0 access token to secure its data and to authenticate incoming requests. The caller of a Web API appends an access token in the authorization header of an HTTP request, like this: ``` GET /api/items HTTP/1.1 
@@ -96,32 +96,32 @@ Accept: application/json ... ``` -The Web API uses the access token to verify the API caller's identity and to extract information about the caller from claims that are encoded in the access token. Further details of different types of tokens used in the v2.0 endpoint are available in the [access token](access-tokens.md) reference and [`id_token` reference](id-tokens.md) +The Web API uses the access token to verify the API caller's identity and to extract information about the caller from claims that are encoded in the access token. Further details of different types of tokens used in the Microsoft identity platform endpoint are available in the [access token](access-tokens.md) reference and [id_token reference](id-tokens.md) -A Web API can give users the power to opt in or opt out of specific functionality or data by exposing permissions, also known as [scopes](v2-permissions-and-consent.md). For a calling app to acquire permission to a scope, the user must consent to the scope during a flow. The v2.0 endpoint asks the user for permission, and then records permissions in all access tokens that the Web API receives. The Web API validates the access tokens it receives on each call and performs authorization checks. +A Web API can give users the power to opt in or opt out of specific functionality or data by exposing permissions, also known as [scopes](v2-permissions-and-consent.md). For a calling app to acquire permission to a scope, the user must consent to the scope during a flow. The Microsoft identity platform endpoint asks the user for permission, and then records permissions in all access tokens that the Web API receives. The Web API validates the access tokens it receives on each call and performs authorization checks. A Web API can receive access tokens from all types of apps, including web server apps, desktop and mobile apps, single-page apps, server-side daemons, and even other Web APIs. 
The high-level flow for a Web API looks like this: -![Web API authentication flow](./media/v2-app-types/convergence_scenarios_webapi.png) +![Web API authentication flow](./media/v2-app-types/convergence-scenarios-webapi.svg) -To learn how to secure a Web API by using OAuth2 access tokens, check out the Web API code samples in the [v2.0 getting started](v2-overview.md#getting-started) section. +To learn how to secure a Web API by using OAuth2 access tokens, check out the Web API code samples in the [Microsoft identity platform getting started](v2-overview.md#getting-started) section. -In many cases, web APIs also need to make outbound requests to other downstream web APIs secured by Azure Active Directory. To do so, web APIs can take advantage of Azure AD's **On Behalf Of** flow, which allows the web API to exchange an incoming access token for another access token to be used in outbound requests. The v2.0 endpoint's On Behalf Of flow is described in [detail here](v2-oauth2-on-behalf-of-flow.md). +In many cases, web APIs also need to make outbound requests to other downstream web APIs secured by Microsoft identity platform. To do so, web APIs can take advantage of the **On-Behalf-Of** flow, which allows the web API to exchange an incoming access token for another access token to be used in outbound requests. For more info, see [Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md). ## Mobile and native apps Device-installed apps, such as mobile and desktop apps, often need to access back-end services or Web APIs that store data and perform functions on behalf of a user. These apps can add sign-in and authorization to back-end services by using the [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md). -In this flow, the app receives an authorization code from the v2.0 endpoint when the user signs in. 
The authorization code represents the app's permission to call back-end services on behalf of the user who is signed in. The app can exchange the authorization code in the background for an OAuth 2.0 access token and a refresh token. The app can use the access token to authenticate to Web APIs in HTTP requests, and use the refresh token to get new access tokens when older access tokens expire. +In this flow, the app receives an authorization code from the Microsoft identity platform endpoint when the user signs in. The authorization code represents the app's permission to call back-end services on behalf of the user who is signed in. The app can exchange the authorization code in the background for an OAuth 2.0 access token and a refresh token. The app can use the access token to authenticate to Web APIs in HTTP requests, and use the refresh token to get new access tokens when older access tokens expire. -![Native app authentication flow](./media/v2-app-types/convergence_scenarios_native.png) +![Native app authentication flow](./media/v2-app-types/convergence-scenarios-native.svg) ## Daemons and server-side apps -Apps that have long-running processes or that operate without interaction with a user also need a way to access secured resources, such as Web APIs. These apps can authenticate and get tokens by using the app's identity, rather than a user's delegated identity, with the OAuth 2.0 client credentials flow. You can prove the app's identity using a client secret or certificate. For more info, see [Authenticating to Azure AD in daemon apps with certificates](https://azure.microsoft.com/resources/samples/active-directory-dotnet-daemon-certificate-credential/). +Apps that have long-running processes or that operate without interaction with a user also need a way to access secured resources, such as Web APIs. These apps can authenticate and get tokens by using the app's identity, rather than a user's delegated identity, with the OAuth 2.0 client credentials flow. 
You can prove the app's identity using a client secret or certificate. For more info, see [Authenticating to Microsoft identity platform in daemon apps with certificates](https://azure.microsoft.com/resources/samples/active-directory-dotnet-daemon-certificate-credential/). In this flow, the app interacts directly with the `/token` endpoint to obtain access: -![Daemon app authentication flow](./media/v2-app-types/convergence_scenarios_daemon.png) +![Daemon app authentication flow](./media/v2-app-types/convergence-scenarios-daemon.svg) To build a daemon app, see the [client credentials documentation](v2-oauth2-client-creds-grant-flow.md), or try a [.NET sample app](https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2). diff --git a/articles/active-directory/develop/v2-oauth-ropc.md b/articles/active-directory/develop/v2-oauth-ropc.md index 93f70eb874c51..180efaaf223d7 100644 --- a/articles/active-directory/develop/v2-oauth-ropc.md +++ b/articles/active-directory/develop/v2-oauth-ropc.md @@ -1,5 +1,5 @@ --- -title: Use Azure AD v2.0 to sign in users using ROPC | Microsoft Docs +title: Use Microsoft identity platform to sign in users using ROPC | Azure description: Support browser-less authentication flows using the resource owner password credential grant. services: active-directory documentationcenter: '' 
@@ -12,20 +12,20 @@ ms.subservice: develop ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 11/28/2018 +ms.topic: conceptual +ms.date: 04/12/2019 ms.author: celested ms.reviewer: hirsin ms.custom: aaddev ms.collection: M365-identity-device-management --- -# Azure Active Directory v2.0 and the OAuth 2.0 resource owner password credential +# Microsoft identity platform and the OAuth 2.0 resource owner password credential -Azure Active Directory (Azure AD) supports the [resource owner password credential (ROPC) grant](https://tools.ietf.org/html/rfc6749#section-4.3), which allows an application to sign in the user by directly handling their password. The ROPC flow requires a high degree of trust and user exposure and developers should only use this flow when the other, more secure, flows can't be used. +Microsoft identity platform supports the [resource owner password credential (ROPC) grant](https://tools.ietf.org/html/rfc6749#section-4.3), which allows an application to sign in the user by directly handling their password. The ROPC flow requires a high degree of trust and user exposure and developers should only use this flow when the other, more secure, flows can't be used. -> [!Important] -> * The Azure AD v2.0 endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (`https://login.microsoftonline.com/{TenantId_or_Name}`) or the `organizations` endpoint. +> [!IMPORTANT] +> * The Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (`https://login.microsoftonline.com/{TenantId_or_Name}`) or the `organizations` endpoint. > * Personal accounts that are invited to an Azure AD tenant can't use ROPC. > * Accounts that don't have passwords can't sign in through ROPC. For this scenario, we recommend that you use a different flow for your app instead. 
> * If users need to use multi-factor authentication (MFA) to log in to the application, they will be blocked instead. @@ -40,14 +40,20 @@ The following diagram shows the ROPC flow. The ROPC flow is a single request—it sends the client identification and user's credentials to the IDP, and then receives tokens in return. The client must request the user's email address (UPN) and password before doing so. Immediately after a successful request, the client should securely release the user's credentials from memory. It must never save them. +> [!TIP] +> Try executing this request in Postman! +> [![Run in Postman](./media/v2-oauth2-auth-code-flow/runInPostman.png)](https://app.getpostman.com/run-collection/f77994d794bab767596d) + + ``` // Line breaks and spaces are for legibility only. -POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token? +POST {tenant}/oauth2/v2.0/token +Host: login.microsoftonline.com +Content-Type: application/x-www-form-urlencoded client_id=6731de76-14a6-49ae-97bc-6eba6914391e &scope=user.read%20openid%20profile%20offline_access -&client_secret=wkubdywbc2894u &username=MyUsername@myTenant.com &password=SuperS3cret &grant_type=password 
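Review bot: The TIP added in the `@@ -40,14 +40,20 @@` hunk invites readers to run this request in Postman without saying which credentials to use, and the request carries the user's password as a plain form field. I would add a line under the tip such as `> Use a dedicated test account for this; the request body contains the account password.` The rewritten request line `POST {tenant}/oauth2/v2.0/token` also drops the `https://` scheme that the old line showed, so the sample no longer makes the transport visible. A sentence stating that the request must be sent over HTTPS would keep that clear, as would a request line of `POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token`.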
@@ -93,11 +99,11 @@ If the user hasn't provided the correct username or password, or the client hasn | Error | Description | Client action | |------ | ----------- | -------------| -| `invalid_grant` | The authentication failed | The credentials were incorrect or the client doesn't have consent for the requested scopes. If the scopes aren't granted, a `consent_required` suberror will be returned. If this occurs, the client should send the user to an interactive prompt using a webview or browser. | -| `invalid_request` | The request was improperly constructed | The grant type is not supported on the `/common` or `/consumers` authentication contexts. Use `/organizations` instead. | -| `invalid_client` | The app is improperly set up | This can happen if the `allowPublicClient` property is not set to true in the [application manifest](reference-app-manifest.md). The `allowPublicClient` property is needed because the ROPC grant doesn't have a redirect URI. Azure AD can't determine if the app is a public client application or a confidential client application unless the property is set. Note that ROPC is only supported for public client apps. | +| `invalid_grant` | The authentication failed | The credentials were incorrect or the client doesn't have consent for the requested scopes. If the scopes aren't granted, a `consent_required` error will be returned. If this occurs, the client should send the user to an interactive prompt using a webview or browser. | +| `invalid_request` | The request was improperly constructed | The grant type isn't supported on the `/common` or `/consumers` authentication contexts. Use `/organizations` instead. | +| `invalid_client` | The app is improperly set up | This can happen if the `allowPublicClient` property isn't set to true in the [application manifest](reference-app-manifest.md). The `allowPublicClient` property is needed because the ROPC grant doesn't have a redirect URI. 
Azure AD can't determine if the app is a public client application or a confidential client application unless the property is set. Note that ROPC is only supported for public client apps. | ## Learn more * Try out ROPC for yourself using the [sample console application](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2). -* To determine whether you should use the v2.0 endpoint, read about [v2.0 limitations](active-directory-v2-limitations.md). +* To determine whether you should use the v2.0 endpoint, read about [Microsoft identity platform limitations](active-directory-v2-limitations.md). diff --git a/articles/active-directory/develop/v2-oauth2-auth-code-flow.md b/articles/active-directory/develop/v2-oauth2-auth-code-flow.md index d84aa269264ab..fb641f8cae367 100644 --- a/articles/active-directory/develop/v2-oauth2-auth-code-flow.md +++ b/articles/active-directory/develop/v2-oauth2-auth-code-flow.md @@ -1,6 +1,6 @@ --- -title: Azure AD v2.0 OAuth Authorization Code Flow | Microsoft Docs -description: Building web applications using Azure AD's implementation of the OAuth 2.0 authentication protocol. +title: Microsoft identity platform and OAuth Authorization Code Flow | Azure +description: Building web applications using the Microsoft identity platform implementation of the OAuth 2.0 authentication protocol. services: active-directory documentationcenter: '' author: CelesteDG 
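Review bot: In the `invalid_grant` row of the `@@ -93,11 +99,11 @@` hunk, replacing `suberror` with `error` makes the text read as if the top-level error value becomes `consent_required`, while the Error column of that same row is `invalid_grant`. If the service still reports missing consent as a sub-code of `invalid_grant` (the hunk does not show the response format), clients written from this table would check the wrong field and could handle a consent problem as a credential failure instead of sending the user to the interactive prompt. I would keep the earlier word `suberror`, or name the response field that carries the value. The last line of the hunk also still says `the v2.0 endpoint` next to the renamed link text, unlike the same sentence in v2-app-types.md.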
@@ -13,30 +13,30 @@ ms.subservice: develop ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 03/24/2019 +ms.topic: conceptual +ms.date: 04/12/2019 ms.author: celested ms.reviewer: hirsin ms.custom: aaddev ms.collection: M365-identity-device-management --- -# v2.0 Protocols - OAuth 2.0 authorization code flow +# Microsoft identity platform and OAuth 2.0 authorization code flow [!INCLUDE [active-directory-develop-applies-v2](../../../includes/active-directory-develop-applies-v2.md)] -The OAuth 2.0 authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs. Using the app model v2.0 's implementation of OAuth 2.0, you can add sign in and API access to your mobile and desktop apps. This guide is language-independent, and describes how to send and receive HTTP messages without using any of the [Azure open-source authentication libraries](active-directory-authentication-libraries.md). +The OAuth 2.0 authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs. Using the Microsoft identity platform implementation of OAuth 2.0, you can add sign in and API access to your mobile and desktop apps. This guide is language-independent, and describes how to send and receive HTTP messages without using any of the [Azure open-source authentication libraries](active-directory-authentication-libraries.md). > [!NOTE] -> Not all Azure Active Directory scenarios & features are supported by the v2.0 endpoint. To determine if you should use the v2.0 endpoint, read about [v2.0 limitations](active-directory-v2-limitations.md). +> Not all Azure Active Directory scenarios & features are supported by the Microsoft identity platform endpoint. To determine if you should use the Microsoft identity platform endpoint, read about [Microsoft identity platform limitations](active-directory-v2-limitations.md). 
-The OAuth 2.0 authorization code flow is described in [section 4.1 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749). It is used to perform authentication and authorization in the majority of app types, including [web apps](v2-app-types.md#web-apps) and [natively installed apps](v2-app-types.md#mobile-and-native-apps). The flow enables apps to securely acquire access_tokens that can be used to access resources secured by the v2.0 endpoint. +The OAuth 2.0 authorization code flow is described in [section 4.1 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749). It's used to perform authentication and authorization in the majority of app types, including [web apps](v2-app-types.md#web-apps) and [natively installed apps](v2-app-types.md#mobile-and-native-apps). The flow enables apps to securely acquire access_tokens that can be used to access resources secured by the Microsoft identity platform endpoint. ## Protocol diagram At a high level, the entire authentication flow for a native/mobile application looks a bit like this: -![OAuth Auth Code Flow](./media/v2-oauth2-auth-code-flow/convergence_scenarios_native.png) +![OAuth Auth Code Flow](./media/v2-oauth2-auth-code-flow/convergence-scenarios-native.svg) ## Request an authorization code 
@@ -57,27 +57,25 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e > [!TIP] > Click the link below to execute this request! After signing in, your browser should be redirected to `https://localhost/myapp/` with a `code` in the address bar. > https://login.microsoftonline.com/common/oauth2/v2.0/authorize... -> -> | Parameter | Required/optional | Description | |--------------|-------------|--------------| | `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). | | `client_id` | required | The **Application (client) ID** that the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. | | `response_type` | required | Must include `code` for the authorization code flow. | -| `redirect_uri` | recommended | The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be url encoded. For native & mobile apps, you should use the default value of `https://login.microsoftonline.com/common/oauth2/nativeclient`. | +| `redirect_uri` | required | The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be url encoded. For native & mobile apps, you should use the default value of `https://login.microsoftonline.com/common/oauth2/nativeclient`. | | `scope` | required | A space-separated list of [scopes](v2-permissions-and-consent.md) that you want the user to consent to. | -| `response_mode` | recommended | Specifies the method that should be used to send the resulting token back to your app. Can be one of the following:

- `query`
- `fragment`
- `form_post`

`query` provides the code as a query string parameter on your redirect URI. If you're requesting an ID token using the implicit flow, you cannot use `query` as specified in the [OpenID spec](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations). If you're requesting just the code, you can use `query`, `fragment`, or `form_post`. `form_post` executes a POST containing the code to your redirect URI. For more info, see [OpenID Connect protocol](https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-openid-connect-code). | +| `response_mode` | recommended | Specifies the method that should be used to send the resulting token back to your app. Can be one of the following:

- `query`
- `fragment`
- `form_post`

`query` provides the code as a query string parameter on your redirect URI. If you're requesting an ID token using the implicit flow, you can't use `query` as specified in the [OpenID spec](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations). If you're requesting just the code, you can use `query`, `fragment`, or `form_post`. `form_post` executes a POST containing the code to your redirect URI. For more info, see [OpenID Connect protocol](https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-openid-connect-code). | | `state` | recommended | A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for [preventing cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The value can also encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. | -| `prompt` | optional | Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, and `consent`.

- `prompt=login` will force the user to enter their credentials on that request, negating single-sign on.
- `prompt=none` is the opposite - it will ensure that the user is not presented with any interactive prompt whatsoever. If the request cannot be completed silently via single-sign on, the v2.0 endpoint will return an `interaction_required` error.
- `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. | +| `prompt` | optional | Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, and `consent`.

- `prompt=login` will force the user to enter their credentials on that request, negating single-sign on.
- `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform endpoint will return an `interaction_required` error.
- `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. | | `login_hint` | optional | Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know their username ahead of time. Often apps will use this parameter during re-authentication, having already extracted the username from a previous sign-in using the `preferred_username` claim. | -| `domain_hint` | optional | Can be one of `consumers` or `organizations`.

If included, it will skip the email-based discovery process that user goes through on the v2.0 sign-in page, leading to a slightly more streamlined user experience. Often apps will use this parameter during re-authentication, by extracting the `tid` from a previous sign-in. If the `tid` claim value is `9188040d-6c67-4c5b-b112-36a304b66dad`, you should use `domain_hint=consumers`. Otherwise, use `domain_hint=organizations`. | -| `code_challenge_method` | optional | The method used to encode the `code_verifier` for the `code_challenge` parameter. Can be one of the following values:

- `plain`
- `S256`

If excluded, `code_challenge` is assumed to be plaintext if `code_challenge` is included. Azure AAD v2.0 supports both `plain` and `S256`. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). | +| `domain_hint` | optional | Can be one of `consumers` or `organizations`.

If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. Often apps will use this parameter during re-authentication, by extracting the `tid` from a previous sign-in. If the `tid` claim value is `9188040d-6c67-4c5b-b112-36a304b66dad`, you should use `domain_hint=consumers`. Otherwise, use `domain_hint=organizations`. | +| `code_challenge_method` | optional | The method used to encode the `code_verifier` for the `code_challenge` parameter. Can be one of the following values:

- `plain`
- `S256`

If excluded, `code_challenge` is assumed to be plaintext if `code_challenge` is included. Microsoft identity platform supports both `plain` and `S256`. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). | | `code_challenge` | optional | Used to secure authorization code grants via Proof Key for Code Exchange (PKCE) from a native client. Required if `code_challenge_method` is included. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). | -At this point, the user will be asked to enter their credentials and complete the authentication. The v2.0 endpoint will also ensure that the user has consented to the permissions indicated in the `scope` query parameter. If the user has not consented to any of those permissions, it will ask the user to consent to the required permissions. Details of [permissions, consent, and multi-tenant apps are provided here](v2-permissions-and-consent.md). +At this point, the user will be asked to enter their credentials and complete the authentication. The Microsoft identity platform endpoint will also ensure that the user has consented to the permissions indicated in the `scope` query parameter. If the user has not consented to any of those permissions, it will ask the user to consent to the required permissions. Details of [permissions, consent, and multi-tenant apps are provided here](v2-permissions-and-consent.md). -Once the user authenticates and grants consent, the v2.0 endpoint will return a response to your app at the indicated `redirect_uri`, using the method specified in the `response_mode` parameter. +Once the user authenticates and grants consent, the Microsoft identity platform endpoint will return a response to your app at the indicated `redirect_uri`, using the method specified in the `response_mode` parameter. #### Successful response 
@@ -91,7 +89,7 @@ code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...
 
 | Parameter | Description |
 |-----------|--------------|
-| `code` | The authorization_code that the app requested. The app can use the authorization code to request an access token for the target resource. Authorization_codes are very short lived, typically they expire after about 10 minutes. |
+| `code` | The authorization_code that the app requested. The app can use the authorization code to request an access token for the target resource. Authorization_codes are short lived, typically they expire after about 10 minutes. |
 | `state` | If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. |
 
 #### Error response
@@ -116,13 +114,13 @@ The following table describes the various error codes that can be returned in th
 | Error Code | Description | Client Action |
 |-------------|----------------|-----------------|
 | `invalid_request` | Protocol error, such as a missing required parameter. | Fix and resubmit the request. This is a development error typically caught during initial testing. |
-| `unauthorized_client` | The client application is not permitted to request an authorization code. | This error usually occurs when the client application is not registered in Azure AD or is not added to the user's Azure AD tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
-| `access_denied` | Resource owner denied consent | The client application can notify the user that it cannot proceed unless the user consents. |
-| `unsupported_response_type` | The authorization server does not support the response type in the request. | Fix and resubmit the request. This is a development error is typically caught during initial testing. |
+| `unauthorized_client` | The client application isn't permitted to request an authorization code. | This error usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
+| `access_denied` | Resource owner denied consent | The client application can notify the user that it can't proceed unless the user consents. |
+| `unsupported_response_type` | The authorization server does not support the response type in the request. | Fix and resubmit the request. This is a development error typically caught during initial testing. |
 | `server_error` | The server encountered an unexpected error.| Retry the request. These errors can result from temporary conditions. The client application might explain to the user that its response is delayed to a temporary error. |
-| `temporarily_unavailable` | The server is temporarily too busy to handle the request. | Retry the request. The client application might explain to the user that its response is delayed due to a temporary condition. |
-| `invalid_resource` | The target resource is invalid because it does not exist, Azure AD cannot find it, or it is not correctly configured. | This error indicates the resource, if it exists, has not been configured in the tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
-| `login_required` | Too many or no users found | The client requested silent authentication (`prompt=none`), but a single user could not found. This may mean there are multiple users active in the session, or no users. This takes into account the tenant chosen (for example, if there are 2 AAD accounts active and one MSA, and `consumers` is chosen, silent authentication will work). |
+| `temporarily_unavailable` | The server is temporarily too busy to handle the request. | Retry the request. The client application might explain to the user that its response is delayed because of a temporary condition. |
+| `invalid_resource` | The target resource is invalid because it does not exist, Azure AD can't find it, or it's not correctly configured. | This error indicates the resource, if it exists, has not been configured in the tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
+| `login_required` | Too many or no users found | The client requested silent authentication (`prompt=none`), but a single user could not found. This may mean there are multiple users active in the session, or no users. This takes into account the tenant chosen (for example, if there are two Azure AD accounts active and one Microsoft account, and `consumers` is chosen, silent authentication will work). |
 | `interaction_required` | The request requires user interaction. | An additional authentication step or consent is required. Retry the request without `prompt=none`. |
 
 ## Request an access token
@@ -146,17 +144,17 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e
 
 > [!TIP]
 > Try executing this request in Postman! (Don't forget to replace the `code`)
-> [![Run in Postman](./media/v2-oauth2-auth-code-flow/runInPostman.png)](https://app.getpostman.com/run-collection/8f5715ec514865a07e6a)
+> [![Run in Postman](./media/v2-oauth2-auth-code-flow/runInPostman.png)](https://app.getpostman.com/run-collection/f77994d794bab767596d)
 
 | Parameter | Required/optional | Description |
 |------------|-------------------|----------------|
 | `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). |
 | `client_id` | required | The Application (client) ID that the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |
 | `grant_type` | required | Must be `authorization_code` for the authorization code flow. |
-| `scope` | required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the first leg. If the scopes specified in this request span multiple resource server, then the v2.0 endpoint will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). |
+| `scope` | required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the first leg. If the scopes specified in this request span multiple resource server, then the Microsoft identity platform endpoint will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). |
 | `code` | required | The authorization_code that you acquired in the first leg of the flow. |
 | `redirect_uri` | required | The same redirect_uri value that was used to acquire the authorization_code. |
-| `client_secret` | required for web apps | The application secret that you created in the app registration portal for your app. It should not be used in a native app, because client_secrets cannot be reliably stored on devices. It is required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. The client secret must be URL-encoded before being sent. |
+| `client_secret` | required for web apps | The application secret that you created in the app registration portal for your app. You shouldn't use the application secret in a native app because client_secrets can't be reliably stored on devices. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. The client secret must be URL-encoded before being sent. |
 | `code_verifier` | optional | The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). |
 
 ### Successful response
@@ -215,12 +213,12 @@ Error responses will look like:
 |--------------------|--------------------|------------------|
 | `invalid_request` | Protocol error, such as a missing required parameter. | Fix and resubmit the request |
 | `invalid_grant` | The authorization code or PKCE code verifier is invalid or has expired. | Try a new request to the `/authorize` endpoint and verify that the code_verifier parameter was correct. |
-| `unauthorized_client` | The authenticated client is not authorized to use this authorization grant type. | This usually occurs when the client application is not registered in Azure AD or is not added to the user's Azure AD tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
-| `invalid_client` | Client authentication failed. | The client credentials are not valid. To fix, the application administrator updates the credentials. |
+| `unauthorized_client` | The authenticated client isn't authorized to use this authorization grant type. | This usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
+| `invalid_client` | Client authentication failed. | The client credentials aren't valid. To fix, the application administrator updates the credentials. |
 | `unsupported_grant_type` | The authorization server does not support the authorization grant type. | Change the grant type in the request. This type of error should occur only during development and be detected during initial testing. |
-| `invalid_resource` | The target resource is invalid because it does not exist, Azure AD cannot find it, or it is not correctly configured. | This indicates the resource, if it exists, has not been configured in the tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
+| `invalid_resource` | The target resource is invalid because it does not exist, Azure AD can't find it, or it's not correctly configured. | This indicates the resource, if it exists, has not been configured in the tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
 | `interaction_required` | The request requires user interaction. For example, an additional authentication step is required. | Retry the request with the same resource. |
-| `temporarily_unavailable` | The server is temporarily too busy to handle the request. | Retry the request. The client application might explain to the user that its response is delayed due to a temporary condition. |
+| `temporarily_unavailable` | The server is temporarily too busy to handle the request. | Retry the request. The client application might explain to the user that its response is delayed because of a temporary condition. |
 
 ## Use the access token
 
@@ -228,7 +226,7 @@ Now that you've successfully acquired an `access_token`, you can use the token i
 
 > [!TIP]
 > Execute this request in Postman! (Replace the `Authorization` header first)
-> [![Run in Postman](./media/v2-oauth2-auth-code-flow/runInPostman.png)](https://app.getpostman.com/run-collection/8f5715ec514865a07e6a)
+> [![Run in Postman](./media/v2-oauth2-auth-code-flow/runInPostman.png)](https://app.getpostman.com/run-collection/f77994d794bab767596d)
 
 ```
 GET /v1.0/me/messages
@@ -240,7 +238,9 @@ Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZn Access_tokens are short lived, and you must refresh them after they expire to continue accessing resources. You can do so by submitting another `POST` request to the `/token` endpoint, this time providing the `refresh_token` instead of the `code`. Refresh tokens are valid for all permissions that your client has already received consent for - thus, a refresh token issued on a request for `scope=mail.read` can be used to request a new access token for `scope=api://contoso.com/api/UseResource`. -Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. Your application needs to expect and handle [errors returned by the token issuance endpoint](#error-codes-for-token-endpoint-errors) correctly. Note that refresh tokens are not revoked when used to acquire new access tokens. +Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. Your application needs to expect and handle [errors returned by the token issuance endpoint](#error-codes-for-token-endpoint-errors) correctly. + +Although refresh tokens aren't revoked when used to acquire new access tokens, you are expected to discard the old refresh token. The [OAuth 2.0 spec](https://tools.ietf.org/html/rfc6749#section-6) says: "The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client." ``` // Line breaks for legibility only 
@@ -252,15 +252,13 @@ Content-Type: application/x-www-form-urlencoded
 client_id=6731de76-14a6-49ae-97bc-6eba6914391e
 &scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
 &refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
-&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
 &grant_type=refresh_token
 &client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for web apps
 ```
 
 > [!TIP]
 > Try executing this request in Postman! (Don't forget to replace the `refresh_token`)
-> [![Run in Postman](./media/v2-oauth2-auth-code-flow/runInPostman.png)](https://app.getpostman.com/run-collection/8f5715ec514865a07e6a)
->
+> [![Run in Postman](./media/v2-oauth2-auth-code-flow/runInPostman.png)](https://app.getpostman.com/run-collection/f77994d794bab767596d)
 >
 
 | Parameter | | Description |
@@ -268,10 +266,9 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e
 | `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). |
 | `client_id` | required | The **Application (client) ID** that the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |
 | `grant_type` | required | Must be `refresh_token` for this leg of the authorization code flow. |
-| `scope` | required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original authorization_code request leg. If the scopes specified in this request span multiple resource server, then the v2.0 endpoint will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). |
+| `scope` | required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original authorization_code request leg. If the scopes specified in this request span multiple resource server, then the Microsoft identity platform endpoint will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). |
 | `refresh_token` | required | The refresh_token that you acquired in the second leg of the flow. |
-| `redirect_uri` | required | A `redirect_uri`registered on the client application. |
-| `client_secret` | required for web apps | The application secret that you created in the app registration portal for your app. It should not be used in a native app, because client_secrets cannot be reliably stored on devices. It is required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. |
+| `client_secret` | required for web apps | The application secret that you created in the app registration portal for your app. It should not be used in a native app, because client_secrets can't be reliably stored on devices. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. |
 
 #### Successful response
 
diff --git a/articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md b/articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md
index 8733dade9bcd4..44876c7d96efc 100644
--- a/articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md
+++ b/articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md
@@ -1,6 +1,6 @@
 ---
-title: Use Azure AD v2.0 to access secure resources without user interaction | Microsoft Docs
-description: Build web applications by using the Azure AD implementation of the OAuth 2.0 authentication protocol.
+title: Use Microsoft identity platform to access secure resources without user interaction | Azure
+description: Build web applications by using the Microsoft identity platform implementation of the OAuth 2.0 authentication protocol.
 services: active-directory
 documentationcenter: ''
 author: CelesteDG
@@ -14,14 +14,14 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 03/21/2019
+ms.date: 04/12/2019
 ms.author: celested
 ms.reviewer: hirsin
 ms.custom: aaddev
 ms.collection: M365-identity-device-management
 ---
 
-# Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow
+# Microsoft identity platform and the OAuth 2.0 client credentials flow
 
 [!INCLUDE [active-directory-develop-applies-v2](../../../includes/active-directory-develop-applies-v2.md)]
 
@@ -30,19 +30,19 @@ You can use the [OAuth 2.0 client credentials grant](https://tools.ietf.org/html
 The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. In this scenario, the client is typically a middle-tier web service, a daemon service, or a web site. For a higher level of assurance, the Microsoft identity platform also allows the calling service to use a certificate (instead of a shared secret) as a credential.
 
 > [!NOTE]
-> The v2.0 endpoint doesn't support all Azure AD scenarios and features. To determine whether you should use the v2.0 endpoint, read about [v2.0 limitations](active-directory-v2-limitations.md).
+> The Microsoft identity platform endpoint doesn't support all Azure AD scenarios and features. To determine whether you should use the Microsoft identity platform endpoint, read about [Microsoft identity platform limitations](active-directory-v2-limitations.md).
 
-In the more typical *three-legged OAuth*, a client application is granted permission to access a resource on behalf of a specific user. The permission is delegated from the user to the application, usually during the [consent](v2-permissions-and-consent.md) process. However, in the client credentials (*two-legged OAuth*) flow, permissions are granted directly to the application itself. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action and not the user.
+In the more typical *three-legged OAuth*, a client application is granted permission to access a resource on behalf of a specific user. The permission is delegated from the user to the application, usually during the [consent](v2-permissions-and-consent.md) process. However, in the client credentials (*two-legged OAuth*) flow, permissions are granted directly to the application itself. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action and not the user.
 
 ## Protocol diagram
 
 The entire client credentials flow looks similar to the following diagram. We describe each of the steps later in this article.
 
-![Client credentials flow](./media/v2-oauth2-client-creds-grant-flow/convergence_scenarios_client_creds.png)
+![Client credentials flow](./media/v2-oauth2-client-creds-grant-flow/convergence-scenarios-client-creds.svg)
 
 ## Get direct authorization
 
-An app typically receives direct authorization to access a resource in one of two ways:
+An app typically receives direct authorization to access a resource in one of two ways:
 
 * [Through an access control list (ACL) at the resource](#access-control-lists)
 * [Through application permission assignment in Azure AD](#application-permissions)
@@ -51,9 +51,9 @@ These two methods are the most common in Azure AD and we recommend them for clie
 
 ### Access control lists
 
-A resource provider might enforce an authorization check based on a list of application (client) IDs that it knows and grants a specific level of access to. When the resource receives a token from the v2.0 endpoint, it can decode the token and extract the client's application ID from the `appid` and `iss` claims. Then it compares the application against an access control list (ACL) that it maintains. The ACL's granularity and method might vary substantially between resources.
+A resource provider might enforce an authorization check based on a list of application (client) IDs that it knows and grants a specific level of access to. When the resource receives a token from the Microsoft identity platform endpoint, it can decode the token and extract the client's application ID from the `appid` and `iss` claims. Then it compares the application against an access control list (ACL) that it maintains. The ACL's granularity and method might vary substantially between resources.
 
-A common use case is to use an ACL to run tests for a web application or for a web API. The web API might grant only a subset of full permissions to a specific client. To run end-to-end tests on the API, create a test client that acquires tokens from the v2.0 endpoint and then sends them to the API. The API then checks the ACL for the test client's application ID for full access to the API's entire functionality. If you use this kind of ACL, be sure to validate not only the caller's `appid` value but also validate that the `iss` value of the token is trusted.
+A common use case is to use an ACL to run tests for a web application or for a web API. The web API might grant only a subset of full permissions to a specific client. To run end-to-end tests on the API, create a test client that acquires tokens from the Microsoft identity platform endpoint and then sends them to the API. The API then checks the ACL for the test client's application ID for full access to the API's entire functionality. If you use this kind of ACL, be sure to validate not only the caller's `appid` value but also validate that the `iss` value of the token is trusted.
 
 This type of authorization is common for daemons and service accounts that need to access data owned by consumer users who have personal Microsoft accounts. For data owned by organizations, we recommend that you get the necessary authorization through application permissions.
 
@@ -73,19 +73,23 @@ To use application permissions in your app, follow the steps discussed in the ne #### Request the permissions in the app registration portal 1. Register and create an app through the new [App registrations (Preview) experience](quickstart-register-app.md). -2. Go to your application in the App registrations (Preview) experience. Navigate to the **Certificates & secrets** section, and add a **new client secret**, because you'll need to use at least one client secret to request a token. +2. Go to your application in the App registrations (Preview) experience. Navigate to the **Certificates & secrets** section, and add a **new client secret**, because you'll need at least one client secret to request a token. 3. Locate the **API permissions** section, and then add the **application permissions** that your app requires. 4. **Save** the app registration. -#### Recommended: Sign the user in to your app +#### Recommended: Sign the user into your app Typically, when you build an application that uses application permissions, the app requires a page or view on which the admin approves the app's permissions. This page can be part of the app's sign-in flow, part of the app's settings, or it can be a dedicated "connect" flow. In many cases, it makes sense for the app to show this "connect" view only after a user has signed in with a work or school Microsoft account. -If you sign the user in to your app, you can identify the organization to which the user belongs to before you ask the user to approve the application permissions. Although not strictly necessary, it can help you create a more intuitive experience for your users. To sign the user in, follow our [v2.0 protocol tutorials](active-directory-v2-protocols.md). +If you sign the user into your app, you can identify the organization to which the user belongs to before you ask the user to approve the application permissions. 
Although not strictly necessary, it can help you create a more intuitive experience for your users. To sign the user in, follow our [Microsoft identity platform protocol tutorials](active-directory-v2-protocols.md). #### Request the permissions from a directory admin -When you're ready to request permissions from the organization's admin, you can redirect the user to the v2.0 *admin consent endpoint*. +When you're ready to request permissions from the organization's admin, you can redirect the user to the Microsoft identity platform *admin consent endpoint*. + +> [!TIP] +> Try executing this request in Postman! (Use your own app ID for best results - the tutorial application won't request useful permissions.) +> [![Run in Postman](./media/v2-oauth2-auth-code-flow/runInPostman.png)](https://app.getpostman.com/run-collection/f77994d794bab767596d) ``` // Line breaks are for legibility only. 
@@ -107,11 +111,11 @@ https://login.microsoftonline.com/common/adminconsent?client_id=6731de76-14a6-49 | Parameter | Condition | Description | | --- | --- | --- | | `tenant` | Required | The directory tenant that you want to request permission from. This can be in GUID or friendly name format. If you don't know which tenant the user belongs to and you want to let them sign in with any tenant, use `common`. | -| `client_id` | Required | The application (client) ID that's assigned to your app. You can find this information in the portal where you registered your app. | +| `client_id` | Required | The **Application (client) ID** that the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. | | `redirect_uri` | Required | The redirect URI where you want the response to be sent for your app to handle. It must exactly match one of the redirect URIs that you registered in the portal, except that it must be URL encoded, and it can have additional path segments. | | `state` | Recommended | A value that's included in the request that's also returned in the token response. It can be a string of any content that you want. The state is used to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. | -At this point, Azure AD enforces that only a tenant administrator can sign in to complete the request. The administrator will be asked to approve all the direct application permissions that you have requested for your app in the app registration portal. +At this point, Azure AD enforces that only a tenant administrator can sign into complete the request. The administrator will be asked to approve all the direct application permissions that you have requested for your app in the app registration portal. ##### Successful response 
@@ -144,7 +148,11 @@ After you've received a successful response from the app provisioning endpoint, ## Get a token -After you've acquired the necessary authorization for your application, proceed with acquiring access tokens for APIs. To get a token by using the client credentials grant, send a POST request to the `/token` v2.0 endpoint: +After you've acquired the necessary authorization for your application, proceed with acquiring access tokens for APIs. To get a token by using the client credentials grant, send a POST request to the `/token` Microsoft identity platform endpoint: + +> [!TIP] +> Try executing this request in Postman! (Use your own app ID for best results - the tutorial application won't request useful permissions.) +> [![Run in Postman](./media/v2-oauth2-auth-code-flow/runInPostman.png)](https://app.getpostman.com/run-collection/f77994d794bab767596d) ### First case: Access token request with a shared secret @@ -167,7 +175,7 @@ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id= | --- | --- | --- | | `tenant` | Required | The directory tenant the application plans to operate against, in GUID or domain-name format. | | `client_id` | Required | The application ID that's assigned to your app. You can find this information in the portal where you registered your app. | -| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`.
This value tells the v2.0 endpoint that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](v2-permissions-and-consent.md#the-default-scope). | +| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`.
This value tells the Microsoft identity platform endpoint that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](v2-permissions-and-consent.md#the-default-scope). | | `client_secret` | Required | The client secret that you generated for your app in the app registration portal. The client secret must be URL-encoded before being sent. | | `grant_type` | Required | Must be set to `client_credentials`. | @@ -189,7 +197,7 @@ scope=https%3A%2F%2Fgraph.microsoft.com%2F.default | --- | --- | --- | | `tenant` | Required | The directory tenant the application plans to operate against, in GUID or domain-name format. | | `client_id` | Required |The application (client) ID that's assigned to your app. | -| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`.
This value informs the v2.0 endpoint that of all the direct application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](v2-permissions-and-consent.md#the-default-scope). | +| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`.
This value informs the Microsoft identity platform endpoint that of all the direct application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](v2-permissions-and-consent.md#the-default-scope). | | `client_assertion_type` | Required | The value must be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. | | `client_assertion` | Required | An assertion (a JSON web token) that you need to create and sign with the certificate you registered as credentials for your application. Read about [certificate credentials](active-directory-certificate-credentials.md) to learn how to register your certificate and the format of the assertion.| | `grant_type` | Required | Must be set to `client_credentials`. | @@ -211,7 +219,7 @@ A successful response looks like this: | Parameter | Description | | --- | --- | | `access_token` | The requested access token. The app can use this token to authenticate to the secured resource, such as to a Web API. | -| `token_type` | Indicates the token type value. The only type that Azure AD supports is `bearer`. | +| `token_type` | Indicates the token type value. The only type that Microsoft identity platform supports is `bearer`. | | `expires_in` | The amount of time that an access token is valid (in seconds). | ### Error response diff --git a/articles/active-directory/develop/v2-oauth2-device-code.md b/articles/active-directory/develop/v2-oauth2-device-code.md index 6077780b0a36a..947ebc8e9d025 100644 --- a/articles/active-directory/develop/v2-oauth2-device-code.md +++ b/articles/active-directory/develop/v2-oauth2-device-code.md 
@@ -1,5 +1,5 @@
 ---
-title: Use Azure AD v2.0 to sign in users on browser-less devices | Microsoft Docs
+title: Use Microsoft identity platform to sign in users on browser-less devices | Azure
 description: Build embedded and browser-less authentication flows using the device code grant.
 services: active-directory
 documentationcenter: ''
@@ -13,28 +13,27 @@ ms.subservice: develop ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 10/02/2018 +ms.topic: conceptual +ms.date: 04/12/2019 ms.author: celested ms.reviewer: hirsin ms.custom: aaddev ms.collection: M365-identity-device-management --- -# Azure Active Directory v2.0 and the OAuth 2.0 device code flow +# Microsoft identity platform and the OAuth 2.0 device code flow [!INCLUDE [active-directory-develop-applies-v2](../../../includes/active-directory-develop-applies-v2.md)] -Azure AD supports the [device code grant](https://tools.ietf.org/html/draft-ietf-oauth-device-flow-12), which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. To enable this flow, the device has the user visit a webpage in their browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed. +Microsoft identity platform supports the [device code grant](https://tools.ietf.org/html/draft-ietf-oauth-device-flow-12), which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. To enable this flow, the device has the user visit a webpage in their browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed. -> [!Important] -> At this time, the v2.0 endpoint only supports the device flow for Azure AD tenants, but not personal accounts. This means that you must use an endpoint set up as a tenant, or the organizations endpoint. +> [!IMPORTANT] +> At this time, the Microsoft identity platform endpoint only supports the device flow for Azure AD tenants, but not personal accounts. This means that you must use an endpoint set up as a tenant, or the `organizations` endpoint. > > Personal accounts that are invited to an Azure AD tenant will be able to use the device flow grant, but only in the context of the tenant. 
> [!NOTE] -> The v2.0 endpoint doesn't support all Azure Active Directory scenarios and features. To determine whether you should use the v2.0 endpoint, read about [v2.0 limitations](active-directory-v2-limitations.md). -> +> The Microsoft identity platform endpoint doesn't support all Azure Active Directory scenarios and features. To determine whether you should use the Microsoft identity platform endpoint, read about [Microsoft identity platform limitations](active-directory-v2-limitations.md). ## Protocol diagram @@ -46,6 +45,10 @@ The entire device code flow looks similar to the next diagram. We describe each The client must first check with the authentication server for a device and user code, used to initiate authentication. The client collects this request from the `/devicecode` endpoint. In this request, the client should also include the permissions it needs to acquire from the user. From the moment this request is sent, the user has only 15 minutes to sign in (the usual value for `expires_in`), so only make this request when the user has indicated they're ready to sign in. +> [!TIP] +> Try executing this request in Postman! +> [![Run in Postman](./media/v2-oauth2-auth-code-flow/runInPostman.png)](https://app.getpostman.com/run-collection/f77994d794bab767596d) + ``` // Line breaks are for legibility only. 
@@ -59,9 +62,9 @@ scope=user.read%20openid%20profile | Parameter | Condition | Description | | --- | --- | --- | -| tenant |Required |The directory tenant that you want to request permission from. This can be in GUID or friendly name format. | -| client_id |Required |The Application ID that the [Application Registration Portal](https://apps.dev.microsoft.com/?referrer=https://azure.microsoft.com/documentation/articles&deeplink=/appList) assigned to your app. | -| scope | Recommended | A space-separated list of [scopes](v2-permissions-and-consent.md) that you want the user to consent to. | +| `tenant` | Required |The directory tenant that you want to request permission from. This can be in GUID or friendly name format. | +| `client_id` | Required | The **Application (client) ID** that the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. | +| `scope` | Recommended | A space-separated list of [scopes](v2-permissions-and-consent.md) that you want the user to consent to. | ### Device authorization response 
@@ -69,17 +72,17 @@ A successful response will be a JSON object containing the required information | Parameter | Format | Description | | --- | --- | --- | -|`device_code` |String| A long string used to verify the session between the client and the authorization server. This is used by the client to request the access token from the authorization server. | -|`user_code` |String| A short string shown to the user, used to identify the session on a secondary device.| -|`verification_uri`|URI| The URI the user should go to with the `user_code` in order to sign in. | +|`device_code` | String | A long string used to verify the session between the client and the authorization server. This is used by the client to request the access token from the authorization server. | +|`user_code` | String | A short string shown to the user, used to identify the session on a secondary device.| +|`verification_uri`| URI | The URI the user should go to with the `user_code` in order to sign in. | |`verification_uri_complete`|URI| A URI combining the `user_code` and the `verification_uri`, used for non-textual transmission to the user (for example, via Bluetooth to a device, or through a QR code). | -|`expires_in` |int| The number of seconds before the `device_code` and `user_code` expire. | -|`interval` |int| The number of seconds the client should wait between polling requests. | -| `message` |String| A human-readable string with instructions for the user. This can be localized by including a **query parameter** in the request of the form `?mkt=xx-XX`, filling in the appropriate language culture code. | +|`expires_in` | int| The number of seconds before the `device_code` and `user_code` expire. | +|`interval` | int | The number of seconds the client should wait between polling requests. | +| `message` | String | A human-readable string with instructions for the user. 
This can be localized by including a **query parameter** in the request of the form `?mkt=xx-XX`, filling in the appropriate language culture code. | ## Authenticating the user -After receiving the `user_code` and `verification_uri`, the client displays these to the user, instructing them to log in using their mobile phone or PC browser. Additionally, the client can use a QR code or similar mechanism to display the `verfication_uri_complete`, which will take the step of entering the `user_code` for the user. +After receiving the `user_code` and `verification_uri`, the client displays these to the user, instructing them to sign in using their mobile phone or PC browser. Additionally, the client can use a QR code or similar mechanism to display the `verfication_uri_complete`, which will take the step of entering the `user_code` for the user. While the user is authenticating at the `verification_uri`, the client should be polling the `/token` endpoint for the requested token using the `device_code`. 
@@ -92,22 +95,22 @@ client_id: 6731de76-14a6-49ae-97bc-6eba6914391e device_code: GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8 ``` -|Parameter | Required | Description| +| Parameter | Required | Description| | -------- | -------- | ---------- | -|`grant_type` | Required| Must be `urn:ietf:params:oauth:grant-type:device_code`| -|`client_id` | Required| Must match the `client_id` used in the initial request. | -|`device_code`| Required| The `device_code` returned in the device authorization request. | +| `grant_type` | Required | Must be `urn:ietf:params:oauth:grant-type:device_code`| +| `client_id` | Required | Must match the `client_id` used in the initial request. | +| `device_code`| Required | The `device_code` returned in the device authorization request. | ### Expected errors Because the device code flow is a polling protocol, your client must expect to receive errors before the user has finished authenticating. | Error | Description | Client Action | -|------ | ----------- | -------------| -| `authorization_pending` | The user has not yet finished authenticating, but has not canceled the flow. | Repeat the request after at least `interval` seconds. | -| `authorization_declined`| The end user denied the authorization request.| Stop polling, and revert to an unauthenticated state. | +| ------ | ----------- | -------------| +| `authorization_pending` | The user has not yet finished authenticating, but has not canceled the flow. | Repeat the request after at least `interval` seconds. | +| `authorization_declined` | The end user denied the authorization request.| Stop polling, and revert to an unauthenticated state. | | `bad_verification_code`|The `device_code` sent to the `/token` endpoint was not recognized. | Verify that the client is sending the correct `device_code` in the request. | -| `expired_token`| At least `expires_in` seconds have passed, and authentication is no longer possible with this `device_code`. 
| Stop polling, and revert to an unauthenticated state. | +| `expired_token` | At least `expires_in` seconds have passed, and authentication is no longer possible with this `device_code`. | Stop polling, and revert to an unauthenticated state. | ### Successful authentication response @@ -127,11 +130,11 @@ A successful token response will look like: | Parameter | Format | Description | | --------- | ------ | ----------- | -|`token_type` | String| Always "Bearer. | -|`scope` | Space separated strings | If an access token was returned, this lists the scopes the access token is valid for. | -|`expires_in`| int | Number of seconds before the included access token is valid for. | -|`access_token`| Opaque string | Issued for the [scopes](v2-permissions-and-consent.md) that were requested. | -|`id_token` | JWT | Issued if the original `scope` parameter included the `openid` scope. | -|`refresh_token` | Opaque string | Issued if the original `scope` parameter included `offline_access`. | +| `token_type` | String| Always "Bearer. | +| `scope` | Space separated strings | If an access token was returned, this lists the scopes the access token is valid for. | +| `expires_in`| int | Number of seconds before the included access token is valid for. | +| `access_token`| Opaque string | Issued for the [scopes](v2-permissions-and-consent.md) that were requested. | +| `id_token` | JWT | Issued if the original `scope` parameter included the `openid` scope. | +| `refresh_token` | Opaque string | Issued if the original `scope` parameter included `offline_access`. | The refresh token can be used to acquire new access tokens and refresh tokens using the same flow detailed in the [OAuth Code flow documentation](v2-oauth2-auth-code-flow.md#refresh-the-access-token). diff --git a/articles/active-directory/develop/v2-oauth2-implicit-grant-flow.md b/articles/active-directory/develop/v2-oauth2-implicit-grant-flow.md index 95012e65e6af9..074d1c5d152fb 100644 
--- a/articles/active-directory/develop/v2-oauth2-implicit-grant-flow.md
+++ b/articles/active-directory/develop/v2-oauth2-implicit-grant-flow.md
@@ -1,6 +1,6 @@
 ---
-title: Secure single-page applications using the Azure AD v2.0 implicit flow | Microsoft Docs
-description: Building web applications using Azure AD's v2.0 implementation of the implicit flow for single-page apps.
+title: Secure single-page applications using the Microsoft identity platform implicit flow | Azure
+description: Building web applications using Microsoft identity platform implementation of the implicit flow for single-page apps.
 services: active-directory
 documentationcenter: ''
 author: CelesteDG
@@ -13,45 +13,45 @@ ms.subservice: develop ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 10/02/2018 +ms.topic: conceptual +ms.date: 04/12/2019 ms.author: celested ms.reviewer: hirsin ms.custom: aaddev ms.collection: M365-identity-device-management --- -# v2.0 Protocols - SPAs using the implicit flow +# Microsoft identity platform and Implicit grant flow [!INCLUDE [active-directory-develop-applies-v2](../../../includes/active-directory-develop-applies-v2.md)] -With the v2.0 endpoint, you can sign users into your single-page apps with both personal and work or school accounts from Microsoft. Single-page and other JavaScript apps that run primarily in a browser face a few interesting challenges when it comes to authentication: +With the Microsoft identity platform endpoint, you can sign users into your single-page apps with both personal and work or school accounts from Microsoft. Single-page and other JavaScript apps that run primarily in a browser face a few interesting challenges when it comes to authentication: * The security characteristics of these apps are significantly different from traditional server-based web applications. * Many authorization servers and identity providers do not support CORS requests. * Full page browser redirects away from the app become particularly invasive to the user experience. -For these applications (AngularJS, Ember.js, React.js, etc), Azure Active Directory (Azure AD) supports the OAuth 2.0 Implicit Grant flow. The implicit flow is described in the [OAuth 2.0 Specification](https://tools.ietf.org/html/rfc6749#section-4.2). Its primary benefit is that it allows the app to get tokens from Azure AD without performing a backend server credential exchange. This allows the app to sign in the user, maintain session, and get tokens to other web APIs all within the client JavaScript code. 
There are a few important security considerations to take into account when using the implicit flow specifically around [client](https://tools.ietf.org/html/rfc6749#section-10.3) and [user impersonation](https://tools.ietf.org/html/rfc6749#section-10.3). +For these applications (AngularJS, Ember.js, React.js, and so on), Microsoft identity platform supports the OAuth 2.0 Implicit Grant flow. The implicit flow is described in the [OAuth 2.0 Specification](https://tools.ietf.org/html/rfc6749#section-4.2). Its primary benefit is that it allows the app to get tokens from Microsoft identity platform without performing a backend server credential exchange. This allows the app to sign in the user, maintain session, and get tokens to other web APIs all within the client JavaScript code. There are a few important security considerations to take into account when using the implicit flow specifically around [client](https://tools.ietf.org/html/rfc6749#section-10.3) and [user impersonation](https://tools.ietf.org/html/rfc6749#section-10.3). -If you want to use the implicit flow and Azure AD to add authentication to your JavaScript app, we recommend you use the open source JavaScript library, [msal.js](https://github.com/AzureAD/microsoft-authentication-library-for-js). +If you want to use the implicit flow and Microsoft identity platform to add authentication to your JavaScript app, we recommend you use the open-source JavaScript library, [msal.js](https://github.com/AzureAD/microsoft-authentication-library-for-js). However, if you prefer not to use a library in your single-page app and send protocol messages yourself, follow the general steps below. > [!NOTE] -> Not all Azure AD scenarios and features are supported by the v2.0 endpoint. To determine if you should use the v2.0 endpoint, read about [v2.0 limitations](active-directory-v2-limitations.md). +> Not all Azure Active Directory (Azure AD) scenarios and features are supported by the Microsoft identity platform endpoint. 
To determine if you should use the Microsoft identity platform endpoint, read about [Microsoft identity platform limitations](active-directory-v2-limitations.md). ## Protocol diagram The following diagram shows what the entire implicit sign-in flow looks like and the sections that follow describe each step in more detail. -![OpenId Connect Swimlanes](./media/v2-oauth2-implicit-grant-flow/convergence_scenarios_implicit.png) +![OpenID Connect swimlanes](./media/v2-oauth2-implicit-grant-flow/convergence-scenarios-implicit.svg) ## Send the sign-in request -To initially sign the user into your app, you can send an [OpenID Connect](v2-protocols-oidc.md) authorization request and get an `id_token` from the v2.0 endpoint. +To initially sign the user into your app, you can send an [OpenID Connect](v2-protocols-oidc.md) authorization request and get an `id_token` from the Microsoft identity platform endpoint. > [!IMPORTANT] -> To successfully request an ID token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the implicit grant flow enabled correctly, by selecting **Access tokens** and **ID tokens** under the **Implicit grant** section. If it is not enabled, an `unsupported_response` error will be returned: **The provided value for the input parameter 'response_type' is not allowed for this client. Expected value is 'code'** +> To successfully request an ID token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the implicit grant flow enabled correctly, by selecting **Access tokens** and **ID tokens** under the **Implicit grant** section. If it's not enabled, an `unsupported_response` error will be returned: **The provided value for the input parameter 'response_type' is not allowed for this client. Expected value is 'code'** ``` // Line breaks for legibility only 
@@ -73,20 +73,20 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e | Parameter | | Description | | --- | --- | --- | | `tenant` | required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). | -| `client_id` | required |The Application (client) ID that the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. | +| `client_id` | required | The Application (client) ID that the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. | | `response_type` | required |Must include `id_token` for OpenID Connect sign-in. It may also include the response_type `token`. Using `token` here will allow your app to receive an access token immediately from the authorize endpoint without having to make a second request to the authorize endpoint. If you use the `token` response_type, the `scope` parameter must contain a scope indicating which resource to issue the token for. | | `redirect_uri` | recommended |The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be url encoded. | | `scope` | required |A space-separated list of [scopes](v2-permissions-and-consent.md). For OpenID Connect, it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. Optionally you may also want to include the `email` or `profile` scopes for gaining access to additional user data. You may also include other scopes in this request for requesting consent to various resources. | | `response_mode` | optional |Specifies the method that should be used to send the resulting token back to your app. 
Defaults to query for an access token, but fragment if the request includes an id_token. | | `state` | recommended |A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for [preventing cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The state is also used to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. | | `nonce` | required |A value included in the request, generated by the app, that will be included in the resulting id_token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Only required when an id_token is requested. | -| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are 'login', 'none', 'select_account', and 'consent'. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user is not presented with any interactive prompt whatsoever. If the request cannot be completed silently via single-sign on, the v2.0 endpoint will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. | +| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are 'login', 'none', 'select_account', and 'consent'. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. 
`prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform endpoint will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. | | `login_hint` |optional |Can be used to pre-fill the username/email address field of the sign in page for the user, if you know their username ahead of time. Often apps will use this parameter during re-authentication, having already extracted the username from a previous sign-in using the `preferred_username` claim.| -| `domain_hint` | optional |Can be one of `consumers` or `organizations`. If included, it will skip the email-based discovery process that user goes through on the v2.0 sign in page, leading to a slightly more streamlined user experience. Often apps will use this parameter during re-authentication, by extracting the `tid` claim from the id_token. If the `tid` claim value is `9188040d-6c67-4c5b-b112-36a304b66dad` (the Microsoft Account consumer tenant), you should use `domain_hint=consumers`. Otherwise, you can use `domain_hint=organizations` during re-authentication. | +| `domain_hint` | optional |Can be one of `consumers` or `organizations`. If included, it will skip the email-based discovery process that user goes through on the sign in page, leading to a slightly more streamlined user experience. Often apps will use this parameter during re-authentication, by extracting the `tid` claim from the id_token. If the `tid` claim value is `9188040d-6c67-4c5b-b112-36a304b66dad` (the Microsoft Account consumer tenant), you should use `domain_hint=consumers`. Otherwise, you can use `domain_hint=organizations` during re-authentication. 
| -At this point, the user will be asked to enter their credentials and complete the authentication. The v2.0 endpoint will also ensure that the user has consented to the permissions indicated in the `scope` query parameter. If the user has consented to **none** of those permissions, it will ask the user to consent to the required permissions. For more info, see [permissions, consent, and multi-tenant apps](v2-permissions-and-consent.md). +At this point, the user will be asked to enter their credentials and complete the authentication. The Microsoft identity platform endpoint will also ensure that the user has consented to the permissions indicated in the `scope` query parameter. If the user has consented to **none** of those permissions, it will ask the user to consent to the required permissions. For more info, see [permissions, consent, and multi-tenant apps](v2-permissions-and-consent.md). -Once the user authenticates and grants consent, the v2.0 endpoint will return a response to your app at the indicated `redirect_uri`, using the method specified in the `response_mode` parameter. +Once the user authenticates and grants consent, the Microsoft identity platform endpoint will return a response to your app at the indicated `redirect_uri`, using the method specified in the `response_mode` parameter. #### Successful response 
@@ -104,11 +104,11 @@ access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q.. | Parameter | Description | | --- | --- | -| `access_token` |Included if `response_type` includes `token`. The access token that the app requested, in this case for the Microsoft Graph. The access token should not be decoded or otherwise inspected, it should be treated as an opaque string. | +| `access_token` |Included if `response_type` includes `token`. The access token that the app requested, in this case for the Microsoft Graph. The access token shouldn't be decoded or otherwise inspected, it should be treated as an opaque string. | | `token_type` |Included if `response_type` includes `token`. Will always be `Bearer`. | | `expires_in`|Included if `response_type` includes `token`. Indicates the number of seconds the token is valid, for caching purposes. | -| `scope` |Included if `response_type` includes `token`. Indicates the scope(s) for which the access_token will be valid. May not include all of the scopes requested, if they were not applicable to the user (in the case of AAD-only scopes being requested when an personal account is used to log in). | -| `id_token` | A signed JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token reference`](id-tokens.md).
**Note:** Only provided if `openid` scope was requested. | +| `scope` |Included if `response_type` includes `token`. Indicates the scope(s) for which the access_token will be valid. May not include all of the scopes requested, if they were not applicable to the user (in the case of Azure AD-only scopes being requested when a personal account is used to log in). | +| `id_token` | A signed JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token reference`](id-tokens.md).
**Note:** Only provided if `openid` scope was requested. | | `state` |If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. | #### Error response 
@@ -128,9 +128,9 @@ error=access_denied ## Validate the id_token -Just receiving an id_token is not sufficient to authenticate the user; you must also validate the id_token's signature and verify the claims in the token based on your app's requirements. The v2.0 endpoint uses [JSON Web Tokens (JWTs)](https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html) and public key cryptography to sign tokens and verify that they are valid. +Just receiving an id_token isn't sufficient to authenticate the user; you must also validate the id_token's signature and verify the claims in the token based on your app's requirements. The Microsoft identity platform endpoint uses [JSON Web Tokens (JWTs)](https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html) and public key cryptography to sign tokens and verify that they're valid. -You can choose to validate the `id_token` in client code, but a common practice is to send the `id_token` to a backend server and perform the validation there. Once you've validated the signature of the id_token, there are a few claims you will be required to verify. See the [`id_token` reference](id-tokens.md) for more information, including [validating tokens](id-tokens.md#validating-an-id_token) and [important information about signing key rollover](active-directory-signing-key-rollover.md). We recommend making use of a library for parsing and validating tokens - there is at least one available for most languages and platforms. +You can choose to validate the `id_token` in client code, but a common practice is to send the `id_token` to a backend server and perform the validation there. Once you've validated the signature of the id_token, there are a few claims you'll be required to verify. See the [`id_token` reference](id-tokens.md) for more information, including [validating tokens](id-tokens.md#validating-an-id_token) and [important information about signing key rollover](active-directory-signing-key-rollover.md). 
We recommend making use of a library for parsing and validating tokens - there is at least one available for most languages and platforms. You may also wish to validate additional claims depending on your scenario. Some common validations include: 
@@ -138,13 +138,13 @@ You may also wish to validate additional claims depending on your scenario. Some * Ensuring the user has proper authorization/privileges. * Ensuring a certain strength of authentication has occurred, such as multi-factor authentication. -Once you have completely validated the id_token, you can begin a session with the user and use the claims in the id_token to obtain information about the user in your app. This information can be used for display, records, personalization, etc. +Once you have validated the id_token, you can begin a session with the user and use the claims in the id_token to obtain information about the user in your app. This information can be used for display, records, personalization, and more. ## Get access tokens -Now that you've signed the user into your single-page app, you can get access tokens for calling web APIs secured by Azure AD, such as the [Microsoft Graph](https://developer.microsoft.com/graph). Even if you already received a token using the `token` response_type, you can use this method to acquire tokens to additional resources without having to redirect the user to sign in again. +Now that you've signed the user into your single-page app, you can get access tokens for calling web APIs secured by Microsoft identity platform, such as the [Microsoft Graph](https://developer.microsoft.com/graph). Even if you already received a token using the `token` response_type, you can use this method to acquire tokens to additional resources without having to redirect the user to sign in again. -In the normal OpenID Connect/OAuth flow, you would do this by making a request to the v2.0 `/token` endpoint. However, the v2.0 endpoint does not support CORS requests, so making AJAX calls to get and refresh tokens is out of the question. 
Instead, you can use the implicit flow in a hidden iframe to get new tokens for other web APIs: +In the normal OpenID Connect/OAuth flow, you would do this by making a request to the Microsoft identity platform `/token` endpoint. However, the Microsoft identity platform endpoint does not support CORS requests, so making AJAX calls to get and refresh tokens is out of the question. Instead, you can use the implicit flow in a hidden iframe to get new tokens for other web APIs: ``` // Line breaks for legibility only @@ -186,14 +186,13 @@ access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q.. | Parameter | Description | | --- | --- | -| `access_token` |Included if `response_type` includes `token`. The access token that the app requested, in this case for the Microsoft Graph. The access token should not be decoded or otherwise inspected, it should be treated as an opaque string. | +| `access_token` |Included if `response_type` includes `token`. The access token that the app requested, in this case for the Microsoft Graph. The access token shouldn't be decoded or otherwise inspected, it should be treated as an opaque string. | | `token_type` | Will always be `Bearer`. | | `expires_in` | Indicates the number of seconds the token is valid, for caching purposes. | -| `scope` | Indicates the scope(s) for which the access_token will be valid. May not include all of the scopes requested, if they were not applicable to the user (in the case of AAD-only scopes being requested when an personal account is used to log in). | -| `id_token` | A signed JSON Web Token (JWT). Included if `response_type` includes `id_token`. The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token` reference](id-tokens.md).
**Note:** Only provided if `openid` scope was requested. | +| `scope` | Indicates the scope(s) for which the access_token will be valid. May not include all of the scopes requested, if they were not applicable to the user (in the case of Azure AD-only scopes being requested when a personal account is used to log in). | +| `id_token` | A signed JSON Web Token (JWT). Included if `response_type` includes `id_token`. The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token` reference](id-tokens.md).
**Note:** Only provided if `openid` scope was requested. | | `state` |If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. | - #### Error response Error responses may also be sent to the `redirect_uri` so the app can handle them appropriately. In the case of `prompt=none`, an expected error will be: 
@@ -213,21 +212,21 @@ If you receive this error in the iframe request, the user must interactively sig ## Validating access tokens -Once you receive an access_token, make sure to validate the signature of the token as well as the following claims. You may also choose to validate additional claims based on your scenario. +Once you receive an access_token, make sure to validate the signature of the token as well as the following claims. You may also choose to validate additional claims based on your scenario. * **audience** claim, to ensure that the token was intended to be given to your app -* **issuer** claim, to verify that the token was issued to your app by the v2.0 endpoint +* **issuer** claim, to verify that the token was issued to your app by the Microsoft identity platform endpoint * **not before** and **expiration time** claims, to verify that the token has not expired For more information about the claims present in the access token, see the [access token reference](access-tokens.md) ## Refreshing tokens -The implicit grant does not provide refresh tokens. Both `id_token`s and `access_token`s will expire after a short period of time, so your app must be prepared to refresh these tokens periodically. To refresh either type of token, you can perform the same hidden iframe request from above using the `prompt=none` parameter to control Azure AD's behavior. If you want to receive a new `id_token`, be sure to use `response_type=id_token` and `scope=openid`, as well as a `nonce` parameter. +The implicit grant does not provide refresh tokens. Both `id_token`s and `access_token`s will expire after a short period of time, so your app must be prepared to refresh these tokens periodically. To refresh either type of token, you can perform the same hidden iframe request from above using the `prompt=none` parameter to control the identity platform's behavior. 
If you want to receive a new `id_token`, be sure to use `response_type=id_token` and `scope=openid`, as well as a `nonce` parameter. ## Send a sign out request -The OpenIdConnect `end_session_endpoint` allows your app to send a request to the v2.0 endpoint to end a user's session and clear cookies set by the v2.0 endpoint. To fully sign a user out of a web application, your app should end its own session with the user (usually by clearing a token cache or dropping cookies), and then redirect the browser to: +The OpenID Connect `end_session_endpoint` allows your app to send a request to the Microsoft identity platform endpoint to end a user's session and clear cookies set by the Microsoft identity platform endpoint. To fully sign a user out of a web application, your app should end its own session with the user (usually by clearing a token cache or dropping cookies), and then redirect the browser to: ``` https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout?post_logout_redirect_uri=https://localhost/myapp/ 
@@ -236,7 +235,7 @@ https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout?post_logout_redire
 | Parameter | | Description |
 | --- | --- | --- |
 | `tenant` |required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). |
-| `post_logout_redirect_uri` | recommended | The URL that the user should be returned to after logout completes. This value must match one of the redirect URIs registered for the application. If not included, the user will be shown a generic message by the v2.0 endpoint. |
+| `post_logout_redirect_uri` | recommended | The URL that the user should be returned to after logout completes. This value must match one of the redirect URIs registered for the application. If not included, the user will be shown a generic message by the Microsoft identity platform endpoint. |
 ## Next steps
diff --git a/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md b/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md
index 10328c4fba8f8..211529342c886 100644
--- a/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md
+++ b/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md
@@ -1,5 +1,5 @@
 ---
-title: Azure AD v2.0 OAuth2.0 On-Behalf-Of flow | Microsoft Docs
+title: Microsoft identity platform and OAuth2.0 On-Behalf-Of flow | Azure
 description: This article describes how to use HTTP messages to implement service to service authentication using the OAuth2.0 On-Behalf-Of flow.
 services: active-directory
 documentationcenter: ''
@@ -14,25 +14,23 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 02/07/2019
+ms.date: 04/05/2019
 ms.author: celested
 ms.reviewer: hirsin
 ms.custom: aaddev
 ms.collection: M365-identity-device-management
 ---
-# Azure Active Directory v2.0 and OAuth 2.0 On-Behalf-Of flow
+# Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow
 [!INCLUDE [active-directory-develop-applies-v2](../../../includes/active-directory-develop-applies-v2.md)]
-The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from Azure Active Directory (Azure AD), on behalf of the user.
+The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
 > [!NOTE]
-> The v2.0 endpoint doesn't support all Azure AD scenarios and features. To determine whether you should use the v2.0 endpoint, read about [v2.0 limitations](active-directory-v2-limitations.md). Specifically, known client applications are not supported for apps with Microsoft account (MSA) and Azure AD audiences. Thus, a common consent pattern for OBO will not work for clients that sign in both personal and work or school accounts. To learn more about how to handle this step of the flow, see [Gaining consent for the middle-tier application](#gaining-consent-for-the-middle-tier-application).
-
-
-> [!IMPORTANT]
-> As of May 2018, some implicit-flow derived `id_token` can't be used for OBO flow. Single-page apps (SPAs) should pass an **access** token to a middle-tier confidential client to perform OBO flows instead. For more info about which clients can perform OBO calls, see [limitations](#client-limitations).
+>
+> - The Microsoft identity platform endpoint doesn't support all scenarios and features. To determine whether you should use the Microsoft identity platform endpoint, read about [Microsoft identity platform limitations](active-directory-v2-limitations.md). Specifically, known client applications aren't supported for apps with Microsoft account (MSA) and Azure AD audiences. Thus, a common consent pattern for OBO will not work for clients that sign in both personal and work or school accounts. To learn more about how to handle this step of the flow, see [Gaining consent for the middle-tier application](#gaining-consent-for-the-middle-tier-application).
+> - As of May 2018, some implicit-flow derived `id_token` can't be used for OBO flow. Single-page apps (SPAs) should pass an **access** token to a middle-tier confidential client to perform OBO flows instead. For more info about which clients can perform OBO calls, see [limitations](#client-limitations).
 ## Protocol diagram
@@ -40,20 +38,20 @@ Assume that the user has been authenticated on an application using the [OAuth 2
 The steps that follow constitute the OBO flow and are explained with the help of the following diagram.
-![OAuth2.0 On-Behalf-Of flow](./media/v1-oauth2-on-behalf-of-flow/active-directory-protocols-oauth-on-behalf-of-flow.png)
+![OAuth2.0 On-Behalf-Of flow](./media/v2-oauth2-on-behalf-of-flow/protocols-oauth-on-behalf-of-flow.png)
 1. The client application makes a request to API A with token A (with an `aud` claim of API A).
-1. API A authenticates to the Azure AD token issuance endpoint and requests a token to access API B.
-1. The Azure AD token issuance endpoint validates API A's credentials with token A and issues the access token for API B (token B).
+1. API A authenticates to the Microsoft identity platform token issuance endpoint and requests a token to access API B.
+1. The Microsoft identity platform token issuance endpoint validates API A's credentials with token A and issues the access token for API B (token B).
 1. Token B is set in the authorization header of the request to API B.
 1. Data from the secured resource is returned by API B.
 > [!NOTE]
-> In this scenario, the middle-tier service has no user interaction to obtain the user's consent to access the downstream API. Therefore, the option to grant access to the downstream API is presented upfront as a part of the consent step during authentication. To learn how to set this up for your app, see [Gaining consent for the middle-tier application](#gaining-consent-for-the-middle-tier-application).
+> In this scenario, the middle-tier service has no user interaction to obtain the user's consent to access the downstream API. Therefore, the option to grant access to the downstream API is presented upfront as a part of the consent step during authentication. To learn how to set this up for your app, see [Gaining consent for the middle-tier application](#gaining-consent-for-the-middle-tier-application).
 ## Service-to-service access token request
-To request an access token, make an HTTP POST to the tenant-specific v2.0 token endpoint with the following parameters.
+To request an access token, make an HTTP POST to the tenant-specific Microsoft identity platform token endpoint with the following parameters.
 ```
 https://login.microsoftonline.com//oauth2/v2.0/token
@@ -135,7 +133,7 @@ A success response is a JSON OAuth 2.0 response with the following parameters.
 | Parameter | Description |
 | --- | --- |
-| `token_type` | Indicates the token type value. The only type that Azure AD supports is `Bearer`. For more info about bearer tokens, see the [OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)](https://www.rfc-editor.org/rfc/rfc6750.txt). |
+| `token_type` | Indicates the token type value. The only type that Microsoft identity platform supports is `Bearer`. For more info about bearer tokens, see the [OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)](https://www.rfc-editor.org/rfc/rfc6750.txt). |
 | `scope` | The scope of access granted in the token. |
 | `expires_in` | The length of time, in seconds, that the access token is valid. |
 | `access_token` | The requested access token. The calling service can use this token to authenticate to the receiving service. |
@@ -157,7 +155,7 @@ The following example shows a success response to a request for an access token
 ```
 > [!NOTE]
-> The above access token is a v1.0-formatted token. This is because the token is provided based on the resource being accessed. The Microsoft Graph requests v1.0 tokens, so Azure AD produces v1.0 access tokens when a client requests tokens for Microsoft Graph. Only applications should look at access tokens. Clients should not need to inspect them.
+> The above access token is a v1.0-formatted token. This is because the token is provided based on the resource being accessed. The Microsoft Graph requests v1.0 tokens, so Microsoft identity platform produces v1.0 access tokens when a client requests tokens for Microsoft Graph. Only applications should look at access tokens. Clients should not need to inspect them.
 ### Error response example
@@ -189,15 +187,15 @@ Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCbmZpRy1tQTZOVG ## Gaining consent for the middle-tier application -Depending on the audience for your application, you may consider different strategies for ensuring that the OBO flow is successful. In all cases, the ultimate goal is to ensure proper consent is given. How that occurs, however, depends on which users your application supports. +Depending on the audience for your application, you may consider different strategies for ensuring that the OBO flow is successful. In all cases, the ultimate goal is to ensure proper consent is given. How that occurs, however, depends on which users your application supports. ### Consent for Azure AD-only applications #### /.default and combined consent -For applications that only need to sign in work or school accounts, the traditional "Known Client Applications" approach is sufficient. The middle tier application adds the client to the known client applications list in its manifest, and then the client can trigger a combined consent flow for both itself and the middle tier application. On the v2.0 endpoint, this is done using the [`/.default` scope](v2-permissions-and-consent.md#the-default-scope). When triggering a consent screen using known client applications and `/.default`, the consent screen will show permissions for both the client to the middle tier API, and also request whatever permissions are required by the middle-tier API. The user provides consent for both applications, and then the OBO flow works. +For applications that only need to sign in work or school accounts, the traditional "Known Client Applications" approach is sufficient. The middle tier application adds the client to the known client applications list in its manifest, and then the client can trigger a combined consent flow for both itself and the middle tier application. 
On the Microsoft identity platform endpoint, this is done using the [`/.default` scope](v2-permissions-and-consent.md#the-default-scope). When triggering a consent screen using known client applications and `/.default`, the consent screen will show permissions for both the client to the middle tier API, and also request whatever permissions are required by the middle-tier API. The user provides consent for both applications, and then the OBO flow works. -At this time, the personal Microsoft account system does not support combined consent and so this approach does not work for apps that want to specifically sign in personal accounts. Personal Microsoft accounts being used as guest accounts in a tenant are handled using the Azure AD system, and can go through combined consent. +At this time, the personal Microsoft account system does not support combined consent and so this approach does not work for apps that want to specifically sign in personal accounts. Personal Microsoft accounts being used as guest accounts in a tenant are handled using the Azure AD system, and can go through combined consent. #### Pre-authorized applications 
@@ -205,24 +203,24 @@ A feature of the application portal is "pre-authorized applications". In this wa
 #### Admin consent
-A tenant admin can guarantee that applications have permission to call their required APIs by providing admin consent for the middle tier application. To do this, the admin can find the middle tier application in their tenant, open the required permissions page, and choose to give permission for the app. To learn more about admin consent, see the [consent and permissions documentation](v2-permissions-and-consent.md).
+A tenant admin can guarantee that applications have permission to call their required APIs by providing admin consent for the middle tier application. To do this, the admin can find the middle tier application in their tenant, open the required permissions page, and choose to give permission for the app. To learn more about admin consent, see the [consent and permissions documentation](v2-permissions-and-consent.md).
 ### Consent for Azure AD + Microsoft account applications
-Due to restrictions in the permissions model for personal accounts and the lack of a governing tenant, the consent requirements for personal accounts are a bit different from Azure AD. There is no tenant to provide tenant-wide consent for, nor is there the ability to do combined consent. Thus, other strategies present themselves - note that these work for applications that only need to support Azure AD accounts as well.
+Because of restrictions in the permissions model for personal accounts and the lack of a governing tenant, the consent requirements for personal accounts are a bit different from Azure AD. There is no tenant to provide tenant-wide consent for, nor is there the ability to do combined consent. Thus, other strategies present themselves - note that these work for applications that only need to support Azure AD accounts as well.
 #### Use of a single application
-In some scenarios, you may only have a single pairing of middle-tier and front-end client. In this scenario, you may find it easier to make this a single application, negating the need for a middle-tier application altogether. To authenticate between the front-end and the web API, you can use cookies, an id_token, or an access token requested for the application itself. Then, request consent from this single application to the back-end resource.
+In some scenarios, you may only have a single pairing of middle-tier and front-end client. In this scenario, you may find it easier to make this a single application, negating the need for a middle-tier application altogether. To authenticate between the front-end and the web API, you can use cookies, an id_token, or an access token requested for the application itself. Then, request consent from this single application to the back-end resource.
 ## Client limitations
-If a client uses the implicit flow to get an id_token, and that client also has wildcards in a reply URL, the id_token cannot be used for an OBO flow. However, access tokens acquired through the implicit grant flow can still be redeemed by a confidential client even if the initiating client has a wildcard reply URL registered.
+If a client uses the implicit flow to get an id_token, and that client also has wildcards in a reply URL, the id_token can't be used for an OBO flow. However, access tokens acquired through the implicit grant flow can still be redeemed by a confidential client even if the initiating client has a wildcard reply URL registered.
 ## Next steps
 Learn more about the OAuth 2.0 protocol and another way to perform service to service auth using client credentials.
-* [OAuth 2.0 client credentials grant in Azure AD v2.0](v2-oauth2-client-creds-grant-flow.md)
-* [OAuth 2.0 code flow in Azure AD v2.0](v2-oauth2-auth-code-flow.md)
-* [Using the `/.default` scope](v2-permissions-and-consent.md#the-default-scope)
+* [OAuth 2.0 client credentials grant in Microsoft identity platform](v2-oauth2-client-creds-grant-flow.md)
+* [OAuth 2.0 code flow in Microsoft identity platform](v2-oauth2-auth-code-flow.md)
+* [Using the `/.default` scope](v2-permissions-and-consent.md#the-default-scope)
diff --git a/articles/active-directory/develop/v2-permissions-and-consent.md b/articles/active-directory/develop/v2-permissions-and-consent.md
index 52d0285f887c4..38547ae1336e4 100644
--- a/articles/active-directory/develop/v2-permissions-and-consent.md
+++ b/articles/active-directory/develop/v2-permissions-and-consent.md
@@ -1,6 +1,6 @@
 ---
-title: Azure Active Directory v2.0 scopes, permissions, and consent | Microsoft Docs
-description: A description of authorization in the Azure AD v2.0 endpoint, including scopes, permissions, and consent.
+title: Microsoft identity platform scopes, permissions, and consent | Microsoft Docs
+description: A description of authorization in the Microsoft identity platform endpoint, including scopes, permissions, and consent.
 services: active-directory
 documentationcenter: ''
 author: CelesteDG
@@ -14,22 +14,22 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 04/01/2019
+ms.date: 04/12/2019
 ms.author: celested
 ms.reviewer: hirsin, jesakowi, jmprieur
 ms.custom: aaddev
 ms.custom: fasttrack-edit
-
 ms.collection: M365-identity-device-management
 ---
-# Permissions and consent in the Azure Active Directory v2.0 endpoint
+
+# Permissions and consent in the Microsoft identity platform endpoint
 [!INCLUDE [active-directory-develop-applies-v2](../../../includes/active-directory-develop-applies-v2.md)]
-Applications that integrate with Microsoft identity platform follow an authorization model that gives users and administrators control over how data can be accessed. The implementation of the authorization model has been updated on the v2.0 endpoint, and it changes how an app must interact with the Microsoft identity platform. This article covers the basic concepts of this authorization model, including scopes, permissions, and consent.
+Applications that integrate with Microsoft identity platform follow an authorization model that gives users and administrators control over how data can be accessed. The implementation of the authorization model has been updated on the Microsoft identity platform endpoint, and it changes how an app must interact with the Microsoft identity platform. This article covers the basic concepts of this authorization model, including scopes, permissions, and consent.
 > [!NOTE]
-> The v2.0 endpoint does not support all scenarios and features. To determine whether you should use the v2.0 endpoint, read about [v2.0 limitations](active-directory-v2-limitations.md).
+> The Microsoft identity platform endpoint does not support all scenarios and features. To determine whether you should use the Microsoft identity platform endpoint, read about [Microsoft identity platform limitations](active-directory-v2-limitations.md).
 ## Scopes and permissions
@@ -48,54 +48,55 @@ The same is true for any third-party resources that have integrated with the Mic * Write to a user's calendar * Send mail as a user -By defining these types of permissions, the resource has fine-grained control over its data and how API functionality is exposed. A third-party app can request these permissions from users and administrators, who must approve the request before the app can access data or act on a user's behalf. By chunking the resource's functionality into smaller permission sets, third-party apps can be built to request only the specific permissions that they need to perform their function. Users and administrators can know exactly what data the app has access to, and they can be more confident that it is not behaving with malicious intent. Developers should always abide by the concept of least privilege, asking for only the permissions they need for their applications to function. +By defining these types of permissions, the resource has fine-grained control over its data and how API functionality is exposed. A third-party app can request these permissions from users and administrators, who must approve the request before the app can access data or act on a user's behalf. By chunking the resource's functionality into smaller permission sets, third-party apps can be built to request only the specific permissions that they need to perform their function. Users and administrators can know exactly what data the app has access to, and they can be more confident that it isn't behaving with malicious intent. Developers should always abide by the concept of least privilege, asking for only the permissions they need for their applications to function. -In OAuth 2.0, these types of permissions are called *scopes*. They also often simply referred to as *permissions*. A permission is represented in the Microsoft identity platform as a string value. 
Continuing with the Microsoft Graph example, the string value for each permission is: +In OAuth 2.0, these types of permissions are called *scopes*. They also often referred to as *permissions*. A permission is represented in the Microsoft identity platform as a string value. Continuing with the Microsoft Graph example, the string value for each permission is: * Read a user's calendar by using `Calendars.Read` * Write to a user's calendar by using `Calendars.ReadWrite` * Send mail as a user using by `Mail.Send` -An app most commonly requests these permissions by specifying the scopes in requests to the v2.0 authorize endpoint. However, certain high privilege permissions can only be granted through administrator consent and generally requested/granted using the [administrator consent endpoint](v2-permissions-and-consent.md#admin-restricted-permissions). Read on to learn more. +An app most commonly requests these permissions by specifying the scopes in requests to the Microsoft identity platform authorize endpoint. However, certain high privilege permissions can only be granted through administrator consent and requested/granted using the [administrator consent endpoint](v2-permissions-and-consent.md#admin-restricted-permissions). Read on to learn more. ## Permission types Microsoft identity platform supports two types of permissions: **delegated permissions** and **application permissions**. -* **Delegated permissions** are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to the target resource. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require [administrator consent](v2-permissions-and-consent.md#admin-restricted-permissions). 
To learn which administrator roles can consent to delegated permissions, see [Administrator role permissions in Azure AD](../users-groups-roles/directory-assign-admin-roles.md). +* **Delegated permissions** are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests, and the app is delegated permission to act as the signed-in user when making calls to the target resource. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require [administrator consent](v2-permissions-and-consent.md#admin-restricted-permissions). To learn which administrator roles can consent to delegated permissions, see [Administrator role permissions in Azure AD](../users-groups-roles/directory-assign-admin-roles.md). * **Application permissions** are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be [consented by an administrator](v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant). -_Effective permissions_ are the permissions that your app will have when making requests to the target resource. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to the target resource. +_Effective permissions_ are the permissions that your app will have when making requests to the target resource. It's important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to the target resource. - For delegated permissions, the _effective permissions_ of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. 
Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. To learn which administrator roles can consent to delegated permissions, see [Administrator role permissions in Azure AD](../users-groups-roles/directory-assign-admin-roles.md). - For example, assume your app has been granted the _User.ReadWrite.All_ delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is a global administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user is not in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization because the user that it has permission to act on behalf of does not have those privileges. + + For example, assume your app has been granted the _User.ReadWrite.All_ delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is a global administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user isn't in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization because the user that it has permission to act on behalf of does not have those privileges. - For application permissions, the _effective permissions_ of your app will be the full level of privileges implied by the permission. For example, an app that has the _User.ReadWrite.All_ application permission can update the profile of every user in the organization. 
## OpenID Connect scopes -The v2.0 implementation of OpenID Connect has a few well-defined scopes that do not apply to a specific resource: `openid`, `email`, `profile`, and `offline_access`. The `address` and `phone` OpenID Connect scopes are not supported. +The Microsoft identity platform implementation of OpenID Connect has a few well-defined scopes that do not apply to a specific resource: `openid`, `email`, `profile`, and `offline_access`. The `address` and `phone` OpenID Connect scopes are not supported. ### openid -If an app performs sign-in by using [OpenID Connect](active-directory-v2-protocols.md), it must request the `openid` scope. The `openid` scope shows on the work account consent page as the "Sign you in" permission, and on the personal Microsoft account consent page as the "View your profile and connect to apps and services using your Microsoft account" permission. With this permission, an app can receive a unique identifier for the user in the form of the `sub` claim. It also gives the app access to the UserInfo endpoint. The `openid` scope can be used at the v2.0 token endpoint to acquire ID tokens, which can be used by the app for authentication. +If an app performs sign-in by using [OpenID Connect](active-directory-v2-protocols.md), it must request the `openid` scope. The `openid` scope shows on the work account consent page as the "Sign you in" permission, and on the personal Microsoft account consent page as the "View your profile and connect to apps and services using your Microsoft account" permission. With this permission, an app can receive a unique identifier for the user in the form of the `sub` claim. It also gives the app access to the UserInfo endpoint. The `openid` scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens, which can be used by the app for authentication. ### email -The `email` scope can be used with the `openid` scope and any others. 
It gives the app access to the user's primary email address in the form of the `email` claim. The `email` claim is included in a token only if an email address is associated with the user account, which is not always the case. If it uses the `email` scope, your app should be prepared to handle a case in which the `email` claim does not exist in the token. +The `email` scope can be used with the `openid` scope and any others. It gives the app access to the user's primary email address in the form of the `email` claim. The `email` claim is included in a token only if an email address is associated with the user account, which isn't always the case. If it uses the `email` scope, your app should be prepared to handle a case in which the `email` claim does not exist in the token. ### profile -The `profile` scope can be used with the `openid` scope and any others. It gives the app access to a substantial amount of information about the user. The information it can access includes, but is not limited to, the user's given name, surname, preferred username, and object ID. For a complete list of the profile claims available in the id_tokens parameter for a specific user, see the [`id_tokens` reference](id-tokens.md). +The `profile` scope can be used with the `openid` scope and any others. It gives the app access to a substantial amount of information about the user. The information it can access includes, but isn't limited to, the user's given name, surname, preferred username, and object ID. For a complete list of the profile claims available in the id_tokens parameter for a specific user, see the [`id_tokens` reference](id-tokens.md). ### offline_access -The [`offline_access` scope](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) gives your app access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the "Maintain access to data you have given it access to" permission. 
When a user approves the `offline_access` scope, your app can receive refresh tokens from the v2.0 token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire. +The [`offline_access` scope](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) gives your app access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the "Maintain access to data you have given it access to" permission. When a user approves the `offline_access` scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire. -If your app does not explicitly request the `offline_access` scope, it won't receive refresh tokens. This means that when you redeem an authorization code in the [OAuth 2.0 authorization code flow](active-directory-v2-protocols.md), you'll receive only an access token from the `/token` endpoint. The access token is valid for a short time. The access token usually expires in one hour. At that point, your app needs to redirect the user back to the `/authorize` endpoint to get a new authorization code. During this redirect, depending on the type of app, the user might need to enter their credentials again or consent again to permissions. Note that while the `offline_access` scope is automatically requested by the server, your client must still request it in order to receive the refresh tokens. +If your app does not explicitly request the `offline_access` scope, it won't receive refresh tokens. This means that when you redeem an authorization code in the [OAuth 2.0 authorization code flow](active-directory-v2-protocols.md), you'll receive only an access token from the `/token` endpoint. The access token is valid for a short time. The access token usually expires in one hour. 
At that point, your app needs to redirect the user back to the `/authorize` endpoint to get a new authorization code. During this redirect, depending on the type of app, the user might need to enter their credentials again or consent again to permissions. While the `offline_access` scope is automatically requested by the server, your client must still request it in order to receive the refresh tokens. -For more information about how to get and use refresh tokens, see the [v2.0 protocol reference](active-directory-v2-protocols.md). +For more information about how to get and use refresh tokens, see the [Microsoft identity platform protocol reference](active-directory-v2-protocols.md). ## Requesting individual user consent 
@@ -115,7 +116,7 @@ https%3A%2F%2Fgraph.microsoft.com%2Fmail.send The `scope` parameter is a space-separated list of delegated permissions that the app is requesting. Each permission is indicated by appending the permission value to the resource's identifier (the Application ID URI). In the request example, the app needs permission to read the user's calendar and send mail as the user. -After the user enters their credentials, the v2.0 endpoint checks for a matching record of *user consent*. If the user has not consented to any of the requested permissions in the past, nor has an administrator consented to these permissions on behalf of the entire organization, the v2.0 endpoint asks the user to grant the requested permissions. +After the user enters their credentials, the Microsoft identity platform endpoint checks for a matching record of *user consent*. If the user has not consented to any of the requested permissions in the past, nor has an administrator consented to these permissions on behalf of the entire organization, the Microsoft identity platform endpoint asks the user to grant the requested permissions. > [!NOTE] > At this time, the `offline_access` ("Maintain access to data you have given it access to") and `user.read` ("Sign you in and read your profile") permissions are automatically included in the initial consent to an application. These permissions are generally required for proper app functionality - `offline_access` gives the app access to refresh tokens, critical for native and web apps, while `user.read` gives access to the `sub` claim, allowing the client or app to correctly identify the user over time and access rudimentary user information. 
@@ -140,17 +141,17 @@ Some high-privilege permissions in the Microsoft ecosystem can be set to *admin- * Write data to an organization's directory by using `Directory.ReadWrite.All` * Read all groups in an organization's directory by using `Groups.Read.All` -Although a consumer user might grant an application access to this kind of data, organizational users are restricted from granting access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they are not authorized to consent to your app's permissions. +Although a consumer user might grant an application access to this kind of data, organizational users are restricted from granting access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they're not authorized to consent to your app's permissions. If your app requires access to admin-restricted scopes for organizations, you should request them directly from a company administrator, also by using the admin consent endpoint, described next. If the application is requesting high privilege delegated permissions and an administrator grants these permissions via the admin consent endpoint, consent is granted for all users in the tenant. -If the application is requesting application permissions and an administrator grants these permissions via the admin consent endpoint, this grant is not done on behalf of any specific user. Instead, the client application is granted permissions *directly*. These types of permissions are generally only used by daemon services and other non-interactive applications that run in the background. +If the application is requesting application permissions and an administrator grants these permissions via the admin consent endpoint, this grant isn't done on behalf of any specific user. 
Instead, the client application is granted permissions *directly*. These types of permissions are only used by daemon services and other non-interactive applications that run in the background. ## Using the admin consent endpoint -When a Company Administrator uses your application and is directed to the authorize endpoint, Microsoft identity platform will detect the user's role and ask them if they would like to consent on behalf of the entire tenant for the permissions you have requested. However, there is also a dedicated admin consent endpoint you can use if you would like to proactively request that an administrator grants permission on behalf of the entire tenant. Using this endpoint is also necessary for requesting Application Permissions (which cannot be requested using the authorize endpoint). +When a Company Administrator uses your application and is directed to the authorize endpoint, Microsoft identity platform will detect the user's role and ask them if they would like to consent on behalf of the entire tenant for the permissions you have requested. However, there is also a dedicated admin consent endpoint you can use if you would like to proactively request that an administrator grants permission on behalf of the entire tenant. Using this endpoint is also necessary for requesting Application Permissions (which can't be requested using the authorize endpoint). If you follow these steps, your app can request permissions for all users in a tenant, including admin-restricted scopes. This is a high privilege operation and should only be done if necessary for your scenario. 
@@ -158,10 +159,11 @@ To see a code sample that implements the steps, see the [admin-restricted scopes ### Request the permissions in the app registration portal -The admin consent does not accept a scope parameter, so any permissions being requested must be statically defined in the application's registration. In general it is best practice to ensure that the permissions statically defined for a given application are a superset of the permissions that it will be requesting dynamically/incrementally. +The admin consent does not accept a scope parameter, so any permissions being requested must be statically defined in the application's registration. In general, it's best practice to ensure that the permissions statically defined for a given application are a superset of the permissions that it will be requesting dynamically/incrementally. + +#### To configure the list of statically requested permissions for an application -To configure the list of statically requested permissions for an application: -1. Go to your application in the [Application Registration Portal](https://apps.dev.microsoft.com/?referrer=https://azure.microsoft.com/documentation/articles&deeplink=/appList), or [create an app](quickstart-v2-register-an-app.md) if you haven't already. +1. Go to your application in the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience, or [create an app](quickstart-register-app.md) if you haven't already. 2. Locate the **Microsoft Graph Permissions** section, and then add the permissions that your app requires. 3. **Save** the app registration. 
@@ -169,11 +171,11 @@ To configure the list of statically requested permissions for an application: Typically, when you build an application that uses the admin consent endpoint, the app needs a page or view in which the admin can approve the app's permissions. This page can be part of the app's sign-up flow, part of the app's settings, or it can be a dedicated "connect" flow. In many cases, it makes sense for the app to show this "connect" view only after a user has signed in with a work or school Microsoft account. -When you sign the user into your app, you can identify the organization to which the admin belongs before asking them to approve the necessary permissions. Although not strictly necessary, it can help you create a more intuitive experience for your organizational users. To sign the user in, follow our [v2.0 protocol tutorials](active-directory-v2-protocols.md). +When you sign the user into your app, you can identify the organization to which the admin belongs before asking them to approve the necessary permissions. Although not strictly necessary, it can help you create a more intuitive experience for your organizational users. To sign the user in, follow our [Microsoft identity platform protocol tutorials](active-directory-v2-protocols.md). ### Request the permissions from a directory admin -When you're ready to request permissions from your organization's admin, you can redirect the user to the v2.0 *admin consent endpoint*. +When you're ready to request permissions from your organization's admin, you can redirect the user to the Microsoft identity platform *admin consent endpoint*. ``` // Line breaks are for legibility only. 
@@ -195,7 +197,7 @@ https://login.microsoftonline.com/common/adminconsent?client_id=6731de76-14a6-49 | Parameter | Condition | Description | | --- | --- | --- | | `tenant` | Required | The directory tenant that you want to request permission from. Can be provided in GUID or friendly name format OR generically referenced with `common` as seen in the example. | -| `client_id` | Required | The application (client) ID that the [Application Registration Portal](https://apps.dev.microsoft.com/?referrer=https://azure.microsoft.com/documentation/articles&deeplink=/appList) or [new App registrations (preview) portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview) has assigned to your app. | +| `client_id` | Required | The **Application (client) ID** that the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. | | `redirect_uri` | Required |The redirect URI where you want the response to be sent for your app to handle. It must exactly match one of the redirect URIs that you registered in the app registration portal. | | `state` | Recommended | A value included in the request that will also be returned in the token response. It can be a string of any content you want. Use the state to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. | 
@@ -232,7 +234,7 @@ After you've received a successful response from the admin consent endpoint, you ## Using permissions -After the user consents to permissions for your app, your app can acquire access tokens that represent your app's permission to access a resource in some capacity. An access token can be used only for a single resource, but encoded inside the access token is every permission that your app has been granted for that resource. To acquire an access token, your app can make a request to the v2.0 token endpoint, like this: +After the user consents to permissions for your app, your app can acquire access tokens that represent your app's permission to access a resource in some capacity. An access token can be used only for a single resource, but encoded inside the access token is every permission that your app has been granted for that resource. To acquire an access token, your app can make a request to the Microsoft identity platform token endpoint, like this: ``` POST common/oauth2/v2.0/token HTTP/1.1 
@@ -251,24 +253,24 @@ Content-Type: application/json You can use the resulting access token in HTTP requests to the resource. It reliably indicates to the resource that your app has the proper permission to perform a specific task. -For more information about the OAuth 2.0 protocol and how to get access tokens, see the [v2.0 endpoint protocol reference](active-directory-v2-protocols.md). +For more information about the OAuth 2.0 protocol and how to get access tokens, see the [Microsoft identity platform endpoint protocol reference](active-directory-v2-protocols.md). ## The /.default scope -You can use the `/.default` scope to help migrate your apps from the v1.0 endpoint to the v2.0 endpoint. This is a built-in scope for every application that refers to the static list of permissions configured on the application registration. A `scope` value of `https://graph.microsoft.com/.default` is functionally the same as the v1.0 endpoints `resource=https://graph.microsoft.com` - namely, it requests a token with the scopes on Microsoft Graph that the application has registered for in the Azure portal. +You can use the `/.default` scope to help migrate your apps from the v1.0 endpoint to the Microsoft identity platform endpoint. This is a built-in scope for every application that refers to the static list of permissions configured on the application registration. A `scope` value of `https://graph.microsoft.com/.default` is functionally the same as the v1.0 endpoints `resource=https://graph.microsoft.com` - namely, it requests a token with the scopes on Microsoft Graph that the application has registered for in the Azure portal. -The /.default scope can be used in any OAuth 2.0 flow, but is particularly necessary in the [On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md) and [client credentials flow](v2-oauth2-client-creds-grant-flow.md). 
+The /.default scope can be used in any OAuth 2.0 flow, but is necessary in the [On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md) and [client credentials flow](v2-oauth2-client-creds-grant-flow.md). > [!NOTE] -> Clients cannot combine static (`/.default`) and dynamic consent in a single request. Thus, `scope=https://graph.microsoft.com/.default+mail.read` will result in an error due to the combination of scope types. +> Clients can't combine static (`/.default`) and dynamic consent in a single request. Thus, `scope=https://graph.microsoft.com/.default+mail.read` will result in an error due to the combination of scope types. ### /.default and consent -The `/.default` scope triggers the v1.0 endpoint behavior for `prompt=consent` as well. It requests consent for all permissions registered by the application, regardless of the resource. If included as part of the request, the `/.default` scope returns a token that contains the scopes for the resource specifically requested. +The `/.default` scope triggers the v1.0 endpoint behavior for `prompt=consent` as well. It requests consent for all permissions registered by the application, regardless of the resource. If included as part of the request, the `/.default` scope returns a token that contains the scopes for the resource requested. ### /.default when the user has already given consent -Because `/.default` is functionally identical to the `resource`-centric v1.0 endpoint's behavior, it brings with it the consent behavior of the v1.0 endpoint as well. Namely, `/.default` only triggers a consent prompt if no permission has been granted between the client and the resource by the user. If any such consent exists, then a token will be returned containing all scopes granted by the user for that resource. However, if no permission has been granted, or the `prompt=consent` parameter has been provided, a consent prompt will be shown for all scopes registered by the client application. 
+Because `/.default` is functionally identical to the `resource`-centric v1.0 endpoint's behavior, it brings with it the consent behavior of the v1.0 endpoint as well. Namely, `/.default` only triggers a consent prompt if no permission has been granted between the client and the resource by the user. If any such consent exists, then a token will be returned containing all scopes granted by the user for that resource. However, if no permission has been granted, or the `prompt=consent` parameter has been provided, a consent prompt will be shown for all scopes registered by the client application. #### Example 1: The user, or tenant admin, has granted permissions @@ -297,7 +299,7 @@ response_type=token //code or a hybrid flow is also possible here &state=1234 ``` -This produces a consent screen for all registered permissions (if applicable based on the above descriptions of consent and `/.default`), then returns an id_token, rather than an access token. This behavior exists for certain legacy clients moving from ADAL to MSAL, and should not be used by new clients targeting the v2.0 endpoint. +This produces a consent screen for all registered permissions (if applicable based on the above descriptions of consent and `/.default`), then returns an id_token, rather than an access token. This behavior exists for certain legacy clients moving from ADAL to MSAL, and should not be used by new clients targeting the Microsoft identity platform endpoint. ## Troubleshooting permissions and consent diff --git a/articles/active-directory/develop/v2-protocols-oidc.md b/articles/active-directory/develop/v2-protocols-oidc.md index d64736eed8677..aa7410bcbf0e5 100644 --- a/articles/active-directory/develop/v2-protocols-oidc.md +++ b/articles/active-directory/develop/v2-protocols-oidc.md 
@@ -1,6 +1,6 @@
 ---
-title: Azure Active Directory v2.0 and the OpenID Connect protocol | Microsoft Docs
-description: Build web applications by using the Azure AD v2.0 implementation of the OpenID Connect authentication protocol.
+title: Microsoft identity platform and the OpenID Connect protocol | Azure
+description: Build web applications by using the Microsoft identity platform implementation of the OpenID Connect authentication protocol.
 services: active-directory
 documentationcenter: ''
 author: CelesteDG
@@ -13,32 +13,32 @@ ms.subservice: develop ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 09/24/2018 +ms.topic: conceptual +ms.date: 04/12/2019 ms.author: celested ms.reviewer: hirsin ms.custom: aaddev ms.collection: M365-identity-device-management --- -# Azure Active Directory v2.0 and the OpenID Connect protocol +# Microsoft identity platform and OpenID Connect protocol -OpenID Connect is an authentication protocol built on OAuth 2.0 that you can use to securely sign in a user to a web application. When you use the v2.0 endpoint's implementation of OpenID Connect, you can add sign-in and API access to your web-based apps. This article shows how to do this independent of language and describes how to send and receive HTTP messages without using any Microsoft open-source libraries. +OpenID Connect is an authentication protocol built on OAuth 2.0 that you can use to securely sign in a user to a web application. When you use the Microsoft identity platform endpoint's implementation of OpenID Connect, you can add sign-in and API access to your web-based apps. This article shows how to do this independent of language and describes how to send and receive HTTP messages without using any Microsoft open-source libraries. > [!NOTE] -> The v2.0 endpoint does not support all Azure Active Directory (Azure AD) scenarios and features. To determine whether you should use the v2.0 endpoint, read about [v2.0 limitations](active-directory-v2-limitations.md). +> The Microsoft identity platform endpoint does not support all Azure Active Directory (Azure AD) scenarios and features. To determine whether you should use the Microsoft identity platform endpoint, read about [Microsoft identity platform limitations](active-directory-v2-limitations.md). 
-[OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) extends the OAuth 2.0 *authorization* protocol to use as an *authentication* protocol, so that you can do single sign-on using OAuth. OpenID Connect introduces the concept of an *ID token*, which is a security token that allows the client to verify the identity of the user. The ID token also gets basic profile information about the user. Because OpenID Connect extends OAuth 2.0, apps can securely acquire *access tokens*, which can be used to access resources that are secured by an [authorization server](active-directory-v2-protocols.md#the-basics). The v2.0 endpoint also allows third-party apps that are registered with Azure AD to issue access tokens for secured resources such as Web APIs. For more information about how to set up an application to issue access tokens, see [How to register an app with the v2.0 endpoint](quickstart-v2-register-an-app.md). We recommend that you use OpenID Connect if you are building a [web application](v2-app-types.md#web-apps) that is hosted on a server and accessed via a browser. +[OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) extends the OAuth 2.0 *authorization* protocol to use as an *authentication* protocol, so that you can do single sign-on using OAuth. OpenID Connect introduces the concept of an *ID token*, which is a security token that allows the client to verify the identity of the user. The ID token also gets basic profile information about the user. Because OpenID Connect extends OAuth 2.0, apps can securely acquire *access tokens*, which can be used to access resources that are secured by an [authorization server](active-directory-v2-protocols.md#the-basics). The Microsoft identity platform endpoint also allows third-party apps that are registered with Azure AD to issue access tokens for secured resources such as Web APIs. 
For more information about how to set up an application to issue access tokens, see [How to register an app with the Microsoft identity platform endpoint](quickstart-v2-register-an-app.md). We recommend that you use OpenID Connect if you are building a [web application](v2-app-types.md#web-apps) that is hosted on a server and accessed via a browser. ## Protocol diagram: Sign-in The most basic sign-in flow has the steps shown in the next diagram. Each step is described in detail in this article. -![OpenID Connect protocol: Sign-in](./media/v2-protocols-oidc/convergence_scenarios_webapp.png) +![OpenID Connect protocol: Sign-in](./media/v2-protocols-oidc/convergence-scenarios-webapp.svg) ## Fetch the OpenID Connect metadata document -OpenID Connect describes a metadata document that contains most of the information required for an app to perform sign-in. This includes information such as the URLs to use and the location of the service's public signing keys. For the v2.0 endpoint, this is the OpenID Connect metadata document you should use: +OpenID Connect describes a metadata document that contains most of the information required for an app to do sign-in. This includes information such as the URLs to use and the location of the service's public signing keys. For the Microsoft identity platform endpoint, this is the OpenID Connect metadata document you should use: ``` https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration 
@@ -50,29 +50,31 @@ The `{tenant}` can take one of four values: | Value | Description | | --- | --- | -| `common` |Users with both a personal Microsoft account and a work or school account from Azure Active Directory (Azure AD) can sign in to the application. | +| `common` |Users with both a personal Microsoft account and a work or school account from Azure AD can sign in to the application. | | `organizations` |Only users with work or school accounts from Azure AD can sign in to the application. | | `consumers` |Only users with a personal Microsoft account can sign in to the application. | -| `8eaef023-2b34-4da1-9baa-8bc8c9d6a490` or `contoso.onmicrosoft.com` |Only users with a work or school account from a specific Azure AD tenant can sign in to the application. Either the friendly domain name of the Azure AD tenant or the tenant's GUID identifier can be used. | +| `8eaef023-2b34-4da1-9baa-8bc8c9d6a490` or `contoso.onmicrosoft.com` | Only users with a work or school account from a specific Azure AD tenant can sign in to the application. Either the friendly domain name of the Azure AD tenant or the tenant's GUID identifier can be used. You can also use the consumer tenant, `9188040d-6c67-4c5b-b112-36a304b66dad`, in place of the `consumers` tenant. | The metadata is a simple JavaScript Object Notation (JSON) document. See the following snippet for an example. The snippet's contents are fully described in the [OpenID Connect specification](https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.4.2). 
``` { - "authorization_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize", - "token_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/token", + "authorization_endpoint": "https:\/\/login.microsoftonline.com\/{tenant}\/oauth2\/v2.0\/authorize", + "token_endpoint": "https:\/\/login.microsoftonline.com\/{tenant}\/oauth2\/v2.0\/token", "token_endpoint_auth_methods_supported": [ "client_secret_post", "private_key_jwt" ], - "jwks_uri": "https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys", + "jwks_uri": "https:\/\/login.microsoftonline.com\/{tenant}\/discovery\/v2.0\/keys", ... } ``` -Typically, you would use this metadata document to configure an OpenID Connect library or SDK; the library would use the metadata to do its work. However, if you're not using a pre-build OpenID Connect library, you can follow the steps in the remainder of this article to perform sign-in in a web app by using the v2.0 endpoint. +If your app has custom signing keys as a result of using the [claims-mapping](active-directory-claims-mapping.md) feature, you must append an `appid` query parameter containing the app ID in order to get a `jwks_uri` pointing to your app's signing key information. For example: `https://login.microsoftonline.com/{tenant}/.well-known/v2.0/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e` contains a `jwks_uri` of `https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys?appid=6731de76-14a6-49ae-97bc-6eba6914391e`. + +Typically, you would use this metadata document to configure an OpenID Connect library or SDK; the library would use the metadata to do its work. However, if you're not using a pre-built OpenID Connect library, you can follow the steps in the remainder of this article to do sign-in in a web app by using the Microsoft identity platform endpoint. ## Send the sign-in request 
@@ -83,7 +85,7 @@ When your web app needs to authenticate the user, it can direct the user to the * The request must include the `nonce` parameter. > [!IMPORTANT] -> In order to successfully request an ID token, the app registration in the [registration portal](https://apps.dev.microsoft.com) must have the **[Implicit grant](v2-oauth2-implicit-grant-flow.md)** enabled for the Web client. If it is not enabled, an `unsupported_response` error will be returned: "The provided value for the input parameter 'response_type' is not allowed for this client. Expected value is 'code'" +> In order to successfully request an ID token from the /authorization endpoint, the app registration in the [registration portal](https://portal.azure.com) must have the implicit grant of id_tokens enabled in the Authentication tab (which sets the `oauth2AllowIdTokenImplicitFlow` flag in the [application manifest](reference-app-manifest.md) to `true`). If it isn't enabled, an `unsupported_response` error will be returned: "The provided value for the input parameter 'response_type' isn't allowed for this client. Expected value is 'code'" For example: 
@@ -106,21 +108,21 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e | Parameter | Condition | Description | | --- | --- | --- | -| tenant |Required |You can use the `{tenant}` value in the path of the request to control who can sign in to the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more information, see [protocol basics](active-directory-v2-protocols.md#endpoints). | -| client_id |Required |The Application ID that the [Application Registration Portal](https://apps.dev.microsoft.com/?referrer=https://azure.microsoft.com/documentation/articles&deeplink=/appList) assigned to your app. | -| response_type |Required |Must include `id_token` for OpenID Connect sign-in. It might also include other `response_type` values, such as `code`. | -| redirect_uri |Recommended |The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except that it must be URL encoded. | -| scope |Required |A space-separated list of scopes. For OpenID Connect, it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. You might also include other scopes in this request for requesting consent. | -| nonce |Required |A value included in the request, generated by the app, that will be included in the resulting id_token value as a claim. The app can verify this value to mitigate token replay attacks. The value typically is a randomized, unique string that can be used to identify the origin of the request. | -| response_mode |Recommended |Specifies the method that should be used to send the resulting authorization code back to your app. Can be `form_post` or `fragment`. For web applications, we recommend using `response_mode=form_post`, to ensure the most secure transfer of tokens to your application. 
| -| state |Recommended |A value included in the request that also will be returned in the token response. It can be a string of any content you want. A randomly generated unique value typically is used to [prevent cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The state also is used to encode information about the user's state in the app before the authentication request occurred, such as the page or view the user was on. | -| prompt |Optional |Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, and `consent`. The `prompt=login` claim forces the user to enter their credentials on that request, which negates single sign-on. The `prompt=none` claim is the opposite. This claim ensures that the user is not presented with any interactive prompt whatsoever. If the request cannot be completed silently via single sign-on, the v2.0 endpoint returns an error. The `prompt=consent` claim triggers the OAuth consent dialog after the user signs in. The dialog asks the user to grant permissions to the app. | -| login_hint |Optional |You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the username from an earlier sign-in by using the `preferred_username` claim. | -| domain_hint |Optional |This value can be `consumers` or `organizations`. If included, it skips the email-based discovery process that the user goes through on the v2.0 sign-in page, for a slightly more streamlined user experience. Often, apps use this parameter during reauthentication by extracting the `tid` claim from the ID token. If the `tid` claim value is `9188040d-6c67-4c5b-b112-36a304b66dad` (the Microsoft Account consumer tenant), use `domain_hint=consumers`. Otherwise, use `domain_hint=organizations`. 
| - -At this point, the user is prompted to enter their credentials and complete the authentication. The v2.0 endpoint verifies that the user has consented to the permissions indicated in the `scope` query parameter. If the user has not consented to any of those permissions, the v2.0 endpoint prompts the user to consent to the required permissions. You can read more about [permissions, consent, and multitenant apps](v2-permissions-and-consent.md). - -After the user authenticates and grants consent, the v2.0 endpoint returns a response to your app at the indicated redirect URI by using the method specified in the `response_mode` parameter. +| `tenant` | Required | You can use the `{tenant}` value in the path of the request to control who can sign in to the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more information, see [protocol basics](active-directory-v2-protocols.md#endpoints). | +| `client_id` | Required | The **Application (client) ID** that the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. | +| `response_type` | Required | Must include `id_token` for OpenID Connect sign-in. It might also include other `response_type` values, such as `code`. | +| `redirect_uri` | Recommended | The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except that it must be URL encoded. If not present, the endpoint will pick one registered redirect_uri at random to send the user back to. | +| `scope` | Required | A space-separated list of scopes. For OpenID Connect, it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. You might also include other scopes in this request for requesting consent. 
| +| `nonce` | Required | A value included in the request, generated by the app, that will be included in the resulting id_token value as a claim. The app can verify this value to mitigate token replay attacks. The value typically is a randomized, unique string that can be used to identify the origin of the request. | +| `response_mode` | Recommended | Specifies the method that should be used to send the resulting authorization code back to your app. Can be `form_post` or `fragment`. For web applications, we recommend using `response_mode=form_post`, to ensure the most secure transfer of tokens to your application. | +| `state` | Recommended | A value included in the request that also will be returned in the token response. It can be a string of any content you want. A randomly generated unique value typically is used to [prevent cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The state also is used to encode information about the user's state in the app before the authentication request occurred, such as the page or view the user was on. | +| `prompt` | Optional | Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, and `consent`. The `prompt=login` claim forces the user to enter their credentials on that request, which negates single sign-on. The `prompt=none` claim is the opposite. This claim ensures that the user isn't presented with any interactive prompt at. If the request can't be completed silently via single sign-on, the Microsoft identity platform endpoint returns an error. The `prompt=consent` claim triggers the OAuth consent dialog after the user signs in. The dialog asks the user to grant permissions to the app. | +| `login_hint` | Optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. 
Often, apps use this parameter during reauthentication, after already extracting the username from an earlier sign-in by using the `preferred_username` claim. | +| `domain_hint` | Optional | The realm of the user in a federated directory. This skips the email-based discovery process that the user goes through on the sign-in page, for a slightly more streamlined user experience. For tenants that are federated through an on-premises directory like AD FS, this often results in a seamless sign-in because of the existing login session. | + +At this point, the user is prompted to enter their credentials and complete the authentication. The Microsoft identity platform endpoint verifies that the user has consented to the permissions indicated in the `scope` query parameter. If the user hasn't consented to any of those permissions, the Microsoft identity platform endpoint prompts the user to consent to the required permissions. You can read more about [permissions, consent, and multi-tenant apps](v2-permissions-and-consent.md). + +After the user authenticates and grants consent, the Microsoft identity platform endpoint returns a response to your app at the indicated redirect URI by using the method specified in the `response_mode` parameter. ### Successful response 
@@ -136,8 +138,8 @@ id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345 | Parameter | Description | | --- | --- | -| id_token |The ID token that the app requested. You can use the `id_token` parameter to verify the user's identity and begin a session with the user. For more information about ID tokens and their contents, see the [`id_tokens` reference](id-tokens.md). | -| state |If a `state` parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. | +| `id_token` | The ID token that the app requested. You can use the `id_token` parameter to verify the user's identity and begin a session with the user. For more information about ID tokens and their contents, see the [`id_tokens` reference](id-tokens.md). | +| `state` | If a `state` parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. | ### Error response @@ -153,8 +155,8 @@ error=access_denied&error_description=the+user+canceled+the+authentication | Parameter | Description | | --- | --- | -| error |An error code string that you can use to classify types of errors that occur, and to react to errors. | -| error_description |A specific error message that can help you identify the root cause of an authentication error. | +| `error` | An error code string that you can use to classify types of errors that occur, and to react to errors. | +| `error_description` | A specific error message that can help you identify the root cause of an authentication error. | ### Error codes for authorization endpoint errors 
@@ -162,20 +164,19 @@ The following table describes error codes that can be returned in the `error` pa | Error code | Description | Client action | | --- | --- | --- | -| invalid_request |Protocol error, such as a missing, required parameter. |Fix and resubmit the request. This is a development error that typically is caught during initial testing. | -| unauthorized_client |The client application cannot request an authorization code. |This usually occurs when the client application is not registered in Azure AD or is not added to the user's Azure AD tenant. The application can prompt the user with instructions to install the application and add it to Azure AD. | -| access_denied |The resource owner denied consent. |The client application can notify the user that it cannot proceed unless the user consents. | -| unsupported_response_type |The authorization server does not support the response type in the request. |Fix and resubmit the request. This is a development error that typically is caught during initial testing. | -| server_error |The server encountered an unexpected error. |Retry the request. These errors can result from temporary conditions. The client application might explain to the user that its response is delayed due to a temporary error. | -| temporarily_unavailable |The server is temporarily too busy to handle the request. |Retry the request. The client application might explain to the user that its response is delayed due to a temporary condition. | -| invalid_resource |The target resource is invalid because either it does not exist, Azure AD cannot find it, or it is not correctly configured. |This indicates that the resource, if it exists, has not been configured in the tenant. The application can prompt the user with instructions for installing the application and adding it to Azure AD. | +| `invalid_request` | Protocol error, such as a missing, required parameter. |Fix and resubmit the request. 
This is a development error that typically is caught during initial testing. | +| `unauthorized_client` | The client application can't request an authorization code. |This usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. The application can prompt the user with instructions to install the application and add it to Azure AD. | +| `access_denied` | The resource owner denied consent. |The client application can notify the user that it can't proceed unless the user consents. | +| `unsupported_response_type` |The authorization server does not support the response type in the request. |Fix and resubmit the request. This is a development error that typically is caught during initial testing. | +| `server_error` | The server encountered an unexpected error. |Retry the request. These errors can result from temporary conditions. The client application might explain to the user that its response is delayed because of a temporary error. | +| `temporarily_unavailable` | The server is temporarily too busy to handle the request. |Retry the request. The client application might explain to the user that its response is delayed because of a temporary condition. | +| `invalid_resource` | The target resource is invalid because either it does not exist, Azure AD can't find it, or it isn't correctly configured. |This indicates that the resource, if it exists, hasn't been configured in the tenant. The application can prompt the user with instructions for installing the application and adding it to Azure AD. | ## Validate the ID token -Just receiving an id_token is not sufficient to authenticate the user; you must validate the id_token's signature and verify the claims in the token per your app's requirements. The v2.0 endpoint uses [JSON Web Tokens (JWTs)](https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html) and public key cryptography to sign tokens and verify that they are valid. 
+Just receiving an id_token isn't sufficient to authenticate the user; you must validate the id_token's signature and verify the claims in the token per your app's requirements. The Microsoft identity platform endpoint uses [JSON Web Tokens (JWTs)](https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html) and public key cryptography to sign tokens and verify that they're valid. -You can choose to validate the `id_token` in client code, but a common practice is to send the `id_token` to a backend server and perform the validation there. Once you've validated the signature of the id_token, there are a few claims you will be required to verify. See the [`id_token` reference](id-tokens.md) for more information, including [Validating Tokens](id-tokens.md#validating-an-id_token) and [Important Information About Signing Key Rollover](active-directory-signing-key-rollover.md). We recommend making use of a library for parsing and validating tokens - there is at least one available for most languages and platforms. - +You can choose to validate the `id_token` in client code, but a common practice is to send the `id_token` to a backend server and do the validation there. Once you've validated the signature of the id_token, there are a few claims you'll be required to verify. See the [`id_token` reference](id-tokens.md) for more information, including [Validating Tokens](id-tokens.md#validating-an-id_token) and [Important Information About Signing Key Rollover](active-directory-signing-key-rollover.md). We recommend making use of a library for parsing and validating tokens - there is at least one available for most languages and platforms. You may also wish to validate additional claims depending on your scenario. Some common validations include: 
@@ -183,11 +184,11 @@ You may also wish to validate additional claims depending on your scenario. Some * Ensuring the user has proper authorization/privileges * Ensuring a certain strength of authentication has occurred, such as multi-factor authentication. -Once you have completely validated the id_token, you can begin a session with the user and use the claims in the id_token to obtain information about the user in your app. This information can be used for display, records, personalization, etc. +Once you have validated the id_token, you can begin a session with the user and use the claims in the id_token to obtain information about the user in your app. This information can be used for display, records, personalization, etc. ## Send a sign-out request -When you want to sign out the user from your app, it isn't sufficient to clear your app's cookies or otherwise end the user's session. You must also redirect the user to the v2.0 endpoint to sign out. If you don't do this, the user reauthenticates to your app without entering their credentials again, because they will have a valid single sign-in session with the v2.0 endpoint. +When you want to sign out the user from your app, it isn't sufficient to clear your app's cookies or otherwise end the user's session. You must also redirect the user to the Microsoft identity platform endpoint to sign out. If you don't do this, the user reauthenticates to your app without entering their credentials again, because they will have a valid single sign-in session with the Microsoft identity platform endpoint. You can redirect the user to the `end_session_endpoint` listed in the OpenID Connect metadata document: 
@@ -198,11 +199,11 @@ post_logout_redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F | Parameter | Condition | Description | | ----------------------- | ------------------------------- | ------------ | -| post_logout_redirect_uri | Recommended | The URL that the user is redirected to after successfully signing out. If the parameter is not included, the user is shown a generic message that's generated by the v2.0 endpoint. This URL must match one of the redirect URIs registered for your application in the app registration portal. | +| `post_logout_redirect_uri` | Recommended | The URL that the user is redirected to after successfully signing out. If the parameter isn't included, the user is shown a generic message that's generated by the Microsoft identity platform endpoint. This URL must match one of the redirect URIs registered for your application in the app registration portal. | ## Single sign-out -When you redirect the user to the `end_session_endpoint`, the v2.0 endpoint clears the user's session from the browser. However, the user may still be signed in to other applications that use Microsoft accounts for authentication. To enable those applications to sign the user out simultaneously, the v2.0 endpoint sends an HTTP GET request to the registered `LogoutUrl` of all the applications that the user is currently signed in to. Applications must respond to this request by clearing any session that identifies the user and returning a `200` response. If you wish to support single sign-out in your application, you must implement such a `LogoutUrl` in your application's code. You can set the `LogoutUrl` from the app registration portal. +When you redirect the user to the `end_session_endpoint`, the Microsoft identity platform endpoint clears the user's session from the browser. However, the user may still be signed in to other applications that use Microsoft accounts for authentication. 
To enable those applications to sign the user out simultaneously, the Microsoft identity platform endpoint sends an HTTP GET request to the registered `LogoutUrl` of all the applications that the user is currently signed in to. Applications must respond to this request by clearing any session that identifies the user and returning a `200` response. If you wish to support single sign-out in your application, you must implement such a `LogoutUrl` in your application's code. You can set the `LogoutUrl` from the app registration portal. ## Protocol diagram: Access token acquisition @@ -210,7 +211,7 @@ Many web apps need to not only sign the user in, but also to access a web servic The full OpenID Connect sign-in and token acquisition flow looks similar to the next diagram. We describe each step in detail in the next sections of the article. -![OpenID Connect protocol: Token acquisition](./media/v2-protocols-oidc/convergence_scenarios_webapp_webapi.png) +![OpenID Connect protocol: Token acquisition](./media/v2-protocols-oidc/convergence-scenarios-webapp-webapi.svg) ## Get access tokens To acquire access tokens, modify the sign-in request: 
@@ -233,10 +234,8 @@ https%3A%2F%2Fgraph.microsoft.com%2Fuser.read > [!TIP] > Click the following link to execute this request. After you sign in, your browser is redirected to `https://localhost/myapp/`, with an ID token and a code in the address bar. Note that this request uses `response_mode=fragment` for demonstration purposes only. We recommend that you use `response_mode=form_post`. > https://login.microsoftonline.com/common/oauth2/v2.0/authorize... -> -> -By including permission scopes in the request and by using `response_type=id_token code`, the v2.0 endpoint ensures that the user has consented to the permissions indicated in the `scope` query parameter. It returns an authorization code to your app to exchange for an access token. +By including permission scopes in the request and by using `response_type=id_token code`, the Microsoft identity platform endpoint ensures that the user has consented to the permissions indicated in the `scope` query parameter. It returns an authorization code to your app to exchange for an access token. ### Successful response 
@@ -252,9 +251,9 @@ id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&code=AwABAA
 | Parameter | Description |
 | --- | --- |
-| id_token |The ID token that the app requested. You can use the ID token to verify the user's identity and begin a session with the user. You'll find more details about ID tokens and their contents in the [`id_tokens` reference](id-tokens.md). |
-| code |The authorization code that the app requested. The app can use the authorization code to request an access token for the target resource. An authorization code is very short-lived. Typically, an authorization code expires in about 10 minutes. |
-| state |If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. |
+| `id_token` | The ID token that the app requested. You can use the ID token to verify the user's identity and begin a session with the user. You'll find more details about ID tokens and their contents in the [`id_tokens` reference](id-tokens.md). |
+| `code` | The authorization code that the app requested. The app can use the authorization code to request an access token for the target resource. An authorization code is short-lived. Typically, an authorization code expires in about 10 minutes. |
+| `state` | If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. |
 ### Error response
@@ -270,8 +269,8 @@ error=access_denied&error_description=the+user+canceled+the+authentication
 | Parameter | Description |
 | --- | --- |
-| error |An error code string that you can use to classify types of errors that occur, and to react to errors. |
-| error_description |A specific error message that can help you identify the root cause of an authentication error. |
+| `error` | An error code string that you can use to classify types of errors that occur, and to react to errors. |
+| `error_description` | A specific error message that can help you identify the root cause of an authentication error. |
 For a description of possible error codes and recommended client responses, see [Error codes for authorization endpoint errors](#error-codes-for-authorization-endpoint-errors).
diff --git a/articles/active-directory/devices/hybrid-azuread-join-plan.md b/articles/active-directory/devices/hybrid-azuread-join-plan.md
index 14cdd297a6a00..5ee8e9bfd82cf 100644
--- a/articles/active-directory/devices/hybrid-azuread-join-plan.md
+++ b/articles/active-directory/devices/hybrid-azuread-join-plan.md
@@ -14,7 +14,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 02/03/2019
+ms.date: 04/10/2019
 ms.author: joflore
 ms.reviewer: sandeo
@@ -32,60 +32,46 @@ By bringing your devices to Azure AD, you maximize your users' productivity thro If you have an on-premises Active Directory environment and you want to join your domain-joined devices to Azure AD, you can accomplish this by configuring hybrid Azure AD joined devices. This article provides you with the related steps to implement a hybrid Azure AD join in your environment. - ## Prerequisites This article assumes that you are familiar with the [Introduction to device management in Azure Active Directory](../device-management-introduction.md). ->[!NOTE] -> The minimum required domain functional and forest functional levels for Windows 10 hybrid Azure AD join is Windows Server 2008 R2. On lower versions, the user may not get a Primary Refresh Token during Windows logon due to LSA issues +> [!NOTE] +> The minimum required domain functional and forest functional levels for Windows 10 hybrid Azure AD join is Windows Server 2008 R2. On lower versions, the user may not get a Primary Refresh Token during Windows logon due to LSA issues. ## Plan your implementation To plan your hybrid Azure AD implementation, you should familiarize yourself with: | | | -|---|---| -|![Check][1]|Review supported devices| -|![Check][1]|Review things you should know| -|![Check][1]|Review how to control the hybrid Azure AD join of your devices| -|![Check][1]|Select your scenario| - +| --- | --- | +| ![Check][1] | Review supported devices | +| ![Check][1] | Review things you should know | +| ![Check][1] | Review how to control the hybrid Azure AD join of your devices | +| ![Check][1] | Select your scenario | - - -## Review supported devices +## Review supported devices Hybrid Azure AD join supports a broad range of Windows devices. 
Because the configuration for devices running older versions of Windows requires additional or different steps, the supported devices are grouped into two categories: -**Windows current devices** +### Windows current devices - Windows 10 - - Windows Server 2016 - +- Windows Server 2019 For devices running the Windows desktop operating system, the supported version is the Windows 10 Anniversary Update (version 1607) or later. As a best practice, upgrade to the latest version of Windows 10. - - - **Windows down-level devices** +### Windows down-level devices - Windows 8.1 - - Windows 7 - - Windows Server 2012 R2 - -- Windows Server 2012 - -- Windows Server 2008 R2 - +- Windows Server 2012 +- Windows Server 2008 R2 As a first planning step, you should review your environment and determine whether you need to support Windows down-level devices. - - ## Review things you should know You can't use a hybrid Azure AD join if your environment consists of a single forest that synchronized identity data to more than one Azure AD tenant. 
@@ -97,23 +83,20 @@ If you are relying on a Virtual Machine (VM) snapshot to create additional VMs, Hybrid Azure AD join of Windows down-level devices: - **Is** supported in non-federated environments through [Azure Active Directory Seamless Single Sign-On](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start). - - **Is not** supported when using Azure AD Pass-through Authentication without Seamless Single Sign On. - - **Is not** supported when using credential roaming or user profile roaming or when using virtual desktop infrastructure (VDI). - The registration of Windows Server running the Domain Controller (DC) role is not supported. If your organization requires access to the Internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration using machine context, it is necessary to configure outbound proxy authentication using machine context. - Hybrid Azure AD join is a process to automatically register your on-premises domain-joined devices with Azure AD. There are cases where you don't want all your devices to register automatically. If this is true for you, see [How to control the hybrid Azure AD join of your devices](hybrid-azuread-join-control.md). -If your Windows 10 domain joined devices are already [Azure AD registered](https://docs.microsoft.com/azure/active-directory/devices/overview#azure-ad-registered-devices) to your tenant, we highly recommend removing that state before enabling Hybrid Azure AD join. From Windows 10 1809 release, the following changes have been made to avoid this dual state: - - Any existing Azure AD registered state would be automatically removed after the device is Hybrid Azure AD joined. 
- - You can prevent your domain joined device from being Azure AD registered by adding this registry key - HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001 . - - This change is now available for Windows 10 1803 release with KB4489894. +If your Windows 10 domain joined devices are already [Azure AD registered](https://docs.microsoft.com/azure/active-directory/devices/overview#azure-ad-registered-devices) to your tenant, we highly recommend removing that state before enabling Hybrid Azure AD join. From Windows 10 1809 release, the following changes have been made to avoid this dual state: + +- Any existing Azure AD registered state would be automatically removed after the device is Hybrid Azure AD joined. +- You can prevent your domain joined device from being Azure AD registered by adding this registry key - HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001 . +- This change is now available for Windows 10 1803 release with KB4489894. FIPS-compliant TPMs aren't supported for Hybrid Azure AD join. If your devices have FIPS-compliant TPMs, you must disable them before proceeding with Hybrid Azure AD join. Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Please contact your hardware OEM for support. 
@@ -130,43 +113,33 @@ You can configure hybrid Azure AD join for the following scenarios: - Managed domains - Federated domains - - If your environment has managed domains, hybrid Azure AD join supports: - Pass Through Authentication (PTA) - - Password Hash Sync (PHS) Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. The wizard enables you to significantly simplify the configuration process. For more information, see: - [Configure hybrid Azure Active Directory join for federated domains](hybrid-azuread-join-federated-domains.md) - - - [Configure hybrid Azure Active Directory join for managed domains](hybrid-azuread-join-managed-domains.md) - If installing the required version of Azure AD Connect is not an option for you, see [how to manually configure device registration](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-manual). - ## On-premises AD UPN support in Hybrid Azure AD join Sometimes, your on-premises AD UPNs could be different from your Azure AD UPNs. In such cases, Windows 10 Hybrid Azure AD join provides limited support for on-premises AD UPNs based on the [authentication method](https://docs.microsoft.com/azure/security/azure-ad-choose-authn), domain type and Windows 10 version. There are two types of on-premises AD UPNs that can exist in your environment: - - Routable UPN: A routable UPN has a valid verified domain, that is registered with a domain registrar. For example, if contoso.com is the primary domain in Azure AD, contoso.org is the primary domain in on-premises AD owned by Contoso and [verified in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/add-custom-domain) - - - Non-routable UPN: A non-routable UPN does not have a verified domain. It is applicable only within your organization's private network. 
For example, if contoso.com is the primary domain in Azure AD, contoso.local is the primary domain in on-premises AD but is not a verifiable domain in the internet and only used within Contoso's network. - -The table below provides details on support for these on-premises AD UPNs in Windows 10 Hybrid Azure AD join - -|Type of on-premises AD UPN|Domain type|Windows 10 version|Description| -|-----|-----|-----|-----| -|Routable|Federated |From 1703 release|Generally available| -|Routable|Managed|From 1709 release|Currently in private preview. Azure AD SSPR is not supported | -|Non-routable|Federated|From 1803 release|Generally available| -|Non-routable|Managed|Not supported|| +- Routable UPN: A routable UPN has a valid verified domain, that is registered with a domain registrar. For example, if contoso.com is the primary domain in Azure AD, contoso.org is the primary domain in on-premises AD owned by Contoso and [verified in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/add-custom-domain) +- Non-routable UPN: A non-routable UPN does not have a verified domain. It is applicable only within your organization's private network. For example, if contoso.com is the primary domain in Azure AD, contoso.local is the primary domain in on-premises AD but is not a verifiable domain in the internet and only used within Contoso's network. +The table below provides details on support for these on-premises AD UPNs in Windows 10 Hybrid Azure AD join +| Type of on-premises AD UPN | Domain type | Windows 10 version | Description | +| ----- | ----- | ----- | ----- | +| Routable | Federated | From 1703 release | Generally available | +| Routable | Managed | From 1709 release | Currently in private preview. Azure AD SSPR is not supported | +| Non-routable | Federated | From 1803 release | Generally available | +| Non-routable | Managed | Not supported | | ## Next steps 
@@ -174,8 +147,5 @@ The table below provides details on support for these on-premises AD UPNs in Win > [Configure hybrid Azure Active Directory join for federated domains](hybrid-azuread-join-federated-domains.md) > [Configure hybrid Azure Active Directory join for managed domains](hybrid-azuread-join-managed-domains.md) - - - [1]: ./media/hybrid-azuread-join-plan/12.png diff --git a/articles/active-directory/fundamentals/active-directory-access-create-new-tenant.md b/articles/active-directory/fundamentals/active-directory-access-create-new-tenant.md index a37cd3efea870..3559e7c084a7e 100644 --- a/articles/active-directory/fundamentals/active-directory-access-create-new-tenant.md +++ b/articles/active-directory/fundamentals/active-directory-access-create-new-tenant.md @@ -56,7 +56,7 @@ If you’re not going to continue to use this application, you can delete the te The tenant and its associated information is deleted. - ![Create directory page, with sample information](media/active-directory-access-create-new-tenant/azure-ad-delete-new-tenant.png) + ![Overview page, with highlighted Delete directory button](media/active-directory-access-create-new-tenant/azure-ad-delete-new-tenant.png) ## Next steps - Change or add additional domain names, see [How to add a custom domain name to Azure Active Directory](add-custom-domain.md) diff --git a/articles/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md b/articles/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md index fda3e06444f91..9f39d4e5812a2 100644 --- a/articles/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md +++ b/articles/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md 
@@ -26,6 +26,8 @@ All of your users have a single *home* directory for authentication. However, yo
 > [!Important]
 > When you associate a subscription to a different directory, users that have roles assigned using [role-based access control (RBAC)](../../role-based-access-control/role-assignments-portal.md) will lose their access. Classic subscription administrators (Service Administrator and Co-Administrators) will also lose access.
+>
+> Additionally, moving your Azure Kubernetes Service (AKS) cluster to a different subscription, or moving the cluster-owning subscription to a new tenant, causes the cluster to lose functionality due to lost role assignments and service principals rights. For more information about AKS, see [Azure Kubernetes Service (AKS)](https://docs.microsoft.com/en-us/azure/aks/).
 ## Before you begin
@@ -63,15 +65,16 @@ Before you can associate or add your subscription, you must perform the followin ![Directory switcher page, with sample information](media/active-directory-how-subscriptions-associated-directory/directory-switcher.png) -Changing the subscription directory is a service-level operation, so it doesn't affect subscription billing ownership. The Account Admin can still change the Service Admin from the [Account Center](https://account.azure.com/subscriptions). To delete the original directory, you must transfer the subscription billing ownership to a new Account Admin. To learn more about transferring billing ownership, see [Transfer ownership of an Azure subscription to another account](../../billing/billing-subscription-transfer.md). +Changing the subscription directory is a service-level operation, so it doesn't affect subscription billing ownership. The Account Admin can still change the Service Admin from the [Account Center](https://account.azure.com/subscriptions). To delete the original directory, you must transfer the subscription billing ownership to a new Account Admin. To learn more about transferring billing ownership, see [Transfer ownership of an Azure subscription to another account](../../billing/billing-subscription-transfer.md). ## Post association steps - After you associate a subscription to a different directory, there might be additional steps that you must perform to resume operations. 1. If you have any key vaults, you must change the key vault tenant ID. For more information, see [Change a key vault tenant ID after a subscription move](../../key-vault/key-vault-subscription-move-fix.md). -1. If you have registered an Azure Stack using this subscription, you must re-register. For more information, see [Register Azure Stack with Azure](../../azure-stack/azure-stack-registration.md). +2. If you have registered an Azure Stack using this subscription, you must re-register. 
For more information, see [Register Azure Stack with Azure](../../azure-stack/azure-stack-registration.md). + + ## Next steps diff --git a/articles/active-directory/fundamentals/active-directory-users-profile-azure-portal.md b/articles/active-directory/fundamentals/active-directory-users-profile-azure-portal.md index fedc558163736..0915c3ad2ed6b 100644 --- a/articles/active-directory/fundamentals/active-directory-users-profile-azure-portal.md +++ b/articles/active-directory/fundamentals/active-directory-users-profile-azure-portal.md @@ -9,7 +9,7 @@ ms.service: active-directory ms.workload: identity ms.subservice: fundamentals ms.topic: conceptual -ms.date: 09/05/2018 +ms.date: 04/11/2019 ms.author: lizross ms.reviewer: jeffsta ms.collection: M365-identity-device-management @@ -22,7 +22,7 @@ Add user profile information, including a profile picture, job-specific informat As you'll see, there's more information available in a user's profile than what you're able to add during the user's creation. All this additional information is optional and can be added as needed by your organization. ## To add or change profile information -1. Sign in to the [Azure portal](https://portal.azure.com/) as a Global administrator or user administrator for the directory. +1. Sign in to the [Azure portal](https://portal.azure.com/) as a User administrator for the organization. 2. Select **Azure Active Directory**, select **Users**, and then select a user. For example, _Alain Charon_. 
@@ -36,7 +36,7 @@ As you'll see, there's more information available in a user's profile than what - **Profile picture.** Select a thumbnail image for the user's account. This picture appears in Azure Active Directory and on the user's personal pages, such as the myapps.microsoft.com page. - - **Identity.** Add any account-related information, such as a married last name or a changed user name. + - **Identity.** Add or update an additional identity value for the user, such as a married last name. You can set this name independently from the values of First name and Last name. For example, you could use it to include initials, a company name, or to change the sequence of names shown. In another example, for two users whose names are ‘Chris Green’ you could use the Identity string to set their names to 'Chris B. Green' 'Chris R. Green (Contoso).' - **Job info.** Add any job-related information, such as the user's job title, department, or manager. diff --git a/articles/active-directory/fundamentals/active-directory-users-reset-password-azure-portal.md b/articles/active-directory/fundamentals/active-directory-users-reset-password-azure-portal.md index b6ac9830b3251..d3d04028c1c6c 100644 --- a/articles/active-directory/fundamentals/active-directory-users-reset-password-azure-portal.md +++ b/articles/active-directory/fundamentals/active-directory-users-reset-password-azure-portal.md @@ -19,6 +19,7 @@ ms.custom: "it-pro, seodec18" ms.collection: M365-identity-device-management --- # Reset a user's password using Azure Active Directory + As an administrator, you can reset a user's password if the password is forgotten, if the user gets locked out of a device, or if the user never received a password. >[!Note] 
@@ -29,7 +30,7 @@ As an administrator, you can reset a user's password if the password is forgotte ## To reset a password -1. Sign in to the [Azure portal](https://portal.azure.com/) as a global administrator, user administrator, or password administrator. For more information about the available roles, see [Assigning administrator roles in Azure Active Directory](../users-groups-roles/directory-assign-admin-roles.md#available-roles) +1. Sign in to the [Azure portal](https://portal.azure.com/) as a user administrator, or password administrator. For more information about the available roles, see [Assigning administrator roles in Azure Active Directory](../users-groups-roles/directory-assign-admin-roles.md#available-roles) 2. Select **Azure Active Directory**, select **Users**, search for and select the user that needs the reset, and then select **Reset Password**. @@ -47,6 +48,7 @@ As an administrator, you can reset a user's password if the password is forgotte >The temporary password never expires. The next time the user signs in, the password will still work, regardless how much time has passed since the temporary password was generated. ## Next steps + After you've reset your user's password, you can perform the following basic processes: - [Add or delete users](add-users-azure-active-directory.md) diff --git a/articles/active-directory/fundamentals/add-users-azure-active-directory.md b/articles/active-directory/fundamentals/add-users-azure-active-directory.md index a033992cf2686..ab8c3d543f7a5 100644 --- a/articles/active-directory/fundamentals/add-users-azure-active-directory.md +++ b/articles/active-directory/fundamentals/add-users-azure-active-directory.md 
@@ -43,7 +43,7 @@ You can create a new user using the Azure Active Directory portal.
 - **Groups.** Optionally, you can add the user to one or more existing groups. You can also add the user to groups at a later time. For more information about adding users to groups, see [How to create a basic group and add members](active-directory-groups-create-azure-portal.md).
- - **Directory role.** Optionally, you can add the user to a an Azure AD administrator role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Azure AD. For more information about assigning roles, see [How to assign roles to users](active-directory-users-assign-role-azure-portal.md).
+ - **Directory role.** Optionally, you can add the user to an Azure AD administrator role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Azure AD. For more information about assigning roles, see [How to assign roles to users](active-directory-users-assign-role-azure-portal.md).
 4. Copy the auto-generated password provided in the **Password** box. You'll need to give this password to the user for the initial sign-in process.
diff --git a/articles/active-directory/fundamentals/whats-new-archive.md b/articles/active-directory/fundamentals/whats-new-archive.md
index 009d8feebaffd..6af5c064a0d19 100644
--- a/articles/active-directory/fundamentals/whats-new-archive.md
+++ b/articles/active-directory/fundamentals/whats-new-archive.md
@@ -462,7 +462,7 @@ For more information about Azure AD Password Protection, see [Eliminate bad pass
 During the creation of your Terms of Use (ToU), a new conditional access policy template is also created for "all guests" and "all apps". This new policy template applies the newly created ToU, streamlining the creation and enforcement process for guests.
-For more information, see [Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/active-directory-tou).
+For more information, see [Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use).
 ---
@@ -474,7 +474,7 @@ For more information, see [Azure Active Directory Terms of use feature](https://
 During the creation of your Terms of Use (ToU), a new “custom” conditional access policy template is also created. This new policy template lets you create the ToU and then immediately go to the conditional access policy creation blade, without needing to manually navigate through the portal.
-For more information, see [Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/active-directory-tou).
+For more information, see [Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use).
 ---
@@ -735,7 +735,7 @@ For more information, see:
 Administrators can now select a given ToU and see all the users that have consented to that ToU and what date/time it took place.
-For more information, see the [Azure AD terms of use feature](https://docs.microsoft.com/azure/active-directory/active-directory-tou).
+For more information, see the [Azure AD terms of use feature](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use).
 ---
@@ -778,7 +778,7 @@ For more information, see [Configuring single sign-on to applications that are n
 Azure AD Terms of Use have moved from public preview to generally available.
-For more information, see the [Azure AD terms of use feature](https://docs.microsoft.com/azure/active-directory/active-directory-tou).
+For more information, see the [Azure AD terms of use feature](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use).
 ---
@@ -1410,7 +1410,7 @@ Follow these steps:
 4. Now you can review the terms of use you accepted.
-For more information, see the [Azure AD terms of use feature (preview)](https://docs.microsoft.com/azure/active-directory/active-directory-tou).
+For more information, see the [Azure AD terms of use feature (preview)](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use).
 ---
@@ -1450,7 +1450,7 @@ An option for administrators requires their users to expand the terms of use pri
 Select either **On** or **Off** to require users to expand the terms of use. The **On** setting requires users to view the terms of use prior to accepting them.
-For more information, see the [Azure AD terms of use feature (preview)](https://docs.microsoft.com/azure/active-directory/active-directory-tou).
+For more information, see the [Azure AD terms of use feature (preview)](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use).
 ---
@@ -1804,7 +1804,7 @@ You can use Azure AD terms of use in the following scenarios:
 - Specific terms of use based on a user's attributes (for example, doctors vs. nurses or domestic vs. international employees, done by dynamic groups)
 - Specific terms of use for accessing high-impact business apps, like Salesforce
-For more information, see [Azure AD terms of use](https://docs.microsoft.com/azure/active-directory/active-directory-tou).
+For more information, see [Azure AD terms of use](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use).
 ---
diff --git a/articles/active-directory/fundamentals/whats-new.md b/articles/active-directory/fundamentals/whats-new.md
index 8b950e7f8bc55..5fc353b4021f7 100644
--- a/articles/active-directory/fundamentals/whats-new.md
+++ b/articles/active-directory/fundamentals/whats-new.md
@@ -35,8 +35,40 @@ This page is updated monthly, so revisit it regularly. If you're looking for ite --- +## April 2019 + +### Increased security using the app protection-based conditional access policy in Azure AD (Public preview) + +**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + +App protection-based conditional access is now available by using the **Require app protection** policy. This new policy helps to increase your organization's security by helping to prevent: + +- Users gaining access to apps without a Microsoft Intune license. + +- Users being unable to get a Microsoft Intune app protection policy. + +- Users gaining access to apps without a configured Microsoft Intune app protection policy. + +For more information, see [How to Require app protection policy for cloud app access with conditional access](https://docs.microsoft.com/azure/active-directory/conditional-access/app-protection-based-conditional-access). + +--- + ## March 2019 +### New support for Azure AD single sign-on and conditional access in Microsoft Edge (Public preview) + +**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + +We've enhanced our Azure AD support for Microsoft Edge, including providing new support for Azure AD single sign-on and conditional access. If you've previously used Microsoft Intune Managed Browser, you can now use Microsoft Edge instead. + +For more information about setting up and managing your devices and apps using conditional access, see [Require managed devices for cloud app access with conditional access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices) and [Require approved client apps for cloud app access with conditional access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-conditional-access). 
For more information about how to manage access using Microsoft Edge with Microsoft Intune policies, see [Manage Internet access using a Microsoft Intune policy-protected browser](https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser). + +--- + ### Identity Experience Framework and custom policy support in Azure Active Directory B2C is now available (GA) **Type:** New feature @@ -153,7 +185,7 @@ To help prevent administrators from accidentally locking themselves out of their **Service category:** Terms of Use **Product capability:** Governance -We've updated our existing Terms of use experiences to help improve how you review and consent to Terms of use on a mobile device. You can now zoom in and out, go back, download the information, and select hyperlinks. For more information about the updated Terms of use, see [Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/governance/active-directory-tou#what-terms-of-use-looks-like-for-users). +We've updated our existing Terms of use experiences to help improve how you review and consent to Terms of use on a mobile device. You can now zoom in and out, go back, download the information, and select hyperlinks. For more information about the updated Terms of use, see [Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use#what-terms-of-use-looks-like-for-users). --- 
@@ -531,7 +563,7 @@ For more information about how to get and use this timestamp, see [How To: Manag
 Administrators can now turn on the **Require users to consent on every device** option to require your users to accept your Terms of use on every device they're using on your tenant.
-For more information, see the [Per-device Terms of use section of the Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/governance/active-directory-tou#per-device-terms-of-use).
+For more information, see the [Per-device Terms of use section of the Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use#per-device-terms-of-use).
 ---
@@ -544,7 +576,7 @@ For more information, see the [Per-device Terms of use section of the Azure Acti
 Administrators can now turn on the **Expire consents** option to make a Terms of use expire for all of your users based on your specified recurring schedule. The schedule can be annually, bi-annually, quarterly, or monthly. After the Terms of use expire, users must reaccept.
-For more information, see the [Add Terms of use section of the Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/governance/active-directory-tou#add-terms-of-use).
+For more information, see the [Add Terms of use section of the Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use#add-terms-of-use).
 ---
@@ -556,7 +588,7 @@ For more information, see the [Add Terms of use section of the Azure Active Dire Administrators can now specify a duration that user must reaccept a Terms of use. For example, administrators can specify that users must reaccept a Terms of use every 90 days. -For more information, see the [Add Terms of use section of the Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/governance/active-directory-tou#add-terms-of-use). +For more information, see the [Add Terms of use section of the Azure Active Directory Terms of use feature](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use#add-terms-of-use). --- diff --git a/articles/active-directory/governance/TOC.yml b/articles/active-directory/governance/TOC.yml index 28626738c1964..6ad7d9e096e75 100644 --- a/articles/active-directory/governance/TOC.yml +++ b/articles/active-directory/governance/TOC.yml @@ -51,5 +51,3 @@ href: ../privileged-identity-management/pim-resource-roles-start-access-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json - name: Complete an access review href: ../privileged-identity-management/pim-resource-roles-complete-access-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json - - name: Terms of use - href: active-directory-tou.md diff --git a/articles/active-directory/governance/active-directory-tou.md b/articles/active-directory/governance/active-directory-tou.md deleted file mode 100644 index 40bd0cd52eb5e..0000000000000 --- a/articles/active-directory/governance/active-directory-tou.md +++ /dev/null 
@@ -1,385 +0,0 @@ ---- -title: Terms of use - Azure Active Directory | Microsoft Docs -description: Describes how to get started using Azure Active Directory Terms of use to present information to employees or guests before getting access. -services: active-directory -author: rolyon -manager: mtillman -editor: '' -ms.assetid: d55872ef-7e45-4de5-a9a0-3298e3de3565 -ms.service: active-directory -ms.workload: identity -ms.tgt_pltfrm: na -ms.devlang: na -ms.topic: conceptual -ms.subservice: compliance -ms.date: 03/24/2019 -ms.author: rolyon - -ms.collection: M365-identity-device-management ---- - -# Azure Active Directory Terms of use feature -Azure AD Terms of use provides a simple method that organizations can use to present information to end users. This presentation ensures users see relevant disclaimers for legal or compliance requirements. This article describes how to get started with Terms of use. - -[!INCLUDE [GDPR-related guidance](../../../includes/gdpr-intro-sentence.md)] - -## Overview videos - -The following video provides a quick overview of Terms of use. - ->[!VIDEO https://www.youtube.com/embed/tj-LK0abNao] - -For additional videos, see: -- [How to deploy Terms of use in Azure Active Directory](https://www.youtube.com/embed/N4vgqHO2tgY) -- [How to roll out Terms of use in Azure Active Directory](https://www.youtube.com/embed/t_hA4y9luCY) - -## What can I do with Terms of use? -Azure AD Terms of use has the following capabilities: -- Require employees or guests to accept your Terms of use before getting access. -- Require employees or guests to accept your Terms of use on every device before getting access. -- Require employees or guests to accept your Terms of use on a recurring schedule. -- Present general Terms of use for all users in your organization. -- Present specific Terms of use based on a user attributes (ex. 
doctors vs nurses or domestic vs international employees, by using [dynamic groups](../users-groups-roles/groups-dynamic-membership.md)). -- Present specific Terms of use when accessing high business impact applications, like Salesforce. -- Present Terms of use in different languages. -- List who has or hasn't accepted to your Terms of use. -- Assist in meeting privacy regulations. -- Display a log of Terms of use activity for compliance and audit. -- Create and manage Terms of use using [Microsoft Graph APIs](https://developer.microsoft.com/graph/docs/api-reference/beta/resources/agreement) (currently in preview). - -## Prerequisites -To use and configure Azure AD Terms of use, you must have: - -- Azure AD Premium P1, P2, EMS E3, or EMS E5 subscription. - - If you don't have one of theses subscriptions, you can [get Azure AD Premium](../fundamentals/active-directory-get-started-premium.md) or [enable Azure AD Premium trial](https://azure.microsoft.com/trial/get-started-active-directory/). -- One of the following administrator accounts for the directory you want to configure: - - Global Administrator - - Security Administrator - - Conditional Access Administrator - -## Terms of use document - -Azure AD Terms of use uses the PDF format to present content. The PDF file can be any content, such as existing contract documents, allowing you to collect end-user agreements during user sign-in. To support users on mobile devices, the recommended font size in the PDF is 24 point. - -## Add Terms of use -Once you have finalized your Terms of use document, use the following procedure to add it. - -1. Sign in to Azure as a Global Administrator, Security Administrator, or Conditional Access Administrator. - -1. Navigate to **Terms of use** at [https://aka.ms/catou](https://aka.ms/catou). - - ![Terms of use blade](./media/active-directory-tou/tou-blade.png) - -1. Click **New terms**. - - ![Add TOU](./media/active-directory-tou/new-tou.png) - -1. 
In the **Name** box, enter a name for the Terms of use that will be used in the Azure portal. - -1. In the **Display name** box, enter a title that users see when they sign in. - -1. For **Terms of use document**, browse to your finalized Terms of use PDF and select it. - -1. Select the language for your Terms of use document. The language option allows you to upload multiple Terms of use, each with a different language. The version of the Terms of use that an end user will see will be based on their browser preferences. - -1. To require end users to view the Terms of use prior to accepting them, set **Require users to expand the terms of use** to **On**. - -1. To require end users to accept your Terms of use on every device they are accessing from, set **Require users to consent on every device** to **On**. For more information, see [Per-device Terms of use](#per-device-terms-of-use). - -1. If you want to expire Terms of use consents on a schedule, set **Expire consents** to **On**. When set to On, two additional schedule settings are displayed. - - ![Expire consents](./media/active-directory-tou/expire-consents.png) - -1. Use the **Expire starting on** and **Frequency** settings to specify the schedule for Terms of use expirations. The following table shows the result for a couple of example settings: - - | Expire starting on | Frequency | Result | - | --- | --- | --- | - | Today's date | Monthly | Starting today, users must accept the Terms of use and then reaccept every month. | - | Date in the future | Monthly | Starting today, users must accept the Terms of use. When the future date occurs, consents will expire and then users must reaccept every month. 
| - - For example, if you set the expire starting on date to **Jan 1** and frequency to **Monthly**, here is how expirations might occur for two users: - - | User | First accept date | First expire date | Second expire date | Third expire date | - | --- | --- | --- | --- | --- | - | Alice | Jan 1 | Feb 1 | Mar 1 | Apr 1 | - | Bob | Jan 15 | Feb 1 | Mar 1 | Apr 1 | - -1. Use the **Duration before re-acceptance requires (days)** setting to specify the number of days before the user must reaccept the Terms of use. This allows users to follow their own schedule. For example, if you set the duration to **30** days, here is how expirations might occur for two users: - - | User | First accept date | First expire date | Second expire date | Third expire date | - | --- | --- | --- | --- | --- | - | Alice | Jan 1 | Jan 31 | Mar 2 | Apr 1 | - | Bob | Jan 15 | Feb 14 | Mar 16 | Apr 15 | - - It is possible to use the **Expire consents** and **Duration before re-acceptance requires (days)** settings together, but typically you use one or the other. - -1. Under **Conditional Access**, use the **Enforce with conditional access policy template** list to select the template to enforce the Terms of use. - - ![Conditional access templates](./media/active-directory-tou/conditional-access-templates.png) - - | Template | Description | - | --- | --- | - | **Access to cloud apps for all guests** | A conditional access policy will be created for all guests and all cloud apps. This policy impacts the Azure portal. Once this is created, you might be required to sign-out and sign-in. | - | **Access to cloud apps for all users** | A conditional access policy will be created for all users and all cloud apps. This policy impacts the Azure portal. Once this is created, you will be required to sign-out and sign-in. | - | **Custom policy** | Select the users, groups, and apps that this Terms of Use will be applied to. 
| - | **Create conditional access policy later** | This terms of use will appear in the grant control list when creating a conditional access policy. | - - >[!IMPORTANT] - >Conditional access policy controls (including Terms of use) do not support enforcement on service accounts. We recommend excluding all service accounts from the conditional access policy. - - Custom conditional access policies enable granular Terms of use, down to a specific cloud application or group of users. For more information, see [Quickstart: Require terms of use to be accepted before accessing cloud apps](../conditional-access/require-tou.md). - -1. Click **Create**. - - If you selected a custom conditional access template, then a new screen appears that allows you to create the custom conditional access policy. - - ![Custom policy](./media/active-directory-tou/custom-policy.png) - - You should now see your new Terms of use. - - ![Add TOU](./media/active-directory-tou/create-tou.png) - -## View report of who has accepted and declined -The Terms of use blade shows a count of the users who have accepted and declined. These counts and who accepted/declined are stored for the life of the Terms of use. - -1. Sign in to Azure and navigate to **Terms of use** at [https://aka.ms/catou](https://aka.ms/catou). - - ![Terms of use blade](./media/active-directory-tou/view-tou.png) - -1. For a Terms of use, click the numbers under **Accepted** or **Declined** to view the current state for users. - - ![Terms of use consents](./media/active-directory-tou/accepted-tou.png) - -1. To view the history for an individual user, click the ellipsis (**...**) and then **View History**. - - ![View History menu](./media/active-directory-tou/view-history-menu.png) - - In the view history pane, you see a history of all the accepts, declines, and expirations. 
- - ![View History pane](./media/active-directory-tou/view-history-pane.png) - -## View Azure AD audit logs -If you want to view additional activity, Azure AD Terms of use includes audit logs. Each user consent triggers an event in the audit logs that is stored for **30 days**. You can view these logs in the portal or download as a .csv file. - -To get started with Azure AD audit logs, use the following procedure: - -1. Sign in to Azure and navigate to **Terms of use** at [https://aka.ms/catou](https://aka.ms/catou). - -1. Select a Terms of use. - -1. Click **View audit logs**. - - ![Terms of use blade](./media/active-directory-tou/audit-tou.png) - -1. On the Azure AD audit logs screen, you can filter the information using the provided lists to target specific audit log information. - - You can also click **Download** to download the information in a .csv file for use locally. - - ![Audit logs](./media/active-directory-tou/audit-logs-tou.png) - - If you click a log, a pane appears with additional activity details. - - ![Activity details](./media/active-directory-tou/audit-log-activity-details.png) - -## What Terms of use looks like for users -Once a Terms of use is created and enforced, users, who are in scope, will see the following screen during sign-in. - -![User web sign-in](./media/active-directory-tou/user-tou.png) - -Users can view the Terms of use and, if necessary, use buttons to zoom in and out. - -![View Terms of use with zoom buttons](./media/active-directory-tou/zoom-buttons.png) - -The following screen shows how Terms of use looks on mobile devices. - -![User mobile sign-in](./media/active-directory-tou/mobile-tou.png) - -Users are only required to accept the Terms of use once and they will not see the Terms of use again on subsequent sign-ins. - -### How users can review their Terms of use -Users can review and see the Terms of use that they have accepted by using the following procedure. - -1. 
Sign in to [https://myapps.microsoft.com](https://myapps.microsoft.com). - -1. In the upper right corner, click your name and select **Profile**. - - ![Profile](./media/active-directory-tou/tou14.png) - -1. On your Profile page, click **Review terms of use**. - - ![Profile - Review terms of use](./media/active-directory-tou/tou13a.png) - -1. From there, you can review the Terms of use you have accepted. - -## Edit Terms of use details -You can edit some details of Terms of use, but you can't modify an existing document. The following procedure describes how to edit the details. - -1. Sign in to Azure and navigate to **Terms of use** at [https://aka.ms/catou](https://aka.ms/catou). - -1. Select the Terms of use you want to edit. - -1. Click **Edit terms**. - -1. In the Edit terms of use pane, change the name, display name, or require users to expand values. - - If there are other settings you would like to change, such as PDF document, require users to consent on every device, expire consents, duration before reacceptance, or conditional access policy, you must create a new Terms of use. - - ![Edit terms of use](./media/active-directory-tou/edit-tou.png) - -1. Click **Save** to save your changes. - - Once you save your changes, users will not have to reaccept these edits. - -## Add a Terms of use language -The following procedure describes how to add a Terms of use language. - -1. Sign in to Azure and navigate to **Terms of use** at [https://aka.ms/catou](https://aka.ms/catou). - -1. Select the Terms of use you want to edit. - -1. In the details pane, click the **Languages** tab. - - ![Add TOU](./media/active-directory-tou/languages-tou.png) - -1. Click **Add language**. - -1. In the Add terms of use language pane, upload your localized PDF and select the language. - - ![Add TOU](./media/active-directory-tou/language-add-tou.png) - -1. Click **Add** to add the language. 
- -## Per-device Terms of use - -The **Require users to consent on every device** setting enables you to require end users to accept your Terms of use on every device they are accessing from. The end user will be required to join their device in Azure AD. When the device is joined, the device ID is used to enforce the Terms of use on each device. - -Here is a list of the supported platforms and software. - -> [!div class="mx-tableFixed"] -> | | iOS | Android | Windows 10 | Other | -> | --- | --- | --- | --- | --- | -> | **Native app** | Yes | Yes | Yes | | -> | **Microsoft Edge** | Yes | Yes | Yes | | -> | **Internet Explorer** | Yes | Yes | Yes | | -> | **Chrome (with extension)** | Yes | Yes | Yes | | - -Per-device Terms of use has the following constraints: - -- A device can only be joined to one tenant. -- A user must have permissions to join their device. -- The Intune Enrollment app is not supported. - -If the user's device is not joined, they will receive a message that they need to join their device. Their experience will be dependent on the platform and software. - -### Join a Windows 10 device - -If a user is using Windows 10 and Microsoft Edge, they will receive a message similar to the following to [join their device](../user-help/user-help-join-device-on-network.md#to-join-an-already-configured-windows-10-device). - -![Windows 10 and Microsoft Edge - Join device prompt](./media/active-directory-tou/per-device-win10-edge.png) - -If they are using Chrome, they will be prompted to install the [Windows 10 Accounts extension](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji). - -### Browsers - -If a user is using browser that is not supported, they will be asked to use a different browser. - -![Unsupported browser](./media/active-directory-tou/per-device-browser-unsupported.png) - -## Delete Terms of use -You can delete old Terms of use using the following procedure. - -1. 
Sign in to Azure and navigate to **Terms of use** at [https://aka.ms/catou](https://aka.ms/catou). - -1. Select the Terms of use you want to remove. - -1. Click **Delete terms**. - -1. In the message that appears asking if you want to continue, click **Yes**. - - ![Delete Terms of use](./media/active-directory-tou/delete-tou.png) - - You should no longer see your Terms of use. - -## Deleted users and active Terms of use -By default, a deleted user is in a deleted state in Azure AD for 30 days, during which time they can be restored by an administrator if necessary. After 30 days, that user is permanently deleted. In addition, using the Azure Active Directory portal, a Global Administrator can explicitly [permanently delete a recently deleted user](../fundamentals/active-directory-users-restore.md) before that time period is reached. One a user has been permanently deleted, subsequent data about that user will be removed from the active Terms of use. Audit information about deleted users remains in the audit log. - -## Policy changes -Conditional access policies take effect immediately. When this happens, the administrator will start to see “sad clouds” or "Azure AD token issues". The administrator must sign out and sign in again in order to satisfy the new policy. - ->[!IMPORTANT] -> Users in scope will need to sign-out and sign-in in order to satisfy a new policy if: -> - a conditional access policy is enabled on a Terms of use -> - or a second Terms of use is created - -## B2B guests (Preview) - -Most organizations have a process in place for their employees to consent to their organization's Terms of use and privacy statements. But how can you enforce the same consents for Azure AD business-to-business (B2B) guests when they're added via SharePoint or Teams? Using conditional access and Terms of use, you can enforce a policy directly towards B2B guest users. During the invitation redemption flow, the user is presented with the Terms of use. 
This support is currently in preview. - -Terms of use will only be displayed when the user has a guest account in Azure AD. SharePoint Online currently has an [ad hoc external sharing recipient experience](/sharepoint/what-s-new-in-sharing-in-targeted-release) to share a document or a folder that does not require the user to have a guest account. In this case, a Terms of use is not displayed. - -![All guest users](./media/active-directory-tou/b2b-guests.png) - -## Support for cloud apps (Preview) - -Terms of use can be used for different cloud apps, such as Azure Information Protection and Microsoft Intune. This support is currently in preview. - -### Azure Information Protection - -You can configure a conditional access policy for the Azure Information Protection app and require a Terms of use when a user accesses a protected document. This will trigger a Terms of use prior to a user accessing a protected document for the first time. - -![Azure Information Protection cloud app](./media/active-directory-tou/cloud-app-info-protection.png) - -### Microsoft Intune Enrollment - -You can configure a conditional access policy for the Microsoft Intune Enrollment app and require a Terms of use prior to the enrollment of a device in Intune. For more information, see the Read [Choosing the right Terms solution for your organization blog post](https://go.microsoft.com/fwlink/?linkid=2010506&clcid=0x409). - -![Microsoft Intune cloud app](./media/active-directory-tou/cloud-app-intune.png) - -> [!NOTE] -> The Intune Enrollment app is not supported for [Per-device Terms of use](#per-device-terms-of-use). - -## Frequently asked questions - -**Q: How do I see when/if a user has accepted a Terms of use?**
-A: On the Terms of use blade, click the number under **Accepted**. You can also view or search the accept activity in the Azure AD audit logs. For more information, see View report of who has accepted and declined and [View Azure AD audit logs](#view-azure-ad-audit-logs). - -**Q: How long is information stored?**
-A: The user counts in the Terms of use report and who accepted/declined are stored for the life of the Terms of use. The Azure AD audit logs are stored for 30 days. - -**Q: Why do I see a different number of consents in the Terms of use report vs. the Azure AD audit logs?**
-A: The Terms of use report is stored for the lifetime of that Terms of use, while the Azure AD audit logs are stored for 30 days. Also, the Terms of use report only displays the users current consent state. For example, if a user declines and then accepts, the Terms of use report will only show that user's accept. If you need to see the history, you can use the Azure AD audit logs. - -**Q: If I edit the details for a Terms of use, does it require users to accept again?**
-A: No, if an administrator edits the details for a Terms of use (name, display name, require users to expand, or add a language), it does not require users to reaccept the new terms. - -**Q: Can I update an existing Terms of use document?**
-A: Currently, you can't update an existing Terms of use document. To change a Terms of use document, you will have to create a new Terms of use instance. - -**Q: If hyperlinks are in the Terms of use PDF document, will end users be able to click them?**
-A: The PDF is rendered by default as a JPEG, so hyperlinks are not clickable. Users have the option to select **Having trouble viewing? Click here**, which renders the PDF natively where hyperlinks are supported. - -**Q: Can a Terms of use support multiple languages?**
-A: Yes. Currently there are 108 different languages an administrator can configure for a single Terms of use. An administrator can upload multiple PDF documents and tag those documents with a corresponding language (up to 108). When end users sign in, we look at their browser language preference and display the matching document. If there is no match, we will display the default document, which is the first document that is uploaded. - -**Q: When is the Terms of use triggered?**
-A: The Terms of use is triggered during the sign-in experience. - -**Q: What applications can I target a Terms of use to?**
-A: You can create a conditional access policy on the enterprise applications using modern authentication. For more information, see [enterprise applications](./../manage-apps/view-applications-portal.md). - -**Q: Can I add multiple Terms of use to a given user or app?**
-A: Yes, by creating multiple conditional access policies targeting those groups or applications. If a user falls in scope of multiple Terms of use, they accept one Terms of use at a time. - -**Q: What happens if a user declines the Terms of use?**
-A: The user is blocked from getting access to the application. The user would have to sign in again and accept the terms in order to get access. - -**Q: Is it possible to unaccept Terms of use that were previously accepted?**
-A: You can [review previously accepted Terms of use](#how-users-can-review-their-terms-of-use), but currently there isn't a way to unaccept. - -**Q: What happens if I'm also using Intune terms and conditions?**
-A: If you have configured both Azure AD Terms of use and [Intune terms and conditions](/intune/terms-and-conditions-create), the user will be required to accept both. For more information, see the [Choosing the right Terms solution for your organization blog post](https://go.microsoft.com/fwlink/?linkid=2010506&clcid=0x409). - -## Next steps - -- [Quickstart: Require terms of use to be accepted before accessing cloud apps](../conditional-access/require-tou.md) -- [Best practices for conditional access in Azure Active Directory](../conditional-access/best-practices.md) diff --git a/articles/active-directory/governance/create-access-review.md b/articles/active-directory/governance/create-access-review.md index 552a68a96a4f8..217e554e623ab 100644 --- a/articles/active-directory/governance/create-access-review.md +++ b/articles/active-directory/governance/create-access-review.md @@ -11,7 +11,7 @@ ms.tgt_pltfrm: na ms.devlang: na ms.topic: conceptual ms.subservice: compliance -ms.date: 02/20/2019 +ms.date: 04/01/2019 ms.author: rolyon ms.reviewer: mwahl ms.collection: M365-identity-device-management @@ -30,13 +30,13 @@ This article describes how to create one or more access reviews for group member ## Create one or more access reviews -1. Sign-in to the Azure portal and open the [Access reviews page](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/). +1. Sign in to the Azure portal and open the [Access reviews page](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/). -1. Click **Controls**. +1. In the left menu, click **Access reviews**. 1. Click **New access review** to create a new access review. - ![Access review - Controls](./media/create-access-review/controls.png) + ![Access review - Controls](./media/create-access-review/access-reviews.png) 1. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers. 
@@ -46,15 +46,15 @@ This article describes how to create one or more access reviews for group member ![Create an access review - Start and end dates](./media/create-access-review/start-end-dates.png) -1. To make the access review recurring, change the **Frequency** setting from **One time** to **Weekly**, **Monthly**, **Quarterly** or **Annually**, and use the **Duration** slider or text box to define how many days each review of the recurring series will be open for input from reviewers. For example, the maximum duration that you can set for a monthly review is 27 days, to avoid overlapping reviews. +1. To make the access review recurring, change the **Frequency** setting from **One time** to **Weekly**, **Monthly**, **Quarterly** or **Annually**. Use the **Duration** slider or text box to define how many days each review of the recurring series will be open for input from reviewers. For example, the maximum duration that you can set for a monthly review is 27 days, to avoid overlapping reviews. 1. Use the **End** setting to specify how to end the recurring access review series. The series can end in three ways: it runs continuously to start reviews indefinitely, until a specific date, or after a defined number of occurrences has been completed. You, another User administrator, or another Global administrator can stop the series after creation by changing the date in **Settings**, so that it ends on that date. -1. In the **Users** section, specify the users that access review applies to. Access reviews can be for the members of a group or for users who were assigned to an application. You can further scope the access review to review only the guest users who are members (or assigned to the application), rather than reviewing all the users who are members or who have access to the application. +1. In the **Users** section, specify the users that the access review applies to. 
Access reviews can be for the members of a group or for users who were assigned to an application. You can further scope the access review to review only the guest users who are members (or assigned to the application), rather than reviewing all the users who are members or who have access to the application. ![Create an access review - Users](./media/create-access-review/users.png) -1. In the **Groups** section, select one or more groups that you would like to review membership of. +1. In the **Group** section, select one or more groups that you would like to review membership of. > [!NOTE] > Selecting more than one group will create multiple access reviews. For example, selecting five groups will create five separate access reviews. @@ -107,7 +107,9 @@ This article describes how to create one or more access reviews for group member ## Start the access review -Once you have specified the settings for an access review, click **Start**. +Once you have specified the settings for an access review, click **Start**. The access review will appear in your list with an indicator of its status. + +![Access reviews list](./media/create-access-review/access-reviews-list.png) By default, Azure AD sends an email to reviewers shortly after the review starts. If you choose not to have Azure AD send the email, be sure to inform the reviewers that an access review is waiting for them to complete. You can show them the instructions for how to [review access to groups or applications](perform-access-review.md). If your review is for guests to review their own access, show them the instructions for how to [review access for yourself to groups or applications](review-your-access.md). 
@@ -115,13 +117,15 @@ If some of the reviewers are guests, guests are notified via email only if they' ## Manage the access review -You can track the progress as the reviewers complete their reviews in the Azure AD dashboard in the **Access reviews** section. No access rights are changed in the directory until [the review is completed](complete-access-review.md). +You can track the progress as the reviewers complete their reviews on the **Overview** page of the access review. No access rights are changed in the directory until [the review is completed](complete-access-review.md). + +![Access reviews progress](./media/create-access-review/overview-progress.png) If this is a one-time review, then after the access review period is over or the administrator stops the access review, follow the steps in [Complete an access review of groups or applications](complete-access-review.md) to see and apply the results. -To manage a series of access reviews, navigate to the access review from **Controls**, and you will find upcoming occurrences in Scheduled reviews, and edit the end date or add/remove reviewers accordingly. +To manage a series of access reviews, navigate to the access review, and you will find upcoming occurrences in Scheduled reviews, and edit the end date or add/remove reviewers accordingly. -Based on your selections in Upon completion settings, auto-apply will be executed after the review's end date or when you manually stop the review. The status of the review will change from Completed through intermediate states such as Applying and finally to state Applied. You should expect to see denied users, if any, being removed from the group membership or application assignment in a few minutes. +Based on your selections in **Upon completion settings**, auto-apply will be executed after the review's end date or when you manually stop the review. 
The status of the review will change from **Completed** through intermediate states such as **Applying** and finally to state **Applied**. You should expect to see denied users, if any, being removed from the group membership or application assignment in a few minutes. ## Create reviews via APIs diff --git a/articles/active-directory/governance/identity-governance-overview.md b/articles/active-directory/governance/identity-governance-overview.md index 57ee64c5478ce..903b5455e1295 100644 --- a/articles/active-directory/governance/identity-governance-overview.md +++ b/articles/active-directory/governance/identity-governance-overview.md 
@@ -51,7 +51,7 @@ Typically, IT delegates access approval decisions to business decision makers. Organizations can automate the access lifecycle process through technologies such as [dynamic groups](../users-groups-roles/groups-dynamic-membership.md), coupled with user provisioning to [SaaS apps](../saas-apps/tutorial-list.md) or [apps integrated with SCIM](../manage-apps/use-scim-to-provision-users-and-groups.md). Organizations can also control which [guest users have access to on-premises applications](../b2b/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Azure AD access reviews](access-reviews-overview.md). -When a user attempts to access applications, Azure AD enforces [conditional access](/azure/active-directory/conditional-access/) policies. For example, conditional access policies can include displaying a [terms of use](active-directory-tou.md) and [ensuring the user has agreed to those terms](../conditional-access/require-tou.md) prior to being able to access an application. +When a user attempts to access applications, Azure AD enforces [conditional access](/azure/active-directory/conditional-access/) policies. For example, conditional access policies can include displaying a [Terms of use](../conditional-access/terms-of-use.md) and [ensuring the user has agreed to those terms](../conditional-access/require-tou.md) prior to being able to access an application. ## Privileged access lifecycle @@ -76,7 +76,7 @@ While there is no perfect solution or recommendation for every customer, the fol ### Terms of use -- [What can I do with Terms of use?](active-directory-tou.md) +- [What can I do with Terms of use?](../conditional-access/terms-of-use.md) ### Privileged identity management diff --git a/articles/active-directory/governance/index.yml b/articles/active-directory/governance/index.yml index b510618c2bf0e..7cfce6f21e0b1 100644 --- a/articles/active-directory/governance/index.yml 
+++ b/articles/active-directory/governance/index.yml @@ -45,4 +45,4 @@ sections: - type: list style: unordered items: - - html: What can I do with Terms of use? + - html: What can I do with Terms of use? diff --git a/articles/active-directory/governance/media/create-access-review/access-reviews-list.png b/articles/active-directory/governance/media/create-access-review/access-reviews-list.png new file mode 100644 index 0000000000000..86515398f51c6 Binary files /dev/null and b/articles/active-directory/governance/media/create-access-review/access-reviews-list.png differ diff --git a/articles/active-directory/governance/media/create-access-review/access-reviews.png b/articles/active-directory/governance/media/create-access-review/access-reviews.png new file mode 100644 index 0000000000000..7d529198260a5 Binary files /dev/null and b/articles/active-directory/governance/media/create-access-review/access-reviews.png differ diff --git a/articles/active-directory/governance/media/create-access-review/advanced-settings.png b/articles/active-directory/governance/media/create-access-review/advanced-settings.png index 42fa099a6ed42..6681c045fa789 100644 Binary files a/articles/active-directory/governance/media/create-access-review/advanced-settings.png and b/articles/active-directory/governance/media/create-access-review/advanced-settings.png differ diff --git a/articles/active-directory/governance/media/create-access-review/controls.png b/articles/active-directory/governance/media/create-access-review/controls.png deleted file mode 100644 index dabafcf400c26..0000000000000 Binary files a/articles/active-directory/governance/media/create-access-review/controls.png and /dev/null differ 
diff --git a/articles/active-directory/governance/media/create-access-review/name-description.png b/articles/active-directory/governance/media/create-access-review/name-description.png
index 57a57a96366b3..399ca1a3ab010 100644
Binary files a/articles/active-directory/governance/media/create-access-review/name-description.png and b/articles/active-directory/governance/media/create-access-review/name-description.png differ
diff --git a/articles/active-directory/governance/media/create-access-review/overview-progress.png b/articles/active-directory/governance/media/create-access-review/overview-progress.png
new file mode 100644
index 0000000000000..cf8a7d8dbac47
Binary files /dev/null and b/articles/active-directory/governance/media/create-access-review/overview-progress.png differ
diff --git a/articles/active-directory/governance/media/create-access-review/programs.png b/articles/active-directory/governance/media/create-access-review/programs.png
index 2a214c9ff632d..d2eb3ed8e2f23 100644
Binary files a/articles/active-directory/governance/media/create-access-review/programs.png and b/articles/active-directory/governance/media/create-access-review/programs.png differ
diff --git a/articles/active-directory/governance/media/create-access-review/reviewers.png b/articles/active-directory/governance/media/create-access-review/reviewers.png
index ae37afe6db1dd..19a213b43bc37 100644
Binary files a/articles/active-directory/governance/media/create-access-review/reviewers.png and b/articles/active-directory/governance/media/create-access-review/reviewers.png differ
diff --git a/articles/active-directory/governance/media/create-access-review/select-application.png b/articles/active-directory/governance/media/create-access-review/select-application.png
index fc7804fa0ae40..f997a714a6c88 100644
Binary files a/articles/active-directory/governance/media/create-access-review/select-application.png and b/articles/active-directory/governance/media/create-access-review/select-application.png differ
diff --git a/articles/active-directory/governance/media/create-access-review/select-group.png b/articles/active-directory/governance/media/create-access-review/select-group.png
index ee19831ef1100..c9960f2d54f03 100644
Binary files a/articles/active-directory/governance/media/create-access-review/select-group.png and b/articles/active-directory/governance/media/create-access-review/select-group.png differ
diff --git a/articles/active-directory/governance/media/create-access-review/start-end-dates.png b/articles/active-directory/governance/media/create-access-review/start-end-dates.png
index dbe400c7897da..0d6e26b653fae 100644
Binary files a/articles/active-directory/governance/media/create-access-review/start-end-dates.png and b/articles/active-directory/governance/media/create-access-review/start-end-dates.png differ
diff --git a/articles/active-directory/governance/media/create-access-review/upon-completion-settings.png b/articles/active-directory/governance/media/create-access-review/upon-completion-settings.png
index fc10ca3306e1b..d66400016610f 100644
Binary files a/articles/active-directory/governance/media/create-access-review/upon-completion-settings.png and b/articles/active-directory/governance/media/create-access-review/upon-completion-settings.png differ
diff --git a/articles/active-directory/governance/media/create-access-review/users.png b/articles/active-directory/governance/media/create-access-review/users.png
index 4fa45f4a0f4ed..4fe480f9004ae 100644
Binary files a/articles/active-directory/governance/media/create-access-review/users.png and b/articles/active-directory/governance/media/create-access-review/users.png differ
diff --git a/articles/active-directory/governance/media/perform-access-review/accept-recommendations-summary.png b/articles/active-directory/governance/media/perform-access-review/accept-recommendations-summary.png
index af23f144d30d5..4f6cfce84c52e 100644
Binary files a/articles/active-directory/governance/media/perform-access-review/accept-recommendations-summary.png and b/articles/active-directory/governance/media/perform-access-review/accept-recommendations-summary.png differ
diff --git a/articles/active-directory/governance/media/perform-access-review/accept-recommendations.png b/articles/active-directory/governance/media/perform-access-review/accept-recommendations.png
index d93ffc888c58d..0447e14f89f78 100644
Binary files a/articles/active-directory/governance/media/perform-access-review/accept-recommendations.png and b/articles/active-directory/governance/media/perform-access-review/accept-recommendations.png differ
diff --git a/articles/active-directory/governance/media/perform-access-review/access-review-email.png b/articles/active-directory/governance/media/perform-access-review/access-review-email.png
index f33fb645504ee..93f7f69b4679a 100644
Binary files a/articles/active-directory/governance/media/perform-access-review/access-review-email.png and b/articles/active-directory/governance/media/perform-access-review/access-review-email.png differ
diff --git a/articles/active-directory/governance/media/perform-access-review/access-reviews-list.png b/articles/active-directory/governance/media/perform-access-review/access-reviews-list.png
index c598cb1771812..32f7db3e317f7 100644
Binary files a/articles/active-directory/governance/media/perform-access-review/access-reviews-list.png and b/articles/active-directory/governance/media/perform-access-review/access-reviews-list.png differ
diff --git a/articles/active-directory/governance/media/perform-access-review/approve-deny.png b/articles/active-directory/governance/media/perform-access-review/approve-deny.png
index 704161dfd2028..3ba28be52f318 100644
Binary files a/articles/active-directory/governance/media/perform-access-review/approve-deny.png and b/articles/active-directory/governance/media/perform-access-review/approve-deny.png differ
diff --git a/articles/active-directory/governance/media/perform-access-review/myapps-access-panel.png b/articles/active-directory/governance/media/perform-access-review/myapps-access-panel.png
index fe5f8b3a9ae79..9426d930d8ac0 100644
Binary files a/articles/active-directory/governance/media/perform-access-review/myapps-access-panel.png and b/articles/active-directory/governance/media/perform-access-review/myapps-access-panel.png differ
diff --git a/articles/active-directory/governance/media/perform-access-review/perform-access-review.png b/articles/active-directory/governance/media/perform-access-review/perform-access-review.png
index abbd505a436df..f3ebb4b26137f 100644
Binary files a/articles/active-directory/governance/media/perform-access-review/perform-access-review.png and b/articles/active-directory/governance/media/perform-access-review/perform-access-review.png differ
diff --git a/articles/active-directory/governance/perform-access-review.md b/articles/active-directory/governance/perform-access-review.md
index 3da0ff5710099..8636f3acb918d 100644
--- a/articles/active-directory/governance/perform-access-review.md
+++ b/articles/active-directory/governance/perform-access-review.md @@ -11,7 +11,7 @@ ms.tgt_pltfrm: na ms.devlang: na ms.topic: conceptual ms.subservice: compliance -ms.date: 02/20/2019 +ms.date: 04/01/2019 ms.author: rolyon ms.reviewer: mwahl ms.collection: M365-identity-device-management @@ -41,7 +41,7 @@ If you don't have the email, you can find your pending access reviews by followi 1. In the upper-right corner of the page, click the user symbol, which displays your name and default organization. If more than one organization is listed, select the organization that requested an access review. -1. On the right side of the page, click the **Access reviews** tile to see a list of the pending access reviews. +1. Click the **Access reviews** tile to see a list of the pending access reviews. If the tile isn't visible, there are no access reviews to perform for that organization and no action is needed at this time. @@ -66,12 +66,14 @@ There are two ways that you can approve or deny access: 1. Review the list of users to decide whether to approve or deny their continued access. -1. To approve or deny each request, click the row to open the window to specify the action to take. +1. To approve or deny each request, click the row to open a window to specify the action to take. 1. Click **Approve** or **Deny**. If you are unsure, you can click **Don't know**. Doing so will result in the user maintaining his/her access, but the selection will be reflected in the audit logs. ![Perform access review](./media/perform-access-review/approve-deny.png) +1. If necessary, enter a reason in the **Reason** box. + The administrator of the access review might require that you supply a reason for approving continued access or group membership. 1. Once you have specified the action to take, click **Save**. diff --git a/articles/active-directory/hybrid/how-to-connect-health-adfs.md b/articles/active-directory/hybrid/how-to-connect-health-adfs.md index c26442a24408b..e4473730af04b 100644 
--- a/articles/active-directory/hybrid/how-to-connect-health-adfs.md +++ b/articles/active-directory/hybrid/how-to-connect-health-adfs.md @@ -115,5 +115,5 @@ The report provides the following information: ## Related links * [Azure AD Connect Health](whatis-hybrid-identity-health.md) * [Azure AD Connect Health Agent Installation](how-to-connect-health-agent-install.md) -* [Risky IP report ](how-to-connect-health-adfs-risky-ip.md) +* [Risky IP report](how-to-connect-health-adfs-risky-ip.md) diff --git a/articles/active-directory/hybrid/how-to-connect-health-agent-install.md b/articles/active-directory/hybrid/how-to-connect-health-agent-install.md index f6d52d2d5dc36..534c0612d0937 100644 --- a/articles/active-directory/hybrid/how-to-connect-health-agent-install.md +++ b/articles/active-directory/hybrid/how-to-connect-health-agent-install.md @@ -136,7 +136,7 @@ In order for the Usage Analytics feature to gather and analyze data, the Azure A 1. Open **Local Security Policy** by opening **Server Manager** on the Start screen, or Server Manager in the taskbar on the desktop, then click **Tools/Local Security Policy**. 2. Navigate to the **Security Settings\Local Policies\User Rights Assignment** folder, and then double-click **Generate security audits**. 3. On the **Local Security Setting** tab, verify that the AD FS service account is listed. If it is not present, click **Add User or Group** and add it to the list, and then click **OK**. -4. To enable auditing, open a command prompt with elevated privileges and run the following command: ```auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable```. +4. To enable auditing, open a command prompt with elevated privileges and run the following command: ```auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable``` 5. Close **Local Security Policy**.
-- **The following steps are only required for primary AD FS servers.** --
6. Open the **AD FS Management** snap-in (in Server Manager, click Tools, and then select AD FS Management). @@ -149,7 +149,7 @@ In order for the Usage Analytics feature to gather and analyze data, the Azure A 1. Open **Local Security Policy** by opening **Server Manager** on the Start screen, or Server Manager in the taskbar on the desktop, then click **Tools/Local Security Policy**. 2. Navigate to the **Security Settings\Local Policies\User Rights Assignment** folder, and then double-click **Generate security audits**. 3. On the **Local Security Setting** tab, verify that the AD FS service account is listed. If it is not present, click **Add User or Group** and add the AD FS service account to the list, and then click **OK**. -4. To enable auditing, open a command prompt with elevated privileges and run the following command: auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable. +4. To enable auditing, open a command prompt with elevated privileges and run the following command: auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable 5. Close **Local Security Policy**.
-- **The following steps are only required for primary AD FS servers.** --
6. Open the **AD FS Management** snap-in (in Server Manager, click Tools, and then select AD FS Management). @@ -259,7 +259,7 @@ $secpasswd = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force $myCreds = New-Object System.Management.Automation.PSCredential ($userName, $secpasswd) import-module "C:\Program Files\Azure Ad Connect Health Adds Agent\PowerShell\AdHealthAdds" -Register-AzureADConnectHealthADDSAgent -UserPrincipalName $USERNAME -Credential $password +Register-AzureADConnectHealthADDSAgent -UserPrincipalName $USERNAME -Credential $myCreds ``` @@ -378,4 +378,4 @@ The role parameter currently takes the following values: * [Using Azure AD Connect Health for sync](how-to-connect-health-sync.md) * [Using Azure AD Connect Health with AD DS](how-to-connect-health-adds.md) * [Azure AD Connect Health FAQ](reference-connect-health-faq.md) -* [Azure AD Connect Health Version History](reference-connect-health-version-history.md) \ No newline at end of file +* [Azure AD Connect Health Version History](reference-connect-health-version-history.md) diff --git a/articles/active-directory/hybrid/how-to-connect-sso-how-it-works.md b/articles/active-directory/hybrid/how-to-connect-sso-how-it-works.md index e7ee594c4fe69..7027618497f05 100644 --- a/articles/active-directory/hybrid/how-to-connect-sso-how-it-works.md +++ b/articles/active-directory/hybrid/how-to-connect-sso-how-it-works.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: conceptual -ms.date: 04/02/2019 +ms.date: 04/08/2019 ms.subservice: hybrid ms.author: billmath ms.collection: M365-identity-device-management 
@@ -39,7 +39,7 @@ Seamless SSO is enabled using Azure AD Connect as shown [here](how-to-connect-ss - The computer account's Kerberos decryption key is shared securely with Azure AD. If there are multiple AD forests, each computer account will have its own unique Kerberos decryption key. >[!IMPORTANT] -> The `AZUREADSSOACC` computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled. Store the computer account in an Organization Unit (OU) where they are safe from accidental deletions. The Kerberos decryption key on the computer account should also be treated as sensitive. We highly recommend that you [roll over the Kerberos decryption key](how-to-connect-sso-faq.md#how-can-i-roll-over-the-kerberos-decryption-key-of-the-azureadssoacc-computer-account) of the `AZUREADSSOACC` computer account at least every 30 days. +> The `AZUREADSSOACC` computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled. Store the computer account in an Organization Unit (OU) where they are safe from accidental deletions and where only Domain Admins have access. The Kerberos decryption key on the computer account should also be treated as sensitive. We highly recommend that you [roll over the Kerberos decryption key](how-to-connect-sso-faq.md#how-can-i-roll-over-the-kerberos-decryption-key-of-the-azureadssoacc-computer-account) of the `AZUREADSSOACC` computer account at least every 30 days. Once the set-up is complete, Seamless SSO works the same way as any other sign-in that uses Integrated Windows Authentication (IWA). diff --git a/articles/active-directory/hybrid/how-to-connect-sso-quick-start.md b/articles/active-directory/hybrid/how-to-connect-sso-quick-start.md index 49ed2f82cfa50..59e3ead225790 100644 
--- a/articles/active-directory/hybrid/how-to-connect-sso-quick-start.md +++ b/articles/active-directory/hybrid/how-to-connect-sso-quick-start.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: conceptual -ms.date: 04/02/2019 +ms.date: 04/08/2019 ms.subservice: hybrid ms.author: billmath ms.collection: M365-identity-device-management @@ -88,7 +88,7 @@ Follow these instructions to verify that you have enabled Seamless SSO correctly ![Azure portal: Azure AD Connect pane](./media/how-to-connect-sso-quick-start/sso10.png) >[!IMPORTANT] -> Seamless SSO creates a computer account named `AZUREADSSOACC` in your on-premises Active Directory (AD) in each AD forest. The `AZUREADSSOACC` computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled. Store the computer account in an Organization Unit (OU) where they are safe from accidental deletions. +> Seamless SSO creates a computer account named `AZUREADSSOACC` in your on-premises Active Directory (AD) in each AD forest. The `AZUREADSSOACC` computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled. Store the computer account in an Organization Unit (OU) where they are safe from accidental deletions and where only Domain Admins have access. >[!NOTE] > If you are using Pass-the-Hash and Credential Theft Mitigation architectures in your on-premises environment, make appropriate changes to ensure that the `AZUREADSSOACC` computer account doesn't end up in the Quarantine container. diff --git a/articles/active-directory/hybrid/how-to-upgrade-previous-version.md b/articles/active-directory/hybrid/how-to-upgrade-previous-version.md index f57023c652127..0afac8c0a81f7 100644 
--- a/articles/active-directory/hybrid/how-to-upgrade-previous-version.md +++ b/articles/active-directory/hybrid/how-to-upgrade-previous-version.md @@ -13,7 +13,7 @@ ms.devlang: na ms.topic: conceptual ms.tgt_pltfrm: na ms.workload: Identity -ms.date: 07/18/2018 +ms.date: 04/08/2019 ms.subservice: hybrid ms.author: billmath @@ -22,6 +22,9 @@ ms.collection: M365-identity-device-management # Azure AD Connect: Upgrade from a previous version to the latest This topic describes the different methods that you can use to upgrade your Azure Active Directory (Azure AD) Connect installation to the latest release. We recommend that you keep yourself current with the releases of Azure AD Connect. You also use the steps in the [Swing migration](#swing-migration) section when you make a substantial configuration change. +>[!NOTE] +> It is currently supported to upgrade from any version of Azure AD Connect to the current version. In-place upgrades of DirSync or ADSync are not supported and a swing migration is required. If you want to upgrade from DirSync, see [Upgrade from Azure AD sync tool (DirSync)](how-to-dirsync-upgrade-get-started.md) or the [Swing migration](#swing-migration) section.
In practice, customers on extremely old versions may encounter problems not directly related to Azure AD Connect. Servers that have been in production for several years, typically have had several patches applied to them and not all of these can be accounted for. Generally, customers who have not upgraded in 12-18 months should consider a swing upgrade instead as this is the most conservative and least risky option. + If you want to upgrade from DirSync, see [Upgrade from Azure AD sync tool (DirSync)](how-to-dirsync-upgrade-get-started.md) instead. There are a few different strategies that you can use to upgrade Azure AD Connect. diff --git a/articles/active-directory/hybrid/whatis-aadc-admin-agent.md b/articles/active-directory/hybrid/whatis-aadc-admin-agent.md index 7d94d8c84e7e0..4e12dbf083376 100644 --- a/articles/active-directory/hybrid/whatis-aadc-admin-agent.md +++ b/articles/active-directory/hybrid/whatis-aadc-admin-agent.md 
@@ -37,16 +37,18 @@ The Microsoft Support Engineer cannot change any data in your system and cannot If you do not want the Microsoft service engineer to access your data for a support call you can disable this by modifying the service config file as described below: - 1. Open **C:\Program Files\Microsoft Azure AD Connect Administration Agent\AzureADConnectAdministrationAgentService.exe.config** in notepad. - 2. Disable **UserDataEnabled** setting as shown below. If **UserDataEnabled** setting exists and is set to true, then set it to false. If the setting does not exist, then add the setting as shown below. - ` - - - - - ` - 3. Save the config file. - 4. Restart Azure AD Connect Administration Agent service as shown below +1. Open **C:\Program Files\Microsoft Azure AD Connect Administration Agent\AzureADConnectAdministrationAgentService.exe.config** in notepad. +2. Disable **UserDataEnabled** setting as shown below. If **UserDataEnabled** setting exists and is set to true, then set it to false. If the setting does not exist, then add the setting as shown below. + + ```xml + + + + + ``` + +3. Save the config file. +4. Restart Azure AD Connect Administration Agent service as shown below ![admin agent](media/whatis-aadc-admin-agent/adminagent2.png) diff --git a/articles/active-directory/identity-protection/howto-investigate-risky-users-signins.md b/articles/active-directory/identity-protection/howto-investigate-risky-users-signins.md index 042fbf769b244..fc82b25457c1e 100644 --- a/articles/active-directory/identity-protection/howto-investigate-risky-users-signins.md +++ b/articles/active-directory/identity-protection/howto-investigate-risky-users-signins.md 
@@ -148,7 +148,7 @@ The **Status** filter enables you to select: ### Download risky users data -You can download the risky users data if you want work with it outside the Azure portal. Clicking Download creates a CSV file of the most recent 5K records. +You can download the risky users data if you want to work with it outside the Azure portal. Clicking Download creates a CSV file of the most recent 2,500 records. ![Risky users report](./media/howto-investigate-risky-users-signins/07.png) @@ -317,7 +317,7 @@ Possible values are: ### Download risky sign-ins data -You can download the risky sign-ins data if you want work with it outside the Azure portal. Clicking Download creates a CSV file of the most recent 5K records. +You can download the risky sign-ins data if you want to work with it outside the Azure portal. Clicking Download creates a CSV file of the most recent 2,500 records. ![Risky users report](./media/howto-investigate-risky-users-signins/15.png) diff --git a/articles/active-directory/identity-protection/media/vulnerabilities/101.png b/articles/active-directory/identity-protection/media/vulnerabilities/101.png deleted file mode 100644 index 6e32c6313754a..0000000000000 Binary files a/articles/active-directory/identity-protection/media/vulnerabilities/101.png and /dev/null differ diff --git a/articles/active-directory/identity-protection/media/vulnerabilities/identity-protection-vulnerabilities.png b/articles/active-directory/identity-protection/media/vulnerabilities/identity-protection-vulnerabilities.png new file mode 100644 index 0000000000000..e1a9cca2cd23f Binary files /dev/null and b/articles/active-directory/identity-protection/media/vulnerabilities/identity-protection-vulnerabilities.png differ diff --git a/articles/active-directory/identity-protection/vulnerabilities.md b/articles/active-directory/identity-protection/vulnerabilities.md index 8e783b58dc72d..9c84db3ecb853 100644 --- a/articles/active-directory/identity-protection/vulnerabilities.md 
+++ b/articles/active-directory/identity-protection/vulnerabilities.md 
@@ -1,63 +1,65 @@ --- -title: Vulnerabilities detected by Azure Active Directory Identity Protection | Microsoft Docs +title: Vulnerabilities detected by Azure Active Directory Identity Protection description: Overview of the vulnerabilities detected by Azure Active Directory Identity Protection. -services: active-directory -keywords: azure active directory identity protection, cloud discovery, managing applications, security, risk, risk level, vulnerability, security policy -documentationcenter: '' -author: MicrosoftGuyJFlo -manager: daveba -ms.assetid: 92233a5b-cb34-4d28-88cc-d5d29c0f3256 +services: active-directory ms.service: active-directory ms.subservice: identity-protection -ms.workload: identity -ms.tgt_pltfrm: na -ms.devlang: na ms.topic: article -ms.date: 06/27/2018 +ms.date: 04/09/2019 + ms.author: joflore +author: MicrosoftGuyJFlo +manager: daveba ms.reviewer: sahandle ms.collection: M365-identity-device-management --- # Vulnerabilities detected by Azure Active Directory Identity Protection -Vulnerabilities are weaknesses in your environment that can be exploited by an attacker. We recommend that you address these vulnerabilities to improve the security posture of your organization, and prevent attackers from exploiting them. +Vulnerabilities are weaknesses in an environment that can be exploited by an attacker. We recommend administrators address these vulnerabilities to improve the security posture of their organization. -![vulnerabilities](./media/vulnerabilities/101.png "vulnerabilities") +![Vulnerabilities reported by Identity Protection](./media/vulnerabilities/identity-protection-vulnerabilities.png) +The following sections provide you with an overview of the vulnerabilities reported by Identity Protection. +## Multi-Factor Authentication registration not configured -The following sections provide you with an overview of the vulnerabilities reported by Identity Protection. 
+This vulnerability helps assess the deployment of Azure Multi-Factor Authentication in your organization. + +To view the count for users that are not registered for MFA, click on the vulnerability and you are redirected to statistics within Identity Secure Score. -## Multi-factor authentication registration not configured -This vulnerability helps you control the deployment of Azure Multi-Factor Authentication in your organization. +Azure Multi-Factor Authentication provides a second layer of security to user authentication. It helps safeguard access to data and applications while meeting user demand for a simple sign-in process. Azure Multi-Factor Authentication provides easy to use verification options like: -Azure multi-factor authentication provides a second layer of security to user authentication. It helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of easy verification options—phone call, text message, or mobile app notification or verification code and third party OATH tokens. +* Phone call +* Text message +* Mobile app notification +* OTP Verification code We recommend that you require Azure Multi-Factor Authentication for user sign-ins. Multi-factor authentication plays a key role in risk-based conditional access policies available through Identity Protection. For more information, see [What is Azure Multi-Factor Authentication?](../authentication/multi-factor-authentication.md) ## Unmanaged cloud apps + This vulnerability helps you identify unmanaged cloud apps in your organization. -In modern enterprises, IT departments are often unaware of all the cloud applications that users in their organization are using to do their work. It is easy to see why administrators would have concerns about unauthorized access to corporate data, possible data leakage, and other security risks. +IT staff are often unaware of all the cloud applications in their organization. 
It is easy to see why administrators would have concerns about unauthorized access to corporate data, possible data leakage, and other security risks. -We recommend to deploy Cloud Discovery to discover unmanaged cloud applications, and to manage these applications using Azure Active Directory. +We recommend deploying Cloud Discovery to discover unmanaged cloud applications, and to manage these applications using Azure Active Directory. For more information, see [Cloud Discovery](/cloud-app-security/set-up-cloud-discovery). ## Security Alerts from Privileged Identity Management + This vulnerability helps you discover and resolve alerts about privileged identities in your organization. -To enable users to carry out privileged operations, organizations need to grant users temporary or permanent privileged access in Azure AD, Azure or Office 365 resources, or other SaaS apps. Each of these privileged users increases the attack surface of your organization. This vulnerability helps you identify users with unnecessary privileged access, and take appropriate action to reduce or eliminate the risk they pose. +To enable users to carry out privileged operations, organizations need to grant users temporary or permanent privileged access in Azure AD, Azure or Office 365 resources, or other SaaS apps. Each of these privileged users increases the attack surface of your organization. This vulnerability helps you identify users with unnecessary privileged access, and take appropriate action to reduce or eliminate the risk they pose. -We recommend that your organization uses Azure AD Privileged Identity Management to manage, control, and monitor privileged identities and their access to resources in Azure AD as well as other Microsoft online services like Office 365 or Microsoft Intune. 
+We recommend organizations use Azure AD Privileged Identity Management to manage, control, and monitor privileged identities in Azure AD as well as other Microsoft online services like Office 365 or Microsoft Intune. -For more information, see [Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md). +For more information, see [Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md). ## See also [Azure Active Directory Identity Protection](../active-directory-identityprotection.md) - diff --git a/articles/active-directory/index.md b/articles/active-directory/index.md index 431a4366b5d61..8f84078b7534b 100644 --- a/articles/active-directory/index.md +++ b/articles/active-directory/index.md @@ -252,7 +252,7 @@ ms.collection: M365-identity-device-management

Create an access review
Start an access review
- Using Terms of use
+ Using Terms of use
See more >



diff --git a/articles/active-directory/manage-apps/add-application-portal.md b/articles/active-directory/manage-apps/add-application-portal.md index bf651c44238f8..251f8b4aae8da 100644 --- a/articles/active-directory/manage-apps/add-application-portal.md +++ b/articles/active-directory/manage-apps/add-application-portal.md @@ -8,7 +8,7 @@ ms.service: active-directory ms.subservice: app-mgmt ms.topic: quickstart ms.workload: identity -ms.date: 07/24/2018 +ms.date: 04/09/2019 ms.author: celested ms.collection: M365-identity-device-management 
@@ -39,27 +39,27 @@ To add a gallery application to your Azure AD tenant: 1. In the [Azure portal](https://portal.azure.com), on the left navigation panel, select **Azure Active Directory**. -2. In the **Azure Active Directory** pane, select **Enterprise applications**. +1. In the **Azure Active Directory** pane, select **Enterprise applications**. ![Open enterprise applications](media/add-application-portal/open-enterprise-apps.png) -3. The **All applications** pane opens to show a random sample of the applications in your Azure AD tenant. Select **New application** at the top of the **All applications** pane. +1. The **All applications** pane opens to show a random sample of the applications in your Azure AD tenant. Select **New application** at the top of the **All applications** pane. ![New application](media/add-application-portal/new-application.png) -4. In the **Categories** pane, you'll see icons under the **Featured applications** area that are a random sample of gallery applications. To see more applications, you could select **Show more**. But, we don't recommend searching this way since there are thousands of applications in the gallery. +1. In the **Categories** pane, you'll see icons under the **Featured applications** area that are a random sample of gallery applications. To see more applications, you could select **Show more**. But, we don't recommend searching this way since there are thousands of applications in the gallery. ![Search by name or category](media/add-application-portal/categories.png) -5. To search for an application, under **Add from the gallery**, enter the name of the application you want to add. Select the application from the results and select **Add**. The following example shows the **Add app** form that appears after searching for github.com. +1. To search for an application, under **Add from the gallery**, enter the name of the application you want to add. Select the application from the results and select **Add**. 
The following example shows the **Add app** form that appears after searching for github.com. ![Add an application](media/add-application-portal/add-an-application.png) -6. In the application-specific form, you can change property information. For example, you can edit the name of the application to match the needs of your organization. This example uses the name **GitHub-test**. +1. In the application-specific form, you can change property information. For example, you can edit the name of the application to match the needs of your organization. This example uses the name **GitHub-test**. -7. When you've finished making changes to the properties, select **Add**. +1. When you've finished making changes to the properties, select **Add**. -8. A getting started page appears with the options for configuring the application for your organization. +1. A getting started page appears with the options for configuring the application for your organization. You've finished adding your application. Feel free to take a break. The next sections show you how to change the logo and edit other properties for your application. 
@@ -69,13 +69,13 @@ Let's assume you had to leave and now you're returning to continue configuring y 1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, select **Azure Active Directory**. -2. In the **Azure Active Directory** pane, select **Enterprise applications**. +1. In the **Azure Active Directory** pane, select **Enterprise applications**. -3. From the **Application Type** drop-down menu, select **All Applications**, and then select **Apply**. To learn more about the viewing options, see [View tenant applications](view-applications-portal.md). +1. From the **Application Type** drop-down menu, select **All Applications**, and then select **Apply**. To learn more about the viewing options, see [View tenant applications](view-applications-portal.md). -4. You can now see a list of all the applications in your Azure AD tenant. The list is a random sample. To see more applications, select **Show more** one or more times. +1. You can now see a list of all the applications in your Azure AD tenant. The list is a random sample. To see more applications, select **Show more** one or more times. -5. To quickly find an application in your tenant, enter the application name in the search box and select **Apply**. This example finds the GitHub-test application added previously. +1. To quickly find an application in your tenant, enter the application name in the search box and select **Apply**. This example finds the GitHub-test application added previously. ![Search for an application](media/add-application-portal/find-application.png) 
@@ -87,17 +87,17 @@ Now that you've found the application, you can open it and configure application To edit the application properties: 1. Select the application to open it. -2. Select **Properties** to open the properties pane for editing. +1. Select **Properties** to open the properties pane for editing. ![Edit properties pane](media/add-application-portal/edit-properties.png) -3. Take a moment to understand the sign-in options. The options determine how users who are assigned or unassigned to the application can sign into the application. And, the options also determine if a user can see the application in the access panel. +1. Take a moment to understand the sign-in options. The options determine how users who are assigned or unassigned to the application can sign into the application. And, the options also determine if a user can see the application in the access panel. - **Enabled for users to sign-in** determines whether users assigned to the application can sign in. - **User assignment required** determines whether users who aren't assigned to the application can sign in. - **Visible to user** determines whether users assigned to an app can see it in the access panel and O365 launcher. -4. Use the following tables to help you choose the best options for your needs. +1. Use the following tables to help you choose the best options for your needs. - Behavior for **assigned** users: @@ -134,10 +134,10 @@ To edit the application properties: To use a custom logo: 1. Create a logo that is 215 by 215 pixels, and save it in PNG format. -2. Since you've already found your application, select the application. -2. In the left pane, select **Properties**. -4. Upload the logo. -5. When you're finished, select **Save**. +1. Since you've already found your application, select the application. +1. In the left pane, select **Properties**. +1. Upload the logo. +1. When you're finished, select **Save**. ![Change the logo](media/add-application-portal/change-logo.png) 
diff --git a/articles/active-directory/manage-apps/application-proxy-configure-hard-coded-link-translation.md b/articles/active-directory/manage-apps/application-proxy-configure-hard-coded-link-translation.md index 466b8fbc8f7aa..b4f0f3277de10 100644 --- a/articles/active-directory/manage-apps/application-proxy-configure-hard-coded-link-translation.md +++ b/articles/active-directory/manage-apps/application-proxy-configure-hard-coded-link-translation.md @@ -78,6 +78,31 @@ There are two common types of internal links in on-premises applications: - **Relative internal links** that point to a shared resource in a local file structure like `/claims/claims.html`. These links automatically work in apps that are published through Application Proxy, and continue to work with or without link translation. - **Hardcoded internal links** to other on-premises apps like `http://expenses` or published files like `http://expenses/logo.jpg`. The link translation feature works on hardcoded internal links, and changes them to point to the external URLs that remote users need to go through. +The complete list of HTML code tags that Application Proxy supports link translation for include: +* a +* audio +* base +* button +* div +* embed +* form +* frame +* head +* html +* iframe +* img +* input +* link +* menuitem +* meta +* object +* script +* source +* track +* video + +Additionally, within CSS the URL attribute is also translated. + ### How do apps link to each other? Link translation is enabled for each application, so that you have control over the user experience at the per-app level. Turn on link translation for an app when you want the links *from* that app to be translated, not links *to* that app. diff --git a/articles/active-directory/manage-apps/application-proxy-configure-single-sign-on-on-premises-apps.md b/articles/active-directory/manage-apps/application-proxy-configure-single-sign-on-on-premises-apps.md index 943d09b84c3d9..f5bbbd5e74b97 100644 
--- a/articles/active-directory/manage-apps/application-proxy-configure-single-sign-on-on-premises-apps.md +++ b/articles/active-directory/manage-apps/application-proxy-configure-single-sign-on-on-premises-apps.md @@ -24,7 +24,7 @@ ms.collection: M365-identity-device-management You can provide single sign-on (SSO) to on-premises applications that are secured with SAML authentication and provide remote access to these applications through Application Proxy. With SAML single sign-on, Azure Active Directory (Azure AD) authenticates to the application by using the user's Azure AD account. Azure AD communicates the sign-on information to the application through a connection protocol. You can also map users to specific application roles based on rules you define in your SAML claims. By enabling Application Proxy in addition to SAML SSO your users will have external access to the application and a seamless SSO experience. The applications must be able to consume SAML tokens issued by **Azure Active Directory**. -This configuration does not apply to applications using an on-premises identity provider. For these scenarios we recommend reviewing [Resources for migrating applications to Azure AD](migration-resources.md). +This configuration does not apply to applications using an on-premises identity provider. For these scenarios, we recommend reviewing [Resources for migrating applications to Azure AD](migration-resources.md). SAML SSO with Application Proxy also works with the SAML token encryption feature. For more info, see [Configure Azure AD SAML token encryption](howto-saml-token-encryption.md). 
@@ -32,22 +32,23 @@ SAML SSO with Application Proxy also works with the SAML token encryption featur Before you can provide SSO for on-premises applications, make sure you have enabled Application Proxy and you have a connector installed. See [Add an on-premises application for remote access through Application Proxy in Azure AD](application-proxy-add-on-premises-application.md) to learn how. -Keep the following in mind when you're going through the tutorial: +Keep in mind the following when you're going through the tutorial: * Publish your application according to the instructions in the tutorial. Make sure to select **Azure Active Directory** as the **Pre Authentication** method for your application (step 4 in [Add an on-premises app to Azure AD](application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad )). * Copy the **External URL** for the application. * As a best practice, use custom domains whenever possible for an optimized user experience. Learn more about [Working with custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md). -* Add at least one user to the application and make sure the test account has access to the on-premises application. +* Add at least one user to the application and make sure the test account has access to the on-premises application. Using the test account test if you can reach the application by visiting the **External URL** to validate Application Proxy is set up correctly. For troubleshooting information, see [Troubleshoot Application Proxy problems and error messages](application-proxy-troubleshoot.md). ## Set up SAML SSO 1. In the Azure portal, select **Azure Active Directory > Enterprise applications** and select the application from the list. 1. From the app's **Overview** page, select **Single sign-on**. 1. Select **SAML** as the single sign-on method. -1. 
In the **Set up Single Sign-On with SAML** page, edit the **Basic SAML Configuration** data and follow the steps in [Enter basic SAML configuration](configure-single-sign-on-non-gallery-applications.md#saml-based-single-sign-on) to configure SAML-based authentication for the application. +1. In the **Set up Single Sign-On with SAML** page, edit the **Basic SAML Configuration** data, and follow the steps in [Enter basic SAML configuration](configure-single-sign-on-non-gallery-applications.md#saml-based-single-sign-on) to configure SAML-based authentication for the application. - * Make sure the **Reply URL** root matches or is a path under the **External URL** for the on-premises application that you added for remote access through Application Proxy in Azure AD. + * Make sure the **Reply URL** matches or is a path under the **External URL** for the on-premises application that you published through Application Proxy. If your application requires a different **Reply URL** for the SAML configuration, add this as the **first** URL in the list and keep the **External URL** as an additional URL, ordered after the first. + * Ensure that the application also specifies the correct **Reply URL** or Assertion Consumer Service URL to use for receiving the authentication token. ![Enter basic SAML configuration data](./media/application-proxy-configure-single-sign-on-on-premises-apps/basic-saml-configuration.png) @@ -59,7 +60,7 @@ Keep the following in mind when you're going through the tutorial: When you've completed all these steps, your app should be up and running. To test the app: 1. Open a browser and navigate to the external URL that you created when you published the app. -1. Sign in with the test account that you assigned to the app. +1. Sign in with the test account that you assigned to the app. You should be able to load the application and have SSO into the application. ## Next steps 
diff --git a/articles/active-directory/manage-apps/application-proxy-migration.md b/articles/active-directory/manage-apps/application-proxy-migration.md index 42ca58847e3b4..0996412060fd6 100644 --- a/articles/active-directory/manage-apps/application-proxy-migration.md +++ b/articles/active-directory/manage-apps/application-proxy-migration.md @@ -45,7 +45,7 @@ Use this table to understand how Threat Management Gateway (TMG), Unified Access | No components in the demilitarized zone (DMZ) | - | - | - | Yes | | No inbound connections | - | - | - | Yes | -For most scenarios, we recommend Azure AD Application as the modern solution. Web Application Proxy is only preferred in scenarios that require a proxy server for AD FS, and you can't use custom domains in Azure Active Directory. +For most scenarios, we recommend Azure AD Application Proxy as the modern solution. Web Application Proxy is only preferred in scenarios that require a proxy server for AD FS, and you can't use custom domains in Azure Active Directory. Azure AD Application Proxy offers unique benefits when compared to similar products, including: diff --git a/articles/active-directory/manage-apps/application-proxy-release-version-history.md b/articles/active-directory/manage-apps/application-proxy-release-version-history.md new file mode 100644 index 0000000000000..189373df73ca5 --- /dev/null +++ b/articles/active-directory/manage-apps/application-proxy-release-version-history.md 
@@ -0,0 +1,88 @@
+---
+title: 'Azure AD Application Proxy: Version release history | Microsoft Docs'
+description: This article lists all releases of Azure AD Application Proxy and describes new features and fixed issues
+services: active-directory
+documentationcenter: ''
+author: msmimart
+manager: celested
+editor: ''
+ms.assetid:
+ms.service: active-directory
+ms.devlang: na
+ms.topic: reference
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 04/05/2019
+ms.subservice: manage-apps
+ms.author: mimart
+
+ms.collection: M365-identity-device-management
+---
+# Azure AD Application Proxy: Version release history
+This article lists the versions and features of Azure Active Directory (Azure AD) Application Proxy that have been released. The Azure AD team regularly updates Application Proxy with new features and functionality. Application Proxy connectors are updated automatically when a new version is released.
+
+Here is a list of related resources:
+
+Resource | Details
+--------- | --------- |
+How to enable Application Proxy | Pre-requisites for enabling Application Proxy and installing and registering a connector are described in this [tutorial](application-proxy-add-on-premises-application.md).
+Understand Azure AD Application Proxy connectors | Find out more about [connector management](application-proxy-connectors.md) and how connectors [auto-upgrade](application-proxy-connectors.md#automatic-updates).
+Azure AD Application Proxy Connector Download | [Download the latest connector](https://download.msappproxy.net/subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/connector/download).
+
+## 1.5.612.0
+
+### Release status
+
+September 20, 2018: Released for download
+
+### New features and improvements
+
+- Added WebSocket support for the QlikSense application. To learn more about how to integrate QlikSense with Application Proxy, see this [walkthrough](application-proxy-qlik.md).
+- Improved the installation wizard to make it easier to configure an outbound proxy.
+- Set TLS 1.2 as the default protocol for connectors.
+- Added a new End-User License Agreement (EULA).
+
+### Fixed issues
+
+- Fixed a bug that caused some memory leaks in the connector.
+- Updated the Azure Service Bus version, which includes a bug fix for connector timeout issues.
+
+## 1.5.402.0
+
+### Release status
+
+January 19, 2018: Released for download
+
+### Fixed issues
+
+- Added support for custom domains that need domain translation in the cookie.
+
+## 1.5.132.0
+
+### Release status
+
+May 25, 2017: Released for download
+
+### New features and improvements
+
+Improved control over connectors' outbound connection limits.
+
+## 1.5.36.0
+
+### Release status
+
+April 15, 2017: Released for download
+
+### New features and improvements
+
+- Simplified onboarding and management with fewer required ports. Application Proxy now requires opening only two standard outbound ports: 443 and 80. Application Proxy continues to use only outbound connections, so you still don't need any components in a DMZ. For details, see our [configuration documentation](application-proxy-add-on-premises-application.md).
+- If supported by your external proxy or firewall, you can now open your network by DNS instead of IP range. Application Proxy services require connections to *.msappproxy.net and *.servicebus.windows.net only.
+
+
+## Earlier versions
+
+If you're using an Application Proxy connector version earlier than 1.5.36.0, update to the latest version to ensure you have the latest fully supported features.
+
+## Next steps
+- Learn more about [Remote access to on-premises applications through Azure AD Application Proxy](application-proxy.md).
+- To start using Application Proxy, see [Tutorial: Add an on-premises application for remote access through Application Proxy](application-proxy-add-on-premises-application.md).
diff --git a/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md b/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md index dffb6b6a9fbe9..b0b1d8eea56ce 100644 --- a/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md +++ b/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md @@ -9,7 +9,7 @@ ms.service: active-directory ms.subservice: app-mgmt ms.workload: identity ms.topic: conceptual -ms.date: 11/15/2018 +ms.date: 04/11/2019 ms.author: celested ms.reviewer: luleon ms.collection: M365-identity-device-management 
@@ -27,37 +27,32 @@ To assign a user or group to an enterprise app, you must have the appropriate pe ## Assign a user to an app - portal 1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's a global admin for the directory. -2. Select **All services**, enter Azure Active Directory in the text box, and then select **Enter**. -3. Select **Enterprise applications**. - - ![Opening Enterprise apps](./media/assign-user-or-group-access-portal/open-enterprise-apps.png) -4. On the **Enterprise applications** blade, select **All applications**. This lists the apps you can manage. -5. On the **Enterprise applications - All applications** blade, select an app. -6. On the ***appname*** blade (that is, the blade with the name of the selected app in the title), select **Users & Groups**. - - ![Selecting the all applications command](./media/assign-user-or-group-access-portal/select-app-users.png) -7. On the ***appname*** **- User & Group Assignment** blade, select the **Add** command. -8. On the **Add Assignment** blade, select **Users and groups**. +1. Select **All services**, enter Azure Active Directory in the text box, and then select **Enter**. +1. Select **Enterprise applications**. +1. On the **Enterprise applications - All applications** pane, you see a list of the apps you can manage. Select an app. +1. On the ***appname*** pane (that is, the pane with the name of the selected app in the title), select **Users & Groups**. +1. On the ***appname*** **- User and groups** pane, select **Add user**. +1. On the **Add Assignment** pane, select **Users and groups**. ![Assign a user or group to the app](./media/assign-user-or-group-access-portal/assign-users.png) -9. On the **Users and groups** blade, select one or more users or groups from the list and then select the **Select** button at the bottom of the blade. -10. On the **Add Assignment** blade, select **Role**. 
Then, on the **Select Role** blade, select a role to apply to the selected users or groups, and then select the **OK** button at the bottom of the blade. -11. On the **Add Assignment** blade, select the **Assign** button at the bottom of the blade. The assigned users or groups have the permissions defined by the selected role for this enterprise app. +1. On the **Users and groups** pane, select one or more users or groups from the list and then choose the **Select** button at the bottom of the pane. +1. On the **Add Assignment** pane, select **Role**. Then, on the **Select Role** pane, select a role to apply to the selected users or groups, then select **OK** at the bottom of the pane. +1. On the **Add Assignment** pane, select the **Assign** button at the bottom of the pane. The assigned users or groups have the permissions defined by the selected role for this enterprise app. ## Allow all users to access an app - portal To allow all users to access an application: 1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's a global admin for the directory. -2. Select **All services**, enter Azure Active Directory in the text box, and then select **Enter**. -3. Select **Enterprise applications**. -4. On the **Enterprise applications** blade, select **All applications**. This lists the apps you can manage. -5. On the **Enterprise applications - All applications** blade, select an app. -6. On the ***appname*** blade, select **Properties**. -7. On the ***appname* - Properties** blade, set the **User assignment required?** setting to **No**. +1. Select **All services**, enter Azure Active Directory in the text box, and then select **Enter**. +1. Select **Enterprise applications**. +1. On the **Enterprise applications** pane, select **All applications**. This lists the apps you can manage. +1. On the **Enterprise applications - All applications** pane, select an app. +1. On the ***appname*** pane, select **Properties**. +1. 
On the ***appname* - Properties** pane, set the **User assignment required?** setting to **No**. The **User assignment required?** option: -- Does not affect whether or not an application appears on the application access panel. To show the application on the access panel, you need to assign an appropriate user or group to the application. +- Doesn't affect whether or not an application appears on the application access panel. To show the application on the access panel, you need to assign an appropriate user or group to the application. - Only functions with the cloud applications that are configured for SAML single sign-on, and on-premises applications configured with Application Proxy. See [Single sign-on for applications](what-is-single-sign-on.md). - Requires that users consent to an application. An admin can grant consent for all users. See [Configure the way end-users consent to an application](configure-user-consent.md). @@ -69,8 +64,8 @@ The **User assignment required?** option: >[!NOTE] > You need to install the AzureAD module (use the command `Install-Module -Name AzureAD`). If prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER. -2. Run `Connect-AzureAD` and sign in with a Global Admin user account. -3. Use the following script to assign a user and role to an application: +1. Run `Connect-AzureAD` and sign in with a Global Admin user account. +1. Use the following script to assign a user and role to an application: ```powershell # Assign the values to the variables 
@@ -103,7 +98,7 @@ This example assigns the user Britta Simon to the [Microsoft Workplace Analytics $app_name = "Workplace Analytics" ``` -2. In this example, we don't know what is the exact name of the application role we want to assign to Britta Simon. Run the following commands to get the user ($user) and the service principal ($sp) using the user UPN and the service principal display names. +1. In this example, we don't know what is the exact name of the application role we want to assign to Britta Simon. Run the following commands to get the user ($user) and the service principal ($sp) using the user UPN and the service principal display names. ```powershell # Get the user to assign, and the service principal for the app to assign to @@ -111,11 +106,11 @@ This example assigns the user Britta Simon to the [Microsoft Workplace Analytics $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'" ``` -3. Run the command `$sp.AppRoles` to display the roles available for the Workplace Analytics application. In this example, we want to assign Britta Simon the Analyst (Limited access) Role. +1. Run the command `$sp.AppRoles` to display the roles available for the Workplace Analytics application. In this example, we want to assign Britta Simon the Analyst (Limited access) Role. ![Workplace Analytics Role](./media/assign-user-or-group-access-portal/workplace-analytics-role.png) -4. Assign the role name to the `$app_role_name` variable. +1. Assign the role name to the `$app_role_name` variable. ```powershell # Assign the values to the variables @@ -123,7 +118,7 @@ This example assigns the user Britta Simon to the [Microsoft Workplace Analytics $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name } ``` -5. Run the following command to assign the user to the app role: +1. Run the following command to assign the user to the app role: ```powershell # Assign the user to the app role 
diff --git a/articles/active-directory/manage-apps/certificate-signing-options.md b/articles/active-directory/manage-apps/certificate-signing-options.md
index e385623e7b376..f906e5ba294f2 100644
--- a/articles/active-directory/manage-apps/certificate-signing-options.md
+++ b/articles/active-directory/manage-apps/certificate-signing-options.md
@@ -45,7 +45,7 @@ Azure AD supports two signing algorithms, or secure hash algorithms (SHAs), to s
 * **SHA-1**. This algorithm is older, and it's treated as less secure than SHA-256. If an application supports only this signing algorithm, you can select this option in the **Signing Algorithm** drop-down list. Azure AD then signs the SAML response with the SHA-1 algorithm.
-## Change the certificate signing options and certificate signing algorithm
+## Change certificate signing options and signing algorithm
 To change an application's SAML certificate signing options and the certificate signing algorithm, select the application in question:
diff --git a/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md b/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
index 4018bf2c0a5ce..d28869e1e2757 100644
--- a/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
+++ b/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
@@ -1,6 +1,6 @@
 ---
 title: Configure sign-in auto-acceleration for an application using a Home Realm Discovery policy | Microsoft Docs
-description: Explains what an Azure AD tenant is, and how to manage Azure through Azure Active Directory.
+description: Learn how to configure Home Realm Discovery policy for Azure Active Directory authentication for federated users, including auto-acceleration and domain hints.
 services: active-directory
 documentationcenter:
 author: CelesteDG
@@ -11,14 +11,15 @@ ms.workload: infrastructure-services
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 06/08/2018
+ms.date: 04/08/2019
 ms.author: celested
+ms.custom: seoapril2019
 ms.collection: M365-identity-device-management
 ---
 # Configure Azure Active Directory sign in behavior for an application by using a Home Realm Discovery policy
-The following document provides an introduction to configuring Azure Active Directory authentication behavior for federated users. It covers configuration of auto-acceleration and authentication restrictions for users in federated domains.
+This article provides an introduction to configuring Azure Active Directory authentication behavior for federated users. It covers configuration of auto-acceleration and authentication restrictions for users in federated domains.
 ## Home Realm Discovery
 Home Realm Discovery (HRD) is the process that allows Azure Active Directory (Azure AD) to determine where a user needs to authenticate at sign-in time. When a user signs in to an Azure AD tenant to access a resource, or to the Azure AD common sign-in page, they type a user name (UPN). Azure AD uses that to discover where the user needs to sign in.
diff --git a/articles/active-directory/manage-apps/configure-automatic-user-provisioning-portal.md b/articles/active-directory/manage-apps/configure-automatic-user-provisioning-portal.md
index 95144f46e7bf8..bd044a7cd9afa 100644
--- a/articles/active-directory/manage-apps/configure-automatic-user-provisioning-portal.md
+++ b/articles/active-directory/manage-apps/configure-automatic-user-provisioning-portal.md
@@ -12,44 +12,57 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 11/13/2018
+ms.date: 04/01/2019
 ms.author: celested
 ms.reviewer: asmalser
 ms.collection: M365-identity-device-management
 ---
 # Managing user account provisioning for enterprise apps in the Azure portal
+
 This article describes how to use the [Azure portal](https://portal.azure.com) to manage automatic user account provisioning and de-provisioning for applications that support it. To learn more about automatic user account provisioning and how it works, see [Automate User Provisioning and Deprovisioning to SaaS Applications with Azure Active Directory](user-provisioning.md).
 ## Finding your apps in the portal
-All applications that are configured for single sign-on in a directory can be viewed and managed in the [Azure portal](https://portal.azure.com). The applications can be found in the **All Services** > **Enterprise Applications** section of the portal. Enterprise apps are apps that are deployed and used within your organization.
-![Enterprise Applications pane](./media/configure-automatic-user-provisioning-portal/enterprise-apps-pane.png)
+Use the Azure Active Directory portal to view and manage all applications that are configured for single sign-on in a directory. Enterprise apps are apps that are deployed and used within your organization. Follow these steps to view and manage your enterprise applications:
+
+1. Open the [Azure Active Directory portal](https://aad.portal.azure.com).
-Selecting the **All applications** link on the left shows a list of all apps that have been configured, including apps that had been added from the gallery. Selecting an app loads the resource pane for that app, where reports can be viewed for that app and a variety of settings can be managed.
+1. Select **Enterprise applications** from the left pane. A list of all configured apps is shown, including apps that were added from the gallery.
-User account provisioning settings can be managed by selecting **Provisioning** on the left.
+1. Select any app to load its resource pane, where you can view reports and manage app settings.
-![Application resource pane](./media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning.png)
+1. Select **Provisioning** to manage user account provisioning settings for the selected app.
+
+ ![Application resource pane](./media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning.png)
 ## Provisioning modes
-The **Provisioning** pane begins with a **Mode** menu, which shows what provisioning modes are supported for an enterprise application, and allows them to be configured. The available options include:
-* **Automatic** - This option appears if Azure AD supports automatic API-based provisioning and/or de-provisioning of user accounts to this application. Selecting this mode displays an interface that guides administrators through configuring Azure AD to connect to the application's user management API, creating account mappings and workflows that define how user account data should flow between Azure AD and the app, and managing the Azure AD provisioning service.
-* **Manual** - This option is shown if Azure AD does not support automatic provisioning of user accounts to this application. This option means that user account records stored in the application must be managed using an external process, based on the user management and provisioning capabilities provided by that application (which can include SAML Just-In-Time provisioning).
+The **Provisioning** pane begins with a **Mode** menu, which shows the provisioning modes supported for an enterprise application, and lets you configure them. The available options include:
+
+* **Automatic** - This option is shown if Azure AD supports automatic API-based provisioning or de-provisioning of user accounts to this application. Select this mode to display an interface that helps administrators:
+
+ * Configure Azure AD to connect to the application's user management API
+ * Create account mappings and workflows that define how user account data should flow between Azure AD and the app
+ * Manage the Azure AD provisioning service
+
+* **Manual** - This option is shown if Azure AD doesn't support automatic provisioning of user accounts to this application. In this case, user account records stored in the application must be managed using an external process, based on the user management and provisioning capabilities provided by that application (which can include SAML Just-In-Time provisioning).
 ## Configuring automatic user account provisioning
-Selecting the **Automatic** option displays a screen that is divided in four sections:
+
+Select the **Automatic** option to specify settings for admin credentials, mappings, starting and stopping, and synchronization.
 ### Admin Credentials
-This section is where the credentials required for Azure AD to connect to the application's user management API are entered. The input required varies depending on the application. To learn about the credential types and requirements for specific applications, see the [configuration tutorial for that specific application](user-provisioning.md).
-Selecting the **Test Connection** button allows you to test the credentials by having Azure AD attempt to connect to the app's provisioning app using the supplied credentials.
+Expand **Admin Credentials** to enter the credentials required for Azure AD to connect to the application's user management API. The input required varies depending on the application. To learn about the credential types and requirements for specific applications, see the [configuration tutorial for that specific application](user-provisioning.md).
+
+Select **Test Connection** to test the credentials by having Azure AD attempt to connect to the app's provisioning app using the supplied credentials.
 ### Mappings
-This section is where admins can view and edit what user attributes flow between Azure AD and the target application, when user accounts are provisioned or updated.
-There is a preconfigured set of mappings between Azure AD user objects and each SaaS app’s user objects. Some apps manage other types of objects, such as Groups or Contacts. Selecting one of these mappings in the table shows the mapping editor to the right, where they can be viewed and customized.
+Expand **Mappings** to view and edit the user attributes that flow between Azure AD and the target application when user accounts are provisioned or updated.
+
+There's a preconfigured set of mappings between Azure AD user objects and each SaaS app’s user objects. Some apps manage other types of objects, such as Groups or Contacts. Select a mapping in the table to open the mapping editor to the right, where you can view and customize them.
 ![Application resource pane](./media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning-mapping.png)
@@ -57,21 +70,30 @@ Supported customizations include:
 * Enabling and disabling mappings for specific objects, such as the Azure AD user object to the SaaS app's user object.
 * Editing the attributes that flow from the Azure AD user object to the app's user object. For more information on attribute mapping, see [Understanding attribute mapping types](customize-application-attributes.md#understanding-attribute-mapping-types).
-* Filter the provisioning actions that Azure AD performs on the targeted application. Instead of having Azure AD fully synchronize objects, you can limit the actions performed. For example, by only selecting **Update**, Azure AD only updates existing user accounts in an application and does not create new ones. By only selecting **Create**, Azure only creates new user accounts but does not update existing ones. This feature allows admins to create different mappings for account creation and update workflows.
+* Filtering the provisioning actions that Azure AD runs on the targeted application. Instead of having Azure AD fully synchronize objects, you can limit the actions run.
+
+ For example, only select **Update** and Azure AD only updates existing user accounts in an application but doesn't create new ones. Only select **Create** and Azure only creates new user accounts but doesn't update existing ones. This feature lets admins create different mappings for account creation and update workflows.
+
+* Adding a new attribute mapping. Select **Add New Mapping** at the bottom of the **Attribute Mapping** pane. Fill out the **Edit Attribute** form and select **Ok** to add the new mapping to the list.
 ### Settings
-This section allows admins to start and stop the Azure AD provisioning service for the selected application, as well as optionally clear the provisioning cache and restart the service.
-If provisioning is being enabled for the first time for an application, turn on the service by changing the **Provisioning Status** to **On**. This change causes the Azure AD provisioning service to perform an initial sync, where it reads the users assigned in the **Users and groups** section, queries the target application for them, and then performs the provisioning actions defined in the Azure AD **Mappings** section. During this process, the provisioning service stores cached data about what user accounts it is managing, so non-managed accounts inside the target applications that were never in scope for assignment aren't affected by de-provisioning operations. After the initial sync, the provisioning service automatically synchronizes user and group objects on a ten-minute interval.
+You can start and stop the Azure AD provisioning service for the selected application in the **Settings** area of the **Provisioning** screen. You can also choose to clear the provisioning cache and restart the service.
-Changing the **Provisioning Status** to **Off** simply pauses the provisioning service. In this state, Azure does not create, update, or remove any user or group objects in the app. Changing the state back to on causes the service to pick up where it left off.
+If provisioning is being enabled for the first time for an application, turn on the service by changing the **Provisioning Status** to **On**. This change causes the Azure AD provisioning service to run an initial sync. It reads the users assigned in the **Users and groups** section, queries the target application for them, and then runs the provisioning actions defined in the Azure AD **Mappings** section. During this process, the provisioning service stores cached data about what user accounts it's managing, so non-managed accounts inside the target applications that were never in scope for assignment aren't affected by de-provisioning operations. After the initial sync, the provisioning service automatically synchronizes user and group objects on a ten-minute interval.
-Selecting the **Clear current state and restart synchronization** checkbox and saving stops the provisioning service, dumps the cached data about what accounts Azure AD is managing, restarts the services and performs the initial synchronization again. This option allows admins to start the provisioning deployment process over again.
+Change the **Provisioning Status** to **Off** to pause the provisioning service. In this state, Azure doesn't create, update, or remove any user or group objects in the app. Change the state back to **On** and the service picks up where it left off.
-### Synchronization Details
-This section provides addition details about the operation of the provisioning service, including the first and last times the provisioning service ran against the application, and how many user and group objects are being managed.
+Select the **Clear current state and restart synchronization** checkbox and select **Save** to:
+
+* Stop the provisioning service
+* Dump the cached data about what accounts Azure AD is managing
+* Restart the services and run the initial synchronization again
-Links are provided to the **Provisioning activity report** that provides a log of all users and groups created, updated, and removed between Azure AD and the target application, and to the **Provisioning error report** that provides more detailed error messages for user and group objects that failed to be read, created, updated, or removed.
+This option lets admins start the provisioning deployment process over again.
+### Synchronization Details
+This section provides additional details about the operation of the provisioning service, including the first and last times the provisioning service ran against the application, and how many user and group objects it manages.
+A link is provided to the **Provisioning activity report**, which provides a log of all users and groups created, updated, and removed between Azure AD and the target application. A link is also provided to the **Provisioning error report**, which provides more detailed error messages for user and group objects that failed to be read, created, updated, or removed.
diff --git a/articles/active-directory/manage-apps/configure-single-sign-on-portal.md b/articles/active-directory/manage-apps/configure-single-sign-on-portal.md
index 1688f9b302c7d..e5729b2a7ace1 100644
--- a/articles/active-directory/manage-apps/configure-single-sign-on-portal.md
+++ b/articles/active-directory/manage-apps/configure-single-sign-on-portal.md
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 12/06/2018
+ms.date: 04/08/2019
 ms.author: celested
 ms.reviewer: arvinh,luleon
 ms.collection: M365-identity-device-management
@@ -33,33 +33,35 @@ This tutorial uses the Azure portal to:
 1. If the application hasn't been added to your Azure AD tenant, see [Quickstart: Add an application to your Azure AD tenant](add-application-portal.md).
-2. Ask your application vendor for the information described in [Configure domain and URLS](#configure-domain-and-urls).
+2. Ask your application vendor for the information described in [Configure basic SAML options](#configure-basic-saml-options).
-3. To test the steps in this tutorial, we recommend using a non-production environment. If you don't have an Azure AD non-production environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/).
+3. Use a non-production environment to test the steps in this tutorial. If you don't have an Azure AD non-production environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/).
 4. Sign in to the [Azure portal](https://portal.azure.com) as a cloud application admin, or an application admin for your Azure AD tenant.
 ## Select a single sign-on mode
-After an application is added to your Azure AD tenant, you're ready to configure single sign-on for the application.
+After you've added an application to your Azure AD tenant, you're ready to configure single sign-on for the application.
 To open the single sign-on settings:
-1. In the [Azure portal](https://portal.azure.com), on the left navigation panel, click **Azure Active Directory**.
+1. In the [Azure portal](https://portal.azure.com), on the left navigation panel, select **Azure Active Directory**.
-2. In the **Azure Active Directory** blade, click **Enterprise applications**. The **All applications** blade opens to show a random sample of the applications in your Azure AD tenant.
+2. Under **Manage** in the **Azure Active Directory** navigation panel that appears, select **Enterprise applications**. A random sample of the applications in your Azure AD tenant appears.
-3. In the **Application Type** menu, select **All applications**, and click **Apply**.
+3. In the **Application Type** menu, select **All applications**, and then select **Apply**.
-4. Enter the name of the application for which you want to configure single sign-on. Choose your own application, or enter **GitHub-test** to configure the application you added in the [add application](add-application-portal.md) quickstart.
+4. Enter the name of the application for which you want to configure single sign-on. For example, you can enter **GitHub-test** to configure the application you added in the [add application](add-application-portal.md) quickstart.
-5. Click **Single sign-on**. Under **Single Sign-on Mode**, **SAML-based Sign-on** appears as the default option.
+ ![Screenshot that shows the application search bar.](media/configure-single-sign-on-portal/azure-portal-application-search.png)
- ![Configuration options](media/configure-single-sign-on-portal/config-options.png)
+5. Choose the application for which you want to configure single sign-on.
-6. Click **Save** at the top of the blade.
+6. Under the **Manage** section, select **Single sign-on**.
-## Configure domain and URLs
+7. Select **SAML** to configure single sign-on. The **Set up Single Sign-On with SAML - Preview** page appears.
+
+## Configure basic SAML options
 To configure the domain and URLs:
@@ -67,106 +69,94 @@ To configure the domain and URLs: | Configuration setting | SP-Initiated | idP-Initiated | Description | |:--|:--|:--|:--| - | Sign-on URL | Required | Don't specify | When a user opens this URL, the service provider redirects to Azure AD to authenticate and sign on the user. Azure AD uses the URL to start the application from Office 365 or the Azure AD Access Panel. When blank, Azure AD relies on the identity provider to initiate single sign-on when a user launches the application.| | Identifier (Entity ID) | Required for some apps | Required for some apps | Uniquely identifies the application for which single sign-on is being configured. Azure AD sends the identifier to the application as the Audience parameter of the SAML token. The application is expected to validate it. This value also appears as the Entity ID in any SAML metadata provided by the application.| | Reply URL | Optional | Required | Specifies where the application expects to receive the SAML token. The reply URL is also referred to as the Assertion Consumer Service (ACS) URL. | - | Relay State | Optional | Optional | Specifies to the application where to redirect the user after authentication is completed. Typically the value is a valid URL for the application, however some applications use this field differently. For more information, ask the application vendor. - -2. Enter the information. To see all the settings, click **Show advanced URL settings**. + | Sign-on URL | Required | Don't specify | When a user opens this URL, the service provider redirects to Azure AD to authenticate and sign on the user. Azure AD uses the URL to start the application from Office 365 or the Azure AD Access Panel. When blank, Azure AD relies on the identity provider to start single sign-on when a user launches the application.| + | Relay State | Optional | Optional | Specifies to the application where to redirect the user after authentication is completed. 
Typically the value is a valid URL for the application. However, some applications use this field differently. For more information, ask the application vendor. + | Logout URL | Optional | Optional | Used to send the SAML Logout responses back to the application. - ![Configuration options](media/configure-single-sign-on-portal/config-urls.png) -3. At the top of the blade, click **Save**. +2. To edit the basic SAML configuration options, select the **Edit** icon (a pencil) in the upper-right corner of the **Basic SAML Configuration** section. -4. There's a **Test SAML Settings** button in this section. Run this test later in the tutorial in the [Test single sign-on](#test-single-sign-on) section. + ![Configure certificates](media/configure-single-sign-on-portal/basic-saml-configuration-edit-icon.png) -## Configure user attributes +3. In the appropriate fields on the page, enter the information provided by the application vendor in step 1. -User attributes allow you to control what information Azure AD sends to the application in the SAML token each time a user signs on. For example, Azure AD could send the name, email, and employee ID of the user to the application. +4. At the top of the page, select **Save**. -These attributes may be required or optional to make single sign-on work properly. For more information, see the [application-specific tutorial](../saas-apps/tutorial-list.md), or ask the application vendor. +## Configure user attributes and claims -1. To view all the options, click **View and edit all other user attributes**. +You can control what information Azure AD sends to the application in the SAML token when a user signs in. You control this information by configuring user attributes. For example, you can configure Azure AD to send the user's name, email, and employee ID to the application when a user signs in. 
- ![Configure user attributes](media/configure-single-sign-on-portal/config-user-attributes.png) +These attributes may be required or optional to make single sign-on work properly. For more information, see the [application-specific tutorial](../saas-apps/tutorial-list.md), or ask the application vendor. -2. Enter **User Identifier**. +1. To edit user attributes and claims, select the **Edit** icon (a pencil) in the upper-right corner of the **User Attributes and Claims** section. - The user identifier uniquely identifies each user within the application. For example, if the email address is both the username and the unique identifier, set the value to *user.mail*. + The **Name Identifier Value** is set with the default value of *user.principalname*. The user identifier uniquely identifies each user within the application. For example, if the email address is both the username and the unique identifier, set the value to *user.mail*. -3. For more SAML token attributes, click **View and edit all other user attributes**. +2. To modify the **Name Identifier Value**, select the **Edit** icon (a pencil) for the **Name Identifier Value** field. Make the appropriate changes to the identifier format and source, as needed. Save the changes when you're done. For more information about customizing claims, see the [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md) how-to article. -4. To add an attribute to the **SAML Token Attributes**, click **Add attribute**. Enter the **Name** and select the **Value** from the menu. +3. To add a claim, select **Add new claim** at the top of the page. Enter the **Name** and select the appropriate source. If you select the **Attribute** source, you'll need to choose the **Source attribute** you want to use. If you select the **Translation** source, you'll need to choose the **Transformation** and **Parameter 1** you want to use. -5. Click **Save**. 
You see the new attribute in the table. +4. Select **Save**. The new claim appears in the table. -## Create a SAML signing certificate +## Generate a SAML signing certificate Azure AD uses a certificate to sign the SAML tokens that it sends to the application. -1. To see all the options, click **Show advanced certificate signing options**. - - ![Configure certificates](media/configure-single-sign-on-portal/config-certificate.png) - -2. To configure a certificate, click **Create new certificate**. - -3. In the **Create New Certificate** blade, set **expiration date**, and click **Save**. +1. To generate a new certificate, select the **Edit** icon (a pencil) in the upper-right corner of the **SAML Signing Certificate** section. -4. Click **Make new certificate active**. +2. In the **SAML Signing Certificate** section, select **New Certificate**. -5. To learn more, see [Advanced certificate signing options](certificate-signing-options.md). +3. In the new certificate row that appears, set the **Expiration Date**. For more information about available configuration options, see the [Advanced certificate signing options](certificate-signing-options.md) article. -6. To keep the changes you have made so far, be sure to click **Save** at the top of the **Single sign-on** blade. +4. Select **Save** at the top of the **SAML Signing Certificate** section. ## Assign users to the application -Microsoft recommends testing the single sign-on with several users or groups before rolling out the application to your organization. +It's a good idea to test the single sign-on with several users or groups before rolling out the application to your organization. + +> [!NOTE] +> +> These steps take you to the **Users and groups** configuration section in the portal. When you finish, you'll need to navigate back to the **Single sign-on** section to complete the tutorial. To assign a user or group to the application: 1. Open the application in the portal, if it isn't already open. -2. 
In the left application blade, click **Users and groups**. -3. Click **Add user**. -4. In the **Add Assignment** blade, click **Users and groups**. -5. To find a specific user, type the user name into the **Select** box, click the checkbox next to the user’s profile photo or logo, and click **Select**. -6. Find your current username and select it. You can optionally select more users. -7. In the **Add Assignment** blade, click **Assign**. When completed, the selected users appear in the **Users and groups** list. - -## Configure the application to use Azure AD - -You're almost done. As a final step, you need to configure the application to use Azure AD as a SAML identity provider. +2. In the left navigation panel for the application, select **Users and groups**. +3. Select **Add user**. +4. In the **Add Assignment** section, select **Users and groups**. +5. To find a specific user, type the user name into the **Select member or invite an external user** box. Then, select the user’s profile photo or logo, and then choose **Select**. +6. In the **Add Assignment** section, select **Assign**. When finished, the selected users appear in the **Users and groups** list. -1. Scroll down to the end of the **Single sign-on** blade for your application. +## Set up the application to use Azure AD - ![Configure application](media/configure-single-sign-on-portal/configure-app.png) +You're almost done. As a final step, you need to set up the application to use Azure AD as a SAML identity provider. -2. Click **Configure application** in the portal, and follow the instructions. -3. Manually create user accounts in the application to test single sign-on. Create the user accounts you assigned to the application in the [previous section](#assign-users-to-the-application). +1. Scroll down to the **Set up ** section. For this tutorial, this section is called **Set up GitHub-test**. +2. Copy the value from each row in this section. 
Then, paste each value into the appropriate row in the **Basic SAML Configuration** section. For example, copy the **Login URL** value from the **Set up GitHub-test** section and paste it into the **Sign On URL** field in the **Basic SAML Configuration** section, and so on. +3. When you've pasted all the values into the appropriate fields, select **Save**. ## Test single sign-on -You are ready to test your settings. +You're ready to test your settings. 1. Open the single sign-on settings for your application. -2. Scroll to the **Configure domain and URLs** section. -2. Click **Test SAML Settings**. The testing options appear. +2. Scroll to the **Validate single sign-on with ** section. For this tutorial, this section is called **Set up GitHub-test**. +3. Select **Test**. The testing options appear. +4. Select **Sign in as current user**. This test lets you first see if single sign-on works for you, the admin. - ![Test single sign-on options](media/configure-single-sign-on-portal/test-single-sign-on.png) +If there's an error, an error message appears. Complete the following steps: -3. Click **Sign in as current user**. This test lets you first see if single sign-on works for you, the admin. -4. If there's an error, an error message appears. Copy and paste the specifics into the **What does the error look like?** box. +1. Copy and paste the specifics into the **What does the error look like?** box. ![Get resolution guidance](media/configure-single-sign-on-portal/error-guidance.png) -5. Click **Get resolution guidance**. The root cause and resolution guidance appear. In this example, the user wasn't assigned to the application. - - ![Fix error](media/configure-single-sign-on-portal/fix-error.png) - -6. Read the resolution guidance and then, if appropriate, click **Fix it**. - -7. Run the test again until it completes successfully. +2. Select **Get resolution guidance**. The root cause and resolution guidance appear. 
In this example, the user wasn't assigned to the application. +3. Read the resolution guidance and then, if possible, fix the issue. +4. Run the test again until it completes successfully. ## Next steps In this tutorial, you configured the single sign-on settings for an application. After finishing the configuration, you assigned a user to the application, and configured the application to use SAML-based single sign-on. When all of this work was finished, you verified the SAML sign-on is working properly. @@ -181,7 +171,7 @@ You did these things: > * Configured the application to use Azure AD as a SAML identity provider > * Tested the SAML-based single sign-on -To roll out the application to more users in your organization, we recommend using automatic user provisioning. +To roll out the application to more users in your organization, use automatic user provisioning. > [!div class="nextstepaction"] > [Learn how to assign users with automatic provisioning](configure-automatic-user-provisioning-portal.md) diff --git a/articles/active-directory/manage-apps/customize-application-attributes.md b/articles/active-directory/manage-apps/customize-application-attributes.md index 65462915060ab..4c844d5840f21 100644 --- a/articles/active-directory/manage-apps/customize-application-attributes.md +++ b/articles/active-directory/manage-apps/customize-application-attributes.md 
@@ -12,35 +12,44 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: conceptual -ms.date: 09/09/2018 +ms.date: 04/03/2019 ms.author: celested ms.custom: H1Hack27Feb2017 ms.collection: M365-identity-device-management --- # Customizing User Provisioning Attribute-Mappings for SaaS Applications in Azure Active Directory -Microsoft Azure AD provides support for user provisioning to third-party SaaS applications such as Salesforce, Google Apps and others. If you have user provisioning for a third-party SaaS application enabled, the Azure portal controls its attribute values in form of attribute-mappings. +Microsoft Azure AD provides support for user provisioning to third-party SaaS applications such as Salesforce, Google Apps and others. If you enable user provisioning for a third-party SaaS application, the Azure portal controls its attribute values through attribute-mappings. -There is a pre-configured set of attributes and attribute-mappings between Azure AD user objects and each SaaS app’s user objects. Some apps manage other types of objects in addition to Users, such as Groups.
- You can customize the default attribute-mappings according to your business needs. This means, you can change or delete existing attribute-mappings, or create new attribute-mappings. +There's a pre-configured set of attributes and attribute-mappings between Azure AD user objects and each SaaS app’s user objects. Some apps manage other types of objects along with Users, such as Groups. + +You can customize the default attribute-mappings according to your business needs. So, you can change or delete existing attribute-mappings, or create new attribute-mappings. ## Editing user attribute-mappings -In the Azure AD portal, you can access this feature by clicking a **Mappings** configuration under **Provisioning** in the **Manage** section of an **Enterprise application**. +Follow these steps to access the **Mappings** feature of user provisioning: + +1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com). + +1. Select **Enterprise applications** from the left pane. A list of all configured apps is shown, including apps that were added from the gallery. +1. Select any app to load its app management pane, where you can view reports and manage app settings. -![Salesforce](./media/customize-application-attributes/21.png) +1. Select **Provisioning** to manage user account provisioning settings for the selected app. -Clicking a **Mappings** configuration, opens the related **Attribute-Mapping** screen. There are attribute-mappings that are required by a SaaS application to function correctly. For required attributes, the **Delete** feature is unavailable. +1. Expand **Mappings** to view and edit the user attributes that flow between Azure AD and the target application. If the target application supports it, this section lets you optionally configure provisioning of groups and user accounts. + ![Salesforce](./media/customize-application-attributes/21.png) -![Salesforce](./media/customize-application-attributes/22.png) +1. 
Select a **Mappings** configuration to open the related **Attribute Mapping** screen. Some attribute-mappings are required by a SaaS application to function correctly. For required attributes, the **Delete** feature is unavailable. -In the example above, you can see that the **Username** attribute of a managed object in Salesforce is populated with the **userPrincipalName** value of the linked Azure Active Directory Object. + ![Salesforce](./media/customize-application-attributes/22.png) -You can customize existing **Attribute-Mappings** by clicking a mapping. This opens the **Edit Attribute** screen. + In this screenshot, you can see that the **Username** attribute of a managed object in Salesforce is populated with the **userPrincipalName** value of the linked Azure Active Directory Object. -![Salesforce](./media/customize-application-attributes/23.png) +1. Select an existing **Attribute Mapping** to open the **Edit Attribute** screen. Here you can edit the user attributes that flow between Azure AD and the target application. + + ![Salesforce](./media/customize-application-attributes/23.png) ### Understanding attribute-mapping types 
@@ -48,35 +57,35 @@ With attribute-mappings, you control how attributes are populated in a third-par There are four different mapping types supported: * **Direct** – the target attribute is populated with the value of an attribute of the linked object in Azure AD. -* **Constant** – the target attribute is populated with a specific string you have specified. +* **Constant** – the target attribute is populated with a specific string you specified. * **Expression** - the target attribute is populated based on the result of a script-like expression. For more information, see [Writing Expressions for Attribute-Mappings in Azure Active Directory](functions-for-customizing-application-data.md). -* **None** - the target attribute is left unmodified. However, if the target attribute is ever empty, it is populated with the Default value that you specify. +* **None** - the target attribute is left unmodified. However, if the target attribute is ever empty, it's populated with the Default value that you specify. -In addition to these four basic types, custom attribute-mappings support the concept of an optional **default** value assignment. The default value assignment ensures that a target attribute is populated with a value if there is neither a value in Azure AD nor on the target object. The most common configuration is to leave this blank. +Along with these four basic types, custom attribute-mappings support the concept of an optional **default** value assignment. The default value assignment ensures that a target attribute is populated with a value if there's not a value in Azure AD or on the target object. The most common configuration is to leave this blank. ### Understanding attribute-mapping properties -In the previous section, you have already been introduced to the attribute-mapping type property. 
-In addition to this property, attribute-mappings do also support the following attributes: +In the previous section, you were already introduced to the attribute-mapping type property. +Along with this property, attribute-mappings also support the following attributes: - **Source attribute** - The user attribute from the source system (example: Azure Active Directory). - **Target attribute** – The user attribute in the target system (example: ServiceNow). -- **Match objects using this attribute** – Whether or not this mapping should be used to uniquely identify users between the source and target systems. This is typically set on the userPrincipalName or mail attribute in Azure AD, which is typically mapped to a username field in a target application. -- **Matching precedence** – Multiple matching attributes can be set. When there are multiple, they are evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated. +- **Match objects using this attribute** – Whether this mapping should be used to uniquely identify users between the source and target systems. It's typically set on the userPrincipalName or mail attribute in Azure AD, which is typically mapped to a username field in a target application. +- **Matching precedence** – Multiple matching attributes can be set. When there are multiple, they're evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated. - **Apply this mapping** - - **Always** – Apply this mapping on both user creation and update actions - - **Only during creation** - Apply this mapping only on user creation actions + - **Always** – Apply this mapping on both user creation and update actions. + - **Only during creation** - Apply this mapping only on user creation actions. 
## Editing group attribute-mappings -A selected number of applications, such as ServiceNow, Box, and Google Apps, support the ability to provision Group objects in addition to User objects. Group objects can contain group properties such as display names and email aliases, in addition to group members. +A selected number of applications, such as ServiceNow, Box, and Google Apps, support the ability to provision Group objects and User objects. Group objects can contain group properties such as display names and email aliases, along with group members. ![ServiceNow](./media/customize-application-attributes/24.png) -Group provisioning can be optionally enabled or disabled by selecting the group mapping under **Mappings**, and setting **Enabled** to the desired option in the **Attribute-Mapping** screen. +Group provisioning can be optionally enabled or disabled by selecting the group mapping under **Mappings**, and setting **Enabled** to the option you want in the **Attribute Mapping** screen. The attributes provisioned as part of Group objects can be customized in the same manner as User objects, described previously. 
@@ -86,9 +95,9 @@ The attributes provisioned as part of Group objects can be customized in the sam ## Editing the list of supported attributes -The user attributes supported for a given application are pre-configured. Most application's user management APIs do not support schema discovery, therefore the Azure AD provisioning service is not able to dynamically generate the list of supported attributes by making calls to the application. +The user attributes supported for a given application are pre-configured. Most application's user management APIs don't support schema discovery. So, the Azure AD provisioning service isn't able to dynamically generate the list of supported attributes by making calls to the application. -However, some applications support custom attributes. In order for the Azure AD provisioning service to be able to read and write to custom attributes, their definitions must be entered into the Azure portal using the **Show advanced options** check box at the bottom of the **Attribute-Mapping** screen. +However, some applications support custom attributes, and the Azure AD provisioning service can read and write to custom attributes. To enter their definitions into the Azure portal, select the **Show advanced options** check box at the bottom of the **Attribute Mapping** screen, and then select **Edit attribute list for** your app. Applications and systems that support customization of the attribute list include: 
@@ -101,35 +110,33 @@ Applications and systems that support customization of the attribute list includ >[!NOTE] >Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. -![Editor](./media/customize-application-attributes/25.png) - When editing the list of supported attributes, the following properties are provided: * **Name** - The system name of the attribute, as defined in the target object's schema. -* **Type** - The type of data the attribute stores, as defined in the target object's schema. This can be one of the following: +* **Type** - The type of data the attribute stores, as defined in the target object's schema, which can be one of the following types: * *Binary* - Attribute contains binary data. * *Boolean* - Attribute contains a True or False value. * *DateTime* - Attribute contains a date string. * *Integer* - Attribute contains an integer. * *Reference* - Attribute contains an ID that references a value stored in another table in the target application. * *String* - Attribute contains a text string. -* **Primary Key?** - Whether or not the attribute is defined as a primary key field in the target object's schema. -* **Required?** - Whether or not the attribute is required to be populated in the target application or system. -* **Multi-value?** - Whether or not the attribute supports multiple values. -* **Exact case?** - Whether or not the attributes values are evaluated in a case-sensitive way. -* **API Expression** - Do not use, unless instructed to do so by the documentation for a specific provisioning connector (such as Workday). 
-* **Referenced Object Attribute** - If this is a Reference type attribute, then this menu allows you to select the table and attribute in the target application that contains the value associated with the attribute. For example, if you have an attribute named "Department" whose stored value references an object in a separate "Departments" table, you would select "Departments.Name". Note that the reference tables and the primary ID fields supported for a given application are pre-configured and currently cannot be edited using the Azure portal, but can be edited using the [Graph API](https://developer.microsoft.com/graph/docs/api-reference/beta/resources/synchronization-configure-with-custom-target-attributes). +* **Primary Key?** - Whether the attribute is defined as a primary key field in the target object's schema. +* **Required?** - Whether the attribute is required to be populated in the target application or system. +* **Multi-value?** - Whether the attribute supports multiple values. +* **Exact case?** - Whether the attributes values are evaluated in a case-sensitive way. +* **API Expression** - Don't use, unless instructed to do so by the documentation for a specific provisioning connector (such as Workday). +* **Referenced Object Attribute** - If it's a Reference type attribute, then this menu lets you select the table and attribute in the target application that contains the value associated with the attribute. For example, if you have an attribute named "Department" whose stored value references an object in a separate "Departments" table, you would select "Departments.Name". The reference tables and the primary ID fields supported for a given application are pre-configured and currently can't be edited using the Azure portal, but can be edited using the [Graph API](https://developer.microsoft.com/graph/docs/api-reference/beta/resources/synchronization-configure-with-custom-target-attributes). 
-To add a new attribute, scroll to the end of the list of supported attributes, populate the fields above using the provided inputs, and select **Add Attribute**. Select **Save** when finished adding attributes. You will then need to reload the **Provisioning** tab for the new attributes to become available in the attribute-mapping editor. +To add a new attribute, scroll to the end of the list of supported attributes, populate the fields above using the provided inputs, and select **Add Attribute**. Select **Save** when finished adding attributes. You then need to reload the **Provisioning** tab for the new attributes to become available in the attribute-mapping editor. ## Restoring the default attributes and attribute-mappings -Should you need to start over, and reset your existing mappings back to their default state, you can select the **Restore default mappings** check box and save the configuration. This sets all mappings as if the application had just been added to your Azure AD tenant from the application gallery. +Should you need to start over and reset your existing mappings back to their default state, you can select the **Restore default mappings** check box and save the configuration. Doing so sets all mappings as if the application was just added to your Azure AD tenant from the application gallery. -Selecting this option will effectively force a re-synchronization of all users while the provisioning service is running. +Selecting this option will effectively force a resynchronization of all users while the provisioning service is running. >[!IMPORTANT] ->It is strongly recommended that **Provisioning status** be set to **Off** before invoking this option. +>We strongly recommend that **Provisioning status** be set to **Off** before invoking this option. ## What you should know 
@@ -138,7 +145,7 @@ Selecting this option will effectively force a re-synchronization of all users w * Updating attribute-mappings has an impact on the performance of a synchronization cycle. An update to the attribute-mapping configuration requires all managed objects to be reevaluated. -* It is a recommended best practice to keep the number of consecutive changes to your attribute-mappings at a minimum. +* A recommended best practice is to keep the number of consecutive changes to your attribute-mappings at a minimum. ## Next steps diff --git a/articles/active-directory/manage-apps/disable-user-sign-in-portal.md b/articles/active-directory/manage-apps/disable-user-sign-in-portal.md index fddfc18cd1748..69a9bc823c94e 100644 --- a/articles/active-directory/manage-apps/disable-user-sign-in-portal.md +++ b/articles/active-directory/manage-apps/disable-user-sign-in-portal.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: conceptual -ms.date: 08/28/2017 +ms.date: 04/12/2019 ms.author: celested ms.reviewer: asteen ms.custom: it-pro 
@@ -20,21 +20,16 @@ ms.custom: it-pro ms.collection: M365-identity-device-management --- # Disable user sign-ins for an enterprise app in Azure Active Directory -It's easy to disable an enterprise application so that no users may sign in to it in Azure Active Directory (Azure AD). You must have the appropriate permissions to manage the enterprise app, and you must be global admin for the directory. +It's easy to disable an enterprise application so no users can sign in to it in Azure Active Directory (Azure AD). You need the appropriate permissions to manage the enterprise app. And, you must be global admin for the directory. ## How do I disable user sign-ins? 1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's a global admin for the directory. -2. Select **All services**, enter **Azure Active Directory** in the text box, and then select **Enter**. -3. On the **Azure Active Directory** - ***directoryname*** pane (that is, the Azure AD pane for the directory you are managing), select **Enterprise applications**. - - ![Opening Enterprise apps](./media/disable-user-sign-in-portal/open-enterprise-apps.png) -4. On the **Enterprise applications** pane, select **All applications**. You see a list of the apps you can manage. -5. On the **Enterprise applications - All applications** pane, select an app. -6. On the ***appname*** pane (that is, the pane with the name of the selected app in the title), select **Properties**. - - ![Selecting the all applications command](./media/disable-user-sign-in-portal/select-app.png) -7. On the ***appname*** - **Properties** pane, select **No** for **Enabled for users to sign-in?**. -8. Select the **Save** command. +1. Select **All services**, enter **Azure Active Directory** in the text box, and then select **Enter**. +1. On the **Azure Active Directory** - ***directoryname*** pane (that is, the Azure AD pane for the directory you're managing), select **Enterprise applications**. +1. 
On the **Enterprise applications - All applications** pane, you see a list of the apps you can manage. Select an app. +1. On the ***appname*** pane (that is, the pane with the name of the selected app in the title), select **Properties**. +1. On the ***appname*** - **Properties** pane, select **No** for **Enabled for users to sign-in?**. +1. Select the **Save** command. ## Next steps * [See all my groups](../fundamentals/active-directory-groups-view-azure-portal.md) diff --git a/articles/active-directory/manage-apps/manage-access-panel-browser-extension.md b/articles/active-directory/manage-apps/manage-access-panel-browser-extension.md index 4b1d8430a7bb2..53243c2c01b7a 100644 --- a/articles/active-directory/manage-apps/manage-access-panel-browser-extension.md +++ b/articles/active-directory/manage-apps/manage-access-panel-browser-extension.md @@ -1,5 +1,5 @@ --- -title: Troubleshooting the Azure Access Panel Extension for IE | Microsoft Docs +title: Troubleshoot the Azure Access Panel Extension for IE | Microsoft Docs description: How to use group policy to deploy the Internet Explorer add-on for the My Apps portal. services: active-directory documentationcenter: '' 
@@ -11,82 +11,81 @@ ms.devlang: na ms.topic: conceptual ms.tgt_pltfrm: na ms.workload: identity -ms.date: 09/11/2018 +ms.date: 04/11/2019 ms.author: celested ms.reviewer: asteen ms.custom: H1Hack27Feb2017 ms.collection: M365-identity-device-management --- -# Troubleshooting the Access Panel Extension for Internet Explorer +# Troubleshoot the Access Panel Extension for Internet Explorer + This article helps you troubleshoot the following problems: * You're unable to access your apps through the My Apps portal while using Internet Explorer. * You see the "Install Software" message even though you've already installed the software. -If you are an admin, see also: [How to Deploy the Access Panel Extension for Internet Explorer using Group Policy](deploy-access-panel-browser-extension.md) +If you're an admin, see [How to Deploy the Access Panel Extension for Internet Explorer using Group Policy](deploy-access-panel-browser-extension.md). -## Run the Diagnostic Tool -You can diagnose installation problems with the Access Panel Extension by downloading and running the Access Panel diagnostic tool: +## Run the diagnostic tool -1. [Click here to download the diagnostic tool.](https://account.activedirectory.windowsazure.com/applications/AccessPanelExtensionDiagnosticTool/AccessPanelExtensionDiagnosticTool.zip) -2. Open the file, and press **Extract all** button. - - ![Press Extract All](./media/manage-access-panel-browser-extension/extract1.png) -3. Then press the **Extract** button to continue. - - ![Press Extract](./media/manage-access-panel-browser-extension/extract2.png) -4. To run the tool, right-click the file named **AccessPanelExtensionDiagnosticTool**, then select **Open with > Microsoft Windows Based Script Host**. +You can diagnose installation problems with the Access Panel Extension by downloading and running the Access Panel diagnostic tool. + +To download and install the diagnostic tool: + +1. 
[Select this link to download the diagnostic tool.](https://account.activedirectory.windowsazure.com/applications/AccessPanelExtensionDiagnosticTool/AccessPanelExtensionDiagnosticTool.zip) + +2. Open the file and extract the contents to your computer. - ![Open with > Microsoft Windows Based Script Host](./media/manage-access-panel-browser-extension/open_tool.png) -5. You will then see the following diagnostic window, which describes what might be wrong with your installation. +3. To run the tool, right-click the file named *AccessPanelExtensionDiagnosticTool.js* and select **Open with** > **Microsoft Windows Based Script Host**. - ![A sample of the diagnostic window](./media/manage-access-panel-browser-extension/tool_preview.png) -6. Click "**YES**" to let the program fix the issues that have been found. -7. To save these changes, close every Internet Explorer window, and then open Internet Explorer again.
If you still can't access your apps, try the steps below. + ![Open with > Microsoft Windows Based Script Host](./media/manage-access-panel-browser-extension/open-access-panel-extension-diagnostic-tool.png) + +4. Review the diagnostic results that appear and select **Yes** to fix the issues. The **Check Results** dialog box appears with information about what to do if the extension doesn't work. + +5. Read the message and select **OK**. ## Check that the Access Panel Extension is enabled -To verify that the Access Panel Extension is enabled in Internet Explorer: -1. In Internet Explorer, click the **Gear icon** on the top right corner of the window. Then select **Internet options**.
(In older versions of Internet Explorer you can find this under **Tools > Internet options**. +To verify that you've enabled the Access Panel Extension in Internet Explorer: + +1. In Internet Explorer, select the **Gear icon** on the upper-right corner of the window and select **Internet options**. - ![Go to Tools > Internet Options](./media/manage-access-panel-browser-extension/internetoptions.png) -2. Click the **Programs** tab, then click the **Manage add-ons** button. +2. Go to the **Programs** tab and select **Manage add-ons**. - ![Click Manage Add-Ons](./media/manage-access-panel-browser-extension/internetoptions_programs.png) -3. In this dialog, select **Access Panel Extension** and then click the **Enable** button. +3. Select **Access Panel Extension** in the **Microsoft Corporation** section and select **Enable**. - ![Click Enable](./media/manage-access-panel-browser-extension/enableaddon.png) -4. To save these changes, close every Internet Explorer window and then open Internet Explorer again. +4. To save the changes, close all of the Internet Explorer browser windows you have open. The change takes effect the next time you open Internet Explorer. + +## Enable extensions for InPrivate Browsing -## Enable Extensions for InPrivate Browsing -If you are using the InPrivate Browsing mode: +To enable extensions for InPrivate Browsing: -1. In Internet Explorer, click the **Gear icon** on the top right corner of the window. Then select **Internet options**.
(In older versions of Internet Explorer you can find this under **Tools > Internet options**. +1. In Internet Explorer, select the **Gear icon** on the upper-right corner of the window and select **Internet options**. - ![A sample of the diagnostic window](./media/manage-access-panel-browser-extension/inprivateoptions.png) -2. Go to the **Privacy** tab, then **uncheck** the checkbox labeled **Disable toolbars and extensions when InPrivate Browsing starts**

+2. Go to the **Privacy** tab and verify that the **Disable toolbars and extensions when InPrivate Browsing starts** check box is clear. - ![Uncheck Disable toolbars and extensions when InPrivate Browsing starts](./media/manage-access-panel-browser-extension/enabletoolbars.png) -3. To save these changes, close every Internet Explorer window and then open Internet Explorer again. +3. To save the changes, close all of the Internet Explorer browser windows you have open. The change takes effect the next time you open Internet Explorer. ## Uninstall the Access Panel Extension -To uninstall the Access Panel extension from your computer: -1. On your keyboard, press the **Windows key** to open the Start menu. When the menu is open, you can type anything to do a search. Type "Control Panel" and then open the **Control Panel** when it appears in the search results. - - ![Search for Control Panel](./media/manage-access-panel-browser-extension/search_sm.png) -2. In the top right corner of the Control Panel, change the **View by** option to **Large icons**. Then find and click the **Programs and Features** button. +To uninstall the Access Panel Extension from your computer: + +1. In Control Panel, search for *uninstall*. + +2. In the search results, select **Uninstall a program**. - ![Chang the view to show Large Icons](./media/manage-access-panel-browser-extension/control_panel.png) -3. From the list, select **Access Panel Extension**, and the click the **Uninstall** button. + ![Search for uninstall program.](./media/manage-access-panel-browser-extension/uninstall-program-control-panel.png) + +3. From the list, select **Access Panel Extension** and select **Uninstall**. + + ![Uninstall the Access Panel Extension.](./media/manage-access-panel-browser-extension/uninstall-access-panel-extension.png) - ![Click Uninstall](./media/manage-access-panel-browser-extension/uninstall.png) 4. You can then try to install the extension again to see if the problem has been resolved. 
-If you encounter issues uninstalling the extension, you can also remove it using the [Microsoft Fix It](https://go.microsoft.com/?linkid=9779673) tool. +If you run into issues uninstalling the extension, you can also remove it using the [Microsoft Fix It](https://go.microsoft.com/?linkid=9779673) tool. -## Related Articles +## Related articles * [Application access and single sign-on with Azure Active Directory](what-is-single-sign-on.md) -* [How to Deploy the Access Panel Extension for Internet Explorer using Group Policy](deploy-access-panel-browser-extension.md) +* [How to deploy the Access Panel Extension for Internet Explorer using Group Policy](deploy-access-panel-browser-extension.md) diff --git a/articles/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.md b/articles/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.md index b7ba6a6ae69f3..f35f1944bc458 100644 --- a/articles/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.md +++ b/articles/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.md 
@@ -12,80 +12,118 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: conceptual -ms.date: 09/11/2018 +ms.date: 04/04/2019 ms.author: celested ms.reviewer: jeedes ms.collection: M365-identity-device-management --- # Manage certificates for federated single sign-on in Azure Active Directory -This article covers common questions and information related to the certificates that Azure Active Directory (Azure AD) creates to establish federated single sign-on (SSO) to your SaaS applications. Add applications from the Azure AD app gallery or by using a non-gallery application template. Configure the application by using the federated SSO option. -This article is relevant only to apps that are configured to use Azure AD SSO through SAML federation, as shown in the following example: +In this article, we cover common questions and information related to certificates that Azure Active Directory (Azure AD) creates to establish federated single sign-on (SSO) to your software as a service (SaaS) applications. Add applications from the Azure AD app gallery or by using a non-gallery application template. Configure the application by using the federated SSO option. -![Azure AD Single Sign-On](./media/manage-certificates-for-federated-single-sign-on/saml_sso.PNG) +This article is relevant only to apps that are configured to use Azure AD SSO through [Security Assertion Markup Language](https://wikipedia.org/wiki/Security_Assertion_Markup_Language) (SAML) federation. ## Auto-generated certificate for gallery and non-gallery applications -When you add a new application from the gallery and configure a SAML-based sign-on, Azure AD generates a certificate for the application that is valid for three years. You can download this certificate from the **SAML Signing Certificate** section. For gallery applications, this section might show an option to download the certificate or metadata, depending on the requirement of the application. 
-![Azure AD single sign-on](./media/manage-certificates-for-federated-single-sign-on/saml_certificate_download.png) +When you add a new application from the gallery and configure a SAML-based sign-on (by selecting **Single sign-on** > **SAML** from the application overview page), Azure AD generates a certificate for the application that is valid for three years. To download the active certificate as a security certificate (**.cer**) file, return to that page (**SAML-based sign-on**) and select a download link in the **SAML Signing Certificate** heading. You can choose between the raw (binary) certificate or the Base64 (base 64-encoded text) certificate. For gallery applications, this section might also show a link to download the certificate as federation metadata XML (an **.xml** file), depending on the requirement of the application. + +![SAML active signing certificate download options](./media/manage-certificates-for-federated-single-sign-on/active-certificate-download-options.png) + +You can also download an active or inactive certificate by selecting the **SAML Signing Certificate** heading's **Edit** icon (a pencil), which displays the **SAML Signing Certificate** page. Select the ellipsis (**...**) next to the certificate you want to download, and then choose which certificate format you want. You have the additional option to download the certificate in privacy-enhanced mail (PEM) format. This format is identical to Base64 but with a **.pem** file name extension, which isn't recognized in Windows as a certificate format. + +![SAML signing certificate download options (active and inactive)](./media/manage-certificates-for-federated-single-sign-on/all-certificate-download-options.png) ## Customize the expiration date for your federation certificate and roll it over to a new certificate -By default, certificates are set to expire after three years. You can choose a different expiration date for your certificate by completing the following steps. 
-The screenshots use Salesforce for the sake of example, but these steps can apply to any federated SaaS app. -1. In the [Azure portal](https://aad.portal.azure.com), click **Enterprise application** in the left pane and then click **New application** on the **Overview** page: +By default, Azure configures a certificate to expire after three years when it is created automatically during SAML single sign-on configuration. Because you can't change the date of a certificate after you save it, you have to: + +1. Create a new certificate with the desired date. +2. Save the new certificate. +3. Download the new certificate in the correct format. +4. Upload the new certificate to the application. +5. Make the new certificate active in the Azure Active Directory portal. + +The following two sections help you perform these steps. + +### Create a new certificate + +First, create and save new certificate with a different expiration date: + +1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/). The **Azure Active Directory admin center** page appears. + +2. In the left pane, select **Enterprise applications**. A list of the enterprise applications in your account appears. + +3. Select the affected application. An overview page for the application appears. - ![Open the SSO configuration wizard](./media/manage-certificates-for-federated-single-sign-on/enterprise_application_new_application.png) +4. In the left pane of the application overview page, select **Single sign-on**. -2. Search for the gallery application and then select the application that you want to add. If you cannot find the required application, add the application by using the **Non-gallery application** option. This feature is available only in the Azure AD Premium (P1 and P2) SKU. +5. If the **Select a single sign-on method** page appears, select **SAML**. - ![Azure AD single sign-on](./media/manage-certificates-for-federated-single-sign-on/add_gallery_application.png) +6. 
In the **Set up Single Sign-On with SAML - Preview** page, find the **SAML Signing Certificate** heading and select the **Edit** icon (a pencil). The **SAML Signing Certificate** page appears, which displays the status (**Active** or **Inactive**), expiration date, and thumbprint (a hash string) of each certificate. -3. Click the **Single sign-on** link in the left pane and change **Single Sign-on Mode** to **SAML-based Sign-on**. This step generates a three-year certificate for your application. +7. Select **New Certificate**. A new row appears below the certificate list, where the expiration date defaults to exactly three years after the current date. (Your changes haven't been saved yet, so you can still modify the expiration date.) -4. To create a new certificate, click the **Create new certificate** link in the **SAML Signing Certificate** section. +8. In the new certificate row, hover over the expiration date column and select the **Select Date** icon (a calendar). A calendar control appears, displaying the days of a month of the new row's current expiration date. - ![Generate a new certificate](./media/manage-certificates-for-federated-single-sign-on/create_new_certficate.png) +9. Use the calendar control to set a new date. You can set any date between the current date and three years after the current date. -5. The **Create a new certificate** link opens the calendar control. You can set any date and time up to three years from the current date. The selected date and time is the new expiration date and time of your new certificate. Click **Save**. +10. Select **Save**. The new certificate now appears with a status of **Inactive**, the expiration date that you chose, and a thumbprint. - ![Download then upload the certificate](./media/manage-certificates-for-federated-single-sign-on/certifcate_date_selection.PNG) +11. Select the **X** to return to the **Set up Single Sign-On with SAML - Preview** page. -6. Now the new certificate is available to download. 
Click the **Certificate** link to download it. At this point, your certificate is not active. When you want to roll over to this certificate, select the **Make new certificate active** check box and click **Save**. From that point, Azure AD starts using the new certificate for signing the response. +### Upload and activate a certificate -7. To learn how to upload the certificate to your particular SaaS application, click the **View application configuration tutorial** link. +Next, download the new certificate in the correct format, upload it to the application, and make it active in Azure Active Directory: -## Certificate expiration notification email +1. View the application's additional SAML sign-on configuration instructions by either: + - selecting the **configuration guide** link to view in a separate browser window or tab, or + - going to the **set up** heading and selecting **View step-by-step instructions** to view in a sidebar. -Azure AD will send an email notification 60, 30, and 7 days before SAML certificate expires. To specify the email address for where to send the notification: +2. In the instructions, note the encoding format required for the certificate upload. -- On the Azure Active Directory application Single sign-on page, go to the Notification Email field. -- Enter the email address that should receive the certificate expiration notification email. By default, this field uses the email address of the admin who added the application. +3. Follow the instructions in the [Auto-generated certificate for gallery and non-gallery applications](#auto-generated-certificate-for-gallery-and-non-gallery-applications) section earlier. This step downloads the certificate in the encoding format required for upload by the application. -You will receive the notification email from aadnotification@microsoft.com. To avoid the email going to your spam location, be sure to add this email to your contacts. +4. 
When you want to roll over to the new certificate, go back to the **SAML Signing Certificate** page, and in the newly saved certificate row, select the ellipsis (**...**) and select **Make certificate active**. The status of the new certificate changes to **Active**, and the previously active certificate changes to a status of **Inactive**. + +5. Continue following the application's SAML sign-on configuration instructions that you displayed earlier, so that you can upload the SAML signing certificate in the correct encoding format. + +## Add email notification addresses for certificate expiration + +Azure AD will send an email notification 60, 30, and 7 days before the SAML certificate expires. You may add more than one email address to receive notifications. To specify the email address(es) you want the notifications to be sent to: + +1. In the **SAML Signing Certificate** page, go to the **notification email addresses** heading. By default, this heading uses only the email address of the admin who added the application. + +2. Below the final email address, type the email address that should receive the certificate's expiration notice, and then press Enter. + +3. Repeat the previous step for each email address you want to add. + +4. For each email address you want to delete, select the **Delete** icon (a garbage can) next to the email address. + +5. Select **Save**. + +You will receive the notification email from aadnotification@microsoft.com. To avoid the email going to your spam location, add this email to your contacts. ## Renew a certificate that will soon expire -The following renewal steps should result in no significant downtime for your users. The screenshots in this section feature Salesforce as an example, but these steps can apply to any federated SaaS app. -1. On the **Azure Active Directory** application **Single sign-on** page, generate the new certificate for your application. 
You can do this by clicking the **Create new certificate** link in the **SAML Signing Certificate** section. +If a certificate is about to expire, you can renew it using a procedure that results in no significant downtime for your users. To renew an expiring certificate: - ![Generate a new certificate](./media/manage-certificates-for-federated-single-sign-on/create_new_certficate.png) +1. Follow the instructions in the [Create a new certificate](#create-a-new-certificate) section earlier, using a date that overlaps with the existing certificate. That date limits the amount of downtime caused by the certificate expiration. -2. Select the desired expiration date and time for your new certificate and click **Save**. Selecting a date that overlaps with the existing certificate will ensure that any downtime due to cert expiry is limited. +2. If the application can automatically roll over a certificate, set the new certificate to active by following these steps: + 1. Go back to the **SAML Signing Certificate** page. + 2. In the newly saved certificate row, select the ellipsis (**...**) and then select **Make certificate active**. + 3. Skip the next two steps. -3. If the app can automatically roll over a certificate, set the new certificate to active. Sign in to the app to check that it works. +3. If the app can only handle one certificate at a time, pick a downtime interval to perform the next step. (Otherwise, if the application doesn’t automatically pick up the new certificate but can handle more than one signing certificate, you can perform the next step anytime.) -4. If the app doesn’t automatically pickup the new cert, but can handle more than one signing cert, before the old one expires, upload the new one to the app, then go back to the portal and make it the active certificate. +4. Before the old certificate expires, follow the instructions in the [Upload and activate a certificate](#upload-and-activate-a-certificate) section earlier. -5. 
If the app can only handle one certificate at a time, pick a downtime window, download the new certificate, upload it to the application, come back to the Azure Portal and set the new certificate as active. - -6. To activate the new certificate in Azure AD, select the **Make new certificate active** check box and click the **Save** button at the top of the page. This rolls over the new certificate on the Azure AD side. The status of the certificate changes from **New** to **Active**. From that point, Azure AD starts using the new certificate for signing the response. - - ![Generate a new certificate](./media/manage-certificates-for-federated-single-sign-on/new_certificate_download.png) +5. Sign in to the application to make sure that the certificate works correctly. ## Related articles -* [List of tutorials on how to integrate SaaS apps with Azure Active Directory](../saas-apps/tutorial-list.md) -* [Application Management in Azure Active Directory](what-is-application-management.md) -* [Application access and single sign-on with Azure Active Directory](what-is-single-sign-on.md) -* [Troubleshooting SAML-based single sign-on](../develop/howto-v1-debug-saml-sso-issues.md) + +* [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md) +* [Application management with Azure Active Directory](what-is-application-management.md) +* [Single sign-on to applications in Azure Active Directory](what-is-single-sign-on.md) +* [Debug SAML-based single sign-on to applications in Azure Active Directory](../develop/howto-v1-debug-saml-sso-issues.md) 
diff --git a/articles/active-directory/manage-apps/media/assign-user-or-group-access-portal/assign-users.png b/articles/active-directory/manage-apps/media/assign-user-or-group-access-portal/assign-users.png
index 5c3ad090f2f27..1be237285a484 100644
Binary files a/articles/active-directory/manage-apps/media/assign-user-or-group-access-portal/assign-users.png and b/articles/active-directory/manage-apps/media/assign-user-or-group-access-portal/assign-users.png differ
diff --git a/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-pane.png b/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-pane.png
index f0408ea895125..9857b4d093ef2 100644
Binary files a/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-pane.png and b/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-pane.png differ
diff --git a/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning-mapping.png b/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning-mapping.png
index e70484edaf480..5d12121be8326 100644
Binary files a/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning-mapping.png and b/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning-mapping.png differ
diff --git a/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning.png b/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning.png
index bff0442c87db2..119cacf4070eb 100644
Binary files a/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning.png and b/articles/active-directory/manage-apps/media/configure-automatic-user-provisioning-portal/enterprise-apps-provisioning.png differ
diff --git a/articles/active-directory/manage-apps/media/configure-single-sign-on-portal/azure-portal-application-search.png b/articles/active-directory/manage-apps/media/configure-single-sign-on-portal/azure-portal-application-search.png
new file mode 100644
index 0000000000000..aa02b646547c2
Binary files /dev/null and b/articles/active-directory/manage-apps/media/configure-single-sign-on-portal/azure-portal-application-search.png differ
diff --git a/articles/active-directory/manage-apps/media/configure-single-sign-on-portal/basic-saml-configuration-edit-icon.png b/articles/active-directory/manage-apps/media/configure-single-sign-on-portal/basic-saml-configuration-edit-icon.png
new file mode 100644
index 0000000000000..5e4000cd4627a
Binary files /dev/null and b/articles/active-directory/manage-apps/media/configure-single-sign-on-portal/basic-saml-configuration-edit-icon.png differ
diff --git a/articles/active-directory/manage-apps/media/customize-application-attributes/21.png b/articles/active-directory/manage-apps/media/customize-application-attributes/21.png
index 57b5ee5d31f4d..d634da5b5207c 100644
Binary files a/articles/active-directory/manage-apps/media/customize-application-attributes/21.png and b/articles/active-directory/manage-apps/media/customize-application-attributes/21.png differ
diff --git a/articles/active-directory/manage-apps/media/customize-application-attributes/24.png b/articles/active-directory/manage-apps/media/customize-application-attributes/24.png
index c8c2078137c2e..2184dcd9d0165 100644
Binary files a/articles/active-directory/manage-apps/media/customize-application-attributes/24.png and b/articles/active-directory/manage-apps/media/customize-application-attributes/24.png differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/control_panel.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/control_panel.png
deleted file mode 100644
index 3cf9846ec0406..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/control_panel.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/enableaddon.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/enableaddon.png
deleted file mode 100644
index d57a6b3defc12..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/enableaddon.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/enabletoolbars.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/enabletoolbars.png
deleted file mode 100644
index 0fd15941a3fe7..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/enabletoolbars.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/extract1.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/extract1.png
deleted file mode 100644
index 09e68d52bcbe6..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/extract1.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/extract2.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/extract2.png
deleted file mode 100644
index e8d7d71223b12..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/extract2.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/inprivateoptions.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/inprivateoptions.png
deleted file mode 100644
index 375a920febe02..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/inprivateoptions.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/internetoptions.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/internetoptions.png
deleted file mode 100644
index c9bc24f44a890..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/internetoptions.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/internetoptions_programs.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/internetoptions_programs.png
deleted file mode 100644
index 18f8f7bf3c0a0..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/internetoptions_programs.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/open-access-panel-extension-diagnostic-tool.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/open-access-panel-extension-diagnostic-tool.png
new file mode 100644
index 0000000000000..7aabc73e8f0de
Binary files /dev/null and b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/open-access-panel-extension-diagnostic-tool.png differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/open_tool.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/open_tool.png
deleted file mode 100644
index 276a6ebf454ce..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/open_tool.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/search_sm.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/search_sm.png
deleted file mode 100644
index 903b62ed0c8a5..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/search_sm.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/tool_preview.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/tool_preview.png
deleted file mode 100644
index 0531bfb6c71af..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/tool_preview.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/uninstall-access-panel-extension.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/uninstall-access-panel-extension.png
new file mode 100644
index 0000000000000..90d0566e8cfa6
Binary files /dev/null and b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/uninstall-access-panel-extension.png differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/uninstall-program-control-panel.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/uninstall-program-control-panel.png
new file mode 100644
index 0000000000000..84ebb53a73185
Binary files /dev/null and b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/uninstall-program-control-panel.png differ
diff --git a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/uninstall.png b/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/uninstall.png
deleted file mode 100644
index 270da4da37cf0..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-access-panel-browser-extension/uninstall.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/active-certificate-download-options.png b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/active-certificate-download-options.png
new file mode 100644
index 0000000000000..236ec791905d0
Binary files /dev/null and b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/active-certificate-download-options.png differ
diff --git a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/add_gallery_application.png b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/add_gallery_application.png
deleted file mode 100644
index 63c76f694ffcd..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/add_gallery_application.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/all-certificate-download-options.png b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/all-certificate-download-options.png
new file mode 100644
index 0000000000000..df418f9f604f0
Binary files /dev/null and b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/all-certificate-download-options.png differ
diff --git a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/certifcate_date_selection.png b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/certifcate_date_selection.png
deleted file mode 100644
index 0d482b76e59f0..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/certifcate_date_selection.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/create_new_certficate.png b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/create_new_certficate.png
deleted file mode 100644
index 280d046746b50..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/create_new_certficate.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/enterprise_application_new_application.png b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/enterprise_application_new_application.png
deleted file mode 100644
index 36089575ad576..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/enterprise_application_new_application.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/new_certificate_download.png b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/new_certificate_download.png
deleted file mode 100644
index 45d6756b2cd22..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/new_certificate_download.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/saml_certificate_download.png b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/saml_certificate_download.png
deleted file mode 100644
index 3358a77ca9d73..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/saml_certificate_download.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/saml_sso.png b/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/saml_sso.png
deleted file mode 100644
index a871af4816c63..0000000000000
Binary files a/articles/active-directory/manage-apps/media/manage-certificates-for-federated-single-sign-on/saml_sso.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/use-scim-to-provision-users-and-groups/scim-figure-2a.png b/articles/active-directory/manage-apps/media/use-scim-to-provision-users-and-groups/scim-figure-2a.png
index 0b495f50963d7..db13581cc0fbe 100644
Binary files a/articles/active-directory/manage-apps/media/use-scim-to-provision-users-and-groups/scim-figure-2a.png and b/articles/active-directory/manage-apps/media/use-scim-to-provision-users-and-groups/scim-figure-2a.png differ
diff --git a/articles/active-directory/manage-apps/media/use-scim-to-provision-users-and-groups/scim-figure-2b.png b/articles/active-directory/manage-apps/media/use-scim-to-provision-users-and-groups/scim-figure-2b.png
index 8d7cf1436f098..82b0832ef73e7 100644
Binary files a/articles/active-directory/manage-apps/media/use-scim-to-provision-users-and-groups/scim-figure-2b.png and b/articles/active-directory/manage-apps/media/use-scim-to-provision-users-and-groups/scim-figure-2b.png differ
diff --git a/articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method-040419.png b/articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method-040419.png
new file mode 100644
index 0000000000000..0fd777a1f7e4a
Binary files /dev/null and b/articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method-040419.png differ
diff --git a/articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method-updated.png b/articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method-updated.png
deleted file mode 100644
index cfde56e3fa46a..0000000000000
Binary files a/articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method-updated.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method.png b/articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method.png
deleted file mode 100644
index 3f33da1408668..0000000000000
Binary files a/articles/active-directory/manage-apps/media/what-is-single-sign-on/choose-single-sign-on-method.png and /dev/null differ
diff --git a/articles/active-directory/manage-apps/remove-user-or-group-access-portal.md b/articles/active-directory/manage-apps/remove-user-or-group-access-portal.md
index 0def8b2d36493..a6273f362a870 100644
--- a/articles/active-directory/manage-apps/remove-user-or-group-access-portal.md
+++ b/articles/active-directory/manage-apps/remove-user-or-group-access-portal.md
@@ -12,7 +12,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 02/14/2018
+ms.date: 04/12/2019
 ms.author: celested
 ms.reviewer: asteen
 ms.custom: it-pro
@@ -20,25 +20,18 @@ ms.custom: it-pro ms.collection: M365-identity-device-management --- # Remove a user or group assignment from an enterprise app in Azure Active Directory -It's easy to remove a user or a group from being assigned access to one of your enterprise applications in Azure Active Directory (Azure AD). You must have the appropriate permissions to manage the enterprise app, and you must be global admin for the directory. +It's easy to remove a user or a group from assigned access to one of your enterprise applications in Azure Active Directory (Azure AD). You need the appropriate permissions to manage the enterprise app. And, you must be global admin for the directory. > [!NOTE] > For Microsoft Applications (such as Office 365 apps), use PowerShell to remove users to an enterprise app. ## How do I remove a user or group assignment to an enterprise app in the Azure portal? 1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's a global admin for the directory. -2. Select **More services**, enter **Azure Active Directory** in the text box, and then select **Enter**. -3. On the **Azure Active Directory - *directoryname*** page (that is, the Azure AD page for the directory you are managing), select **Enterprise applications**. - - ![Opening Enterprise apps](./media/remove-user-or-group-access-portal/open-enterprise-apps.png) -4. On the **Enterprise applications** page, select **All applications**. You'll see a list of the apps you can manage. -5. On the **Enterprise applications - All applications** page, select an app. -6. On the ***appname*** page (that is, the page with the name of the selected app in the title), select **Users & Groups**. - - ![Selecting users or groups](./media/remove-user-or-group-access-portal/remove-app-users.png) -7. On the ***appname*** **- User & Group Assignment** page, select one of more users or groups and then select the **Remove** command. Confirm your decision at the prompt. 
- - ![Selecting the Remove command](./media/remove-user-or-group-access-portal/remove-users.png) +1. Select **All services**, enter **Azure Active Directory** in the text box, and then select **Enter**. +1. On the **Azure Active Directory - *directoryname*** page (that is, the Azure AD page for the directory you're managing), select **Enterprise applications**. +1. On the **Enterprise applications - All applications** page, you'll see a list of the apps you can manage. Select an app. +1. On the ***appname*** overview page (that is, the page with the name of the selected app in the title), select **Users & Groups**. +1. On the ***appname*** **- User & Group Assignment** page, select one of more users or groups and then select the **Remove** command. Confirm your decision at the prompt. ## How do I remove a user or group assignment to an enterprise app using PowerShell? 1. Open an elevated Windows PowerShell command prompt. @@ -46,8 +39,8 @@ It's easy to remove a user or a group from being assigned access to one of your >[!NOTE] > You need to install the AzureAD module (use the command `Install-Module -Name AzureAD`). If prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER. -2. Run `Connect-AzureAD` and sign in with a Global Admin user account. -3. Use the following script to remove a user and role from an application: +1. Run `Connect-AzureAD` and sign in with a Global Admin user account. +1. Use the following script to remove a user and role from an application: ```powershell # Store the proper parameters diff --git a/articles/active-directory/manage-apps/tenant-restrictions.md b/articles/active-directory/manage-apps/tenant-restrictions.md index c2d622e1f90f0..66312e89525ef 100644 --- a/articles/active-directory/manage-apps/tenant-restrictions.md +++ b/articles/active-directory/manage-apps/tenant-restrictions.md 
@@ -1,6 +1,6 @@
 ---
-title: Manage access to cloud apps by restricting tenants - Azure | Microsoft Docs
-description: How to use Tenant Restrictions to manage which users can access apps based on their Azure AD tenant.
+title: Use tenant restrictions to manage access to SaaS cloud applications - Azure | Microsoft Docs
+description: How to use tenant restrictions to manage which users can access apps based on their Azure AD tenant.
 services: active-directory
 documentationcenter: ''
 author: CelesteDG
@@ -12,131 +12,159 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: conceptual -ms.date: 05/15/2018 +ms.date: 03/28/2019 ms.author: celested ms.reviewer: richagi ms.collection: M365-identity-device-management --- -# Use Tenant Restrictions to manage access to SaaS cloud applications +# Use tenant restrictions to manage access to SaaS cloud applications -Large organizations that emphasize security want to move to cloud services like Office 365, but need to know that their users only can access approved resources. Traditionally, companies restrict domain names or IP addresses when they want to manage access. This approach fails in a world where SaaS apps are hosted in a public cloud, running on shared domain names like outlook.office.com and login.microsoftonline.com. Blocking these addresses would keep users from accessing Outlook on the web entirely, instead of merely restricting them to approved identities and resources. +Large organizations that emphasize security want to move to cloud services like Office 365, but need to know that their users only can access approved resources. Traditionally, companies restrict domain names or IP addresses when they want to manage access. This approach fails in a world where software as a service (or SaaS) apps are hosted in a public cloud, running on shared domain names like [outlook.office.com](https://outlook.office.com/) and [login.microsoftonline.com](https://login.microsoftonline.com/). Blocking these addresses would keep users from accessing Outlook on the web entirely, instead of merely restricting them to approved identities and resources. -Azure Active Directory's solution to this challenge is a feature called Tenant Restrictions. Tenant Restrictions enables organizations to control access to SaaS cloud applications, based on the Azure AD tenant the applications use for single sign-on. 
For example, you may want to allow access to your organization’s Office 365 applications, while preventing access to other organizations’ instances of these same applications.   +The Azure Active Directory (Azure AD) solution to this challenge is a feature called tenant restrictions. With tenant restrictions, organizations can control access to SaaS cloud applications, based on the Azure AD tenant the applications use for single sign-on. For example, you may want to allow access to your organization’s Office 365 applications, while preventing access to other organizations’ instances of these same applications.   -Tenant Restrictions gives organizations the ability to specify the list of tenants that their users are permitted to access. Azure AD then only grants access to these permitted tenants. +With tenant restrictions, organizations can specify the list of tenants that their users are permitted to access. Azure AD then only grants access to these permitted tenants. -This article focuses on Tenant Restrictions for Office 365, but the feature should work with any SaaS cloud app that uses modern authentication protocols with Azure AD for single sign-on. If you use SaaS apps with a different Azure AD tenant from the tenant used by Office 365, make sure that all required tenants are permitted. For more information about SaaS cloud apps, see the [Active Directory Marketplace](https://azure.microsoft.com/marketplace/active-directory/). +This article focuses on tenant restrictions for Office 365, but the feature should work with any SaaS cloud app that uses modern authentication protocols with Azure AD for single sign-on. If you use SaaS apps with a different Azure AD tenant from the tenant used by Office 365, make sure that all required tenants are permitted. For more information about SaaS cloud apps, see the [Active Directory Marketplace](https://azure.microsoft.com/marketplace/active-directory/). 
## How it works -The overall solution comprises the following components:  +The overall solution comprises the following components: -1. **Azure AD** – If the `Restrict-Access-To-Tenants: ` is present, Azure AD only issues security tokens for the permitted tenants.  +1. **Azure AD**: If the `Restrict-Access-To-Tenants: ` is present, Azure AD only issues security tokens for the permitted tenants. -2. **On-premises proxy server infrastructure** – a proxy device capable of SSL inspection, configured to insert the header containing the list of permitted tenants into traffic destined for Azure AD.  +2. **On-premises proxy server infrastructure**: This infrastructure is a proxy device capable of Secure Sockets Layer (SSL) inspection. You must configure the proxy to insert the header containing the list of permitted tenants into traffic destined for Azure AD. -3. **Client software** – to support Tenant Restrictions, client software must request tokens directly from Azure AD, so that traffic can be intercepted by the proxy infrastructure. Tenant Restrictions is currently supported by browser-based Office 365 applications and by Office clients when modern authentication (like OAuth 2.0) is used.  +3. **Client software**: To support tenant restrictions, client software must request tokens directly from Azure AD, so that the proxy infrastructure can intercept traffic. Browser-based Office 365 applications currently support tenant restrictions, as do Office clients that use modern authentication (like OAuth 2.0). -4. **Modern Authentication** – cloud services must use modern authentication to use Tenant Restrictions and block access to all non-permitted tenants. Office 365 cloud services must be configured to use modern authentication protocols by default. For the latest information on Office 365 support for modern authentication, read [Updated Office 365 modern authentication](https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/). +4. 
**Modern Authentication**: Cloud services must use modern authentication to use tenant restrictions and block access to all non-permitted tenants. You must configure Office 365 cloud services to use modern authentication protocols by default. For the latest information on Office 365 support for modern authentication, read [Updated Office 365 modern authentication](https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/). -The following diagram illustrates the high-level traffic flow. SSL inspection is only required on traffic to Azure AD, not to the Office 365 cloud services. This distinction is important because the traffic volume for authentication to Azure AD is typically much lower than traffic volume to SaaS applications like Exchange Online and SharePoint Online. +The following diagram illustrates the high-level traffic flow. Tenant restrictions requires SSL inspection only on traffic to Azure AD, not to the Office 365 cloud services. This distinction is important, because the traffic volume for authentication to Azure AD is typically much lower than traffic volume to SaaS applications like Exchange Online and SharePoint Online. -![Tenant Restrictions traffic flow - diagram](./media/tenant-restrictions/traffic-flow.png) +![Tenant restrictions traffic flow - diagram](./media/tenant-restrictions/traffic-flow.png) -## Set up Tenant Restrictions +## Set up tenant restrictions -There are two steps to get started with Tenant Restrictions. The first step is to make sure that your clients can connect to the right addresses. The second is to configure your proxy infrastructure. +There are two steps to get started with tenant restrictions. First, make sure that your clients can connect to the right addresses. Second, configure your proxy infrastructure. 
### URLs and IP addresses -To use Tenant Restrictions, your clients must be able to connect to the following Azure AD URLs to authenticate: login.microsoftonline.com, login.microsoft.com, and login.windows.net. Additionally, to access Office 365, your clients must also be able to connect to the FQDNs/URLs and IP addresses defined in [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).  +To use tenant restrictions, your clients must be able to connect to the following Azure AD URLs to authenticate: [login.microsoftonline.com](https://login.microsoftonline.com/), [login.microsoft.com](https://login.microsoft.com/), and [login.windows.net](https://login.windows.net/). Additionally, to access Office 365, your clients must also be able to connect to the fully qualified domain names (FQDNs), URLs, and IP addresses defined in [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).  ### Proxy configuration and requirements -The following configuration is required to enable Tenant Restrictions through your proxy infrastructure. This guidance is generic, so you should refer to your proxy vendor’s documentation for specific implementation steps. +The following configuration is required to enable tenant restrictions through your proxy infrastructure. This guidance is generic, so you should refer to your proxy vendor’s documentation for specific implementation steps. #### Prerequisites -- The proxy must be able to perform SSL interception, HTTP header insertion, and filter destinations using FQDNs/URLs.  +- The proxy must be able to perform SSL interception, HTTP header insertion, and filter destinations using FQDNs/URLs. -- Clients must trust the certificate chain presented by the proxy for SSL communications. 
For example, if certificates from an internal PKI are used, the internal issuing root certificate authority certificate must be trusted. +- Clients must trust the certificate chain presented by the proxy for SSL communications. For example, if certificates from an internal [public key infrastructure (PKI)](/windows/desktop/seccertenroll/public-key-infrastructure) are used, the internal issuing root certificate authority certificate must be trusted. -- This feature is included in Office 365 subscriptions, but if you want to use Tenant Restrictions to control access to other SaaS apps then Azure AD Premium 1 licenses are required. +- This feature is included in Office 365 subscriptions, but if you want to use tenant restrictions to control access to other SaaS apps, then Azure AD Premium 1 licenses are required. #### Configuration For each incoming request to login.microsoftonline.com, login.microsoft.com, and login.windows.net, insert two HTTP headers: *Restrict-Access-To-Tenants* and *Restrict-Access-Context*. -The headers should include the following elements:  -- For *Restrict-Access-To-Tenants*, a value of \, which is a comma-separated list of tenants you want to allow users to access. Any domain that is registered with a tenant can be used to identify the tenant in this list. For example, to permit access to both Contoso and Fabrikam tenants, the name/value pair looks like:  `Restrict-Access-To-Tenants: contoso.onmicrosoft.com,fabrikam.onmicrosoft.com`  -- For *Restrict-Access-Context*, a value of a single directory ID, declaring which tenant is setting the Tenant Restrictions. For example, to declare Contoso as the tenant that set the Tenant Restrictions policy, the name/value pair looks like: `Restrict-Access-Context: 456ff232-35l2-5h23-b3b3-3236w0826f3d`   +The headers should include the following elements: + +- For *Restrict-Access-To-Tenants*, use a value of \, which is a comma-separated list of tenants you want to allow users to access. 
Any domain that is registered with a tenant can be used to identify the tenant in this list. For example, to permit access to both Contoso and Fabrikam tenants, the name/value pair looks like: `Restrict-Access-To-Tenants: contoso.onmicrosoft.com,fabrikam.onmicrosoft.com` + +- For *Restrict-Access-Context*, use a value of a single directory ID, declaring which tenant is setting the tenant restrictions. For example, to declare Contoso as the tenant that set the tenant restrictions policy, the name/value pair looks like: `Restrict-Access-Context: 456ff232-35l2-5h23-b3b3-3236w0826f3d`   > [!TIP] -> You can find your directory ID in the [Azure portal](https://portal.azure.com). Sign in as an administrator, select **Azure Active Directory**, then select **Properties**. +> You can find your directory ID in the [Azure Active Directory portal](https://aad.portal.azure.com/). Sign in as an administrator, select **Azure Active Directory**, then select **Properties**. -To prevent users from inserting their own HTTP header with non-approved tenants, the proxy needs to replace the Restrict-Access-To-Tenants header if it is already present in the incoming request.  +To prevent users from inserting their own HTTP header with non-approved tenants, the proxy needs to replace the *Restrict-Access-To-Tenants* header if it is already present in the incoming request. -Clients must be forced to use the proxy for all requests to login.microsoftonline.com, login.microsoft.com, and login.windows.net. For example, if PAC files are used to direct clients to use the proxy, end users should not be able to edit or disable the PAC files. +Clients must be forced to use the proxy for all requests to login.microsoftonline.com, login.microsoft.com, and login.windows.net. For example, if PAC files are used to direct clients to use the proxy, end users shouldn't be able to edit or disable the PAC files. ## The user experience -This section shows the experience for both end users and admins. 
+This section describes the experience for both end users and admins. ### End-user experience -An example user is on the Contoso network, but is trying to access the Fabrikam instance of a shared SaaS application like Outlook online. If Fabrikam is a non-permitted tenant for the Contoso instance, the user sees the following page: - -![Access denied page for users in non-permitted tenants](./media/tenant-restrictions/end-user-denied.png) +An example user is on the Contoso network, but is trying to access the Fabrikam instance of a shared SaaS application like Outlook online. If Fabrikam is a non-permitted tenant for the Contoso instance, the user sees an access denial message, which says you're trying to access a resource that belongs to an organization unapproved by your IT department. ### Admin experience -While configuration of Tenant Restrictions is done on the corporate proxy infrastructure, admins can access the Tenant Restrictions reports in the Azure portal directly. To view the reports, go to the Azure Active Directory Overview page, then look under ‘Other capabilities’. +While configuration of tenant restrictions is done on the corporate proxy infrastructure, admins can access the tenant restrictions reports in the Azure portal directly. To view the reports: + +1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/). The **Azure Active Directory admin center** dashboard appears. + +2. In the left pane, select **Azure Active Directory**. The Azure Active Directory overview page appears. + +3. In the **Other capabilities** heading, select **Tenant restrictions**. -The admin for the tenant specified as the Restricted-Access-Context tenant can use this report to see sign-ins blocked because of the Tenant Restrictions policy, including the identity used and the target directory ID. Sign-ins are included if the tenant setting the restriction is either the user tenant or resource tenant for the sign-in. 
+The admin for the tenant specified as the Restricted-Access-Context tenant can use this report to see sign-ins blocked because of the tenant restrictions policy, including the identity used and the target directory ID. Sign-ins are included if the tenant setting the restriction is either the user tenant or resource tenant for the sign-in. -![Use the Azure portal to view restricted sign-in attempts](./media/tenant-restrictions/portal-report.png) +Like other reports in the Azure portal, you can use filters to specify the scope of your report. You can filter on a specific time interval, user, application, client, or status. If you select the **Columns** button, you can choose to display data with any combination of the following fields: -Like other reports in the Azure portal, you can use filters to specify the scope of your report. You can filter on a specific user, application, client, or time interval. +- **User** +- **Application** +- **Status** +- **Date** +- **Date (UTC)** (where UTC is Coordinated Universal Time) +- **MFA Auth Method** (multifactor authentication method) +- **MFA Auth Detail** (multifactor authentication detail) +- **MFA Result** +- **IP Address** +- **Client** +- **Username** +- **Location** +- **Target tenant ID** ## Office 365 support -Office 365 applications must meet two criteria to fully support Tenant Restrictions: +Office 365 applications must meet two criteria to fully support tenant restrictions: -1. The client used supports modern authentication +1. The client used supports modern authentication. 2. Modern authentication is enabled as the default authentication protocol for the cloud service. -Refer to [Updated Office 365 modern authentication](https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/) for the latest information on which Office clients currently support modern authentication. 
That page also includes links to instructions for enabling modern authentication on specific Exchange Online and Skype for Business Online tenants. Modern authentication is already enabled by default in SharePoint Online. +Refer to [Updated Office 365 modern authentication](https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/) for the latest information on which Office clients currently support modern authentication. That page also includes links to instructions for enabling modern authentication on specific Exchange Online and Skype for Business Online tenants. SharePoint Online already enables Modern authentication by default. -Tenant Restrictions is currently supported by Office 365 browser-based applications (the Office Portal, Yammer, SharePoint sites, Outlook on the Web, etc.). For thick clients (Outlook, Skype for Business, Word, Excel, PowerPoint, etc.) Tenant Restrictions can only be enforced when modern authentication is used. +Office 365 browser-based applications (the Office Portal, Yammer, SharePoint sites, Outlook on the Web, and more) currently support tenant restrictions. Thick clients (Outlook, Skype for Business, Word, Excel, PowerPoint, and more) can enforce tenant restrictions only when using modern authentication. -Outlook and Skype for Business clients that support modern authentication may still able to use legacy protocols against tenants where modern authentication is not enabled, effectively bypassing Tenant Restrictions. Applications that use legacy protocols may be blocked by Tenant Restrictions if they contact login.microsoftonline.com, login.microsoft.com, or login.windows.net during authentication. +Outlook and Skype for Business clients that support modern authentication may still able to use legacy protocols against tenants where modern authentication isn't enabled, effectively bypassing tenant restrictions. 
Tenant restrictions may block applications that use legacy protocols if they contact login.microsoftonline.com, login.microsoft.com, or login.windows.net during authentication. For Outlook on Windows, customers may choose to implement restrictions preventing end users from adding non-approved mail accounts to their profiles. For example, see the [Prevent adding non-default Exchange accounts](https://gpsearch.azurewebsites.net/default.aspx?ref=1) group policy setting. ## Testing -If you want to try out Tenant Restrictions before implementing it for your whole organization, there are two options: a host-based approach using a tool like Fiddler, or a staged rollout of proxy settings. +If you want to try out tenant restrictions before implementing it for your whole organization, you have two options: a host-based approach using a tool like Fiddler, or a staged rollout of proxy settings. ### Fiddler for a host-based approach -Fiddler is a free web debugging proxy that can be used to capture and modify HTTP/HTTPS traffic, including inserting HTTP headers. To configure Fiddler to test Tenant Restrictions, perform the following steps: +Fiddler is a free web debugging proxy that can be used to capture and modify HTTP/HTTPS traffic, including inserting HTTP headers. To configure Fiddler to test tenant restrictions, perform the following steps: -1. [Download and install Fiddler](https://www.telerik.com/fiddler). -2. Configure Fiddler to decrypt HTTPS traffic, per [Fiddler’s help documentation](https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS). -3. Configure Fiddler to insert the *Restrict-Access-To-Tenants* and *Restrict-Access-Context* headers using custom rules: - 1. In the Fiddler Web Debugger tool, select the **Rules** menu and select **Customize Rules…** to open the CustomRules file. - 2. Add the following lines at the beginning of the *OnBeforeRequest* function. 
Replace \ with a domain registered with your tenant, for example, contoso.onmicrosoft.com. Replace \ with your tenant's Azure AD GUID identifier. +1. [Download and install Fiddler](https://www.telerik.com/fiddler). - ``` - if (oSession.HostnameIs("login.microsoftonline.com") || oSession.HostnameIs("login.microsoft.com") || oSession.HostnameIs("login.windows.net")){ oSession.oRequest["Restrict-Access-To-Tenants"] = ""; oSession.oRequest["Restrict-Access-Context"] = "";} - ``` +2. Configure Fiddler to decrypt HTTPS traffic, per [Fiddler’s help documentation](https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS). - If you need to allow multiple tenants, use a comma to separate the tenant names. For example: +3. Configure Fiddler to insert the *Restrict-Access-To-Tenants* and *Restrict-Access-Context* headers using custom rules: - ``` - oSession.oRequest["Restrict-Access-To-Tenants"] = "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com"; - ``` + 1. In the Fiddler Web Debugger tool, select the **Rules** menu and select **Customize Rules…** to open the CustomRules file. + + 2. Add the following lines at the beginning of the `OnBeforeRequest` function. Replace \ with a domain registered with your tenant (for example, `contoso.onmicrosoft.com`). Replace \ with your tenant's Azure AD GUID identifier. + + ```JScript.NET + if ( + oSession.HostnameIs("login.microsoftonline.com") || + oSession.HostnameIs("login.microsoft.com") || + oSession.HostnameIs("login.windows.net") + ) + { + oSession.oRequest["Restrict-Access-To-Tenants"] = ""; + oSession.oRequest["Restrict-Access-Context"] = ""; + } + ``` + + If you need to allow multiple tenants, use a comma to separate the tenant names. For example: + + `oSession.oRequest["Restrict-Access-To-Tenants"] = "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com";` 4. Save and close the CustomRules file. 
@@ -146,13 +174,12 @@ After you configure Fiddler, you can capture traffic by going to the **File** me Depending on the capabilities of your proxy infrastructure, you may be able to stage the rollout of settings to your users. Here are a couple high-level options for consideration: -1. Use PAC files to point test users to a test proxy infrastructure, while normal users continue to use the production proxy infrastructure. -2. Some proxy servers may support different configurations using groups. +1. Use PAC files to point test users to a test proxy infrastructure, while normal users continue to use the production proxy infrastructure. +2. Some proxy servers may support different configurations using groups. -Refer to your proxy server documentation for specific details. +For specific details, refer to your proxy server documentation. ## Next steps - Read about [Updated Office 365 modern authentication](https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/) - - Review the [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) diff --git a/articles/active-directory/manage-apps/toc.yml b/articles/active-directory/manage-apps/toc.yml index 07b98e3b0b427..9aa5a84d52a00 100644 --- a/articles/active-directory/manage-apps/toc.yml +++ b/articles/active-directory/manage-apps/toc.yml @@ -269,6 +269,10 @@ href: application-sign-in-problem-federated-sso-gallery.md - name: Problem with custom-developed app href: application-sign-in-problem-custom-dev.md + - name: Reference + items: + - name: Application Proxy version history + href: application-proxy-release-version-history.md - name: Resources items: - name: Azure AD deployment plans diff --git a/articles/active-directory/manage-apps/use-scim-to-provision-users-and-groups.md b/articles/active-directory/manage-apps/use-scim-to-provision-users-and-groups.md index 00ef35353cd19..138407df4f2c2 100644 
--- a/articles/active-directory/manage-apps/use-scim-to-provision-users-and-groups.md
+++ b/articles/active-directory/manage-apps/use-scim-to-provision-users-and-groups.md
@@ -12,7 +12,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 2/22/2018
+ms.date: 4/03/2019
 ms.author: celested
 ms.reviewer: asmalser
 ms.custom: aaddev;it-pro;seohack1
@@ -28,7 +28,7 @@ SCIM is standardized protocol and schema that aims to drive greater consistency Many of the applications for which Azure AD supports [pre-integrated automatic user provisioning](../saas-apps/tutorial-list.md) implement SCIM as the means to receive user change notifications. In addition to these, customers can connect applications that support a specific profile of the [SCIM 2.0 protocol specification](https://tools.ietf.org/html/rfc7644) using the generic "non-gallery" integration option in the Azure portal. -The main focus of this document is on the profile of SCIM 2.0 that Azure AD implements as part of its generic SCIM connector for non-gallery apps. However, successful testing of an application that supports SCIM with the generic Azure AD connector is a step to getting an app listed in the Azure AD gallery as supporting user provisioning. For more information on getting your application listed in the Azure AD application gallery, see the [Microsoft Application Network](https://microsoft.sharepoint.com/teams/apponboarding/Apps/SitePages/Default.aspx). +The main focus of this article is on the profile of SCIM 2.0 that Azure AD implements as part of its generic SCIM connector for non-gallery apps. However, successful testing of an application that supports SCIM with the generic Azure AD connector is a step to getting an app listed in the Azure AD gallery as supporting user provisioning. For more information on getting your application listed in the Azure AD application gallery, see the [Microsoft Application Network](https://microsoft.sharepoint.com/teams/apponboarding/Apps/SitePages/Default.aspx). >[!IMPORTANT] 
@@ -41,87 +41,90 @@ This article is split into four sections: * **[Provisioning users and groups to third-party applications that support SCIM 2.0](#provisioning-users-and-groups-to-applications-that-support-scim)** - If your organization is using a third-party application that implements the profile of SCIM 2.0 that Azure AD supports, you can start automating both provisioning and de-provisioning of users and groups today. -* **[Understanding the Azure AD SCIM implementation](#understanding-the-azure-ad-scim-implementation)** - If you are building an application that supports a SCIM 2.0 user management API, this section describes in detail how the Azure AD SCIM client is implemented, and how you should model your SCIM protocol request handling and responses. +* **[Understanding the Azure AD SCIM implementation](#understanding-the-azure-ad-scim-implementation)** - If you're building an application that supports a SCIM 2.0 user management API, this section describes in detail how the Azure AD SCIM client is implemented, and how you should model your SCIM protocol request handling and responses. -* **[Building a SCIM endpoint using Microsoft CLI libraries](#building-a-scim-endpoint-using-microsoft-cli-libraries)** - To help you develop a SCIM endpoint, there are Common Language Infrastructure (CLI) libraries along with code samples that show you how to do provide a SCIM endpoint and translate SCIM messages. +* **[Building a SCIM endpoint using Microsoft CLI libraries](#building-a-scim-endpoint-using-microsoft-cli-libraries)** - Common Language Infrastructure (CLI) libraries along with code samples show you how to develop a SCIM endpoint and translate SCIM messages. * **[User and group schema reference](#user-and-group-schema-reference)** - Describes the user and group schema supported by the Azure AD SCIM implementation for non-gallery apps. 
## Provisioning users and groups to applications that support SCIM -Azure AD can be configured to automatically provision assigned users and groups to applications that implement a specific profile of the [SCIM 2.0 protocol](https://tools.ietf.org/html/rfc7644). The specifics of the profile are documented in Understanding the Azure AD SCIM implementation. +Azure AD can be configured to automatically provision assigned users and groups to applications that implement a specific profile of the [SCIM 2.0 protocol](https://tools.ietf.org/html/rfc7644). The specifics of the profile are documented in [Understanding the Azure AD SCIM implementation](#understanding-the-azure-ad-scim-implementation). Check with your application provider, or your application provider's documentation for statements of compatibility with these requirements. >[!IMPORTANT] ->The Azure AD SCIM implementation is built on top of the Azure AD user provisioning service, which is designed to perpetually keep users in sync between Azure AD and the target application, and implements a very specific set of standard operations. it is important to understand these behaviors in order to understand the behavior of the Azure AD SCIM client. For more information, see [What happens during user provisioning?](user-provisioning.md#what-happens-during-provisioning). +>The Azure AD SCIM implementation is built on top of the Azure AD user provisioning service, which is designed to constantly keep users in sync between Azure AD and the target application, and implements a very specific set of standard operations. It's important to understand these behaviors to understand the behavior of the Azure AD SCIM client. For more information, see [What happens during user provisioning?](user-provisioning.md#what-happens-during-provisioning). 
### Getting started Applications that support the SCIM profile described in this article can be connected to Azure Active Directory using the "non-gallery application" feature in the Azure AD application gallery. Once connected, Azure AD runs a synchronization process every 40 minutes where it queries the application's SCIM endpoint for assigned users and groups, and creates or modifies them according to the assignment details. **To connect an application that supports SCIM:** -1. Sign in to [the Azure portal](https://portal.azure.com). -2. Browse to **Azure Active Directory > Enterprise Applications**, and select **New application > All > Non-gallery application**. -3. Enter a name for your application, and click **Add** icon to create an app object. +1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com). + +1. Select **Enterprise applications** from the left pane. A list of all configured apps is shown, including apps that were added from the gallery. + +1. Select **+ New application** > **All** > **Non-gallery application**. + +1. Enter a name for your application, and select **Add** to create an app object. The new app is added to the list of enterprise applications and opens to its app management screen. ![][1] *Figure 2: Azure AD application gallery* -4. In the resulting screen, select the **Provisioning** tab in the left column. -5. In the **Provisioning Mode** menu, select **Automatic**. +1. In the app management screen, select **Provisioning** in the left panel. +1. In the **Provisioning Mode** menu, select **Automatic**. ![][2] *Figure 3: Configuring provisioning in the Azure portal* -6. In the **Tenant URL** field, enter the URL of the application's SCIM endpoint. Example: https://api.contoso.com/scim/v2/ -7. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field. 
If this field is left blank, then Azure AD includes an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD-issued token. -8. Click the **Test Connection** button to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempts fail, error information is displayed. +1. In the **Tenant URL** field, enter the URL of the application's SCIM endpoint. Example: https://api.contoso.com/scim/v2/ +1. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field. If this field is left blank, Azure AD includes an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD-issued token. +1. Select **Test Connection** to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempt fails, error information is displayed. >[!NOTE] >**Test Connection** queries the SCIM endpoint for a user that doesn't exist, using a random GUID as the matching property selected in the Azure AD configuration. The expected correct response is HTTP 200 OK with an empty SCIM ListResponse message. -9. If the attempts to connect to the application succeed, then click **Save** to save the admin credentials. -10. In the **Mappings** section, there are two selectable sets of attribute mappings: one for user objects and one for group objects. Select each one to review the attributes that are synchronized from Azure Active Directory to your app. The attributes selected as **Matching** properties are used to match the users and groups in your app for update operations. Select the Save button to commit any changes. +1. If the attempts to connect to the application succeed, then select **Save** to save the admin credentials. +1. 
In the **Mappings** section, there are two selectable sets of attribute mappings: one for user objects and one for group objects. Select each one to review the attributes that are synchronized from Azure Active Directory to your app. The attributes selected as **Matching** properties are used to match the users and groups in your app for update operations. Select **Save** to commit any changes. >[!NOTE] >You can optionally disable syncing of group objects by disabling the "groups" mapping. -11. Under **Settings**, the **Scope** field defines which users and groups are synchronized. Selecting "Sync only assigned users and groups" (recommended) will only sync users and groups assigned in the **Users and groups** tab. -12. Once your configuration is complete, change the **Provisioning Status** to **On**. -13. Click **Save** to start the Azure AD provisioning service. -14. If syncing only assigned users and groups (recommended), be sure to select the **Users and groups** tab and assign the users and/or groups you wish to sync. +1. Under **Settings**, the **Scope** field defines which users and groups are synchronized. Select **Sync only assigned users and groups** (recommended) to only sync users and groups assigned in the **Users and groups** tab. +1. Once your configuration is complete, set the **Provisioning Status** to **On**. +1. Select **Save** to start the Azure AD provisioning service. +1. If syncing only assigned users and groups (recommended), be sure to select the **Users and groups** tab and assign the users or groups you want to sync. -Once the initial synchronization has started, you can use the **Audit logs** tab to monitor progress, which shows all actions performed by the provisioning service on your app. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](check-status-user-account-provisioning.md). 
+Once the initial synchronization has started, you can select **Audit logs** in the left panel to monitor progress, which shows all actions done by the provisioning service on your app. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](check-status-user-account-provisioning.md). > [!NOTE] -> The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. - +> The initial sync takes longer to perform than later syncs, which occur approximately every 40 minutes as long as the service is running. ## Understanding the Azure AD SCIM implementation -If you are building an application that supports a SCIM 2.0 user management API, this section describes in detail how the Azure AD SCIM client is implemented, and how you should model your SCIM protocol request handling and responses. Once you have implemented your SCIM endpoint, you can test it by following the procedure described in the previous section. +If you're building an application that supports a SCIM 2.0 user management API, this section describes in detail how the Azure AD SCIM client is implemented, and how you should model your SCIM protocol request handling and responses. Once you've implemented your SCIM endpoint, you can test it by following the procedure described in the previous section. Within the [SCIM 2.0 protocol specification](http://www.simplecloud.info/#Specification), your application must meet these requirements: * Supports creating users, and optionally also groups, as per section [3.3 of the SCIM protocol](https://tools.ietf.org/html/rfc7644#section-3.3). -* Supports modifying users and/or groups with PATCH requests as per [section 3.5.2 of the SCIM protocol](https://tools.ietf.org/html/rfc7644#section-3.5.2). 
+* Supports modifying users or groups with PATCH requests, as per [section 3.5.2 of the SCIM protocol](https://tools.ietf.org/html/rfc7644#section-3.5.2). * Supports retrieving a known resource for a user or group created earlier, as per [section 3.4.1 of the SCIM protocol](https://tools.ietf.org/html/rfc7644#section-3.4.1). -* Supports querying users and/or groups, as per section [3.4.2 of the SCIM protocol](https://tools.ietf.org/html/rfc7644#section-3.4.2). By default, users are retrieved by their `id` and queried by their `username` and `externalid`, and groups are queried by `displayName`. -* Supports querying user by ID and by manager as per section 3.4.2 of the SCIM protocol. -* Supports querying groups by ID and by member as per section 3.4.2 of the SCIM protocol. +* Supports querying users or groups, as per section [3.4.2 of the SCIM protocol](https://tools.ietf.org/html/rfc7644#section-3.4.2). By default, users are retrieved by their `id` and queried by their `username` and `externalid`, and groups are queried by `displayName`. +* Supports querying user by ID and by manager, as per section 3.4.2 of the SCIM protocol. +* Supports querying groups by ID and by member, as per section 3.4.2 of the SCIM protocol. * Accepts a single bearer token for authentication and authorization of Azure AD to your application. -In addition, follow these general guidelines when implementing a SCIM endpoint to ensure compatibility with Azure AD: +Follow these general guidelines when implementing a SCIM endpoint to ensure compatibility with Azure AD: -* `id` is a required property for all the resources; every response that returns a resource should ensure each resource has this property, except for `ListResponse` with zero members. +* `id` is a required property for all the resources. Every response that returns a resource should ensure each resource has this property, except for `ListResponse` with zero members. 
* Response to a query/filter request should always be a `ListResponse`. * Groups are optional, but only supported if the SCIM implementation supports PATCH requests. -* It is not necessary to include the entire resource in the PATCH response. -* Microsoft Azure AD only uses the following operators +* It isn't necessary to include the entire resource in the PATCH response. +* Microsoft Azure AD only uses the following operators: - `eq` - `and` -* Do not require a case-sensitive match on structural elements in SCIM, in particular PATCH `op` operation values, as defined in https://tools.ietf.org/html/rfc7644#section-3.5.2. Azure AD emits the values of 'op' as `Add`, `Replace`, and `Remove`. -* Microsoft Azure AD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It is also done as a part of **Test Connection** flow in the [Azure portal](https://portal.azure.com). +* Don't require a case-sensitive match on structural elements in SCIM, in particular PATCH `op` operation values, as defined in https://tools.ietf.org/html/rfc7644#section-3.5.2. Azure AD emits the values of 'op' as `Add`, `Replace`, and `Remove`. +* Microsoft Azure AD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of **Test Connection** flow in the [Azure portal](https://portal.azure.com). * The attribute that the resources can be queried on should be set as a matching attribute on the application in the [Azure portal](https://portal.azure.com). For more information, see [Customizing User Provisioning Attribute Mappings](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-customizing-attribute-mappings) ### User provisioning and de-provisioning 
@@ -131,16 +134,16 @@ The following illustration shows the messages that Azure Active Directory sends *Figure 4: User provisioning and de-provisioning sequence* ### Group provisioning and de-provisioning -Group provisioning and de-provisioning are optional. When implemented and enabled, the following illustration shows the messages that Azure AD sends to a SCIM service to manage the lifecycle of a group in your application's identity store. Those messages differ from the messages pertaining to users in two ways: +Group provisioning and de-provisioning are optional. When implemented and enabled, the following illustration shows the messages that Azure AD sends to a SCIM service to manage the lifecycle of a group in your application's identity store. Those messages differ from the messages about users in two ways: -* Requests to retrieve groups stipulate that the members attribute is to be excluded from any resource provided in response to the request. +* Requests to retrieve groups specify that the members attribute is to be excluded from any resource provided in response to the request. * Requests to determine whether a reference attribute has a certain value are requests about the members attribute. ![][5] *Figure 5: Group provisioning and de-provisioning sequence* ### SCIM protocol requests and responses -This section provides example SCIM requests emitted by the Azure AD SCIM client, as well as example expected responses. For best results, you should code your app to handle these requests in this format and emit the expected responses. +This section provides example SCIM requests emitted by the Azure AD SCIM client and example expected responses. For best results, you should code your app to handle these requests in this format and emit the expected responses. 
>[!IMPORTANT] >To understand how and when the Azure AD user provisioning service emits the operations described below, see [What happens during user provisioning?](user-provisioning.md#what-happens-during-provisioning). @@ -443,8 +446,8 @@ This section provides example SCIM requests emitted by the Azure AD SCIM client, * Groups shall always be created with an empty members list. * Groups can be queried by the `displayName` attribute. -* Update to the group PATCH request should yield an *HTTP 204 No Content* in the response. Returning a body with a list of all the members is not advisable. -* It is not necessary to support returning all the members of the group. +* Update to the group PATCH request should yield an *HTTP 204 No Content* in the response. Returning a body with a list of all the members isn't advisable. +* It isn't necessary to support returning all the members of the group. #### Create Group 
@@ -603,19 +606,19 @@ By creating a SCIM web service that interfaces with Azure Active Directory, you Here’s how it works: -1. Azure AD provides a common language infrastructure (CLI) library named Microsoft.SystemForCrossDomainIdentityManagement, included with the code samples describe below. System integrators and developers can use this library to create and deploy a SCIM-based web service endpoint capable of connecting Azure AD to any application’s identity store. +1. Azure AD provides a common language infrastructure (CLI) library named Microsoft.SystemForCrossDomainIdentityManagement, included with the code samples describe below. System integrators and developers can use this library to create and deploy a SCIM-based web service endpoint that can connect Azure AD to any application’s identity store. 2. Mappings are implemented in the web service to map the standardized user schema to the user schema and protocol required by the application. 3. The endpoint URL is registered in Azure AD as part of a custom application in the application gallery. -4. Users and groups are assigned to this application in Azure AD. Upon assignment, they are put into a queue to be synchronized to the target application. The synchronization process handling the queue runs every 40 minutes. +4. Users and groups are assigned to this application in Azure AD. Upon assignment, they're put into a queue to be synchronized to the target application. The synchronization process handling the queue runs every 40 minutes. ### Code Samples -To make this process easier, [code samples](https://github.com/Azure/AzureAD-BYOA-Provisioning-Samples/tree/master) are provided that create a SCIM web service endpoint and demonstrate automatic provisioning. The sample is of a provider that maintains a file with rows of comma-separated values representing users and groups. 
+To make this process easier, [code samples](https://github.com/Azure/AzureAD-BYOA-Provisioning-Samples/tree/master) are provided, which create a SCIM web service endpoint and demonstrate automatic provisioning. The sample is of a provider that maintains a file with rows of comma-separated values representing users and groups. **Prerequisites** * Visual Studio 2013 or later * [Azure SDK for .NET](https://azure.microsoft.com/downloads/) -* Windows machine that supports the ASP.NET framework 4.5 to be used as the SCIM endpoint. This machine must be accessible from the cloud +* Windows machine that supports the ASP.NET framework 4.5 to be used as the SCIM endpoint. This machine must be accessible from the cloud. * [An Azure subscription with a trial or licensed version of Azure AD Premium](https://azure.microsoft.com/services/active-directory/) ### Getting Started 
@@ -624,65 +627,78 @@ The easiest way to implement a SCIM endpoint that can accept provisioning reques #### To create a sample SCIM endpoint 1. Download the code sample package at [https://github.com/Azure/AzureAD-BYOA-Provisioning-Samples/tree/master](https://github.com/Azure/AzureAD-BYOA-Provisioning-Samples/tree/master) -2. Unzip the package and place it on your Windows machine at a location such as C:\AzureAD-BYOA-Provisioning-Samples\. -3. In this folder, launch the FileProvisioning\Host\FileProvisioningService.csproj project in Visual Studio. -4. Select **Tools > NuGet Package Manager > Package Manager Console**, and execute the following commands for the FileProvisioningService project to resolve the solution references: +1. Unzip the package and place it on your Windows machine at a location such as C:\AzureAD-BYOA-Provisioning-Samples\. +1. In this folder, launch the FileProvisioning\Host\FileProvisioningService.csproj project in Visual Studio. +1. Select **Tools** > **NuGet Package Manager** > **Package Manager Console**, and execute the following commands for the FileProvisioningService project to resolve the solution references: ``` Update-Package -Reinstall ``` -5. Build the FileProvisioningService project. -6. Launch the Command Prompt application in Windows (as an Administrator), and use the **cd** command to change the directory to your **\AzureAD-BYOA-Provisioning-Samples\FileProvisioning\Host\bin\Debug** folder. -7. Run the following command, replacing `` with the IP address or domain name of the Windows machine: +1. Build the FileProvisioningService project. +1. Launch the Command Prompt application in Windows (as an Administrator), and use the **cd** command to change the directory to your **\AzureAD-BYOA-Provisioning-Samples\FileProvisioning\Host\bin\Debug** folder. +1. Run the following command, replacing `` with the IP address or domain name of the Windows machine: ``` FileSvc.exe http://:9000 TargetFile.csv ``` -8. 
In Windows under **Windows Settings > Network & Internet Settings**, select the **Windows Firewall > Advanced Settings**, and create an **Inbound Rule** that allows inbound access to port 9000. -9. If the Windows machine is behind a router, the router needs to be configured to perform Network Access Translation between its port 9000 that is exposed to the internet, and port 9000 on the Windows machine. This configuration is required for Azure AD to be able to access this endpoint in the cloud. +1. In Windows under **Windows Settings** > **Network & Internet Settings**, select the **Windows Firewall** > **Advanced Settings**, and create an **Inbound Rule** that allows inbound access to port 9000. +1. If the Windows machine is behind a router, the router needs to be configured to run Network Access Translation between its port 9000 that is exposed to the internet, and port 9000 on the Windows machine. This configuration is required for Azure AD to access this endpoint in the cloud. #### To register the sample SCIM endpoint in Azure AD -1. Sign in to [the Azure portal](https://portal.azure.com). -2. Browse to **Azure Active Directory > Enterprise Applications**, and select **New application > All > Non-gallery application**. -3. Enter a name for your application, and click **Add** icon to create an app object. The application object created is intended to represent the target app you would be provisioning to and implementing single sign-on for, and not just the SCIM endpoint. -4. In the resulting screen, select the **Provisioning** tab in the left column. -5. In the **Provisioning Mode** menu, select **Automatic**. +1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com). + +1. Select **Enterprise applications** from the left pane. A list of all configured apps is shown, including apps that were added from the gallery. + +1. Select **+ New application** > **All** > **Non-gallery application**. + +1. 
Enter a name for your application, and select **Add** to create an app object. The application object created is intended to represent the target app you would be provisioning to and implementing single sign-on for, and not just the SCIM endpoint. + +1. In the app management screen, select **Provisioning** in the left panel. + +1. In the **Provisioning Mode** menu, select **Automatic**. ![][2] *Figure 6: Configuring provisioning in the Azure portal* -6. In the **Tenant URL** field, enter the internet-exposed URL and port of your SCIM endpoint. The entry is something like http://testmachine.contoso.com:9000 or http://\:9000/, where \ is the internet exposed IP address. -7. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field. If this field is left blank, then Azure AD will include an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD -issued token. -8. Click the **Test Connection** button to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempts fail, error information is displayed. +1. In the **Tenant URL** field, enter the internet-exposed URL and port of your SCIM endpoint. The entry is something like http://testmachine.contoso.com:9000 or http://\:9000/, where \ is the internet exposed IP address. + +1. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field. If this field is left blank, Azure AD will include an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD -issued token. + +1. Select **Test Connection** to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempt fails, error information is displayed. 
>[!NOTE] >**Test Connection** queries the SCIM endpoint for a user that doesn't exist, using a random GUID as the matching property selected in the Azure AD configuration. The expected correct response is HTTP 200 OK with an empty SCIM ListResponse message -9. If the attempts to connect to the application succeed, then click **Save** to save the admin credentials. -10. In the **Mappings** section, there are two selectable sets of attribute mappings: one for user objects and one for group objects. Select each one to review the attributes that are synchronized from Azure Active Directory to your app. The attributes selected as **Matching** properties are used to match the users and groups in your app for update operations. Select the Save button to commit any changes. -11. Under **Settings**, the **Scope** field defines which users and or groups are synchronized. Selecting "Sync only assigned users and groups" (recommended) will only sync users and groups assigned in the **Users and groups** tab. -12. Once your configuration is complete, change the **Provisioning Status** to **On**. -13. Click **Save** to start the Azure AD provisioning service. -14. If syncing only assigned users and groups (recommended), be sure to select the **Users and groups** tab and assign the users and/or groups you wish to sync. +1. If the attempts to connect to the application succeed, then select **Save** to save the admin credentials. + +1. In the **Mappings** section, there are two selectable sets of attribute mappings: one for user objects and one for group objects. Select each one to review the attributes that are synchronized from Azure Active Directory to your app. The attributes selected as **Matching** properties are used to match the users and groups in your app for update operations. Select **Save** to commit any changes. + +1. Under **Settings**, the **Scope** field defines which users and or groups are synchronized. 
Select **"Sync only assigned users and groups** (recommended) to only sync users and groups assigned in the **Users and groups** tab. + +1. Once your configuration is complete, set the **Provisioning Status** to **On**. + +1. Select **Save** to start the Azure AD provisioning service. + +1. If syncing only assigned users and groups (recommended), be sure to select the **Users and groups** tab and assign the users or groups you want to sync. -Once the initial synchronization has started, you can use the **Audit logs** tab to monitor progress, which shows all actions performed by the provisioning service on your app. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](check-status-user-account-provisioning.md). +Once the initial synchronization has started, you can select **Audit logs** in the left panel to monitor progress, which shows all actions done by the provisioning service on your app. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](check-status-user-account-provisioning.md). The final step in verifying the sample is to open the TargetFile.csv file in the \AzureAD-BYOA-Provisioning-Samples\ProvisioningAgent\bin\Debug folder on your Windows machine. Once the provisioning process is run, this file shows the details of all assigned and provisioned users and groups. ### Development libraries To develop your own web service that conforms to the SCIM specification, first familiarize yourself with the following libraries provided by Microsoft to help accelerate the development process: -1. Common Language Infrastructure (CLI) libraries are offered for use with languages based on that infrastructure, such as C#. One of those libraries, Microsoft.SystemForCrossDomainIdentityManagement.Service, declares an interface, Microsoft.SystemForCrossDomainIdentityManagement.IProvider, shown in the following illustration. 
A developer using the libraries would implement that interface with a class that may be referred to, generically, as a provider. The libraries enable the developer to deploy a web service that conforms to the SCIM specification. The web service can be either hosted within Internet Information Services, or any executable CLI assembly. Request is translated into calls to the provider’s methods, which would be programmed by the developer to operate on some identity store. +- Common Language Infrastructure (CLI) libraries are offered for use with languages based on that infrastructure, such as C#. One of those libraries, Microsoft.SystemForCrossDomainIdentityManagement.Service, declares an interface, Microsoft.SystemForCrossDomainIdentityManagement.IProvider, shown in the following illustration. A developer using the libraries would implement that interface with a class that may be referred to, generically, as a provider. The libraries let the developer deploy a web service that conforms to the SCIM specification. The web service can be either hosted within Internet Information Services, or any executable CLI assembly. Request is translated into calls to the provider’s methods, which would be programmed by the developer to operate on some identity store. ![][3] -2. [Express route handlers](https://expressjs.com/guide/routing.html) are available for parsing node.js request objects representing calls (as defined by the SCIM specification), made to a node.js web service. +- [Express route handlers](https://expressjs.com/guide/routing.html) are available for parsing node.js request objects representing calls (as defined by the SCIM specification), made to a node.js web service. ### Building a Custom SCIM Endpoint -Using the CLI libraries, developers using those libraries can host their services within any executable CLI assembly, or within Internet Information Services. 
Here is sample code for hosting a service within an executable assembly, at the address http://localhost:9000: +Developers using the CLI libraries can host their services within any executable CLI assembly, or within Internet Information Services. Here is sample code for hosting a service within an executable assembly, at the address http://localhost:9000: private static void Main(string[] arguments) { 
@@ -802,7 +818,7 @@ To host the service within Internet Information Services, a developer would buil } ### Handling endpoint authentication -Requests from Azure Active Directory include an OAuth 2.0 bearer token. Any service receiving the request should authenticate the issuer as being Azure Active Directory on behalf of the expected Azure Active Directory tenant, for access to the Azure Active Directory Graph web service. In the token, the issuer is identified by an iss claim, like, "iss":"https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/". In this example, the base address of the claim value, https://sts.windows.net, identifies Azure Active Directory as the issuer, while the relative address segment, cbb1a5ac-f33b-45fa-9bf5-f37db0fed422, is a unique identifier of the Azure Active Directory tenant on behalf of which the token was issued. If the token was issued for accessing the Azure Active Directory Graph web service, then the identifier of that service, 00000002-0000-0000-c000-000000000000, should be in the value of the token’s aud claim. Note that each of the applications that are registered in a single tenant may receive the same `iss` claim with SCIM requests. +Requests from Azure Active Directory include an OAuth 2.0 bearer token. Any service receiving the request should authenticate the issuer as being Azure Active Directory for the expected Azure Active Directory tenant, for access to the Azure Active Directory Graph web service. In the token, the issuer is identified by an iss claim, like "iss":"https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/". In this example, the base address of the claim value, https://sts.windows.net, identifies Azure Active Directory as the issuer, while the relative address segment, cbb1a5ac-f33b-45fa-9bf5-f37db0fed422, is a unique identifier of the Azure Active Directory tenant for which the token was issued. 
If the token was issued for accessing the Azure Active Directory Graph web service, then the identifier of that service, 00000002-0000-0000-c000-000000000000, should be in the value of the token’s aud claim. Each of the applications that are registered in a single tenant may receive the same `iss` claim with SCIM requests. Developers using the CLI libraries provided by Microsoft for building a SCIM service can authenticate requests from Azure Active Directory using the Microsoft.Owin.Security.ActiveDirectory package by following these steps: @@ -824,7 +840,7 @@ Developers using the CLI libraries provided by Microsoft for building a SCIM ser } ``` -2. Add the following code to that method to have any request to any of the service’s endpoints authenticated as bearing a token issued by Azure Active Directory on behalf of a specified tenant, for access to the Azure AD Graph web service: +2. Add the following code to that method to have any request to any of the service’s endpoints authenticated as bearing a token issued by Azure Active Directory for a specified tenant, for access to the Azure AD Graph web service: ``` private void OnServiceStartup( 
@@ -862,7 +878,7 @@ Developers using the CLI libraries provided by Microsoft for building a SCIM ser 1. Azure Active Directory queries the service for a user with an externalId attribute value matching the mailNickname attribute value of a user in Azure AD. The query is expressed as a Hypertext Transfer Protocol (HTTP) request such as this example, wherein jyoung is a sample of a mailNickname of a user in Azure Active Directory. >[!NOTE] - > This is an example only. Not all users will have a mailNickname attribute, and the value a user has may not be unique in the directory. Furthermore, the attribute used for matching (which in this case is externalId) is configurable in the [Azure AD attribute mappings](customize-application-attributes.md). + > This is an example only. Not all users will have a mailNickname attribute, and the value a user has may not be unique in the directory. Also, the attribute used for matching (which in this case is externalId) is configurable in the [Azure AD attribute mappings](customize-application-attributes.md). ```` GET https://.../scim/Users?filter=externalId eq jyoung HTTP/1.1 
@@ -963,7 +979,7 @@ Developers using the CLI libraries provided by Microsoft for building a SCIM ser * parameters.AlternateFilter.ElementAt(0).ComparisonValue: "jyoung" * correlationIdentifier: System.Net.Http.HttpRequestMessage.GetOwinEnvironment["owin.RequestId"] -2. If the response to a query to the web service for a user with an externalId attribute value that matches the mailNickname attribute value of a user does not return any users, then Azure Active Directory requests that the service provision a user corresponding to the one in Azure Active Directory. Here is an example of such a request: +2. If the response to a query to the web service for a user with an externalId attribute value that matches the mailNickname attribute value of a user doesn't return any users, then Azure Active Directory requests that the service provision a user corresponding to the one in Azure Active Directory. Here is an example of such a request: ```` POST https://.../scim/Users HTTP/1.1 
@@ -1045,7 +1061,7 @@ Developers using the CLI libraries provided by Microsoft for building a SCIM ser * Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682" * SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" -4. If a reference attribute is to be updated, then Azure Active Directory queries the service to determine whether or not the current value of the reference attribute in the identity store fronted by the service already matches the value of that attribute in Azure Active Directory. For users, the only attribute of which the current value is queried in this way is the manager attribute. Here is an example of a request to determine whether the manager attribute of a particular user object currently has a certain value: +4. If a reference attribute is to be updated, then Azure Active Directory queries the service to determine whether the current value of the reference attribute in the identity store fronted by the service already matches the value of that attribute in Azure Active Directory. For users, the only attribute of which the current value is queried in this way is the manager attribute. Here is an example of a request to determine whether the manager attribute of a particular user object currently has a certain value: If the service was built using the CLI libraries provided by Microsoft for implementing SCIM services, then the request is translated into a call to the Query method of the service’s provider. The value of the properties of the object provided as the value of the parameters argument are as follows: 
@@ -1059,7 +1075,7 @@ Developers using the CLI libraries provided by Microsoft for building a SCIM ser * parameters.RequestedAttributePaths.ElementAt(0): "ID" * parameters.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" - Here, the value of the index x may be 0 and the value of the index y may be 1, or the value of x may be 1 and the value of y may be 0, depending on the order of the expressions of the filter query parameter. + Here, the value of the index x can be 0 and the value of the index y can be 1, or the value of x can be 1 and the value of y can be 0, depending on the order of the expressions of the filter query parameter. 5. Here is an example of a request from Azure Active Directory to an SCIM service to update a user: ```` @@ -1130,7 +1146,7 @@ Developers using the CLI libraries provided by Microsoft for building a SCIM ser * parameters.RequestedAttributePaths.ElementAt(0): "ID" * parameters.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" - Here, the value of the index x may be 0 and the value of the index y may be 1, or the value of x may be 1 and the value of y may be 0, depending on the order of the expressions of the filter query parameter. + Here, the value of the index x can be 0 and the value of the index y can be 1, or the value of x can be 1 and the value of y can be 0, depending on the order of the expressions of the filter query parameter. 1. Here is an example of a request from Azure Active Directory to an SCIM service to update a user: 
@@ -1292,9 +1308,9 @@ Developers using the CLI libraries provided by Microsoft for building a SCIM ser ## User and group schema reference Azure Active Directory can provision two types of resources to SCIM web services. Those types of resources are users and groups. -User resources are identified by the schema identifier, `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`, which is included in this protocol specification: https://tools.ietf.org/html/rfc7643. The default mapping of the attributes of users in Azure Active Directory to the attributes of user resources is provided in table 1 below. +User resources are identified by the schema identifier, `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`, which is included in this protocol specification: https://tools.ietf.org/html/rfc7643. The default mapping of the attributes of users in Azure Active Directory to the attributes of user resources is provided in Table 1. -Group resources are identified by the schema identifier, `urn:ietf:params:scim:schemas:core:2.0:Group`. Table 2 below shows the default mapping of the attributes of groups in Azure Active Directory to the attributes of group resources. +Group resources are identified by the schema identifier, `urn:ietf:params:scim:schemas:core:2.0:Group`. Table 2 shows the default mapping of the attributes of groups in Azure Active Directory to the attributes of group resources. ### Table 1: Default user attribute mapping diff --git a/articles/active-directory/manage-apps/view-applications-portal.md b/articles/active-directory/manage-apps/view-applications-portal.md index cfc0526531513..824c8f7208a40 100644 --- a/articles/active-directory/manage-apps/view-applications-portal.md +++ b/articles/active-directory/manage-apps/view-applications-portal.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: quickstart -ms.date: 07/25/2018 +ms.date: 04/09/2019 ms.author: celested ms.reviewer: arvinh ms.custom: it-pro 
@@ -38,11 +38,11 @@ To find your tenant applications: 1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, select **Azure Active Directory**. -2. In the **Azure Active Directory** pane, select **Enterprise applications**. +1. In the **Azure Active Directory** pane, select **Enterprise applications**. -3. From the **Application Type** drop-down menu, select **All Applications**, and choose **Apply**. A random sample of your tenant applications appears. +1. From the **Application Type** drop-down menu, select **All Applications**, and choose **Apply**. A random sample of your tenant applications appears. -4. To view more applications, select **Load more** at the bottom of the list. Depending on the number of applications in your tenant, it might be easier to [search for a particular application](#search-for-a-tenant-application), instead of scrolling through the list. +1. To view more applications, select **Load more** at the bottom of the list. Depending on the number of applications in your tenant, it might be easier to [search for a particular application](#search-for-a-tenant-application), instead of scrolling through the list. ## Select viewing options 
@@ -50,17 +50,17 @@ Select options according to what you're looking for. 1. You can view the applications by **Application Type**, **Application Status**, and **Application visibility**. -2. Under **Application Type**, choose one of these options: +1. Under **Application Type**, choose one of these options: - **Enterprise Applications** shows non-Microsoft applications. - **Microsoft Applications** shows Microsoft applications. - **All Applications** shows both non-Microsoft and Microsoft applications. -3. Under **Application Status**, choose **Any**, **Disabled**, or **Enabled**. The **Any** option includes both disabled and enabled applications. +1. Under **Application Status**, choose **Any**, **Disabled**, or **Enabled**. The **Any** option includes both disabled and enabled applications. -4. Under **Application Visibility**, choose **Any**, or **Hidden**. The **Hidden** option shows applications that are in the tenant, but aren't visible to users. +1. Under **Application Visibility**, choose **Any**, or **Hidden**. The **Hidden** option shows applications that are in the tenant, but aren't visible to users. -5. After choosing the options you want, select **Apply**. +1. After choosing the options you want, select **Apply**. ## Search for a tenant application 
@@ -69,11 +69,11 @@ To search for a particular application: 1. In the **Application Type** menu, select **All applications**, and choose **Apply**. -2. Enter the name of the application you want to find. If the application has been added to your Azure AD tenant, it appears in the search results. This example shows that GitHub hasn't been added to the tenant applications. +1. Enter the name of the application you want to find. If the application has been added to your Azure AD tenant, it appears in the search results. This example shows that GitHub hasn't been added to the tenant applications. ![Search for an application](media/view-applications-portal/search-for-tenant-application.png) -3. Try entering the first few letters of an application name. This example shows all the applications that start with **Sales**. +1. Try entering the first few letters of an application name. This example shows all the applications that start with **Sales**. ![Search with a prefix](media/view-applications-portal/search-by-prefix.png) diff --git a/articles/active-directory/manage-apps/what-is-single-sign-on.md b/articles/active-directory/manage-apps/what-is-single-sign-on.md index 22961a1230f6f..7e1240ff3ddaa 100644 --- a/articles/active-directory/manage-apps/what-is-single-sign-on.md +++ b/articles/active-directory/manage-apps/what-is-single-sign-on.md 
@@ -16,24 +16,25 @@ ms.collection: M365-identity-device-management --- # Single sign-on to applications in Azure Active Directory + Single sign-on (SSO) adds security and convenience when users sign-on to applications in Azure Active Directory (Azure AD). This article describes the single sign-on methods, and helps you choose the most appropriate SSO method when configuring your applications. -- **With single sign-on**, users sign in once with one account to access domain-joined devices, company resources, software as a service (SaaS) applications, and web applications. After signing in, the user can launch applications from the Office 365 portal or the Azure AD MyApps access panel. Administrators can centralize user account management, and automatically add or remove user access to applications based on group membership. +- **With single sign-on**, users sign in once with one account to access domain-joined devices, company resources, software as a service (SaaS) applications, and web applications. After signing in, the user can launch applications from the Office 365 portal or the Azure AD MyApps access panel. Administrators can centralize user account management, and automatically add or remove user access to applications based on group membership. - **Without single sign-on**, users must remember application-specific passwords and sign in to each application. IT staff needs to create and update user accounts for each application such as Office 365, Box, and Salesforce. Users need to remember their passwords, plus spend the time to sign in to each application. ## Choosing a single sign-on method -There are several ways to configure an application for single sign-on. Choosing a single sign-on method depends on how the application is configured for authentication. +There are several ways to configure an application for single sign-on. Choosing a single sign-on method depends on how the application is configured for authentication. 
- Cloud applications can use OpenID Connect, OAuth, SAML, password-based, linked, or disabled methods for single sign-on. - On-premises applications can use password-based, Integrated Windows Authentication, header-based, linked, or disabled methods for single sign-on. The on-premises choices work when applications are configured for Application Proxy. -This flowchart helps you decide which single sign-on method is best for your situation. +This flowchart helps you decide which single sign-on method is best for your situation. -![Choose single sign-on method](./media/what-is-single-sign-on/choose-single-sign-on-method-updated.png) +![Choose single sign-on method](./media/what-is-single-sign-on/choose-single-sign-on-method-040419.png) -The following table summarizes the single sign-on methods, and links to more details. +The following table summarizes the single sign-on methods, and links to more details. | Single sign-on method | Application types | When to use | | :------ | :------- | :----- | diff --git a/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md b/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md index 12cbb5997b97d..7b29af6f4b4bc 100644 --- a/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md +++ b/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md 
@@ -76,10 +76,11 @@ GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-0 | `Metadata` | An HTTP request header field, required by managed identities for Azure resources as a mitigation against Server Side Request Forgery (SSRF) attack. This value must be set to "true", in all lower case. | | `object_id` | (Optional) A query string parameter, indicating the object_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.| | `client_id` | (Optional) A query string parameter, indicating the client_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.| +| `mi_res_id` | (Optional) A query string parameter, indicating the mi_res_id (Azure Resource ID) of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities. | Sample request using the managed identities for Azure resources VM Extension Endpoint *(planned for deprecation in January 2019)*: -``` +```http GET http://localhost:50342/oauth2/token?resource=https%3A%2F%2Fmanagement.azure.com%2F HTTP/1.1 Metadata: true ``` @@ -93,10 +94,9 @@ Metadata: true | `object_id` | (Optional) A query string parameter, indicating the object_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.| | `client_id` | (Optional) A query string parameter, indicating the client_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.| - Sample response: -``` +```json HTTP/1.1 200 OK Content-Type: application/json { diff --git a/articles/active-directory/managed-identities-azure-resources/overview.md b/articles/active-directory/managed-identities-azure-resources/overview.md index 60553d0dfdfa0..244a6cf0cc5cd 100644 
--- a/articles/active-directory/managed-identities-azure-resources/overview.md
+++ b/articles/active-directory/managed-identities-azure-resources/overview.md
@@ -47,12 +47,21 @@ There are two types of managed identities: - A **system-assigned managed identity** is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD. - A **user-assigned managed identity** is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it's assigned. -Your code can use a managed identity to request access tokens for services that support Azure AD authentication. Azure takes care of rolling the credentials that are used by the service instance. +Internally, managed identities are service principals of a special type, which are locked to only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed. + +Your code can use a managed identity to request access tokens for services that support Azure AD authentication. Azure takes care of rolling the credentials that are used by the service instance. 
The following diagram shows how managed service identities work with Azure virtual machines (VMs): ![Managed service identities and Azure VMs](media/overview/msi-vm-vmextension-imds-example.png) +| Property | System-assigned managed identity | User-assigned managed identity | +|------|----------------------------------|--------------------------------| +| Creation | Created as part of an Azure resource (for example, an Azure virtual machine or Azure App Service) | Created as a stand-alone Azure resource | +| Lifecycle | Shared lifecycle with the Azure resource that the managed identity is created with.
When the parent resource is deleted, the managed identity is deleted as well. | Independent life-cycle.
Must be explicitly deleted. | +| Sharing across Azure resources | Cannot be shared.
It can only be associated with a single Azure resource. | Can be shared
The same user-assigned managed identity can be associated with more than one Azure resource. | +| Common use cases | Workloads that are contained within a single Azure resource
Workloads for which you need independent identities.
For example, an application that runs on a single virtual machine | Workloads that run on multiple resources and which can share a single identity.
Workloads that need pre-authorization to a secure resource as part of a provisioning flow.
Workloads where resources are recycled frequently, but permissions should stay consistent.
For example, a workload where multiple virtual machines need to access the same resource | + ### How a system-assigned managed identity works with an Azure VM 1. Azure Resource Manager receives a request to enable the system-assigned managed identity on a VM. diff --git a/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vmss.md b/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vmss.md index 2cfa93f3371f2..0eee0da2e44bd 100644 --- a/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vmss.md +++ b/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vmss.md @@ -156,7 +156,7 @@ To create a virtual machine scale set with system-assigned managed identity enab } ``` -### Enable system-assigned managed identity on a existing virtual machine scale set +### Enable system-assigned managed identity on an existing virtual machine scale set To enable system-assigned managed identity on an existing virtual machine scale set, you need to acquire an access token and then use CURL to call the Resource Manager REST endpoint to update the identity type. diff --git a/articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vmss.md b/articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vmss.md index be581ce7702ec..4410e0adfa65f 100644 --- a/articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vmss.md +++ b/articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vmss.md 
@@ -56,7 +56,7 @@ Regardless of the option you choose, template syntax is the same during initial In this section, you will enable and disable the system-assigned managed identity using an Azure Resource Manager template. -### Enable system-assigned managed identity during creation the creation of a virtual machines scale set or a existing virtual machine scale set +### Enable system-assigned managed identity during creation the creation of a virtual machines scale set or an existing virtual machine scale set 1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the virtual machine scale set. 2. To enable the system-assigned managed identity, load the template into an editor, locate the `Microsoft.Compute/virtualMachinesScaleSets` resource of interest within the resources section and add the `identity` property at the same level as the `"type": "Microsoft.Compute/virtualMachinesScaleSets"` property. Use the following syntax: diff --git a/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md b/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md index 9471f9ef12af7..219a8cd806e4a 100644 --- a/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md +++ b/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md @@ -172,7 +172,7 @@ Refer to the following list to configure access to Azure Resource Manager: | Azure Germany | `https://vault.microsoftazure.de` | Available | | Azure China 21Vianet | `https://vault.azure.cn` | Available | -## Azure Data Lake +### Azure Data Lake | Cloud | Resource ID | Status | |--------|------------|--------| 
@@ -181,7 +181,7 @@ Refer to the following list to configure access to Azure Resource Manager: | Azure Germany | | Not Available | | Azure China 21Vianet | | Not Available | -## Azure SQL +### Azure SQL | Cloud | Resource ID | Status | |--------|------------|--------| @@ -190,7 +190,7 @@ Refer to the following list to configure access to Azure Resource Manager: | Azure Germany | `https://database.cloudapi.de/` | Available | | Azure China 21Vianet | `https://database.chinacloudapi.cn/` | Available | -## Azure Event Hubs +### Azure Event Hubs | Cloud | Resource ID | Status | |--------|------------|--------| @@ -199,7 +199,7 @@ Refer to the following list to configure access to Azure Resource Manager: | Azure Germany | | Not Available | | Azure China 21Vianet | | Not Available | -## Azure Service Bus +### Azure Service Bus | Cloud | Resource ID | Status | |--------|------------|--------| @@ -208,7 +208,7 @@ Refer to the following list to configure access to Azure Resource Manager: | Azure Germany | | Not Available | | Azure China 21Vianet | | Not Available | -## Azure Storage +### Azure Storage | Cloud | Resource ID | Status | |--------|------------|--------| diff --git a/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db.md b/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db.md index 3c967f314fded..b961972b0e68a 100644 --- a/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db.md +++ b/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db.md 
@@ -153,7 +153,7 @@ The CURL response gives you the list of Keys. For example, if you get the read- "secondaryReadonlyMasterKey":"38v5ns...7bA=="} ``` -Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account. For a quick example, you can pass the access key to the Azure CLI. You can get the from the **Overview** tab on the Cosmos DB account blade in the Azure portal. Replace the with the value you obtained above: +Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account. For a quick example, you can pass the access key to the Azure CLI. You can get the `` from the **Overview** tab on the Cosmos DB account blade in the Azure portal. Replace the `` with the value you obtained above: ```bash az cosmosdb collection show -c -d --url-connection "" --key diff --git a/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-sas.md b/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-sas.md index 6c1889f142b22..54935843f13de 100644 --- a/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-sas.md +++ b/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-sas.md 
@@ -25,6 +25,9 @@ ms.collection: M365-identity-device-management This tutorial shows you how to use a system-assigned managed identity for a Linux virtual machine (VM) to obtain a storage Shared Access Signature (SAS) credential. Specifically, a [Service SAS credential](/azure/storage/common/storage-dotnet-shared-access-signature-part-1?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#types-of-shared-access-signatures). +> [!NOTE] +> The SAS key generated in this tutorial will not be restricted/bound to the VM. + A Service SAS provides the ability to grant limited access to objects in a storage account, for a limited time and a specific service (in our case, the blob service), without exposing an account access key. You can use a SAS credential as usual when doing storage operations, for example when using the Storage SDK. For this tutorial, we demonstrate uploading and downloading a blob using Azure Storage CLI. You will learn how to: diff --git a/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-azure-ad-graph.md b/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-azure-ad-graph.md index 0840ec9498c6f..bfc587b992db1 100644 --- a/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-azure-ad-graph.md +++ b/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-azure-ad-graph.md 
@@ -161,7 +161,7 @@ To use the VM's system assigned managed identity for authentication to Azure AD $AccessToken = $content.access_token ``` -5. Using the Object ID of your VM identity's service principal (you can retrieve this value from the variable declared in previous steps: ``$ManagedIdentitiesServicePrincipal.ObjectId``), you can query the Azure AD Graph API to retrieve its group memberships. Replace with the Object ID from the previous step and with the previously obtained access token: +5. Using the Object ID of your VM identity's service principal (you can retrieve this value from the variable declared in previous steps: ``$ManagedIdentitiesServicePrincipal.ObjectId``), you can query the Azure AD Graph API to retrieve its group memberships. Replace `` with the Object ID from the previous step and <`ACCESS-TOKEN>` with the previously obtained access token: ```powershell Invoke-WebRequest 'https://graph.windows.net//servicePrincipals//getMemberGroups?api-version=1.6' -Method POST -Body '{"securityEnabledOnly":"false"}' -Headers @{Authorization="Bearer $AccessToken"} -ContentType "application/json" diff --git a/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db.md b/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db.md index 17a77d3f15a8a..67e6cb3659f72 100644 --- a/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db.md +++ b/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db.md 
@@ -106,7 +106,7 @@ The response give you the list of Keys. For example, if you get read-only keys: {"primaryReadonlyMasterKey":"bWpDxS...dzQ==", "secondaryReadonlyMasterKey":"38v5ns...7bA=="} ``` -Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account. For a quick example, you can pass the access key to the Azure CLI. You can get the from the **Overview** tab on the Cosmos DB account blade in the Azure portal. Replace the with the value you obtained above: +Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account. For a quick example, you can pass the access key to the Azure CLI. You can get the `` from the **Overview** tab on the Cosmos DB account blade in the Azure portal. Replace the `` with the value you obtained above: ```bash az cosmosdb collection show -c -d --url-connection "" --key diff --git a/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-ua-arm.md b/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-ua-arm.md index 41ef01bcc49a9..80d590b639973 100644 --- a/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-ua-arm.md +++ b/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-ua-arm.md 
@@ -131,7 +131,7 @@ For the remainder of the tutorial, you will work from the VM we created earlier. ## Read the properties of a Resource Group -Use the access token retrieved in the previous step to access Azure Resource Manager, and read the properties of the Resource Group you granted your user-assigned identity access. Replace with the subscription id of your environment. +Use the access token retrieved in the previous step to access Azure Resource Manager, and read the properties of the Resource Group you granted your user-assigned identity access. Replace `` with the subscription id of your environment. ```azurepowershell (Invoke-WebRequest -Uri https://management.azure.com/subscriptions/80c696ff-5efa-4909-a64d-f1b616f423ca/resourceGroups/myResourceGroupVM?api-version=2016-06-01 -Method GET -ContentType "application/json" -Headers @{Authorization ="Bearer $ArmToken"}).content diff --git a/articles/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow.md b/articles/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow.md index 972fecc8a4311..be45b24a014a2 100644 --- a/articles/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow.md +++ b/articles/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow.md @@ -13,7 +13,7 @@ ms.topic: conceptual ms.tgt_pltfrm: na ms.workload: identity ms.subservice: pim -ms.date: 02/08/2019 +ms.date: 04/09/2019 ms.author: rolyon ms.custom: pim ms.collection: M365-identity-device-management diff --git a/articles/active-directory/privileged-identity-management/azure-pim-resource-rbac.md b/articles/active-directory/privileged-identity-management/azure-pim-resource-rbac.md index f86cb6723bed1..b015ebee26543 100644 --- a/articles/active-directory/privileged-identity-management/azure-pim-resource-rbac.md +++ b/articles/active-directory/privileged-identity-management/azure-pim-resource-rbac.md 
@@ -14,7 +14,7 @@ ms.topic: conceptual ms.tgt_pltfrm: na ms.workload: identity ms.subservice: pim -ms.date: 01/24/2019 +ms.date: 04/09/2019 ms.author: rolyon ms.collection: M365-identity-device-management diff --git a/articles/active-directory/privileged-identity-management/media/azure-ad-pim-approval-workflow/image021.png b/articles/active-directory/privileged-identity-management/media/azure-ad-pim-approval-workflow/image021.png index c7100d2ce7b50..20e7f854a3f97 100644 Binary files a/articles/active-directory/privileged-identity-management/media/azure-ad-pim-approval-workflow/image021.png and b/articles/active-directory/privileged-identity-management/media/azure-ad-pim-approval-workflow/image021.png differ diff --git a/articles/active-directory/privileged-identity-management/media/azure-ad-pim-approval-workflow/pim-directory-roles-approve-requests.png b/articles/active-directory/privileged-identity-management/media/azure-ad-pim-approval-workflow/pim-directory-roles-approve-requests.png index 9eca28a34477b..4980c3323c845 100644 Binary files a/articles/active-directory/privileged-identity-management/media/azure-ad-pim-approval-workflow/pim-directory-roles-approve-requests.png and b/articles/active-directory/privileged-identity-management/media/azure-ad-pim-approval-workflow/pim-directory-roles-approve-requests.png differ diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/RBAC-alerts-home.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/RBAC-alerts-home.png index e7b127576c334..24c6cf88760cd 100644 Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/RBAC-alerts-home.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/RBAC-alerts-home.png differ 
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_manage_azure_resource_some_there.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_manage_azure_resource_some_there.png
index baf4348c08604..11e70914e7ba5 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_manage_azure_resource_some_there.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_manage_azure_resource_some_there.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_admin_approve_grid.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_admin_approve_grid.png
index c15155b121dd3..c5a9ccf78e1b6 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_admin_approve_grid.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_admin_approve_grid.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_admin_extend.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_admin_extend.png
index 46aaa1efaec54..13d42046adc6d 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_admin_extend.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_admin_extend.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_cancel_request.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_cancel_request.png
index 9b298d3e7dc86..cf5cefe91530e 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_cancel_request.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_cancel_request.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_ui.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_ui.png
index 6f76c0d50c5d9..6b8fac4a62295 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_ui.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_extend_ui.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_renew_from_member_blade.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_renew_from_member_blade.png
index 3370b38ab1004..4711b2294c811 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_renew_from_member_blade.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/aadpim_rbac_renew_from_member_blade.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/export-membership.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/export-membership.png
index b183d546a4d64..0225d3b5d9fc8 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/export-membership.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/export-membership.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/my-audit-time.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/my-audit-time.png
index 321cf9c8ac949..57c7a99e1e821 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/my-audit-time.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/my-audit-time.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-complete.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-complete.png
index 6ff00434d9950..a3c743f9f68ca 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-complete.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-complete.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-home-list.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-home-list.png
index df7ddab812bbd..c48fd0abf9574 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-home-list.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-home-list.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-home.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-home.png
index bd9d6c30ca5f5..798e8789ad24b 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-home.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-access-review-home.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-navigate-settings.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-navigate-settings.png
index 8b074ac2f4602..0a03e51bc0a23 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-navigate-settings.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-navigate-settings.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-overview-top.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-overview-top.png
index d1dfa4d2b8ee3..626377e55b38d 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-overview-top.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-overview-top.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-resource-audit.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-resource-audit.png
index c00699f860c35..76af9261c6bcf 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-resource-audit.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/rbac-resource-audit.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/role-settings.png b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/role-settings.png
index 9da3d189f0e31..054271ce60760 100644
Binary files a/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/role-settings.png and b/articles/active-directory/privileged-identity-management/media/azure-pim-resource-rbac/role-settings.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-configure/pim-overview.png b/articles/active-directory/privileged-identity-management/media/pim-configure/pim-overview.png
index d4a7727aba886..4c5b861afd4c9 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-configure/pim-overview.png and b/articles/active-directory/privileged-identity-management/media/pim-configure/pim-overview.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-getting-started/pim-quickstart-tasks.png b/articles/active-directory/privileged-identity-management/media/pim-getting-started/pim-quickstart-tasks.png
index b16e7d6f1fd88..8041a7ebb0af7 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-getting-started/pim-quickstart-tasks.png and b/articles/active-directory/privileged-identity-management/media/pim-getting-started/pim-quickstart-tasks.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-requests.png b/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-requests.png
index 3ac9af274451d..f41082d6969c6 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-requests.png and b/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-requests.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-roles-activate.png b/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-roles-activate.png
index 7edb1086990b6..3b1d8719f82f9 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-roles-activate.png and b/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-roles-activate.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-roles.png b/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-roles.png
index 4ba549ea08410..5fe9470e72432 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-roles.png and b/articles/active-directory/privileged-identity-management/media/pim-how-to-activate-role/directory-roles-my-roles.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-how-to-add-role-to-user/pim-directory-role-list-members.png b/articles/active-directory/privileged-identity-management/media/pim-how-to-add-role-to-user/pim-directory-role-list-members.png
index 7de80c72fed3c..f683a1e870742 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-how-to-add-role-to-user/pim-directory-role-list-members.png and b/articles/active-directory/privileged-identity-management/media/pim-how-to-add-role-to-user/pim-directory-role-list-members.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-how-to-add-role-to-user/pim-directory-roles.png b/articles/active-directory/privileged-identity-management/media/pim-how-to-add-role-to-user/pim-directory-roles.png
index 870cdb2a1cb31..c72eb8e9bda38 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-how-to-add-role-to-user/pim-directory-roles.png and b/articles/active-directory/privileged-identity-management/media/pim-how-to-add-role-to-user/pim-directory-roles.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-how-to-change-default-settings/pim-directory-roles-settings.png b/articles/active-directory/privileged-identity-management/media/pim-how-to-change-default-settings/pim-directory-roles-settings.png
index d6932b536e84a..998cc174f200c 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-how-to-change-default-settings/pim-directory-roles-settings.png and b/articles/active-directory/privileged-identity-management/media/pim-how-to-change-default-settings/pim-directory-roles-settings.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-how-to-configure-security-alerts/pim-directory-alerts.png b/articles/active-directory/privileged-identity-management/media/pim-how-to-configure-security-alerts/pim-directory-alerts.png
index ebeeb650aec31..c9dfab4759145 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-how-to-configure-security-alerts/pim-directory-alerts.png and b/articles/active-directory/privileged-identity-management/media/pim-how-to-configure-security-alerts/pim-directory-alerts.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-how-to-give-access-to-pim/pim-directory-roles-roles.png b/articles/active-directory/privileged-identity-management/media/pim-how-to-give-access-to-pim/pim-directory-roles-roles.png
index 395393b74425d..50f9830576a62 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-how-to-give-access-to-pim/pim-directory-roles-roles.png and b/articles/active-directory/privileged-identity-management/media/pim-how-to-give-access-to-pim/pim-directory-roles-roles.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-activate-your-roles/resources-my-requests.png b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-activate-your-roles/resources-my-requests.png
index a201ca8a1b46c..629dbde385798 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-activate-your-roles/resources-my-requests.png and b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-activate-your-roles/resources-my-requests.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-activate-your-roles/resources-my-roles.png b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-activate-your-roles/resources-my-roles.png
index 2c6d0afa8bfc5..890d218db39eb 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-activate-your-roles/resources-my-roles.png and b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-activate-your-roles/resources-my-roles.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-approval-workflow/resources-approve-requests.png b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-approval-workflow/resources-approve-requests.png
index b68bc23070cc7..b2188962a4d41 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-approval-workflow/resources-approve-requests.png and b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-approval-workflow/resources-approve-requests.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-list.png b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-list.png
index d3cae13d16dc6..805fb737b07f2 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-list.png and b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-list.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-roles.png b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-roles.png
index c307e4c91a910..0182035b29b4b 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-roles.png and b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-roles.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-update-select-role.png b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-update-select-role.png
index 46d3759a5a096..b134cccc9d763 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-update-select-role.png and b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-assign-roles/resources-update-select-role.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-configure-role-settings/resources-list.png b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-configure-role-settings/resources-list.png
index d3cae13d16dc6..805fb737b07f2 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-configure-role-settings/resources-list.png and b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-configure-role-settings/resources-list.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-configure-role-settings/resources-role-settings.png b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-configure-role-settings/resources-role-settings.png
index ff73c6547524f..bbbc10c710b76 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-configure-role-settings/resources-role-settings.png and b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-configure-role-settings/resources-role-settings.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-discover-resources/discover-resources.png b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-discover-resources/discover-resources.png
index cc2af1d5e51d8..efc8ffba66b46 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-discover-resources/discover-resources.png and b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-discover-resources/discover-resources.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-external-users/audit-resource.png b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-external-users/audit-resource.png
index 02e51eade18a2..c7dae1ef4c658 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-resource-roles-external-users/audit-resource.png and b/articles/active-directory/privileged-identity-management/media/pim-resource-roles-external-users/audit-resource.png differ
diff --git a/articles/active-directory/privileged-identity-management/media/pim-security-wizard/wizard-start.png b/articles/active-directory/privileged-identity-management/media/pim-security-wizard/wizard-start.png
index 6435283312fc8..6eae07d2faf11 100644
Binary files a/articles/active-directory/privileged-identity-management/media/pim-security-wizard/wizard-start.png and b/articles/active-directory/privileged-identity-management/media/pim-security-wizard/wizard-start.png differ
diff --git a/articles/active-directory/privileged-identity-management/pim-configure.md b/articles/active-directory/privileged-identity-management/pim-configure.md
index c95bb9fc822dd..83f487e69953a 100644
--- a/articles/active-directory/privileged-identity-management/pim-configure.md
+++ b/articles/active-directory/privileged-identity-management/pim-configure.md
@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: pim
 ms.topic: overview
-ms.date: 01/16/2019
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.custom: pim
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/privileged-identity-management/pim-getting-started.md b/articles/active-directory/privileged-identity-management/pim-getting-started.md
index ea3457117694b..a393a9f826da3 100644
--- a/articles/active-directory/privileged-identity-management/pim-getting-started.md
+++ b/articles/active-directory/privileged-identity-management/pim-getting-started.md
@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.subservice: pim
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/09/2018
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.custom: pim
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/privileged-identity-management/pim-how-to-activate-role.md b/articles/active-directory/privileged-identity-management/pim-how-to-activate-role.md
index 14d2041070cee..bc8b1062b1064 100644
--- a/articles/active-directory/privileged-identity-management/pim-how-to-activate-role.md
+++ b/articles/active-directory/privileged-identity-management/pim-how-to-activate-role.md
@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 03/05/2019
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.custom: pim
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md b/articles/active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md
index 248f96f32d934..b5f4d38078766 100644
--- a/articles/active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md
+++ b/articles/active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md
@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 10/30/2018
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.collection: M365-identity-device-management
 ---
diff --git a/articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md b/articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md
index 3fe402b2ecc69..fd1d627123cd1 100644
--- a/articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md
+++ b/articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md
@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 11/30/2018
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.custom: pim
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md b/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md
index 182bc598431ef..2e9df265ab64c 100644
--- a/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md
+++ b/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md
@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 01/04/2019
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.custom: pim
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim.md b/articles/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim.md
index add36bce1eea3..a5507f3469949 100644
--- a/articles/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim.md
+++ b/articles/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim.md
@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 08/29/2018
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.custom: pim
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md b/articles/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md
index b671272ed935f..0dbd5efc5595c 100644
--- a/articles/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md
+++ b/articles/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md
@@ -11,7 +11,7 @@ ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: pim
-ms.date: 03/05/2019
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.custom: pim
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow.md b/articles/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow.md
index a04e039383726..bb526baf41e3d 100644
--- a/articles/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow.md
+++ b/articles/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow.md
@@ -11,7 +11,7 @@ ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: pim
-ms.date: 02/08/2019
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.custom: pim
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md b/articles/active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md
index a799ee9133376..dcbe72e316066 100644
--- a/articles/active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md
+++ b/articles/active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md
@@ -11,7 +11,7 @@ ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: pim
-ms.date: 08/30/2018
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.custom: pim
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md b/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md
index edf2d337af1cd..cd70ac0c0400b 100644
--- a/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md
+++ b/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md
@@ -11,7 +11,7 @@ ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: pim
-ms.date: 08/30/2018
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.custom: pim
 ms.collection: M365-identity-device-management
diff --git a/articles/active-directory/privileged-identity-management/pim-resource-roles-discover-resources.md b/articles/active-directory/privileged-identity-management/pim-resource-roles-discover-resources.md
index 1865904e33481..bf4c598b3a696 100644
--- a/articles/active-directory/privileged-identity-management/pim-resource-roles-discover-resources.md
+++ b/articles/active-directory/privileged-identity-management/pim-resource-roles-discover-resources.md
@@ -11,7 +11,7 @@ ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: pim
-ms.date: 01/23/2019
+ms.date: 04/09/2019
 ms.author: rolyon
 ms.collection: M365-identity-device-management
 ---
diff --git a/articles/active-directory/privileged-identity-management/pim-resource-roles-external-users.md b/articles/active-directory/privileged-identity-management/pim-resource-roles-external-users.md index 7fe671ba8097a..0ecbe7d12ed41 100644 --- a/articles/active-directory/privileged-identity-management/pim-resource-roles-external-users.md +++ b/articles/active-directory/privileged-identity-management/pim-resource-roles-external-users.md @@ -11,7 +11,7 @@ ms.topic: conceptual ms.tgt_pltfrm: na ms.workload: identity ms.subservice: pim -ms.date: 03/13/2019 +ms.date: 04/09/2019 ms.author: rolyon ms.custom: pim ms.collection: M365-identity-device-management diff --git a/articles/active-directory/privileged-identity-management/pim-security-wizard.md b/articles/active-directory/privileged-identity-management/pim-security-wizard.md index 462cd2094d3d0..51e90e8742a3a 100644 --- a/articles/active-directory/privileged-identity-management/pim-security-wizard.md +++ b/articles/active-directory/privileged-identity-management/pim-security-wizard.md @@ -11,7 +11,7 @@ ms.service: active-directory ms.topic: conceptual ms.workload: identity ms.subservice: pim -ms.date: 11/09/2018 +ms.date: 04/09/2019 ms.author: rolyon ms.custom: pim ; H1Hack27Feb2017 ms.collection: M365-identity-device-management diff --git a/articles/active-directory/saas-apps/10000ftplans-tutorial.md b/articles/active-directory/saas-apps/10000ftplans-tutorial.md index 51742b70f1d4b..e0fdfbdeeb019 100644 --- a/articles/active-directory/saas-apps/10000ftplans-tutorial.md +++ b/articles/active-directory/saas-apps/10000ftplans-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: b60c955e-8fa3-4872-a897-c4e81fd7beac ms.service: active-directory 
@@ -12,8 +13,8 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 07/14/2017 +ms.topic: tutorial +ms.date: 04/03/2019 ms.author: jeedes ms.collection: M365-identity-device-management 
@@ -21,208 +22,181 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with 10,000ft Plans In this tutorial, you learn how to integrate 10,000ft Plans with Azure Active Directory (Azure AD). - Integrating 10,000ft Plans with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to 10,000ft Plans -- You can enable your users to automatically get signed-on to 10,000ft Plans (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to 10,000ft Plans. +* You can enable your users to be automatically signed-in to 10,000ft Plans (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with 10,000ft Plans, you need the following items: -- An Azure AD subscription -- A 10,000ft Plans single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can get a one-month trial here [trial offer](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* 10,000ft Plans single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding 10,000ft Plans from the gallery -2. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* 10,000ft Plans support **SP** initiated SSO +* 10,000ft Plans support **Just In Time** user provisioning ## Adding 10,000ft Plans from the gallery + To configure the integration of 10,000ft Plans into Azure AD, you need to add 10,000ft Plans from the gallery to your list of managed SaaS apps. **To add 10,000ft Plans from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -3. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add a new application, click the **New application** button at the top of the dialog. -4. In the search box, type **10,000ft Plans**. 
+ ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/10000ftplans-tutorial/tutorial_10,000ftplans_search.png) +4. In the search box, type **10,000ft Plans**, select **10,000ft Plans** from the result panel then click the **Add** button to add the application. -5. In the results panel, select **10,000ft Plans**, and then click **Add** button to add the application. + ![10,000ft Plans in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/10000ftplans-tutorial/tutorial_10,000ftplans_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with 10,000ft Plans based on a test user called "Britta Simon." +In this section, you configure and test Azure AD single sign-on with 10,000ft Plans based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in 10,000ft Plans needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in 10,000ft Plans is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in 10,000ft Plans needs to be established. +To configure and test Azure AD single sign-on with 10,000ft Plans, you need to complete the following building blocks: -In 10,000ft Plans, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure 10000ft Plans Single Sign-On](#configure-10000ft-plans-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create 10000ft Plans test user](#create-10000ft-plans-test-user)** - to have a counterpart of Britta Simon in 10,000ft Plans that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with 10,000ft Plans, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Creating a 10,000ft Plans test user](#creating-a-10000ft-plans-test-user)** - to have a counterpart of Britta Simon in 10,000ft Plans that is linked to the Azure AD representation of user. -4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with 10,000ft Plans, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your 10,000ft Plans application. +1. In the [Azure portal](https://portal.azure.com/), on the **10,000ft Plans** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with 10,000ft Plans, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **10,000ft Plans** application integration page, click **Single sign-on**. +2. 
On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -2. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/10000ftplans-tutorial/tutorial_10,000ftplans_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -3. On the **10,000ft Plans Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/10000ftplans-tutorial/tutorial_10,000ftplans_url.png) +4. On the **Basic SAML Configuration** section, perform the following steps: - a. In the **Sign-on URL** textbox, type the URL: `https://app.10000ft.com` + ![10,000ft Plans Domain and URLs single sign-on information](common/sp-identifier.png) - b. In the **Identifier** textbox, type the URL: `https://app.10000ft.com/saml/metadata` + a. In the **Sign on URL** text box, type the URL: + `https://app.10000ft.com` - > [!NOTE] - > The value for **Identifier** is different if you have a custom domain. Contact [10,000ft Plans support team](https://www.10000ft.com/plans/support) to get this value. - -4. On the **SAML Signing Certificate** section, click **Certificate(Raw)** and then save the certificate file on your computer. + b. In the **Identifier (Entity ID)** text box, type the URL: + `https://app.10000ft.com/saml/metadata` - ![Configure Single Sign-On](./media/10000ftplans-tutorial/tutorial_10,000ftplans_certificate.png) + > [!NOTE] + > The value for **Identifier** is different if you have a custom domain. Contact [10,000ft Plans Client support team](https://www.10000ft.com/plans/support) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -5. 
Click **Save** button. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On](./media/10000ftplans-tutorial/tutorial_general_400.png) + ![The Certificate download link](common/certificateraw.png) -6. On the **10,000ft Plans Configuration** section, click **Configure 10,000ft Plans** to open **Configure sign-on** window. Copy the **Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** from the **Quick Reference section.** +6. On the **Set up 10,000ft Plans** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On](./media/10000ftplans-tutorial/tutorial_10,000ftplans_configure.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -7. To configure single sign-on on **10,000ft Plans** side, you need to send the downloaded **Certificate(Raw), Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** to [10,000ft Plans support team](https://www.10000ft.com/plans/support). + a. Login URL -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) + b. Azure AD Identifier -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + c. 
Logout URL -![Create Azure AD User][100] +### Configure 10000ft Plans Single Sign-On -**To create a test user in Azure AD, perform the following steps:** +To configure single sign-on on **10,000ft Plans** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [10,000ft Plans support team](https://www.10000ft.com/plans/support). They set this setting to have the SAML SSO connection set properly on both sides. -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +### Create an Azure AD test user - ![Creating an Azure AD test user](./media/10000ftplans-tutorial/create_aaduser_01.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -2. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/10000ftplans-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -3. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/10000ftplans-tutorial/create_aaduser_03.png) + ![The "Users and groups" and "All users" links](common/users.png) -4. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/10000ftplans-tutorial/create_aaduser_04.png) +2. Select **New user** at the top of the screen. - a. In the **Name** textbox, type **BrittaSimon**. + ![New user Button](common/new-user.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. +3. In the User properties, perform the following steps. - c. Select **Show Password** and write down the value of the **Password**. + ![The User dialog box](common/user-properties.png) - d. Click **Create**. - -### Creating a 10,000ft Plans test user + a. In the **Name** field, enter **BrittaSimon**. 
+ + b. In the **User name** field, type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com -The objective of this section is to create a user called Britta Simon in 10,000ft Plans. 10,000ft Plans supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access 10,000ft Plans if it doesn't exist yet. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -> [!NOTE] -> If you need to create a user manually, you need to contact the [10,000ft Plans support team](https://www.10000ft.com/plans/support). + d. Click **Create**. -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to 10,000ft Plans. -![Assign User][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **10,000ft Plans**. -**To assign Britta Simon to 10,000ft Plans, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **10,000ft Plans**. - ![Assign User][201] + ![The 10,000ft Plans link in the Applications list](common/all-applications.png) -2. In the applications list, select **10,000ft Plans**. +3. In the menu on the left, select **Users and groups**. - ![Configure Single Sign-On](./media/10000ftplans-tutorial/tutorial_10,000ftplans_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -3. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. 
- ![Assign User][202] + ![The Add Assignment pane](common/add-assign-user.png) -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![Assign User][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -5. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog, click the **Assign** button. -6. Click **Select** button on **Users and groups** dialog. +### Create 10000ft Plans test user -7. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +In this section, a user called Britta Simon is created in 10,000ft Plans. 10,000ft Plans supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in 10,000ft Plans, a new one is created after authentication. + +> [!NOTE] +> If you need to create a user manually, you need to contact the [10,000ft Plans Client support team](https://www.10000ft.com/plans/support). -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. -When you click the 10,000ft Plans tile in the Access Panel, you should get automatically signed-on to your 10,000ft Plans application. - -## Additional resources +### Test single sign-on -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +In this section, you test your Azure AD single sign-on configuration using the Access Panel. 
- +When you click the 10,000ft Plans tile in the Access Panel, you should be automatically signed in to the 10,000ft Plans for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -[1]: ./media/10000ftplans-tutorial/tutorial_general_01.png -[2]: ./media/10000ftplans-tutorial/tutorial_general_02.png -[3]: ./media/10000ftplans-tutorial/tutorial_general_03.png -[4]: ./media/10000ftplans-tutorial/tutorial_general_04.png +## Additional Resources -[100]: ./media/10000ftplans-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/10000ftplans-tutorial/tutorial_general_200.png -[201]: ./media/10000ftplans-tutorial/tutorial_general_201.png -[202]: ./media/10000ftplans-tutorial/tutorial_general_202.png -[203]: ./media/10000ftplans-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/agiloft-tutorial.md b/articles/active-directory/saas-apps/agiloft-tutorial.md index ba05f5d00b8ba..4157a41d8be61 100644 --- a/articles/active-directory/saas-apps/agiloft-tutorial.md +++ b/articles/active-directory/saas-apps/agiloft-tutorial.md 
@@ -163,13 +163,13 @@ To configure Azure AD single sign-on with Agiloft, perform the following steps: ![Agiloft Configuration](./media/agiloft-tutorial/setup4.png) - a. In **IdP Entity Id / Issuer** textbox, paste the value of **Azure Ad Identifier**, which you have copied from Azure portal. + a. In **IdP Entity Id / Issuer** textbox, paste the value of **Azure Ad Identifier**, which you have copied from Azure portal. - b. In **IdP Login URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal. + b. In **IdP Login URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal. - c. In **IdP Logout URL** textbox, paste the value of **Logout URL**, which you have copied from Azure portal. + c. In **IdP Logout URL** textbox, paste the value of **Logout URL**, which you have copied from Azure portal. - d. Open your **base-64 encoded certificate** in notepad downloaded from Azure portal, copy the content of it into your clipboard, and then paste it to the **IdP Provided X.509 certificate contents** textbox. + d. Open your **base-64 encoded certificate** in notepad downloaded from Azure portal, copy the content of it into your clipboard, and then paste it to the **IdP Provided X.509 certificate contents** textbox. e. Click **Finish**. diff --git a/articles/active-directory/saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md b/articles/active-directory/saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md new file mode 100644 index 0000000000000..255798359caea --- /dev/null +++ b/articles/active-directory/saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md 
@@ -0,0 +1,234 @@
+---
+title: 'Tutorial: Azure Active Directory integration with Alibaba Cloud Service (Role-based SSO) | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Alibaba Cloud Service (Role-based SSO).
+services: active-directory
+documentationCenter: na
+author: jeevansd
+manager: mtillman
+ms.reviewer: barbkess
+
+ms.assetid: 3667841e-acfc-4490-acf5-80d9ca3e71e8
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: tutorial
+ms.date: 04/05/2019
+ms.author: jeedes
+
+ms.collection: M365-identity-device-management
+---
+# Tutorial: Azure Active Directory integration with Alibaba Cloud Service (Role-based SSO)
+
+In this tutorial, you learn how to integrate Alibaba Cloud Service (Role-based SSO) with Azure Active Directory (Azure AD).
+Integrating Alibaba Cloud Service (Role-based SSO) with Azure AD provides you with the following benefits:
+
+* You can control in Azure AD who has access to Alibaba Cloud Service (Role-based SSO).
+* You can enable your users to be automatically signed-in to Alibaba Cloud Service (Role-based SSO) (Single Sign-On) with their Azure AD accounts.
+* You can manage your accounts in one central location - the Azure portal.
+
+If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
+If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+
+## Prerequisites
+
+To configure Azure AD integration with Alibaba Cloud Service (Role-based SSO), you need the following items:
+
+* An Azure AD subscription.
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
+* Alibaba Cloud Service (Role-based SSO) single sign-on enabled subscription
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD single sign-on in a test environment.
+
+* Alibaba Cloud Service (Role-based SSO) supports **IDP** initiated SSO
+
+## Adding Alibaba Cloud Service (Role-based SSO) from the gallery
+
+To configure the integration of Alibaba Cloud Service (Role-based SSO) into Azure AD, you need to add Alibaba Cloud Service (Role-based SSO) from the gallery to your list of managed SaaS apps.
+
+**To add Alibaba Cloud Service (Role-based SSO) from the gallery, perform the following steps:**
+
+1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
+
+ ![The Azure Active Directory button](common/select-azuread.png)
+
+2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
+
+ ![The Enterprise applications blade](common/enterprise-applications.png)
+
+3. To add new application, click **New application** button on the top of dialog.
+
+ ![The New application button](common/add-new-app.png)
+
+4. In the search box, type **Alibaba Cloud Service (Role-based SSO)**, select **Alibaba Cloud Service (Role-based SSO)** from result panel then click **Add** button to add the application.
+
+ ![Alibaba Cloud Service (Role-based SSO) in the results list](common/search-new-app.png)
+
+## Configure and test Azure AD single sign-on
+
+In this section, you configure and test Azure AD single sign-on with Alibaba Cloud Service (Role-based SSO) based on a test user called **Britta Simon**.
+For single sign-on to work, a link relationship between an Azure AD user and the related user in Alibaba Cloud Service (Role-based SSO) needs to be established.
+
+To configure and test Azure AD single sign-on with Alibaba Cloud Service (Role-based SSO), you need to complete the following building blocks:
+
+1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
+2. **[Configure Alibaba Cloud Service (Role-based SSO) Single Sign-On](#configure-alibaba-cloud-service-role-based-sso-single-sign-on)** - to configure the Single Sign-On settings on application side.
+3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+5. **[Create Alibaba Cloud Service (Role-based SSO) test user](#create-alibaba-cloud-service-role-based-sso-test-user)** - to have a counterpart of Britta Simon in Alibaba Cloud Service (Role-based SSO) that is linked to the Azure AD representation of user.
+6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+
+### Configure Azure AD single sign-on
+
+In this section, you enable Azure AD single sign-on in the Azure portal.
+
+To configure Azure AD single sign-on with Alibaba Cloud Service (Role-based SSO), perform the following steps:
+
+1. In the [Azure portal](https://portal.azure.com/), on the **Alibaba Cloud Service (Role-based SSO)** application integration page, select **Single sign-on**.
+
+ ![Configure single sign-on link](common/select-sso.png)
+
+2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+
+ ![Single sign-on select mode](common/select-saml-option.png)
+
+3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+4.
On the **Set up Single Sign-On with SAML** page, perform the following steps:
+
+ ![Alibaba Cloud Service (Role-based SSO) Domain and URLs single sign-on information](common/idp-intiated.png)
+
+ a. In the **Identifier** text box, type any of the URL:
+
+ | |
+ |--|
+ | `urn:alibaba:cloudcomputing` |
+ | `urn:alibaba:cloudcomputing:international` |
+
+ b. In the **Reply URL** text box, type any of the URL:
+
+ | |
+ |--|
+ | `https://signin.aliyun.com/saml-role/SSO` |
+ | `https://signin.alibabacloud.com/saml-role/SSO` |
+
+5. Alibaba Cloud Service (Role-based SSO) application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog.
+
+ ![image](common/edit-attribute.png)
+
+6. In addition to above, Alibaba Cloud Service (Role-based SSO) application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:
+
+ | Name | Source Attribute|
+ | ---------------| --------------- |
+ | Role | user.assignedroles |
+ | RoleSessionName | user.mail |
+
+ > [!NOTE]
+ > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-enterprise-app-role-management) to know how to configure **Role** in Azure AD
+
+ a. Click **Add new claim** to open the **Manage user claims** dialog.
+
+ ![image](common/new-save-attribute.png)
+
+ ![image](common/new-attribute-details.png)
+
+ b. In the **Name** textbox, type the attribute name shown for that row.
+
+ c. Leave the **Namespace** blank.
+
+ d. Select Source as **Attribute**.
+
+ e. From the **Source attribute** list, type the attribute value shown for that row.
+
+ f. Click **Save**.
+
+7.
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+8. On the **Set up Alibaba Cloud Service (Role-based SSO)** section, copy the appropriate URL(s) as per your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+ a. Login URL
+
+ b. Azure AD Identifier
+
+ c. Logout URL
+
+### Configure Alibaba Cloud Service (Role-based SSO) Single Sign-On
+
+To configure single sign-on on **Alibaba Cloud Service (Role-based SSO)** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Alibaba Cloud Service (Role-based SSO) support team](https://www.aliyun.com/service/). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create an Azure AD test user
+
+The objective of this section is to create a test user in the Azure portal called Britta Simon.
+
+1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
+
+ ![The "Users and groups" and "All users" links](common/users.png)
+
+2. Select **New user** at the top of the screen.
+
+ ![New user Button](common/new-user.png)
+
+3. In the User properties, perform the following steps.
+
+ ![The User dialog box](common/user-properties.png)
+
+ a. In the **Name** field enter **BrittaSimon**.
+
+ b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
+
+ c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+
+ d. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you enable Britta Simon to use Azure single sign-on by granting access to Alibaba Cloud Service (Role-based SSO).
+
+1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Alibaba Cloud Service (Role-based SSO)**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Alibaba Cloud Service (Role-based SSO)**.
+
+ ![The Alibaba Cloud Service (Role-based SSO) link in the Applications list](common/all-applications.png)
+
+3. In the menu on the left, select **Users and groups**.
+
+ ![The "Users and groups" link](common/users-groups-blade.png)
+
+4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+
+ ![The Add Assignment pane](common/add-assign-user.png)
+
+5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+
+6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+
+7. In the **Add Assignment** dialog click the **Assign** button.
+
+### Create Alibaba Cloud Service (Role-based SSO) test user
+
+In this section, you create a user called Britta Simon in Alibaba Cloud Service (Role-based SSO). Work with [Alibaba Cloud Service (Role-based SSO) support team](https://www.aliyun.com/service/) to add the users in the Alibaba Cloud Service (Role-based SSO) platform. Users must be created and activated before you use single sign-on.
+
+### Test single sign-on
+
+In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+
+When you click the Alibaba Cloud Service (Role-based SSO) tile in the Access Panel, you should be automatically signed in to the Alibaba Cloud Service (Role-based SSO) for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+
+## Additional Resources
+
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+
diff --git a/articles/active-directory/saas-apps/amms-tutorial.md b/articles/active-directory/saas-apps/amms-tutorial.md
new file mode 100644
index 0000000000000..0d7fa92cb0380
--- /dev/null
+++ b/articles/active-directory/saas-apps/amms-tutorial.md
@@ -0,0 +1,189 @@
+---
+title: 'Tutorial: Azure Active Directory integration with AMMS | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and AMMS.
+services: active-directory
+documentationCenter: na
+author: jeevansd
+manager: mtillman
+ms.reviewer: barbkess
+
+ms.assetid: 107653a2-bd5c-4916-9fd2-1c15a9e24dc1
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: tutorial
+ms.date: 04/04/2019
+ms.author: jeedes
+
+ms.collection: M365-identity-device-management
+---
+# Tutorial: Azure Active Directory integration with AMMS
+
+In this tutorial, you learn how to integrate AMMS with Azure Active Directory (Azure AD).
+Integrating AMMS with Azure AD provides you with the following benefits:
+
+* You can control in Azure AD who has access to AMMS.
+* You can enable your users to be automatically signed-in to AMMS (Single Sign-On) with their Azure AD accounts.
+* You can manage your accounts in one central location - the Azure portal.
+
+If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
+If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+
+## Prerequisites
+
+To configure Azure AD integration with AMMS, you need the following items:
+
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
+* AMMS single sign-on enabled subscription
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD single sign-on in a test environment.
+
+* AMMS supports **SP** initiated SSO
+
+## Adding AMMS from the gallery
+
+To configure the integration of AMMS into Azure AD, you need to add AMMS from the gallery to your list of managed SaaS apps.
+
+**To add AMMS from the gallery, perform the following steps:**
+
+1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
+
+ ![The Azure Active Directory button](common/select-azuread.png)
+
+2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
+
+ ![The Enterprise applications blade](common/enterprise-applications.png)
+
+3. To add new application, click **New application** button on the top of dialog.
+
+ ![The New application button](common/add-new-app.png)
+
+4. In the search box, type **AMMS**, select **AMMS** from result panel then click **Add** button to add the application.
+
+ ![AMMS in the results list](common/search-new-app.png)
+
+## Configure and test Azure AD single sign-on
+
+In this section, you configure and test Azure AD single sign-on with AMMS based on a test user called **Britta Simon**.
+For single sign-on to work, a link relationship between an Azure AD user and the related user in AMMS needs to be established.
+
+To configure and test Azure AD single sign-on with AMMS, you need to complete the following building blocks:
+
+1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
+2. **[Configure AMMS Single Sign-On](#configure-amms-single-sign-on)** - to configure the Single Sign-On settings on application side.
+3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+5. 
**[Create AMMS test user](#create-amms-test-user)** - to have a counterpart of Britta Simon in AMMS that is linked to the Azure AD representation of user.
+6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+
+### Configure Azure AD single sign-on
+
+In this section, you enable Azure AD single sign-on in the Azure portal.
+
+To configure Azure AD single sign-on with AMMS, perform the following steps:
+
+1. In the [Azure portal](https://portal.azure.com/), on the **AMMS** application integration page, select **Single sign-on**.
+
+ ![Configure single sign-on link](common/select-sso.png)
+
+2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+
+ ![Single sign-on select mode](common/select-saml-option.png)
+
+3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+4. On the **Basic SAML Configuration** section, perform the following steps:
+
+ ![AMMS Domain and URLs single sign-on information](common/sp-identifier.png)
+
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://.microwestcloud.com/amms/pages/login.aspx`
+
+ b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `.microwestcloud.com/amms`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [AMMS Client support team](mailto:techsupport@microwestsoftware.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
+
+### Configure AMMS Single Sign-On
+
+To configure single sign-on on **AMMS** side, you need to send the **App Federation Metadata Url** to [AMMS support team](mailto:techsupport@microwestsoftware.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create an Azure AD test user
+
+The objective of this section is to create a test user in the Azure portal called Britta Simon.
+
+1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
+
+ ![The "Users and groups" and "All users" links](common/users.png)
+
+2. Select **New user** at the top of the screen.
+
+ ![New user Button](common/new-user.png)
+
+3. In the User properties, perform the following steps.
+
+ ![The User dialog box](common/user-properties.png)
+
+ a. In the **Name** field enter **BrittaSimon**.
+
+ b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
+
+ c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+
+ d. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you enable Britta Simon to use Azure single sign-on by granting access to AMMS.
+
+1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **AMMS**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **AMMS**.
+
+ ![The AMMS link in the Applications list](common/all-applications.png)
+
+3. In the menu on the left, select **Users and groups**.
+
+ ![The "Users and groups" link](common/users-groups-blade.png)
+
+4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+
+ ![The Add Assignment pane](common/add-assign-user.png)
+
+5. 
In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+
+6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+
+7. In the **Add Assignment** dialog click the **Assign** button.
+
+### Create AMMS test user
+
+In this section, you create a user called Britta Simon in AMMS. Work with [AMMS support team](mailto:techsupport@microwestsoftware.com) to add the users in the AMMS platform. Users must be created and activated before you use single sign-on.
+
+### Test single sign-on
+
+In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+
+When you click the AMMS tile in the Access Panel, you should be automatically signed in to the AMMS for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+
+## Additional Resources
+
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+
diff --git a/articles/active-directory/saas-apps/appraisd-tutorial.md b/articles/active-directory/saas-apps/appraisd-tutorial.md
index 531b52977a16e..dfa617ba9407f 100644
--- a/articles/active-directory/saas-apps/appraisd-tutorial.md
+++ b/articles/active-directory/saas-apps/appraisd-tutorial.md
@@ -158,7 +158,7 @@ To configure Azure AD single sign-on with Appraisd, perform the following steps: 1. In a different web browser window, sign in to Appraisd as a Security Administrator. -2. On the top right of the page, click on **Settings** icon, then navigate to **Configuration**. +2. On the top right of the page, click on **Settings** icon, then navigate to **Configuration**. ![image](./media/appraisd-tutorial/tutorial_appraisd_sett.png) @@ -170,9 +170,9 @@ To configure Azure AD single sign-on with Appraisd, perform the following steps: ![image](./media/appraisd-tutorial/tutorial_appraisd_saml.png) - a. Copy the **Default Relay State** value and paste it in **Relay State** textbox in **Basic SAML Configuration** on Azure portal. + a. Copy the **Default Relay State** value and paste it in **Relay State** textbox in **Basic SAML Configuration** on Azure portal. - b. Copy the **Service-initiated login URL** value and paste it in **Sign-on URL** textbox in **Basic SAML Configuration** on Azure portal. + b. Copy the **Service-initiated login URL** value and paste it in **Sign-on URL** textbox in **Basic SAML Configuration** on Azure portal. 5. Scroll down the same page under **Identifying users**, perform the following steps: @@ -182,7 +182,7 @@ To configure Azure AD single sign-on with Appraisd, perform the following steps: b. In the **Identity Provider Issuer URL** textbox, paste the value of **Azure Ad Identifier**, which you have copied from the Azure portal and click **Save**. - c. In Notepad, open the base-64 encoded certificate that you downloaded from the Azure portal, copy its content, and then paste it into the **X.509 Certificate** box and click **Save**. + c. In Notepad, open the base-64 encoded certificate that you downloaded from the Azure portal, copy its content, and then paste it into the **X.509 Certificate** box and click **Save**. ### Create an Azure AD test user 
@@ -243,11 +243,11 @@ To enable Azure AD users sign in to Appraisd, they must be provisioned into Appr 1. Sign in to Appraisd as a Security Administrator. -2. On the top right of the page, click on **Settings** icon, then navigate to **Administration centre**. +2. On the top right of the page, click on **Settings** icon, then navigate to **Administration centre**. ![image](./media/appraisd-tutorial/tutorial_appraisd_admin.png) -3. In the toolbar at the top of the page, click **People**, then navigate to **Add a new user**. +3. In the toolbar at the top of the page, click **People**, then navigate to **Add a new user**. ![image](./media/appraisd-tutorial/tutorial_appraisd_user.png) diff --git a/articles/active-directory/saas-apps/asana-provisioning-tutorial.md b/articles/active-directory/saas-apps/asana-provisioning-tutorial.md index d36ab15da65dd..f242f3fbbdc79 100644 --- a/articles/active-directory/saas-apps/asana-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/asana-provisioning-tutorial.md @@ -1,5 +1,4 @@ --- - title: 'Tutorial: Configure Asana for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Asana. services: active-directory @@ -15,7 +14,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/26/2018 +ms.date: 03/27/2019 ms.author: asmalser ms.reviewer: asmalser 
@@ -30,16 +29,16 @@ The objective of this tutorial is to show you the steps you need to perform in A The scenario outlined in this tutorial assumes that you already have the following items: -* An Azure AD tenant -* An Asana tenant with an [Enterprise](https://www.asana.com/pricing) plan or better enabled -* A user account in Asana with admin permissions +* An Azure AD tenant +* An Asana tenant with an [Enterprise](https://www.asana.com/pricing) plan or better enabled +* A user account in Asana with admin permissions -> [!NOTE] +> [!NOTE] > Azure AD provisioning integration relies on the [Asana API](https://asana.com/developers/api-reference/users), which is available to Asana. ## Assign users to Asana -Azure AD uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users assigned to an application in Azure AD are synchronized. +Azure AD uses a concept called *assignments* to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users assigned to an application in Azure AD are synchronized. Before you configure and enable the provisioning service, you must decide which users in Azure AD need access to your Asana app. Then you can assign these users to your Asana app by following the instructions here: @@ -49,7 +48,7 @@ Before you configure and enable the provisioning service, you must decide which We recommend that you assign a single Azure AD user to Asana to test the provisioning configuration. Additional users can be assigned later. -## Configure user provisioning to Asana +## Configure user provisioning to Asana This section guides you through connecting your Azure AD to Asana user account provisioning API. You also configure the provisioning service to create, update, and disable assigned user accounts in Asana based on user assignments in Azure AD. 
@@ -84,7 +83,7 @@ This section guides you through connecting your Azure AD to Asana user account p 1. Enter the email address of a person or group that you want to receive provisioning error notifications in **Notification Email**. Select the check box underneath. -1. Select **Save**. +1. Select **Save**. 1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Asana**. @@ -92,7 +91,7 @@ This section guides you through connecting your Azure AD to Asana user account p 1. To enable the Azure AD provisioning service for Asana, in the **Settings** section, change **Provisioning Status** to **On**. -1. Select **Save**. +1. Select **Save**. Now the initial synchronization starts for any users assigned to Asana in the **Users** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. Use the **Synchronization Details** section to monitor progress and follow links to provisioning activity logs. The audit logs describe all actions performed by the provisioning service on your Asana app. diff --git a/articles/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial.md b/articles/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial.md index bc73a2f400de7..16186c6320c24 100644 --- a/articles/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial.md 
@@ -14,70 +14,65 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/03/2019 +ms.date: 03/27/2019 ms.author: v-ant --- # Tutorial: Configure Atlassian Cloud for automatic user provisioning -The objective of this tutorial is to demonstrate the steps to be performed in Atlassian Cloud and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Atlassian Cloud. +The objective of this tutorial is to demonstrate the steps to be performed in Atlassian Cloud and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Atlassian Cloud. > [!NOTE] > This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md). -> +> > This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following prerequisites: -* An Azure AD tenant -* [An Atlassian Cloud tenant](https://www.atlassian.com/licensing/cloud) -* An user account in Atlassian Cloud with Admin permissions. +* An Azure AD tenant +* [An Atlassian Cloud tenant](https://www.atlassian.com/licensing/cloud) +* An user account in Atlassian Cloud with Admin permissions. > [!NOTE] > The Azure AD provisioning integration relies on the **Atlassian Cloud SCIM API**, which is available to Atlassian Cloud teams. 
-## Adding Atlassian Cloud from the gallery +## Add Atlassian Cloud from the gallery + Before configuring Atlassian Cloud for automatic user provisioning with Azure AD, you need to add Atlassian Cloud from the Azure AD application gallery to your list of managed SaaS applications. **To add Atlassian Cloud from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. - - ![The Azure Active Directory button][1] - -2. Navigate to **Enterprise applications** > **All applications**. +1. In the **[Azure portal](https://portal.azure.com)**, in the left navigation panel, select **Azure Active Directory**. - ![The Enterprise applications Section][2] - -3. To add Atlassian Cloud, click the **New application** button on the top of the dialog. + ![The Azure Active Directory button](common/select-azuread.png) - ![The New application button][3] +2. Go to **Enterprise applications**, and then select **All applications**. -4. In the search box, type **Atlassian Cloud**. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/app-search.png) +3. To add a new application, select the **New application** button at the top of the pane. -5. In the results panel, select **Atlassian Cloud**, and then click the **Add** button to add Atlassian Cloud to your list of SaaS applications. + ![The New application button](common/add-new-app.png) - ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/app-create.png) +4. In the search box, enter **Atlassian Cloud**, select **Atlassian Cloud** in the results panel, and then click the **Add** button to add the application. 
- ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/app-instance.png) + ![Atlassian Cloud in the results list](common/search-new-app.png) ## Assigning users to Atlassian Cloud -Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been "assigned" to an application in Azure AD are synchronized. +Azure Active Directory uses a concept called *assignments* to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been assigned to an application in Azure AD are synchronized. Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Atlassian Cloud. Once decided, you can assign these users and/or groups to Atlassian Cloud by following the instructions here: -* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) +* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) ### Important tips for assigning users to Atlassian Cloud -* It is recommended that a single Azure AD user is assigned to Atlassian Cloud to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* It is recommended that a single Azure AD user is assigned to Atlassian Cloud to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. -* When assigning a user to Atlassian Cloud, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When assigning a user to Atlassian Cloud, you must select any valid application-specific role (if available) in the assignment dialog. 
Users with the **Default Access** role are excluded from provisioning. ## Configuring automatic user provisioning to Atlassian Cloud @@ -88,14 +83,16 @@ This section guides you through the steps to configure the Azure AD provisioning ### To configure automatic user provisioning for Atlassian Cloud in Azure AD: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **Atlassian Cloud**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **Atlassian Cloud**. -2. Select Atlassian Cloud from your list of SaaS applications. - - ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/application-instance-search.png) + ![The Atlassian Cloud link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. - + ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/provisioning-tab.png) 4. Set the **Provisioning Mode** to **Automatic**. @@ -104,7 +101,7 @@ This section guides you through the steps to configure the Azure AD provisioning 5. Under the **Admin Credentials** section, input the **Tenant URL** and **Secret Token** of your Atlassian Cloud's account. Examples of these values are: - * In the **Tenant URL** field, fill the specific tenant endpoint you receive from the Atlassian, as described in Step 6. For Example: **https://api.atlassian.com/scim/directory/{directoryId}** + * In the **Tenant URL** field, fill the specific tenant endpoint you receive from the Atlassian, as described in Step 6. For Example: `https://api.atlassian.com/scim/directory/{directoryId}`. * In the **Secret Token** field, populate the secret token as described in Step 6. 
@@ -112,13 +109,13 @@ This section guides you through the steps to configure the Azure AD provisioning ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/secret-token-1.png) ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/secret-token-2.png) - + ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/secret-token-3.png) 7. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Atlassian Cloud. If the connection fails, ensure your Atlassian Cloud account has Admin permissions and try again. ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/test-connection.png) - + 8. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**. ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/notification.png) @@ -155,7 +152,6 @@ This section guides you through the steps to configure the Azure AD provisioning ![Atlassian Cloud Provisioning](./media/atlassian-cloud-provisioning-tutorial/save.png) - This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Atlassian Cloud. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). 
diff --git a/articles/active-directory/saas-apps/auditboard-tutorial.md b/articles/active-directory/saas-apps/auditboard-tutorial.md index bba79edc803ea..0e1a2b25cb941 100644 --- a/articles/active-directory/saas-apps/auditboard-tutorial.md +++ b/articles/active-directory/saas-apps/auditboard-tutorial.md @@ -13,7 +13,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: tutorial -ms.date: 12/18/2018 +ms.date: 04/03/2019 ms.author: jeedes ms.collection: M365-identity-device-management @@ -34,7 +34,7 @@ If you don't have an Azure subscription, [create a free account](https://azure.m To configure Azure AD integration with AuditBoard, you need the following items: -* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/) +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) * AuditBoard single sign-on enabled subscription ## Scenario description @@ -63,7 +63,7 @@ To configure the integration of AuditBoard into Azure AD, you need to add AuditB 4. In the search box, type **AuditBoard**, select **AuditBoard** from result panel then click **Add** button to add the application. - ![AuditBoard in the results list](common/search-new-app.png) + ![AuditBoard in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on 
@@ -75,8 +75,8 @@ To configure and test Azure AD single sign-on with AuditBoard, you need to compl 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Configure AuditBoard Single Sign-On](#configure-auditboard-single-sign-on)** - to configure the Single Sign-On settings on application side. 3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -4. **[Create AuditBoard test user](#create-auditboard-test-user)** - to have a counterpart of Britta Simon in AuditBoard that is linked to the Azure AD representation of user. -5. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create AuditBoard test user](#create-auditboard-test-user)** - to have a counterpart of Britta Simon in AuditBoard that is linked to the Azure AD representation of user. 6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on 
@@ -117,7 +117,7 @@ To configure Azure AD single sign-on with AuditBoard, perform the following step > [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [AuditBoard Client support team](mailto:support@auditboard.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -4. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. +5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ![The Certificate download link](common/copy-metadataurl.png) @@ -125,7 +125,7 @@ To configure Azure AD single sign-on with AuditBoard, perform the following step To configure single sign-on on **AuditBoard** side, you need to send the **App Federation Metadata Url** to [AuditBoard support team](mailto:support@auditboard.com). They set this setting to have the SAML SSO connection set properly on both sides. -### Create an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. @@ -143,8 +143,7 @@ The objective of this section is to create a test user in the Azure portal calle a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com + b. In the **User name** field type `brittasimon\@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com c. Select **Show password** check box, and then write down the value that's displayed in the Password box. 
@@ -180,7 +179,7 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting In this section, you create a user called Britta Simon in AuditBoard. Work with [AuditBoard support team](mailto:support@auditboard.com) to add the users in the AuditBoard platform. Users must be created and activated before you use single sign-on. -### Test single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. @@ -192,5 +191,4 @@ When you click the AuditBoard tile in the Access Panel, you should be automatica - [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) - +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) \ No newline at end of file diff --git a/articles/active-directory/saas-apps/bambubysproutsocial-tutorial.md b/articles/active-directory/saas-apps/bambubysproutsocial-tutorial.md index fc0eb40982b1e..c9f62efad6d78 100644 --- a/articles/active-directory/saas-apps/bambubysproutsocial-tutorial.md +++ b/articles/active-directory/saas-apps/bambubysproutsocial-tutorial.md 
@@ -183,8 +183,8 @@ When you click the Bambu by Sprout Social tile in the Access Panel, you should b ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) \ No newline at end of file diff --git a/articles/active-directory/saas-apps/beeline-tutorial.md b/articles/active-directory/saas-apps/beeline-tutorial.md index 00605ee586077..7e17a0172f92b 100644 --- a/articles/active-directory/saas-apps/beeline-tutorial.md +++ b/articles/active-directory/saas-apps/beeline-tutorial.md 
@@ -199,8 +199,8 @@ When you click the BeeLine tile in the Access Panel, you should be automatically ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) \ No newline at end of file diff --git a/articles/active-directory/saas-apps/benchling-tutorial.md b/articles/active-directory/saas-apps/benchling-tutorial.md index cb07ab6452a90..e823ff1a692e7 100644 --- a/articles/active-directory/saas-apps/benchling-tutorial.md +++ b/articles/active-directory/saas-apps/benchling-tutorial.md 
@@ -219,9 +219,9 @@ When you click the Benchling tile in the Access Panel, you should be automatical ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/bersin-tutorial.md b/articles/active-directory/saas-apps/bersin-tutorial.md index 546c7baac3fe2..aac6b40a6a1f1 100644 --- a/articles/active-directory/saas-apps/bersin-tutorial.md +++ b/articles/active-directory/saas-apps/bersin-tutorial.md 
@@ -197,8 +197,8 @@ When you click the Bersin tile in the Access Panel, you should be automatically ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/betterworks-tutorial.md b/articles/active-directory/saas-apps/betterworks-tutorial.md index 6783bd90ae872..3aeaf9bbd0f5e 100644 --- a/articles/active-directory/saas-apps/betterworks-tutorial.md +++ b/articles/active-directory/saas-apps/betterworks-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 5bb9505a-be02-46ae-9979-5308715d2b47 ms.service: active-directory @@ -12,8 +13,8 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/09/2017 +ms.topic: tutorial +ms.date: 04/05/2019 ms.author: jeedes ms.collection: M365-identity-device-management 
@@ -21,235 +22,212 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with BetterWorks In this tutorial, you learn how to integrate BetterWorks with Azure Active Directory (Azure AD). - Integrating BetterWorks with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to BetterWorks -- You can enable your users to automatically get signed-on to BetterWorks (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to BetterWorks. +* You can enable your users to be automatically signed-in to BetterWorks (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with BetterWorks, you need the following items: -- An Azure AD subscription -- A BetterWorks single-sign on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* BetterWorks single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding BetterWorks from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* BetterWorks supports **SP and IDP** initiated SSO ## Adding BetterWorks from the gallery + To configure the integration of BetterWorks into Azure AD, you need to add BetterWorks from the gallery to your list of managed SaaS apps. **To add BetterWorks from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add a new application, click the **New application** button at the top of the dialog. -1. In the search box, type **BetterWorks**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/betterworks-tutorial/tutorial_betterworks_search.png) +4. In the search box, type **BetterWorks**, select **BetterWorks** from the result panel then click the **Add** button to add the application. -1. 
In the results panel, select **BetterWorks**, and then click **Add** button to add the application. + ![BetterWorks in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/betterworks-tutorial/tutorial_betterworks_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with BetterWorks based on a test user called "Britta Simon." +In this section, you configure and test Azure AD single sign-on with BetterWorks based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in BetterWorks needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in BetterWorks is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in BetterWorks needs to be established. +To configure and test Azure AD single sign-on with BetterWorks, you need to complete the following building blocks: -In BetterWorks, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure BetterWorks Single Sign-On](#configure-betterworks-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create BetterWorks test user](#create-betterworks-test-user)** - to have a counterpart of Britta Simon in BetterWorks that is linked to the Azure AD representation of user. +6. 
**[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with BetterWorks, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a BetterWorks test user](#creating-a-betterworks-test-user)** - to have a counterpart of Britta Simon in BetterWorks that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with BetterWorks, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your BetterWorks application. +1. In the [Azure portal](https://portal.azure.com/), on the **BetterWorks** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with BetterWorks, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **BetterWorks** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. 
- - ![Configure Single Sign-On](./media/betterworks-tutorial/tutorial_betterworks_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **BetterWorks Domain and URLs** section, If you wish to configure the application in **IDP initiated mode**: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/betterworks-tutorial/tutorial_betterworks_url.png) +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: - a. In the **Identifier** textbox, type a URL using the following pattern: `https://app.betterworks.com/saml2/metadata/` + ![BetterWorks Domain and URLs single sign-on information](common/idp-intiated.png) - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://app.betterworks.com/saml2/acs/` + a. In the **Identifier** text box, type a URL using the following pattern: + `https://app.betterworks.com/saml2/metadata/` -1. On the **BetterWorks Domain and URLs** section, If you wish to configure the application in **SP initiated mode**, perform the following steps: - - ![Configure Single Sign-On](./media/betterworks-tutorial/tutorial_betterworks_url1.png) + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://app.betterworks.com/saml2/acs/` - a. Click on the **Show advanced URL settings**. +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: - b. In the **Sign On URL** textbox, type a URL using the following pattern: `https://app.betterworks.com` + ![BetterWorks Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) - > [!NOTE] - > These are not real values. Update these values with the Reply URL, Identifier and actual Sign On URL. 
Contact [BetterWorks support team](mailto:support@betterworks.com) to get these values. - -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://app.betterworks.com` - ![Configure Single Sign-On](./media/betterworks-tutorial/tutorial_betterworks_certificate.png) + > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [BetterWorks Client support team](mailto:support@betterworks.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. BetterWorks application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the "**Attribute**" tab of the application. The following screenshot shows an example for this. +6. Your BetterWorks application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog. - ![Configure Single Sign-On](./media/betterworks-tutorial/tutorial_betterworks_attribute.png) + ![image](common/edit-attribute.png) -1. On the **SAML token attributes** dialog, for each row shown in the table below, perform the following steps: - - | Attribute Name | Attribute Value | - | -------------- | ------------ | - | saml_token | bd189cf6-1701-11e6-8f90-d26992eca2a5 | +7. In the **User Claims** section on the **User Attributes** dialog, edit the claims by using **Edit icon** or add the claims by using **Add new claim** to configure SAML token attribute as shown in the image above and perform the following steps: - a. 
Click **Add attribute** to open the **Add Attribute** dialog. + | Name | Source Attribute| + | ----- | ------------ | + | saml_token | bd189cf6-1701-11e6-8f90-d26992eca2a5 | - ![Configure Single Sign-On](./media/betterworks-tutorial/tutorial_officespace_04.png) + a. Click **Add new claim** to open the **Manage user claims** dialog. - ![Configure Single Sign-On](./media/betterworks-tutorial/tutorial_officespace_05.png) + ![image](common/new-save-attribute.png) - b. In the **Name** textbox, type the attribute name shown for that row. + ![image](common/new-attribute-details.png) - c. From the **Value** list, type the attribute value shown for that row. - - d. Click **Ok**. + b. In the **Name** textbox, type the attribute name shown for that row. -1. Click **Save** button. + c. Leave the **Namespace** blank. - ![Configure Single Sign-On](./media/betterworks-tutorial/tutorial_general_400.png) + d. Select Source as **Attribute**. -1. To configure single sign-on on **BetterWorks** side, you need to send the downloaded **Metadata XML** to [BetterWorks support team](mailto:support@betterworks.com). + e. From the **Source attribute** list, type the attribute value shown for that row. + f. Click **Ok** -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) - + g. Click **Save**. -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. +8. 
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/metadataxml.png) -![Create Azure AD User][100] +9. On the **Set up BetterWorks** section, copy the appropriate URL(s) as per your requirement. -**To create a test user in Azure AD, perform the following steps:** + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. + a. Login URL - ![Creating an Azure AD test user](./media/betterworks-tutorial/create_aaduser_01.png) + b. Azure AD Identifier -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/betterworks-tutorial/create_aaduser_02.png) + c. Logout URL -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/betterworks-tutorial/create_aaduser_03.png) +### Configure BetterWorks Single Sign-On -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/betterworks-tutorial/create_aaduser_04.png) +To configure single sign-on on **BetterWorks** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [BetterWorks support team](mailto:support@betterworks.com). They set this setting to have the SAML SSO connection set properly on both sides. - a. In the **Name** textbox, type **BrittaSimon**. +### Create an Azure AD test user - b. In the **User name** textbox, type the **email address** of BrittaSimon. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - c. Select **Show Password** and write down the value of the **Password**. +1. 
In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - d. Click **Create**. - -### Creating a BetterWorks test user + ![The "Users and groups" and "All users" links](common/users.png) -In this section, you create a user called Britta Simon in BetterWorks. Work with [BetterWorks support team](mailto:support@betterworks.com) to add the users in the BetterWorks platform. +2. Select **New user** at the top of the screen. -### Assigning the Azure AD test user + ![New user Button](common/new-user.png) -In this section, you enable Britta Simon to use Azure single sign-on by granting access to BetterWorks. +3. In the User properties, perform the following steps. + + ![The User dialog box](common/user-properties.png) + + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com. -![Assign User][200] + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -**To assign Britta Simon to BetterWorks, perform the following steps:** + d. Click **Create**. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +### Assign the Azure AD test user - ![Assign User][201] +In this section, you enable Britta Simon to use Azure single sign-on by granting access to BetterWorks. -1. In the applications list, select **BetterWorks**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **BetterWorks**. - ![Configure Single Sign-On](./media/betterworks-tutorial/tutorial_betterworks_app.png) + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the menu on the left, click **Users and groups**. +2. In the applications list, select **BetterWorks**. 
- ![Assign User][202] + ![The BetterWorks link in the Applications list](common/all-applications.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +3. In the menu on the left, select **Users and groups**. - ![Assign User][203] + ![The "Users and groups" link](common/users-groups-blade.png) -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. Click **Select** button on **Users and groups** dialog. + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -When you click the BetterWorks tile in the Access Panel, you should get automatically signed-on to your BetterWorks application. +7. In the **Add Assignment** dialog click the **Assign** button. -## Additional resources +### Create BetterWorks test user -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +In this section, you create a user called Britta Simon in BetterWorks. Work with [BetterWorks support team](mailto:support@betterworks.com) to add the users in the BetterWorks platform. Users must be created and activated before you use single sign-on. 
+### Test single sign-on - +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -[1]: ./media/betterworks-tutorial/tutorial_general_01.png -[2]: ./media/betterworks-tutorial/tutorial_general_02.png -[3]: ./media/betterworks-tutorial/tutorial_general_03.png -[4]: ./media/betterworks-tutorial/tutorial_general_04.png +When you click the BetterWorks tile in the Access Panel, you should be automatically signed in to the BetterWorks for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). + +## Additional resources -[100]: ./media/betterworks-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/betterworks-tutorial/tutorial_general_200.png -[201]: ./media/betterworks-tutorial/tutorial_general_201.png -[202]: ./media/betterworks-tutorial/tutorial_general_202.png -[203]: ./media/betterworks-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/bluejeans-provisioning-tutorial.md b/articles/active-directory/saas-apps/bluejeans-provisioning-tutorial.md index e5e5113b92e33..742b67dc21429 100644 --- a/articles/active-directory/saas-apps/bluejeans-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/bluejeans-provisioning-tutorial.md 
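Review bot: The claims table in step 7 of the BetterWorks tutorial gives every reader the same literal `saml_token` value (`bd189cf6-1701-11e6-8f90-d26992eca2a5`) without saying whether it is a fixed constant that BetterWorks expects or a value issued per tenant. The placeholder note after step 5 covers only the Identifier, Reply URL and Sign-on URL. If the value is tenant-specific, a reader who copies it verbatim sends an assertion attribute that is either wrong or identical to that of every other tenant that followed the tutorial. I would add a line under the table such as `> [!NOTE] > Confirm the saml_token value for your tenant with the BetterWorks support team before saving the claim.` Steps 7d and 7e also tell the reader to select Source as **Attribute** and then type a literal into the **Source attribute** list, so the step should state that this is a constant value and not a directory attribute.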
@@ -14,7 +14,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 02/01/2018 +ms.date: 03/27/2019 ms.author: v-ant ms.collection: M365-identity-device-management 
@@ -31,53 +31,48 @@ The objective of this tutorial is to demonstrate the steps to be performed in Bl The scenario outlined in this tutorial assumes that you already have the following: -* An Azure AD tenant -* A BlueJeans tenant with the [My Company](https://www.BlueJeans.com/pricing) plan or better enabled -* A user account in BlueJeans with Admin permissions +* An Azure AD tenant +* A BlueJeans tenant with the [My Company](https://www.BlueJeans.com/pricing) plan or better enabled +* A user account in BlueJeans with Admin permissions > [!NOTE] > The Azure AD provisioning integration relies on the [BlueJeans API](https://BlueJeans.github.io/developer), which is available to BlueJeans teams on the Standard plan or better. ## Adding BlueJeans from the gallery + Before configuring BlueJeans for automatic user provisioning with Azure AD, you need to add BlueJeans from the Azure AD application gallery to your list of managed SaaS applications. **To add BlueJeans from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. - - ![The Azure Active Directory button][1] +1. In the **[Azure portal](https://portal.azure.com)**, in the left navigation panel, select **Azure Active Directory**. -2. Navigate to **Enterprise applications** > **All applications**. + ![The Azure Active Directory button](common/select-azuread.png) - ![The Enterprise applications Section][2] - -3. To add BlueJeans, click the **New application** button on the top of the dialog. +2. Go to **Enterprise applications**, and then select **All applications**. - ![The New application button][3] + ![The Enterprise applications blade](common/enterprise-applications.png) -4. In the search box, type **BlueJeans**. +3. To add a new application, select the **New application** button at the top of the pane. 
- ![BlueJeans Provisioning](./media/bluejeans-provisioning-tutorial/BluejeansAppSearch.png) + ![The New application button](common/add-new-app.png) -5. In the results panel, select **BlueJeans**, and then click the **Add** button to add BlueJeans to your list of SaaS applications. +4. In the search box, enter **BlueJeans**, select **BlueJeans** in the results panel, and then select the **Add** button to add the application. - ![BlueJeans Provisioning](./media/bluejeans-provisioning-tutorial/BluejeansAppSearchResults.png) + ![BlueJeans in the results list](common/search-new-app.png) - ![BlueJeans Provisioning](./media/bluejeans-provisioning-tutorial/BluejeansAppCreate.png) - ## Assigning users to BlueJeans Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been "assigned" to an application in Azure AD are synchronized. Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to BlueJeans. Once decided, you can assign these users and/or groups to BlueJeans by following the instructions here: -* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) +* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) ### Important tips for assigning users to BlueJeans -* It is recommended that a single Azure AD user is assigned to BlueJeans to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* It is recommended that a single Azure AD user is assigned to BlueJeans to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. -* When assigning a user to BlueJeans, you must select any valid application-specific role (if available) in the assignment dialog. 
Users with the **Default Access** role are excluded from provisioning. +* When assigning a user to BlueJeans, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. ## Configuring automatic user provisioning to BlueJeans @@ -88,11 +83,13 @@ This section guides you through the steps to configure the Azure AD provisioning ### To configure automatic user provisioning for BlueJeans in Azure AD: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **BlueJeans**. + + ![Enterprise applications blade](common/enterprise-applications.png) -2. Select BlueJeans from your list of SaaS applications. - - ![BlueJeans Provisioning](./media/bluejeans-provisioning-tutorial/Bluejeans2.png) +2. In the applications list, select **BlueJeans**. + + ![The BlueJeans link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. @@ -158,6 +155,7 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti * [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md) + [1]: ./media/bluejeans-provisioning-tutorial/tutorial_general_01.png [2]: ./media/bluejeans-tutorial/tutorial_general_02.png [3]: ./media/bluejeans-tutorial/tutorial_general_03.png diff --git a/articles/active-directory/saas-apps/bonusly-provisioning-tutorial.md b/articles/active-directory/saas-apps/bonusly-provisioning-tutorial.md index 1e792af4af3db..94ecd865477bb 100644 --- a/articles/active-directory/saas-apps/bonusly-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/bonusly-provisioning-tutorial.md 
@@ -7,13 +7,14 @@ author: zchia writer: zchia manager: beatrizd-msft -ms.assetid: na +ms.assetid: 879b0ee9-042a-441b-90a7-8c364d62426a ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 06/27/2018 +ms.date: 03/27/2019 ms.author: v-wingf-msft ms.collection: M365-identity-device-management --- 
@@ -29,39 +30,34 @@ The objective of this tutorial is to demonstrate the steps to be performed in Bo The scenario outlined in this tutorial assumes that you already have the following: -* An Azure AD tenant -* A [Bonusly tenant](https://bonus.ly/pricing) -* A user account in Bonusly with Admin permissions +* An Azure AD tenant +* A [Bonusly tenant](https://bonus.ly/pricing) +* A user account in Bonusly with Admin permissions > [!NOTE] > The Azure AD provisioning integration relies on the [Bonusly Rest API](https://bonusly.gelato.io/reference), which is available to Bonusly developers. ## Adding Bonusly from the gallery + Before configuring Bonusly for automatic user provisioning with Azure AD, you need to add Bonusly from the Azure AD application gallery to your list of managed SaaS applications. **To add Bonusly from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. - - ![The Azure Active Directory button][1] - -2. Navigate to **Enterprise applications** > **All applications**. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Enterprise applications Section][2] - -3. To add Bonusly, click the **New application** button on the top of the dialog. + ![The Azure Active Directory button](common/select-azuread.png) - ![The New application button][3] +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -4. In the search box, type **Bonusly**. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Bonusly Provisioning](./media/bonusly-provisioning-tutorial/AppSearch.png) +3. To add new application, click **New application** button on the top of dialog. -5. In the results panel, select **Bonusly**, and then click the **Add** button to add Bonusly to your list of SaaS applications. 
+ ![The New application button](common/add-new-app.png) - ![Bonusly Provisioning](./media/bonusly-provisioning-tutorial/AppSearchResults.png) +4. In the search box, type **Bonusly**, select **Bonusly** from result panel then click **Add** button to add the application. - ![Bonusly Provisioning](./media/bonusly-provisioning-tutorial/AppCreation.png) + ![Bonusly in the results list](common/search-new-app.png) ## Assigning users to Bonusly @@ -69,13 +65,13 @@ Azure Active Directory uses a concept called "assignments" to determine which us Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Bonusly. Once decided, you can assign these users and/or groups to Bonusly by following the instructions here: -* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) +* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) ### Important tips for assigning users to Bonusly -* It is recommended that a single Azure AD user is assigned to Bonusly to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* It is recommended that a single Azure AD user is assigned to Bonusly to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. -* When assigning a user to Bonusly, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When assigning a user to Bonusly, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. ## Configuring automatic user provisioning to Bonusly 
@@ -86,14 +82,16 @@ This section guides you through the steps to configure the Azure AD provisioning ### To configure automatic user provisioning for Bonusly in Azure AD: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **Bonusly**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **Bonusly**. -2. Select Bonusly from your list of SaaS applications. - - ![Bonusly Provisioning](./media/bonusly-provisioning-tutorial/AppInstanceSearch.png) + ![The Bonusly link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. - + ![Bonusly Provisioning](./media/bonusly-provisioning-tutorial/ProvisioningTab.png) 4. Set the **Provisioning Mode** to **Automatic**. @@ -102,6 +100,8 @@ This section guides you through the steps to configure the Azure AD provisioning 5. Under the **Admin Credentials** section, input the **Secret Token** of your Bonusly account as described in Step 6. + ![Bonusly Provisioning](./media/bonusly-provisioning-tutorial/secrettoken.png) + 6. The **Secret Token** for your Bonusly account is located in **Admin > Company > Integrations**. In the **If you want to code** section, click on **API > Create New API Access Token** to create a new Secret Token. ![Bonusly Provisioning](./media/bonusly-provisioning-tutorial/BonuslyIntegrations.png) 
@@ -119,7 +119,7 @@ This section guides you through the steps to configure the Azure AD provisioning 8. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Bonusly. If the connection fails, ensure your Bonusly account has Admin permissions and try again. ![Bonusly Provisioning](./media/bonusly-provisioning-tutorial/TestConnection.png) - + 9. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox **Send an email notification when a failure occurs**. ![Bonusly Provisioning](./media/bonusly-provisioning-tutorial/EmailNotification.png) @@ -148,7 +148,6 @@ This section guides you through the steps to configure the Azure AD provisioning ![Bonusly Provisioning](./media/bonusly-provisioning-tutorial/SaveProvisioning.png) - This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Bonusly. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). 
@@ -158,7 +157,6 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti * [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) * [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - ## Next steps * [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md) diff --git a/articles/active-directory/saas-apps/borrowbox-tutorial.md b/articles/active-directory/saas-apps/borrowbox-tutorial.md index 01563120d2c25..3e99cd2d66a4a 100644 --- a/articles/active-directory/saas-apps/borrowbox-tutorial.md +++ b/articles/active-directory/saas-apps/borrowbox-tutorial.md @@ -200,8 +200,8 @@ When you click the BorrowBox tile in the Access Panel, you should be automatical ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/bpmonline-tutorial.md b/articles/active-directory/saas-apps/bpmonline-tutorial.md index 54465579839e1..cfd76cd1bd90f 100644 --- a/articles/active-directory/saas-apps/bpmonline-tutorial.md 
+++ b/articles/active-directory/saas-apps/bpmonline-tutorial.md @@ -4,17 +4,17 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess -ms.assetid: 052db91d-ccff-4098-8ae3-2f76eca90539 +ms.assetid: 052db91d-ccff-4098-8ae3-2f76eca9053 ms.service: active-directory ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 04/16/2018 +ms.topic: tutorial +ms.date: 04/03/2019 ms.author: jeedes ms.collection: M365-identity-device-management 
@@ -22,206 +22,174 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Bpm’online In this tutorial, you learn how to integrate Bpm’online with Azure Active Directory (Azure AD). - Integrating Bpm’online with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Bpm’online. -- You can enable your users to automatically get signed-on to Bpm’online (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Bpm’online. +* You can enable your users to be automatically signed-in to Bpm’online (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Bpm’online, you need the following items: -- An Azure AD subscription -- A Bpm’online single-sign on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Bpm’online single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Bpm’online from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Bpm’online supports **SP and IDP** initiated SSO ## Adding Bpm’online from the gallery + To configure the integration of Bpm’online into Azure AD, you need to add Bpm’online from the gallery to your list of managed SaaS apps. **To add Bpm’online from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. To add a new application, click the **New application** button at the top of the dialog. -1. In the search box, type **Bpm’online**, select **Bpm’online** from result panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Bpm’online in the results list](./media/bpmonline-tutorial/tutorial_bpmonline_addfromgallery.png) +4. 
In the search box, type **Bpm’online**, select **Bpm’online** from the result panel then click the **Add** button to add the application. -## Configure and test Azure AD single sign-on - -In this section, you configure and test Azure AD single sign-on with Bpm’online based on a test user called "Britta Simon." + ![Bpm’online in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know what the counterpart user in Bpm’online is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Bpm’online needs to be established. +## Configure and test Azure AD single sign-on -In Bpm’online, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with Bpm’online based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Bpm’online needs to be established. To configure and test Azure AD single sign-on with Bpm’online, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a Bpm’online test user](#create-a-bpmonline-test-user)** - to have a counterpart of Britta Simon in Bpm’online that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure Bpm’online Single Sign-On](#configure-bpmonline-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. 
**[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Bpm’online test user](#create-bpmonline-test-user)** - to have a counterpart of Britta Simon in Bpm’online that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Bpm’online application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Bpm’online, perform the following steps:** +To configure Azure AD single sign-on with Bpm’online, perform the following steps: -1. In the Azure portal, on the **Bpm’online** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Bpm’online** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Single sign-on dialog box](./media/bpmonline-tutorial/tutorial_bpmonline_samlbase.png) + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Bpm’online Domain and URLs** section, perform the following steps if you wish to configure the application in **IDP** initiated mode: +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. 
- ![Bpm’online Domain and URLs single sign-on information](./media/bpmonline-tutorial/tutorial_bpmonline_url.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) - a. In the **Identifier** textbox, type a URL using the following pattern: `https://.bpmonline.com/` +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://.bpmonline.com/ServiceModel/AuthService.svc/SsoLogin` + ![Bpm’online Domain and URLs single sign-on information](common/idp-intiated.png) -1. Check **Show advanced URL settings** and perform the following step if you wish to configure the application in **SP** initiated mode: + a. In the **Identifier** text box, type a URL using the following pattern: + `https://.bpmonline.com/` - ![Bpm’online Domain and URLs single sign-on information](./media/bpmonline-tutorial/tutorial_bpmonline_url1.png) + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://.bpmonline.com/ServiceModel/AuthService.svc/SsoLogin` - In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.bpmonline.com/` - - > [!NOTE] - > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. Contact [Bpm’online Client support team](mailto:support@bpmonline.com) to get these values. +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: -1. On the **SAML Signing Certificate** section, click the copy button to copy **App Federation Metadata Url** and paste it into notepad. - - ![Configure Single Sign-On](./media/bpmonline-tutorial/tutorial_metadataurl.png) - -1. Click **Save** button. 
+ ![Bpm’online Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) - ![Configure Single Sign-On Save button](./media/bpmonline-tutorial/tutorial_general_400.png) - -1. To configure single sign-on on **Bpm’online** side, you need to send the **App Federation Metadata Url** to [Bpm’online support team](mailto:support@bpmonline.com). They set this setting to have the SAML SSO connection set properly on both sides. + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://.bpmonline.com/` -### Create an Azure AD test user + > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Bpm’online Client support team](mailto:support@bpmonline.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -The objective of this section is to create a test user in the Azure portal called Britta Simon. +6. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. - ![Create an Azure AD test user][100] + ![The Certificate download link](common/copy-metadataurl.png) -**To create a test user in Azure AD, perform the following steps:** +### Configure Bpm’online Single Sign-On -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +To configure single sign-on on **Bpm’online** side, you need to send the **App Federation Metadata Url** to [Bpm’online support team](mailto:support@bpmonline.com). They set this setting to have the SAML SSO connection set properly on both sides. - ![The Azure Active Directory button](./media/bpmonline-tutorial/create_aaduser_01.png) +### Create an Azure AD test user -1. To display the list of users, go to **Users and groups**, and then click **All users**. 
+The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![The "Users and groups" and "All users" links](./media/bpmonline-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Add button](./media/bpmonline-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -1. In the **User** dialog box, perform the following steps: + ![New user Button](common/new-user.png) - ![The User dialog box](./media/bpmonline-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** box, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** box, type the email address of user Britta Simon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Create a Bpm’online test user - -In this section, you create a user called Britta Simon in Bpm’online. Work with [Bpm’online support team](mailto:support@bpmonline.com) to add the users in the Bpm’online platform. Users must be created and activated before you use single sign-on. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Bpm’online. -![Assign the user role][200] +1. 
In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Bpm’online**. + + ![Enterprise applications blade](common/enterprise-applications.png) -**To assign Britta Simon to Bpm’online, perform the following steps:** +2. In the applications list, select **Bpm’online**. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. + ![The Bpm’online link in the Applications list](common/all-applications.png) - ![Assign User][201] +3. In the menu on the left, select **Users and groups**. -1. In the applications list, select **Bpm’online**. + ![The "Users and groups" link](common/users-groups-blade.png) - ![The Bpm’online link in the Applications list](./media/bpmonline-tutorial/tutorial_bpmonline_app.png) +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. In the menu on the left, click **Users and groups**. + ![The Add Assignment pane](common/add-assign-user.png) - ![The "Users and groups" link][202] +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +7. In the **Add Assignment** dialog click the **Assign** button. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +### Create Bpm’online test user -1. Click **Select** button on **Users and groups** dialog. +In this section, you create a user called Britta Simon in Bpm’online. 
Work with [Bpm’online support team](mailto:support@bpmonline.com) to add the users in the Bpm’online platform. Users must be created and activated before you use single sign-on. -1. Click **Assign** button on **Add Assignment** dialog. - ### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the Bpm’online tile in the Access Panel, you should get automatically signed-on to your Bpm’online application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). - -## Additional resources - -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - - - - +When you click the Bpm’online tile in the Access Panel, you should be automatically signed in to the Bpm’online for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-[1]: ./media/bpmonline-tutorial/tutorial_general_01.png -[2]: ./media/bpmonline-tutorial/tutorial_general_02.png -[3]: ./media/bpmonline-tutorial/tutorial_general_03.png -[4]: ./media/bpmonline-tutorial/tutorial_general_04.png +## Additional Resources -[100]: ./media/bpmonline-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/bpmonline-tutorial/tutorial_general_200.png -[201]: ./media/bpmonline-tutorial/tutorial_general_201.png -[202]: ./media/bpmonline-tutorial/tutorial_general_202.png -[203]: ./media/bpmonline-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/cernercentral-provisioning-tutorial.md b/articles/active-directory/saas-apps/cernercentral-provisioning-tutorial.md index 2861e0ac641c0..0af710800b851 100644 --- a/articles/active-directory/saas-apps/cernercentral-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/cernercentral-provisioning-tutorial.md 
@@ -14,22 +14,21 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/26/2018 +ms.date: 03/27/2019 ms.author: asmalser-msft ms.collection: M365-identity-device-management --- # Tutorial: Configure Cerner Central for automatic user provisioning -The objective of this tutorial is to show you the steps you need to perform in Cerner Central and Azure AD to automatically provision and de-provision user accounts from Azure AD to a user roster in Cerner Central. - +The objective of this tutorial is to show you the steps you need to perform in Cerner Central and Azure AD to automatically provision and de-provision user accounts from Azure AD to a user roster in Cerner Central. ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following items: -* An Azure Active Directory tenant -* A Cerner Central tenant +* An Azure Active Directory tenant +* A Cerner Central tenant > [!NOTE] > Azure Active Directory integrates with Cerner Central using the [SCIM](http://www.simplecloud.info/) protocol. 
@@ -44,12 +43,11 @@ Before configuring and enabling the provisioning service, you should decide what ### Important tips for assigning users to Cerner Central -* It is recommended that a single Azure AD user be assigned to Cerner Central to test the provisioning configuration. Additional users and/or groups may be assigned later. +* It is recommended that a single Azure AD user be assigned to Cerner Central to test the provisioning configuration. Additional users and/or groups may be assigned later. * Once initial testing is complete for a single user, Cerner Central recommends assigning the entire list of users intended to access any Cerner solution (not just Cerner Central) to be provisioned to Cerner’s user roster. Other Cerner solutions leverage this list of users in the user roster. -* When assigning a user to Cerner Central, you must select the **User** role in the assignment dialog. Users with the "Default Access" role are excluded from provisioning. - +* When assigning a user to Cerner Central, you must select the **User** role in the assignment dialog. Users with the "Default Access" role are excluded from provisioning. ## Configuring user provisioning to Cerner Central 
@@ -58,10 +56,8 @@ This section guides you through connecting your Azure AD to Cerner Central’s U > [!TIP] > You may also choose to enabled SAML-based Single Sign-On for Cerner Central, following the instructions provided in [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features complement each other. For more information, see the [Cerner Central single sign-on tutorial](cernercentral-tutorial.md). - ### To configure automatic user account provisioning to Cerner Central in Azure AD: - In order to provision user accounts to Cerner Central, you’ll need to request a Cerner Central system account from Cerner, and generate an OAuth bearer token that Azure AD can use to connect to Cerner's SCIM endpoint. It is also recommended that the integration be performed in a Cerner sandbox environment before deploying to production. 1. The first step is to ensure the people managing the Cerner and Azure AD integration have a CernerCare account, which is required to access the documentation necessary to complete the instructions. If necessary, use the URLs below to create CernerCare accounts in each applicable environment. @@ -102,11 +98,11 @@ In order to provision user accounts to Cerner Central, you’ll need to request * In the **Tenant URL** field, enter a URL in the format below, replacing "User-Roster-Realm-ID" with the realm ID you acquired in step #4. -> Sandbox: -> https://user-roster-api.sandboxcernercentral.com/scim/v1/Realms/User-Roster-Realm-ID/ -> -> Production: -> https://user-roster-api.cernercentral.com/scim/v1/Realms/User-Roster-Realm-ID/ + > Sandbox: + > https://user-roster-api.sandboxcernercentral.com/scim/v1/Realms/User-Roster-Realm-ID/ + > + > Production: + > https://user-roster-api.cernercentral.com/scim/v1/Realms/User-Roster-Realm-ID/ * In the **Secret Token** field, enter the OAuth bearer token you generated in step #3 and click **Test Connection**. 
@@ -114,13 +110,13 @@ In order to provision user accounts to Cerner Central, you’ll need to request 1. Enter the email address of a person or group who should receive provisioning error notifications in the **Notification Email** field, and check the checkbox below. -1. Click **Save**. +1. Click **Save**. 1. In the **Attribute Mappings** section, review the user and group attributes to be synchronized from Azure AD to Cerner Central. The attributes selected as **Matching** properties are used to match the user accounts and groups in Cerner Central for update operations. Select the Save button to commit any changes. 1. To enable the Azure AD provisioning service for Cerner Central, change the **Provisioning Status** to **On** in the **Settings** section -1. Click **Save**. +1. Click **Save**. This starts the initial synchronization of any users and/or groups assigned to Cerner Central in the Users and Groups section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service on your Cerner Central app. @@ -134,4 +130,5 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti * [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps + * [Learn how to review logs and get reports on provisioning activity](https://docs.microsoft.com/azure/active-directory/active-directory-saas-provisioning-reporting). diff --git a/articles/active-directory/saas-apps/certent-equity-management-tutorial.md b/articles/active-directory/saas-apps/certent-equity-management-tutorial.md new file mode 100644 index 0000000000000..05a8323900a06 --- /dev/null 
+++ b/articles/active-directory/saas-apps/certent-equity-management-tutorial.md 
@@ -0,0 +1,230 @@ +--- +title: 'Tutorial: Azure Active Directory integration with Certent Equity Management | Microsoft Docs' +description: Learn how to configure single sign-on between Azure Active Directory and Certent Equity Management. +services: active-directory +documentationCenter: na +author: jeevansd +manager: mtillman +ms.reviewer: barbkess + +ms.assetid: 08f1452b-3947-48f1-a1a1-58ebe6ebf1cd +ms.service: active-directory +ms.subservice: saas-app-tutorial +ms.workload: identity +ms.tgt_pltfrm: na +ms.devlang: na +ms.topic: tutorial +ms.date: 04/05/2019 +ms.author: jeedes + +ms.collection: M365-identity-device-management +--- +# Tutorial: Azure Active Directory integration with Certent Equity Management + +In this tutorial, you learn how to integrate Certent Equity Management with Azure Active Directory (Azure AD). +Integrating Certent Equity Management with Azure AD provides you with the following benefits: + +* You can control in Azure AD who has access to Certent Equity Management. +* You can enable your users to be automatically signed-in to Certent Equity Management (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. + +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. + +## Prerequisites + +To configure Azure AD integration with Certent Equity Management, you need the following items: + +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Certent Equity Management single sign-on enabled subscription + +## Scenario description + +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Certent Equity Management supports **IDP** initiated SSO + +## Adding Certent Equity Management from the gallery + +To configure the integration of Certent Equity Management into Azure AD, you need to add Certent Equity Management from the gallery to your list of managed SaaS apps. + +**To add Certent Equity Management from the gallery, perform the following steps:** + +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. + + ![The Azure Active Directory button](common/select-azuread.png) + +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. + + ![The Enterprise applications blade](common/enterprise-applications.png) + +3. To add new application, click **New application** button on the top of dialog. + + ![The New application button](common/add-new-app.png) + +4. In the search box, type **Certent Equity Management**, select **Certent Equity Management** from result panel then click **Add** button to add the application. + + ![Certent Equity Management in the results list](common/search-new-app.png) + +## Configure and test Azure AD single sign-on + +In this section, you configure and test Azure AD single sign-on with Certent Equity Management based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Certent Equity Management needs to be established. + +To configure and test Azure AD single sign-on with Certent Equity Management, you need to complete the following building blocks: + +1. 
**[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Certent Equity Management Single Sign-On](#configure-certent-equity-management-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Certent Equity Management test user](#create-certent-equity-management-test-user)** - to have a counterpart of Britta Simon in Certent Equity Management that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. + +### Configure Azure AD single sign-on + +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with Certent Equity Management, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **Certent Equity Management** application integration page, select **Single sign-on**. + + ![Configure single sign-on link](common/select-sso.png) + +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. + + ![Single sign-on select mode](common/select-saml-option.png) + +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. + + ![Edit Basic SAML Configuration](common/edit-urls.png) + +4. On the **Set up Single Sign-On with SAML** page, perform the following steps: + + ![Certent Equity Management Domain and URLs single sign-on information](common/idp-intiated.png) + + a. In the **Identifier** text box, type a URL using the following pattern: + `https://.certent.com/sys/sso/saml/acs.aspx` + + b. 
In the **Reply URL** text box, type a URL using the following pattern: + `https://.certent.com/sys/sso/saml/acs.aspx` + + > [!NOTE] + > These values are not real. Update these values with the actual Identifier and Reply URL. Contact Certent Integration Analyst assigned by Customer Success Manager to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + +5. Certent Equity Management application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog. + + ![image](common/edit-attribute.png) + +6. For classic SSO, Certent Equity Management application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table: + + | Name | Source Attribute| + | ---------------| --------------- | + | COMPANY | user.companyname | + | USER | user.userprincipalname | + | ROLE | user.assignedroles | + + > [!NOTE] + > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-enterprise-app-role-management) to know how to configure **Role** in Azure AD + + a. Click **Add new claim** to open the **Manage user claims** dialog. + + ![image](common/new-save-attribute.png) + + ![image](common/new-attribute-details.png) + + b. In the **Name** textbox, type the attribute name shown for that row. + + c. Leave the **Namespace** blank. + + d. Select Source as **Attribute**. + + e. From the **Source attribute** list, type the attribute value shown for that row. + + f. Click **Save**. + +7. 
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/metadataxml.png) + +8. On the **Set up Certent Equity Management** section, copy the appropriate URL(s) as per your requirement. + + ![Copy configuration URLs](common/copy-configuration-urls.png) + + a. Login URL + + b. Azure AD Identifier + + c. Logout URL + +### Configure Certent Equity Management Single Sign-On + +To configure single sign-on on **Certent Equity Management** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to Certent Integration Analyst assigned by Customer Success Manager. They set this setting to have the SAML SSO connection set properly on both sides. + +### Create an Azure AD test user + +The objective of this section is to create a test user in the Azure portal called Britta Simon. + +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. + + ![The "Users and groups" and "All users" links](common/users.png) + +2. Select **New user** at the top of the screen. + + ![New user Button](common/new-user.png) + +3. In the User properties, perform the following steps. + + ![The User dialog box](common/user-properties.png) + + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com + + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. + +### Assign the Azure AD test user + +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Certent Equity Management. + +1. 
In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Certent Equity Management**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **Certent Equity Management**. + + ![The Certent Equity Management link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) + +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. + +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create Certent Equity Management test user + +In this section, you create a user called Britta Simon in Certent Equity Management. Work with Certent Integration Analyst assigned by Customer Success Manager to add the users in the Certent Equity Management platform. Users must be created and activated before you use single sign-on. + +### Test single sign-on + +In this section, you test your Azure AD single sign-on configuration using the Access Panel. + +When you click the Certent Equity Management tile in the Access Panel, you should be automatically signed in to the Certent Equity Management for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
+ +## Additional Resources + +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) + +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) + +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) + diff --git a/articles/active-directory/saas-apps/chronicx-tutorial.md b/articles/active-directory/saas-apps/chronicx-tutorial.md index ec2c7f96ef56e..6055c3f232986 100644 --- a/articles/active-directory/saas-apps/chronicx-tutorial.md +++ b/articles/active-directory/saas-apps/chronicx-tutorial.md @@ -195,8 +195,8 @@ When you click the ChronicX® tile in the Access Panel, you should be automatica ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/cisco-spark-provisioning-tutorial.md b/articles/active-directory/saas-apps/cisco-spark-provisioning-tutorial.md index 127b3a8d62791..7e1055157a970 100644 
--- a/articles/active-directory/saas-apps/cisco-spark-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/cisco-spark-provisioning-tutorial.md @@ -9,21 +9,20 @@ manager: beatrizd ms.assetid: d4ca2365-6729-48f7-bb7f-c0f5ffe740a3 ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 06/12/2018 +ms.date: 03/27/2019 ms.author: v-wingf ms.collection: M365-identity-device-management --- # Tutorial: Configure Cisco Spark for automatic user provisioning - The objective of this tutorial is to demonstrate the steps to be performed in Cisco Spark and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users to Cisco Spark. - > [!NOTE] > This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md). 
@@ -31,40 +30,34 @@ The objective of this tutorial is to demonstrate the steps to be performed in Ci The scenario outlined in this tutorial assumes that you already have the following prerequisites: -* An Azure AD tenant -* A Cisco Spark tenant -* A user account in Cisco Spark with Admin permissions - +* An Azure AD tenant +* A Cisco Spark tenant +* A user account in Cisco Spark with Admin permissions > [!NOTE] > The Azure AD provisioning integration relies on the [Cisco Spark Webservice](https://developer.webex.com/getting-started.html), which is available to Cisco Spark teams. ## Adding Cisco Spark from the gallery + Before configuring Cisco Spark for automatic user provisioning with Azure AD, you need to add Cisco Spark from the Azure AD application gallery to your list of managed SaaS applications. **To add Cisco Spark from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications** > **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications Section][2] + ![The Enterprise applications blade](common/enterprise-applications.png) -3. To add Cisco Spark, click the **New application** button on the top of the dialog. +3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) -4. In the search box, type **Cisco Spark**. +4. In the search box, type **Cisco Spark**, select **Cisco Spark** from result panel then click **Add** button to add the application. 
- ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/AppSearch.png) - -5. In the results panel, select **Cisco Spark**, and then click the **Add** button to add Cisco Spark to your list of SaaS applications. - - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/AppSearchResults.png) - - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/AppCreation.png) + ![Cisco Spark in the results list](common/search-new-app.png) ## Assigning users to Cisco Spark 
@@ -72,52 +65,60 @@ Azure Active Directory uses a concept called "assignments" to determine which us Before configuring and enabling automatic user provisioning, you should decide which users in Azure AD need access to Cisco Spark. Once decided, you can assign these users to Cisco Spark by following the instructions here: -* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) +* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) ### Important tips for assigning users to Cisco Spark -* It is recommended that a single Azure AD user is assigned to Cisco Spark to test the automatic user provisioning configuration. Additional users may be assigned later. +* It is recommended that a single Azure AD user is assigned to Cisco Spark to test the automatic user provisioning configuration. Additional users may be assigned later. -* When assigning a user to Cisco Spark, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When assigning a user to Cisco Spark, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. ## Configuring automatic user provisioning to Cisco Spark This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in Cisco Spark based on user assignments in Azure AD. - ### To configure automatic user provisioning for Cisco Spark in Azure AD: +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **Cisco Spark**. -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. 
+ ![Enterprise applications blade](common/enterprise-applications.png) -2. Select Cisco Spark from your list of SaaS applications. +2. In the applications list, select **Cisco Spark**. - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/Successcenter2.png) + ![The Cisco Spark link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/ProvisioningTab.png) + ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/ProvisioningTab.png) 4. Set the **Provisioning Mode** to **Automatic**. - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/ProvisioningCredentials.png) + ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/ProvisioningCredentials.png) 5. Under the **Admin Credentials** section, input the **Tenant URL**, and **Secret Token** of your Cisco Spark's account. - * In the **Tenant URL** field, populate the Cisco Spark SCIM API URL for your tenant, which takes the form of `https://api.ciscospark.com/v1/scim/[Tenant ID]/`, where `[Tenant ID]` is an alphanumeric string as described in step 6. + ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/secrettoken1.png) - * In the **Secret Token** field, populate the Secret Token as described in step 6. + * In the **Tenant URL** field, populate the Cisco Spark SCIM API URL for your tenant, which takes the form of `https://api.ciscospark.com/v1/scim/[Tenant ID]/`, where `[Tenant ID]` is an alphanumeric string as described in step 6. + + * In the **Secret Token** field, populate the Secret Token as described in step 6. + +6. The **Tenant ID** and **Secret Token** for your Cisco Spark account can be found by logging into the [Cisco Spark developer site](https://developer.webex.com/) with your Admin account. Once logged in - -1. 
The **Tenant ID** and **Secret Token** for your Cisco Spark account can be found by logging into the [Cisco Spark developer site](https://developer.webex.com/) with your Admin account. Once logged in - * Go to the [Getting Started page](https://developer.webex.com/getting-started.html) + * Scroll down to the [Authentication Section](https://developer.webex.com/getting-started.html#authentication) - ![Cisco Spark Authentication Token](./media/cisco-spark-provisioning-tutorial/SecretToken.png) + + ![Cisco Spark Authentication Token](./media/cisco-spark-provisioning-tutorial/SecretToken.png) + * The alphanumeric string in the box is your **Secret Token**. Copy this token to the clipboard + * Go to the [Get My Own Details page](https://developer.webex.com/endpoint-people-me-get.html) * Make sure that Test Mode is ON * Type the word "Bearer" followed by a space, and then paste the Secret Token into the Authorization field ![Cisco Spark Authentication Token](./media/cisco-spark-provisioning-tutorial/GetMyDetails.png) * Click Run + * In the response text to the right, the **Tenant ID** appears as "orgId": ```json 
@@ -133,38 +134,37 @@ This section guides you through the steps to configure the Azure AD provisioning } ``` -1. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Cisco Spark. If the connection fails, ensure your Cisco Spark account has Admin permissions and try again. +7. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Cisco Spark. If the connection fails, ensure your Cisco Spark account has Admin permissions and try again. - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/TestConnection.png) + ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/TestConnection.png) 8. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**. - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/EmailNotification.png) + ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/EmailNotification.png) 9. Click **Save**. 10. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Cisco Spark**. - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/UserMapping.png) + ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/UserMapping.png) 11. Review the user attributes that are synchronized from Azure AD to Cisco Spark in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Cisco Spark for update operations. Select the **Save** button to commit any changes. - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/UserMappingAttributes.png) + ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/UserMappingAttributes.png) 12. 
To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md). 13. To enable the Azure AD provisioning service for Cisco Spark, change the **Provisioning Status** to **On** in the **Settings** section. - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/ProvisioningStatus.png) + ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/ProvisioningStatus.png) 14. Define the users and/or groups that you would like to provision to Cisco Spark by choosing the desired values in **Scope** in the **Settings** section. - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/SyncScope.png) + ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/SyncScope.png) 15. When you are ready to provision, click **Save**. - ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/Save.png) - + ![Cisco Spark Provisioning](./media/cisco-spark-provisioning-tutorial/Save.png) This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Cisco Spark. 
@@ -179,7 +179,6 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti * [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) * [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - ## Next steps * [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md) diff --git a/articles/active-directory/saas-apps/cisco-spark-tutorial.md b/articles/active-directory/saas-apps/cisco-spark-tutorial.md index 3319fc59693e8..aea1ed367247e 100644 --- a/articles/active-directory/saas-apps/cisco-spark-tutorial.md +++ b/articles/active-directory/saas-apps/cisco-spark-tutorial.md @@ -112,7 +112,7 @@ To configure Azure AD single sign-on with Cisco Webex, perform the following ste > [!NOTE] > This Identifier value is not real. Update this value with the actual Identifier. If you have Service Provider Metadata, upload it in the **Basic SAML Configuration** section then the **Identifier (Entity ID)** value gets auto populated automatically. -5. Cisco Webex application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click on **Edit** icon to add the attributes. +5. Cisco Webex application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click on **Edit** icon to add the attributes. ![image](common/edit-attribute.png) 
@@ -257,9 +257,9 @@ When you click the Cisco Webex tile in the Access Panel, you should be automatic
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/ciscocloud-tutorial.md b/articles/active-directory/saas-apps/ciscocloud-tutorial.md
index 628e4b39bb38a..e4ccf6f3c696f 100644
--- a/articles/active-directory/saas-apps/ciscocloud-tutorial.md
+++ b/articles/active-directory/saas-apps/ciscocloud-tutorial.md
@@ -218,8 +218,8 @@ When you click the Cisco Cloud tile in the Access Panel, you should be automatic
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/citrix-netscaler-tutorial.md b/articles/active-directory/saas-apps/citrix-netscaler-tutorial.md
index 0d04640ad3fb6..2742a3cc7a0c8 100644
--- a/articles/active-directory/saas-apps/citrix-netscaler-tutorial.md
+++ b/articles/active-directory/saas-apps/citrix-netscaler-tutorial.md
@@ -382,9 +382,9 @@ When you click the Citrix Netscaler tile in the Access Panel, you should be auto
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/clickup-productivity-platform-tutorial.md b/articles/active-directory/saas-apps/clickup-productivity-platform-tutorial.md
index 778163f8372c4..96f3fe25b82ed 100644
--- a/articles/active-directory/saas-apps/clickup-productivity-platform-tutorial.md
+++ b/articles/active-directory/saas-apps/clickup-productivity-platform-tutorial.md
@@ -211,9 +211,9 @@ When you click the ClickUp Productivity Platform tile in the Access Panel, you s
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/confirmit-horizons-tutorial.md b/articles/active-directory/saas-apps/confirmit-horizons-tutorial.md
index 8ffcc3c80fbbe..7a2ece7ed6134 100644
--- a/articles/active-directory/saas-apps/confirmit-horizons-tutorial.md
+++ b/articles/active-directory/saas-apps/confirmit-horizons-tutorial.md
@@ -214,9 +214,9 @@ When you click the Confirmit Horizons tile in the Access Panel, you should be au
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/confluencemicrosoft-tutorial.md b/articles/active-directory/saas-apps/confluencemicrosoft-tutorial.md
index 469845ddb1c99..cfc41fea060be 100644
--- a/articles/active-directory/saas-apps/confluencemicrosoft-tutorial.md
+++ b/articles/active-directory/saas-apps/confluencemicrosoft-tutorial.md
@@ -9,11 +9,12 @@ ms.reviewer: barbkess
 ms.assetid: 1ad1cf90-52bc-4b71-ab2b-9a5a1280fb2d
 ms.service: active-directory
+ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: tutorial
-ms.date: 12/31/2018
+ms.date: 04/10/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -32,7 +33,7 @@ If you don't have an Azure subscription, [create a free account](https://azure.m ## Description: -Use your Microsoft Azure Active Directory account with Atlassian Confluence server to enable single sign-on. This way all your organization users can use the Azure AD credentials to login into the Confluence application. This plugin uses SAML 2.0 for federation. +Use your Microsoft Azure Active Directory account with Atlassian Confluence server to enable single sign-on. This way all your organization users can use the Azure AD credentials to signin into the Confluence application. This plugin uses SAML 2.0 for federation. ## Prerequisites @@ -74,6 +75,9 @@ As of now, following versions of Confluence are supported: - Confluence: 6.11.0 - Confluence: 6.12.0 +> [!NOTE] +> Please note that Confluence also supports Linux Ubuntu version 16.04 + ## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment. @@ -100,7 +104,7 @@ To configure the integration of Confluence SAML SSO by Microsoft into Azure AD, 4. In the search box, type **Confluence SAML SSO by Microsoft**, select **Confluence SAML SSO by Microsoft** from result panel then click **Add** button to add the application. - ![Confluence SAML SSO by Microsoft in the results list](common/search-new-app.png) + ![Confluence SAML SSO by Microsoft in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on @@ -156,7 +160,7 @@ To configure Azure AD single sign-on with Confluence SAML SSO by Microsoft, perf ### Configure Confluence SAML SSO by Microsoft Single Sign-On -1. In a different web browser window, log in to your Confluence instance as an administrator. +1. In a different web browser window, sign in to your Confluence instance as an administrator. 2. Hover on cog and click the **Add-ons**. 
@@ -183,18 +187,18 @@ To configure Azure AD single sign-on with Confluence SAML SSO by Microsoft, perf c. In **Login Button Name** type the name of button your organization wants the users to see on login screen. - d. In **SAML User ID Locations**, select either **User ID is in the NameIdentifier element of the Subject statement** or **User ID is in an Attribute element**. This ID has to be the Confluence user id. If the user id is not matched, then system will not allow users to log in. + d. In **SAML User ID Locations**, select either **User ID is in the NameIdentifier element of the Subject statement** or **User ID is in an Attribute element**. This ID has to be the Confluence user ID. If the user ID is not matched, then system will not allow users to sign in. > [!Note] > Default SAML User ID location is Name Identifier. You can change this to an attribute option and enter the appropriate attribute name. - e. If you select **User ID is in an Attribute element** option, then in **Attribute name** textbox type the name of the attribute where User Id is expected. + e. If you select **User ID is in an Attribute element** option, then in **Attribute name** textbox type the name of the attribute where User ID is expected. f. If you are using the federated domain (like ADFS etc.) with Azure AD, then click on the **Enable Home Realm Discovery** option and configure the **Domain Name**. g. In **Domain Name** type the domain name here in case of the ADFS-based login. - h. Check **Enable Single Sign out** if you wish to log out from Azure AD when a user logs out from Confluence. + h. Check **Enable Single Sign out** if you wish to sign out from Azure AD when a user signs out from Confluence. i. Click **Save** button to save the settings. 
@@ -219,8 +223,7 @@ The objective of this section is to create a test user in the Azure portal calle a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com + b. In the **User name** field type `brittasimon\@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com. c. Select **Show password** check box, and then write down the value that's displayed in the Password box. @@ -254,11 +257,11 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ### Create Confluence SAML SSO by Microsoft test user -To enable Azure AD users to log in to Confluence on-premises server, they must be provisioned into Confluence SAML SSO by Microsoft. For Confluence SAML SSO by Microsoft, provisioning is a manual task. +To enable Azure AD users to sign in to Confluence on-premises server, they must be provisioned into Confluence SAML SSO by Microsoft. For Confluence SAML SSO by Microsoft, provisioning is a manual task. **To provision a user account, perform the following steps:** -1. Log in to your Confluence on-premises server as an administrator. +1. Sign in to your Confluence on-premises server as an administrator. 2. Hover on cog and click the **User management**. diff --git a/articles/active-directory/saas-apps/coralogix-tutorial.md b/articles/active-directory/saas-apps/coralogix-tutorial.md index b5949cedfcdc9..b783a8f0594f1 100644 --- a/articles/active-directory/saas-apps/coralogix-tutorial.md +++ b/articles/active-directory/saas-apps/coralogix-tutorial.md 
@@ -24,131 +24,131 @@ In this tutorial, you learn how to integrate Coralogix with Azure Active Directo Integrating Coralogix with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to Coralogix. -* You can enable your users to be automatically signed-in to Coralogix (Single Sign-On) with their Azure AD accounts. -* You can manage your accounts in one central location - the Azure portal. +* You can enable your users to be automatically signed in to Coralogix (single sign-on) with their Azure AD accounts. +* You can manage your accounts in one central location: the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +For more information about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Coralogix, you need the following items: -* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/) -* Coralogix single sign-on enabled subscription +- An Azure AD subscription. If you don't have an Azure AD environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). +- A Coralogix single-sign-on enabled subscription. ## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment. -* Coralogix supports **SP** initiated SSO +* Coralogix supports SP-initiated SSO. 
-## Adding Coralogix from the gallery +## Add Coralogix from the gallery -To configure the integration of Coralogix into Azure AD, you need to add Coralogix from the gallery to your list of managed SaaS apps. +To configure the integration of Coralogix into Azure AD, first add Coralogix from the gallery to your list of managed SaaS apps. -**To add Coralogix from the gallery, perform the following steps:** +To add Coralogix from the gallery, take the following steps: -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the [Azure portal](https://portal.azure.com), in the left pane, select the **Azure Active Directory** icon. ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise Applications** and then select the **All Applications** option. +2. Go to **Enterprise Applications**, and then select **All Applications**. ![The Enterprise applications blade](common/enterprise-applications.png) -3. To add new application, click **New application** button on the top of dialog. +3. To add a new application, select the **New application** button at the top of the dialog box. ![The New application button](common/add-new-app.png) -4. In the search box, type **Coralogix**, select **Coralogix** from result panel then click **Add** button to add the application. +4. In the search box, enter **Coralogix**. Select **Coralogix** from the results pane, and then select the **Add** button to add the application. ![Coralogix in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Coralogix based on a test user called **Britta Simon**. -For single sign-on to work, a link relationship between an Azure AD user and the related user in Coralogix needs to be established. 
+In this section, you configure and test Azure AD single sign-on with Coralogix based on a test user called Britta Simon. +For single sign-on to work, you need to establish a link between an Azure AD user and the related user in Coralogix. -To configure and test Azure AD single sign-on with Coralogix, you need to complete the following building blocks: +To configure and test Azure AD single sign-on with Coralogix, first complete the following building blocks: -1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Configure Coralogix Single Sign-On](#configure-coralogix-single-sign-on)** - to configure the Single Sign-On settings on application side. -3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Create Coralogix test user](#create-coralogix-test-user)** - to have a counterpart of Britta Simon in Coralogix that is linked to the Azure AD representation of user. -6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +1. [Configure Azure AD single sign-on](#configure-azure-ad-single-sign-on) to enable your users to use this feature. +2. [Configure Coralogix single sign-on](#configure-coralogix-single-sign-on) to configure the single sign-on settings on the application side. +3. [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on with Britta Simon. +4. [Assign the Azure AD test user](#assign-the-azure-ad-test-user) to enable Britta Simon to use Azure AD single sign-on. +5. [Create a Coralogix test user](#create-a-coralogix-test-user) to have a counterpart of Britta Simon in Coralogix that is linked to the Azure AD representation of user. +6. 
[Test single sign-on](#test-single-sign-on) to verify that the configuration works. ### Configure Azure AD single sign-on In this section, you enable Azure AD single sign-on in the Azure portal. -To configure Azure AD single sign-on with Coralogix, perform the following steps: +To configure Azure AD single sign-on with Coralogix, take the following steps: 1. In the [Azure portal](https://portal.azure.com/), on the **Coralogix** application integration page, select **Single sign-on**. ![Configure single sign-on link](common/select-sso.png) -2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. +2. In the **Select a Single sign-on method** dialog box, select **SAML** to enable single sign-on. ![Single sign-on select mode](common/select-saml-option.png) -3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. +3. On the **Set up Single Sign-On with SAML** page, select the **Edit** icon to open the **Basic SAML Configuration** dialog box. ![Edit Basic SAML Configuration](common/edit-urls.png) -4. On the **Basic SAML Configuration** section, perform the following steps: +4. In the **Basic SAML Configuration** dialog box, take the following steps: ![Coralogix Domain and URLs single sign-on information](common/sp-identifier.png) - a. In the **Sign on URL** text box, type a URL using the following pattern: + a. In the **Sign on URL** box, enter a URL with the following pattern: `https://.coralogix.com` - b. In the **Identifier (Entity ID)** text box, type a URL: + b. In the **Identifier (Entity ID)** text box, enter a URL, such as: + + `https://api.coralogix.com/saml/metadata.xml` - | | - |--| - | `https://api.coralogix.com/saml/metadata.xml` | - | `https://aws-client-prod.coralogix.com/saml/metadata.xml` | + or + + `https://aws-client-prod.coralogix.com/saml/metadata.xml` > [!NOTE] - > The Sign on URL value is not real. 
Update the value with the actual Sign on URL. Contact [Coralogix Client support team](mailto:info@coralogix.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + > The sign-on URL value isn't real. Update the value with the actual sign-on URL. Contact the [Coralogix Client support team](mailto:info@coralogix.com) to get the value. You can also refer to the patterns in the **Basic SAML Configuration** section in the Azure portal. -5. Coralogix application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog. +5. The Coralogix application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on the application integration page. On the **Set up Single Sign-On with SAML** page, select the **Edit** button to open the **User Attributes** dialog box. ![image](common/edit-attribute.png) -6. In the **User Claims** section on the **User Attributes** dialog, edit the claims by using **Edit icon** or add the claims by using **Add new claim** to configure SAML token attribute as shown in the image above and perform the following steps: +6. In the **User Claims** section in the **User Attributes** dialog box, edit the claims by using the **Edit** icon. You can also add the claims by using **Add new claim** to configure the SAML token attribute as shown in the previous image. Then take the following steps: - a. Click **Edit icon** to open the **Manage user claims** dialog. + a. Select the **Edit icon** to open the **Manage user claims** dialog box. 
![image](./media/coralogix-tutorial/tutorial_usermail.png) - ![image](./media/coralogix-tutorial/tutorial_usermailedit.png) b. From the **Choose name identifier format** list, select **Email address**. c. From the **Source attribute** list, select **user.mail**. - d. Click **Save**. + d. Select **Save**. -7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. +7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, select **Download** to download the **Federation Metadata XML** from the given options according to your requirements. Then save it on your computer. ![The Certificate download link](common/metadataxml.png) -8. On the **Set up Coralogix** section, copy the appropriate URL(s) as per your requirement. +8. In the **Set up Coralogix** section, copy the appropriate URL(s). ![Copy configuration URLs](common/copy-configuration-urls.png) a. Login URL - b. Azure Ad Identifier + b. Azure AD Identifier c. Logout URL -### Configure Coralogix Single Sign-On +### Configure Coralogix single sign-on -To configure single sign-on on **Coralogix** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Coralogix support team](mailto:info@coralogix.com). They set this setting to have the SAML SSO connection set properly on both sides. +To configure single sign-on on the **Coralogix** side, send the downloaded **Federation Metadata XML** and copied URLs from the Azure portal to the [Coralogix support team](mailto:info@coralogix.com). They ensure that the SAML SSO connection is set properly on both sides. ### Create an Azure AD test user 
@@ -158,28 +158,27 @@ The objective of this section is to create a test user in the Azure portal calle ![The "Users and groups" and "All users" links](common/users.png) -2. Select **New user** at the top of the screen. +2. At the top of the screen, select **New user**. ![New user Button](common/new-user.png) -3. In the User properties, perform the following steps. +3. In the **User** dialog box, take the following steps. ![The User dialog box](common/user-properties.png) - a. In the **Name** field enter **BrittaSimon**. + a. In the **Name** field, enter **BrittaSimon**. - b. In the **User name** field type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com + b. In the **User name** field, enter "brittasimon@yourcompanydomain.extension." For example, in this case, you might enter "brittasimon@contoso.com." - c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + c. Select the **Show password** check box, and then note the value that's displayed in the **Password** box. - d. Click **Create**. + d. Select **Create**. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Coralogix. -1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Coralogix**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, and then select **Coralogix**. ![Enterprise applications blade](common/enterprise-applications.png) 
@@ -191,29 +190,29 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![The "Users and groups" link](common/users-groups-blade.png) -4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. +4. Select the **Add user** button. Then select **Users and groups** in the **Add Assignment** dialog box. ![The Add Assignment pane](common/add-assign-user.png) -5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. +5. In the **Users and groups** dialog box, select **Britta Simon** in the users list. Then click the **Select** button at the bottom of the screen. -6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. +6. If you're expecting a role value in the SAML assertion, in the **Select Role** dialog box, select the appropriate role for the user from the list. Then click the **Select** button at the bottom of the screen. -7. In the **Add Assignment** dialog click the **Assign** button. +7. In the **Add Assignment** dialog box, select the **Assign** button. -### Create Coralogix test user +### Create a Coralogix test user -In this section, you create a user called Britta Simon in Coralogix. Work with [Coralogix support team](mailto:info@coralogix.com) to add the users in the Coralogix platform. Users must be created and activated before you use single sign-on. +In this section, you create a user called Britta Simon in Coralogix. Work with the [Coralogix support team](mailto:info@coralogix.com) to add the users in the Coralogix platform. You must create and activate users before you use single sign-on. ### Test single sign-on -In this section, you test your Azure AD single sign-on configuration using the Access Panel. 
+In this section, you test your Azure AD single sign-on configuration by using the MyApps portal. -When you click the Coralogix tile in the Access Panel, you should be automatically signed in to the Coralogix for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). +When you select the Coralogix tile in the MyApps portal, you should be automatically signed in to Coralogix. For more information about the MyApps portal, see [What is the MyApps portal?](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -## Additional Resources +## Additional resources -- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [ List of tutorials on how to integrate SaaS apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) - [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) diff --git a/articles/active-directory/saas-apps/cornerstone-ondemand-provisioning-tutorial.md b/articles/active-directory/saas-apps/cornerstone-ondemand-provisioning-tutorial.md index 25f9784342f69..a2d405a116d44 100644 --- a/articles/active-directory/saas-apps/cornerstone-ondemand-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/cornerstone-ondemand-provisioning-tutorial.md 
@@ -14,17 +14,15 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/31/2018 +ms.date: 03/27/2019 ms.author: v-ant ms.collection: M365-identity-device-management --- # Tutorial: Configure Cornerstone OnDemand for automatic user provisioning - The objective of this tutorial is to demonstrate the steps to be performed in Cornerstone OnDemand and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Cornerstone OnDemand. - > [!NOTE] > This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md). 
@@ -32,68 +30,62 @@ The objective of this tutorial is to demonstrate the steps to be performed in Co The scenario outlined in this tutorial assumes that you already have the following prerequisites: -* An Azure AD tenant -* A Cornerstone OnDemand tenant -* A user account in Cornerstone OnDemand with Admin permissions - +* An Azure AD tenant +* A Cornerstone OnDemand tenant +* A user account in Cornerstone OnDemand with Admin permissions > [!NOTE] > The Azure AD provisioning integration relies on the [Cornerstone OnDemand Webservice](https://help.csod.com/help/csod_0/Content/Resources/Documents/WebServices/CSOD_-_Summary_of_Web_Services_v20151106.pdf), which is available to Cornerstone OnDemand teams. ## Adding Cornerstone OnDemand from the gallery + Before configuring Cornerstone OnDemand for automatic user provisioning with Azure AD, you need to add Cornerstone OnDemand from the Azure AD application gallery to your list of managed SaaS applications. **To add Cornerstone OnDemand from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications** > **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications Section][2] - -3. To add Cornerstone OnDemand, click the **New application** button on the top of the dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. To add new application, click **New application** button on the top of dialog. -4. In the search box, type **Cornerstone OnDemand**. 
+ ![The New application button](common/add-new-app.png) - ![Cornerstone OnDemand Provisioning](./media/cornerstone-ondemand-provisioning-tutorial/AppSearch.png) +4. In the search box, type **Cornerstone OnDemand**, select **Cornerstone OnDemand** from result panel then click **Add** button to add the application. -5. In the results panel, select **Cornerstone OnDemand**, and then click the **Add** button to add Cornerstone OnDemand to your list of SaaS applications. - - ![Cornerstone OnDemand Provisioning](./media/cornerstone-ondemand-provisioning-tutorial/AppSearchResults.png) - - ![Cornerstone OnDemand Provisioning](./media/cornerstone-ondemand-provisioning-tutorial/AppCreation.png) + ![Cornerstone OnDemand in the results list](common/search-new-app.png) ## Assigning users to Cornerstone OnDemand -Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been "assigned" to an application in Azure AD are synchronized. +Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been "assigned" to an application in Azure AD are synchronized. Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Cornerstone OnDemand. 
Once decided, you can assign these users and/or groups to Cornerstone OnDemand by following the instructions here: -* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) +* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) ### Important tips for assigning users to Cornerstone OnDemand -* It is recommended that a single Azure AD user is assigned to Cornerstone OnDemand to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* It is recommended that a single Azure AD user is assigned to Cornerstone OnDemand to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. -* When assigning a user to Cornerstone OnDemand, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When assigning a user to Cornerstone OnDemand, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. ## Configuring automatic user provisioning to Cornerstone OnDemand This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Cornerstone OnDemand based on user and/or group assignments in Azure AD. - ### To configure automatic user provisioning for Cornerstone OnDemand in Azure AD: +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **Cornerstone OnDemand**. -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. + ![Enterprise applications blade](common/enterprise-applications.png) -2. 
Select Cornerstone OnDemand from your list of SaaS applications. - - ![Cornerstone OnDemand Provisioning](./media/cornerstone-ondemand-provisioning-tutorial/Successcenter2.png) +2. In the applications list, select **Cornerstone OnDemand**. + + ![The Cornerstone OnDemand link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. 
@@ -105,11 +97,11 @@ This section guides you through the steps to configure the Azure AD provisioning 5. Under the **Admin Credentials** section, input the **Admin Username**, **Admin Password**, and **Domain** of your Cornerstone OnDemand's account. - * In the **Admin Username** field, populate the domain\username of the admin account on your Cornerstone OnDemand tenant. Example: contoso\admin. + * In the **Admin Username** field, populate the domain\username of the admin account on your Cornerstone OnDemand tenant. Example: contoso\admin. - * In the **Admin Password** field, populate the password corresponding to the admin username. + * In the **Admin Password** field, populate the password corresponding to the admin username. - * In the **Domain** field, populate the webservice URL of the Cornerstone OnDemand tenant. Example: The service is located at `https://ws-[corpname].csod.com/feed30/clientdataservice.asmx`, for Contoso the domain is `https://ws-contoso.csod.com/feed30/clientdataservice.asmx`. For more information on how to retrieve the webservice URL, see [here](https://help.csod.com/help/csod_0/Content/Resources/Documents/WebServices/CSOD_Web_Services_-_User-OU_Technical_Specification_v20160222.pdf). + * In the **Domain** field, populate the webservice URL of the Cornerstone OnDemand tenant. Example: The service is located at `https://ws-[corpname].csod.com/feed30/clientdataservice.asmx`, for Contoso the domain is `https://ws-contoso.csod.com/feed30/clientdataservice.asmx`. For more information on how to retrieve the webservice URL, see [here](https://help.csod.com/help/csod_0/Content/Resources/Documents/WebServices/CSOD_Web_Services_-_User-OU_Technical_Specification_v20160222.pdf). 6. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Cornerstone OnDemand. If the connection fails, ensure your Cornerstone OnDemand account has Admin permissions and try again. 
@@ -143,24 +135,23 @@ This section guides you through the steps to configure the Azure AD provisioning ![Cornerstone OnDemand Provisioning](./media/cornerstone-ondemand-provisioning-tutorial/Save.png) - This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Cornerstone OnDemand. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). + ## Connector Limitations * The Cornerstone OnDemand **Position** attribute expects a value that corresponds to the roles on the Cornerstone OnDemand portal. The list of valid **Position** values can be obtained by navigating to **Edit User Record > Organization Structure > Position** in the Cornerstone OnDemand portal. + ![Cornerstone OnDemand Provisioning Edit User](./media/cornerstone-ondemand-provisioning-tutorial/UserEdit.png) ![Cornerstone OnDemand Provisioning Position](./media/cornerstone-ondemand-provisioning-tutorial/UserPosition.png) ![Cornerstone OnDemand Provisioning Positions List](./media/cornerstone-ondemand-provisioning-tutorial/PostionId.png) - + ## Additional resources * [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) * [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - - ## Next steps * [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md) 
diff --git a/articles/active-directory/saas-apps/direct-tutorial.md b/articles/active-directory/saas-apps/direct-tutorial.md index 9f7cf3e3e0732..7c48ed733299e 100644 --- a/articles/active-directory/saas-apps/direct-tutorial.md +++ b/articles/active-directory/saas-apps/direct-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 7c2cd1f0-d14c-42f0-94a8-9b800008b285 ms.service: active-directory 
@@ -12,46 +13,35 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 09/06/2018 +ms.topic: tutorial +ms.date: 04/01/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with direct In this tutorial, you learn how to integrate direct with Azure Active Directory (Azure AD). - Integrating direct with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to direct -- You can enable your users to automatically get signed-on to direct (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to direct. +* You can enable your users to be automatically signed-in to direct (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with direct, you need the following items: -- An Azure AD subscription -- A direct single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* direct single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -1. Adding direct from the gallery -2. Configuring and testing Azure AD single sign-on +* direct supports **SP** and **IDP** initiated SSO ## Adding direct from the gallery 
@@ -59,141 +49,141 @@ To configure the integration of direct into Azure AD, you need to add direct fro **To add direct from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] + ![The Enterprise applications blade](common/enterprise-applications.png) 3. To add new application, click **New application** button on the top of dialog. - ![Applications][3] + ![The New application button](common/add-new-app.png) -4. In the search box, type **direct**. Select **direct** from the results panel, and then select the **Add** button to add the application. +4. In the search box, type **direct**, select **direct** from result panel then click **Add** button to add the application. - ![Creating an Azure AD test user](./media/direct-tutorial/tutorial_direct_addfromgallery.png) + ![direct in the results list](common/search-new-app.png) -## Configuring and testing Azure AD single sign-on +## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with direct based on a test user called "Britta Simon." - -For single sign-on to work, Azure AD needs to know what the counterpart user in direct is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in direct needs to be established. - -In direct, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. 
+In this section, you configure and test Azure AD single sign-on with direct based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in direct needs to be established. To configure and test Azure AD single sign-on with direct, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Creating a direct test user](#creating-a-direct-test-user)** - to have a counterpart of Britta Simon in direct that is linked to the Azure AD representation of user. -4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure direct Single Sign-On](#configure-direct-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create direct test user](#create-direct-test-user)** - to have a counterpart of Britta Simon in direct that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. 
-### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your direct application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with direct, perform the following steps:** +To configure Azure AD single sign-on with direct, perform the following steps: -1. In the Azure portal, on the **direct** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **direct** application integration page, select **Single sign-on**. - ![Configure Single Sign-On][4] + ![Configure single sign-on link](common/select-sso.png) -2. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/direct-tutorial/tutorial_direct_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -3. On the **direct Domain and URLs** section, If you wish to configure the application in **IDP** initiated mode: + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On](./media/direct-tutorial/tutorial_direct_url.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - In the **Identifier** textbox, type the URL: `https://direct4b.com/` + ![Edit Basic SAML Configuration](common/edit-urls.png) -4. Check **Show advanced URL settings**, If you wish to configure the application in **SP** initiated mode: +4. 
On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step: - ![Configure Single Sign-On](./media/direct-tutorial/tutorial_direct_url1.png) + ![direct Domain and URLs single sign-on information](common/idp-identifier.png) - In the **Sign-on URL** textbox, type the URL: `https://direct4b.com/sso`  + In the **Identifier** text box, type a URL: + `https://direct4b.com/` -5. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: - ![Configure Single Sign-On](./media/direct-tutorial/tutorial_direct_certificate.png) + ![image](common/both-preintegrated-signon.png) -6. Click **Save** button. + In the **Sign-on URL** text box, type a URL: + `https://direct4b.com/sso` - ![Configure Single Sign-On](./media/direct-tutorial/tutorial_general_400.png) +6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -7. To configure single sign-on on **direct** side, you need to send the downloaded **Metadata XML** to [direct support team](https://direct4b.com/ja/support.html#inquiry). + ![The Certificate download link](common/metadataxml.png) -### Creating an Azure AD test user +7. On the **Set up direct** section, copy the appropriate URL(s) as per your requirement. -The objective of this section is to create a test user in the Azure portal called Britta Simon. + ![Copy configuration URLs](common/copy-configuration-urls.png) -![Create Azure AD User][100] + a. Login URL -**To create a test user in Azure AD, perform the following steps:** + b. Azure AD Identifier -1. 
In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. + c. Logout URL - ![Creating an Azure AD test user](./media/direct-tutorial/create_aaduser_01.png) +### Configure direct Single Sign-On -2. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/direct-tutorial/create_aaduser_02.png) +To configure single sign-on on **direct** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [direct support team](https://direct4b.com/ja/support.html#inquiry). They set this setting to have the SAML SSO connection set properly on both sides. -3. To open the **User** dialog, click **Add** on the top of the dialog. +### Create an Azure AD test user - ![Creating an Azure AD test user](./media/direct-tutorial/create_aaduser_03.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -4. On the **User** dialog page, perform the following steps: +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Creating an Azure AD test user](./media/direct-tutorial/create_aaduser_04.png) + ![The "Users and groups" and "All users" links](common/users.png) - a. In the **Name** textbox, type **BrittaSimon**. +2. Select **New user** at the top of the screen. - b. In the **User name** textbox, type the **email address** of BrittaSimon. + ![New user Button](common/new-user.png) - c. Select **Show Password** and write down the value of the **Password**. +3. In the User properties, perform the following steps. - d. Click **Create**. + ![The User dialog box](common/user-properties.png) -### Creating a direct test user + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. 
For example, BrittaSimon@contoso.com -In this section, you create a user called Britta Simon in direct. Work with [direct support team](https://direct4b.com/ja/support.html#inquiry) to add the users in the direct platform. Users must be created and activated before you use single sign-on. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to direct. -![Assign User][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **direct**. -**To assign Britta Simon to direct, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **direct**. - ![Assign User][201] + ![The direct link in the Applications list](common/all-applications.png) -2. In the applications list, select **direct**. +3. In the menu on the left, select **Users and groups**. - ![Configure Single Sign-On](./media/direct-tutorial/tutorial_direct_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -3. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][202] + ![The Add Assignment pane](common/add-assign-user.png) -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![Assign User][203] +6. 
If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -5. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -6. Click **Select** button on **Users and groups** dialog. +### Create direct test user -7. Click **Assign** button on **Add Assignment** dialog. +In this section, you create a user called Britta Simon in direct. Work with [direct support team](https://direct4b.com/ja/support.html#inquiry) to add the users in the direct platform. Users must be created and activated before you use single sign-on. -### Testing single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. 
@@ -205,25 +195,15 @@ In this section, you test your Azure AD single sign-on configuration using the A a. Click on the **direct** tile in the Access Panel and you will be redirected to the application sign-on page. - b. Input your `subdomain` in the textbox displayed and press '次へ (Next)' and you should get automatically signed-on to your **direct** application . - -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). + b. Input your `subdomain` in the textbox displayed and press '次へ (Next)' and you should get automatically signed-on to your **direct** application . -## Additional resources +When you click the direct tile in the Access Panel, you should be automatically signed in to the direct for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: ./media/direct-tutorial/tutorial_general_01.png -[2]: ./media/direct-tutorial/tutorial_general_02.png -[3]: ./media/direct-tutorial/tutorial_general_03.png -[4]: ./media/direct-tutorial/tutorial_general_04.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[100]: ./media/direct-tutorial/tutorial_general_100.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[200]: ./media/direct-tutorial/tutorial_general_200.png -[201]: ./media/direct-tutorial/tutorial_general_201.png -[202]: ./media/direct-tutorial/tutorial_general_202.png -[203]: ./media/direct-tutorial/tutorial_general_203.png diff --git a/articles/active-directory/saas-apps/docusign-tutorial.md b/articles/active-directory/saas-apps/docusign-tutorial.md index a9a273f0a6946..9a38fb7514ece 100644 --- a/articles/active-directory/saas-apps/docusign-tutorial.md +++ b/articles/active-directory/saas-apps/docusign-tutorial.md @@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: a691288b-84c1-40fb-84bd-5b06878865f0 ms.service: active-directory 
@@ -13,46 +13,37 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 11/19/2018 +ms.topic: tutorial +ms.date: 04/01/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with DocuSign In this tutorial, you learn how to integrate DocuSign with Azure Active Directory (Azure AD). - Integrating DocuSign with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to DocuSign. -- You can enable your users to automatically get signed-on to DocuSign (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to DocuSign. +* You can enable your users to be automatically signed-in to DocuSign (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md) +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with DocuSign, you need the following items: -- An Azure AD subscription -- A DocuSign single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* DocuSign single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* DocuSign supports **SP** initiated SSO -1. Adding DocuSign from the gallery -2. Configuring and testing Azure AD single sign-on +* DocuSign supports **Just In Time** user provisioning ## Adding DocuSign from the gallery 
@@ -60,70 +51,74 @@ To configure the integration of DocuSign into Azure AD, you need to add DocuSign **To add DocuSign from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] + ![The Enterprise applications blade](common/enterprise-applications.png) 3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) 4. In the search box, type **DocuSign**, select **DocuSign** from result panel then click **Add** button to add the application. - ![DocuSign in the results list](./media/docusign-tutorial/tutorial_docusign_addfromgallery.png) + ![DocuSign in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with DocuSign based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in DocuSign is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in DocuSign needs to be established. +In this section, you configure and test Azure AD single sign-on with DocuSign based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in DocuSign needs to be established. 
To configure and test Azure AD single sign-on with DocuSign, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Creating a DocuSign test user](#creating-a-docusign-test-user)** - to have a counterpart of Britta Simon in DocuSign that is linked to the Azure AD representation of user. -4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure DocuSign Single Sign-On](#configure-docusign-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create DocuSign test user](#create-docusign-test-user)** - to have a counterpart of Britta Simon in DocuSign that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your DocuSign application. +In this section, you enable Azure AD single sign-on in the Azure portal. 
-**To configure Azure AD single sign-on with DocuSign, perform the following steps:** +To configure Azure AD single sign-on with DocuSign, perform the following steps: -1. In the Azure portal, on the **DocuSign** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **DocuSign** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -2. On the **Select a Single sign-on method** dialog, Click **Select** for **SAML** mode to enable single sign-on. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On](common/tutorial_general_301.png) + ![Single sign-on select mode](common/select-saml-option.png) 3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Configure Single Sign-On](common/editconfigure.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, perform the following steps: - ![DocuSign Domain and URLs single sign-on information](./media/docusign-tutorial/tutorial_docusign_url.png) + ![DocuSign Domain and URLs single sign-on information](common/sp-identifier.png) - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.docusign.com/organizations//saml2/login/sp/` + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.docusign.com/organizations//saml2/login/sp/` - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.docusign.com/organizations//saml2` + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://.docusign.com/organizations//saml2` > [!NOTE] > These values are not real. 
Update these values with the actual Sign-On URL and Identifier which is explained later **View SAML 2.0 Endpoints** section in the tutorial. -5. On the **SAML Signing Certificate** page, in the **SAML Signing Certificate** section, click **Download** to download **Certificate (Base64)** and then save certificate file on your computer. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/certificatebase64.png) - ![The Certificate download link](./media/docusign-tutorial/tutorial_docusign_certificate.png) +6. On the **Set up DocuSign** section, copy the appropriate URL(s) as per your requirement. -6. On the **Set up DocuSign** section, copy the appropriate URL as per your requirement. + ![Copy configuration URLs](common/copy-configuration-urls.png) a. Login URL 
@@ -131,35 +126,35 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf c. Logout URL - ![DocuSign Configuration](common/configuresection.png) +### Configure DocuSign Single Sign-On -7. In a different web browser window, login to your **DocuSign admin portal** as an administrator. +1. In a different web browser window, sign to your **DocuSign admin portal** as an administrator. -8. On the top right of the page click on profile **logo** and then click on **Go to Admin**. +2. On the top right of the page click on profile **logo** and then click on **Go to Admin**. ![Configuring single sign-on][51] -9. On your domain solutions page, click on **Domains** +3. On your domain solutions page, click on **Domains** ![Configuring single sign-on][50] -10. Under the **Domains** section, click **CLAIM DOMAIN**. +4. Under the **Domains** section, click **CLAIM DOMAIN**. ![Configuring single sign-on][52] -11. On the **Claim a domain** dialog, in the **Domain Name** textbox, type your company domain, and then click **CLAIM**. Make sure that you verify the domain and the status is active. +5. On the **Claim a domain** dialog, in the **Domain Name** textbox, type your company domain, and then click **CLAIM**. Make sure that you verify the domain and the status is active. ![Configuring single sign-on][53] -12. On your domain solutions page, click **Identity Providers**. +6. On your domain solutions page, click **Identity Providers**. ![Configuring single sign-on][54] -13. Under **Identity Providers** section, click **ADD IDENTITY PROVIDER**. +7. Under **Identity Providers** section, click **ADD IDENTITY PROVIDER**. ![Configuring single sign-on][55] -14. On the **Identity Provider Settings** page, perform the following steps: +8. On the **Identity Provider Settings** page, perform the following steps: ![Configuring single sign-on][56] 
@@ -200,91 +195,85 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf ![Configuring single sign-on][60] - * Copy the **Service Provider Issuer URL**, and then paste it into the **Identifier** textbox in **DocuSign Domain and URLs** section on the Azure portal. + * Copy the **Service Provider Issuer URL**, and then paste it into the **Identifier** textbox in **Basic SAML Configuration** section on the Azure portal. - * Copy the **Service Provider Login URL**, and then paste it into the **Sign On URL** textbox in **DocuSign Domain and URLs** section on the Azure portal. + * Copy the **Service Provider Login URL**, and then paste it into the **Sign On URL** textbox in **Basic SAML Configuration** section on the Azure portal. * Click **Close** -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. 1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Create Azure AD User][100] + ![The "Users and groups" and "All users" links](common/users.png) 2. Select **New user** at the top of the screen. - ![Creating an Azure AD test user](common/create_aaduser_01.png) + ![New user Button](common/new-user.png) 3. In the User properties, perform the following steps. - ![Creating an Azure AD test user](common/create_aaduser_02.png) + ![The User dialog box](common/user-properties.png) - a. In the **Name** field, enter **BrittaSimon**. + a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - c. Select **Properties**, select the **Show password** check box, and then write down the value that's displayed in the Password box. + c. 
Select **Show password** check box, and then write down the value that's displayed in the Password box. - d. Select **Create**. + d. Click **Create**. -### Creating a DocuSign test user - -The objective of this section is to create a user called Britta Simon in DocuSign. DocuSign supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access DocuSign if it doesn't exist yet. ->[!Note] ->If you need to create a user manually, contact [DocuSign support team](https://support.docusign.com/). - -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to DocuSign. -1. In the Azure portal, select **Enterprise Applications**, select **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **DocuSign**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) 2. In the applications list, select **DocuSign**. - ![Configure Single Sign-On](./media/docusign-tutorial/tutorial_docusign_app.png) + ![The DocuSign link in the Applications list](common/all-applications.png) -3. In the menu on the left, click **Users and groups**. +3. In the menu on the left, select **Users and groups**. - ![Assign User][202] + ![The "Users and groups" link](common/users-groups-blade.png) -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][203] + ![The Add Assignment pane](common/add-assign-user.png) 5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -6. In the **Add Assignment** dialog select the **Assign** button. +6. 
If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create DocuSign test user + +In this section, a user called Britta Simon is created in DocuSign. DocuSign supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in DocuSign, a new one is created after authentication. -### Testing single sign-on +>[!Note] +>If you need to create a user manually, contact [DocuSign support team](https://support.docusign.com/). + +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the DocuSign tile in the Access Panel, you should get automatically signed-on to your DocuSign application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +When you click the DocuSign tile in the Access Panel, you should be automatically signed in to the DocuSign for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-## Additional resources +## Additional Resources -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) - +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[1]: common/tutorial_general_01.png -[2]: common/tutorial_general_02.png -[3]: common/tutorial_general_03.png -[4]: common/tutorial_general_04.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[100]: common/tutorial_general_100.png + -[201]: common/tutorial_general_201.png -[202]: common/tutorial_general_202.png -[203]: common/tutorial_general_203.png [50]: ./media/docusign-tutorial/tutorial_docusign_18.png [51]: ./media/docusign-tutorial/tutorial_docusign_21.png [52]: ./media/docusign-tutorial/tutorial_docusign_22.png
diff --git a/articles/active-directory/saas-apps/dossier-tutorial.md b/articles/active-directory/saas-apps/dossier-tutorial.md
index 78a41683949c6..7315f4d84b4c4 100644
--- a/articles/active-directory/saas-apps/dossier-tutorial.md
+++ b/articles/active-directory/saas-apps/dossier-tutorial.md
@@ -4,54 +4,44 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 7a5fec92-9c01-4ced-99b2-a10e28fc028e ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 08/01/2018 +ms.topic: tutorial +ms.date: 04/04/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Dossier In this tutorial, you learn how to integrate Dossier with Azure Active Directory (Azure AD). - Integrating Dossier with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Dossier. -- You can enable your users to automatically get signed-on to Dossier (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Dossier. +* You can enable your users to be automatically signed-in to Dossier (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md) +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with Dossier, you need the following items: -- An Azure AD subscription -- A Dossier single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Dossier single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -1. Adding Dossier from the gallery -2. Configuring and testing Azure AD single sign-on +* Dossier supports **SP** initiated SSO ## Adding Dossier from the gallery 
@@ -61,175 +51,164 @@ To configure the integration of Dossier into Azure AD, you need to add Dossier f 1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] + ![The Enterprise applications blade](common/enterprise-applications.png) 3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) 4. In the search box, type **Dossier**, select **Dossier** from result panel then click **Add** button to add the application. - ![Dossier in the results list](./media/dossier-tutorial/tutorial_dossier_addfromgallery.png) + ![Dossier in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Dossier based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Dossier is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Dossier needs to be established. +In this section, you configure and test Azure AD single sign-on with Dossier based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Dossier needs to be established. To configure and test Azure AD single sign-on with Dossier, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. 
**[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Create a Dossier test user](#create-a-dossier-test-user)** - to have a counterpart of Britta Simon in Dossier that is linked to the Azure AD representation of user. +2. **[Configure Dossier Single Sign-On](#configure-dossier-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +5. **[Create Dossier test user](#create-dossier-test-user)** - to have a counterpart of Britta Simon in Dossier that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Dossier application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Dossier, perform the following steps:** +To configure Azure AD single sign-on with Dossier, perform the following steps: -1. In the Azure portal, on the **Dossier** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Dossier** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -2. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. 
- ![Single sign-on dialog box](./media/dossier-tutorial/tutorial_dossier_samlbase.png) + ![Single sign-on select mode](common/select-saml-option.png) -3. On the **Dossier Domain and URLs** section, perform the following steps: +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Dossier Domain and URLs single sign-on information](./media/dossier-tutorial/tutorial_dossier_url1.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) - a. In the **Sign-on URL** textbox, type a URL using the following pattern: - - | | | +4. On the **Basic SAML Configuration** section, perform the following steps: + + ![Dossier Domain and URLs single sign-on information](common/sp-identifier-reply.png) + + a. In the **Sign on URL** text box, type a URL using the following pattern: + + | | |-|-| | `https://.dossiersystems.com/azuresso/account/SignIn`| | `https://dossier./azuresso/account/SignIn`| | | - b. In the **Identifier** textbox, type a URL using the following pattern: `Dossier/` + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: `Dossier/` - > [!NOTE] + > [!NOTE] > For identifier value it should be in the format of `Dossier/` or any user personalized value. - c. In the **Reply URL** textbox, type a URL using the following pattern: + c. In the **Reply URL** textbox, type a URL using the following pattern: - | | | + | | |-|-| | `https://.dossiersystems.com/azuresso`| | `https://dossier./azuresso`| | | - > [!NOTE] - > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. Contact [Dossier Client support team](mailto:support@intellimedia.ca) to get these values. -4. On the **SAML Signing Certificate** section, click the copy button to copy **App Federation Metadata Url** and paste it into Notepad. + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. 
Contact [Dossier Client support team](mailto:support@intellimedia.ca) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - ![The Certificate download link](./media/dossier-tutorial/tutorial_dossier_certificate.png) +4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click the copy button to copy **App Federation Metadata Url** from the given options as per your requirement and save it on your computer. -6. Click **Save** button. + ![The Certificate download link](common/copy-metadataurl.png) - ![Configure Single Sign-On Save button](./media/dossier-tutorial/tutorial_general_400.png) +6. On the **Set up Dossier** section, copy the appropriate URL(s) as per your requirement. -7. To configure single sign-on on **Dossier** side, you need to send the **App Federation Metadata Url** to [Dossier support team](mailto:support@intellimedia.ca). They set this setting to have the SAML SSO connection set properly on both sides. + ![Copy configuration URLs](common/copy-configuration-urls.png) -### Create an Azure AD test user + a. Login URL -The objective of this section is to create a test user in the Azure portal called Britta Simon. + b. Azure AD Identifier - ![Create an Azure AD test user][100] + c. Logout URL -**To create a test user in Azure AD, perform the following steps:** +### Configure Dossier Single Sign-On -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +To configure single sign-on on **Dossier** side, you need to send the **App Federation Metadata Url** to [Dossier support team](mailto:support@intellimedia.ca). They set this setting to have the SAML SSO connection set properly on both sides. - ![The Azure Active Directory button](./media/dossier-tutorial/create_aaduser_01.png) +### Create an Azure AD test user -2. To display the list of users, go to **Users and groups**, and then click **All users**. 
+The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![The "Users and groups" and "All users" links](./media/dossier-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -3. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Add button](./media/dossier-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -4. In the **User** dialog box, perform the following steps: + ![New user Button](common/new-user.png) - ![The User dialog box](./media/dossier-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** box, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** box, type the email address of user Britta Simon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. -### Create a Dossier test user - -In this section, you create a user called Britta Simon in Dossier. Work with [Dossier support team](mailto:support@intellimedia.ca) to add the users in the Dossier platform. Users must be created and activated before you use single sign-on. - ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Dossier. -![Assign the user role][200] - -**To assign Britta Simon to Dossier, perform the following steps:** - -1. 
In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Dossier**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) 2. In the applications list, select **Dossier**. - ![The Dossier link in the Applications list](./media/dossier-tutorial/tutorial_dossier_app.png) + ![The Dossier link in the Applications list](common/all-applications.png) -3. In the menu on the left, click **Users and groups**. +3. In the menu on the left, select **Users and groups**. - ![The "Users and groups" link][202] + ![The "Users and groups" link](common/users-groups-blade.png) -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The Add Assignment pane][203] + ![The Add Assignment pane](common/add-assign-user.png) -5. On **Users and groups** dialog, select **Britta Simon** in the Users list. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -6. Click **Select** button on **Users and groups** dialog. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -7. Click **Assign** button on **Add Assignment** dialog. +7. In the **Add Assignment** dialog click the **Assign** button. -### Test single sign-on +### Create Dossier test user -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +In this section, you create a user called Britta Simon in Dossier. 
Work with [Dossier support team](mailto:support@intellimedia.ca) to add the users in the Dossier platform. Users must be created and activated before you use single sign-on. -When you click the Dossier tile in the Access Panel, you should get automatically signed-on to your Dossier application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +### Test single sign-on -## Additional resources +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +When you click the Dossier tile in the Access Panel, you should be automatically signed in to the Dossier for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
- +## Additional Resources -[1]: ./media/dossier-tutorial/tutorial_general_01.png -[2]: ./media/dossier-tutorial/tutorial_general_02.png -[3]: ./media/dossier-tutorial/tutorial_general_03.png -[4]: ./media/dossier-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/dossier-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/dossier-tutorial/tutorial_general_200.png -[201]: ./media/dossier-tutorial/tutorial_general_201.png -[202]: ./media/dossier-tutorial/tutorial_general_202.png -[203]: ./media/dossier-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/ebsco-tutorial.md b/articles/active-directory/saas-apps/ebsco-tutorial.md
index d1e75fd10e1fa..a556e15d5242e 100644
--- a/articles/active-directory/saas-apps/ebsco-tutorial.md
+++ b/articles/active-directory/saas-apps/ebsco-tutorial.md
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 144f7f65-69e9-4016-a151-fe1104fd6ba8 ms.service: active-directory
@@ -13,109 +13,108 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 01/31/2018 +ms.topic: tutorial +ms.date: 04/01/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with EBSCO In this tutorial, you learn how to integrate EBSCO with Azure Active Directory (Azure AD). - Integrating EBSCO with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to EBSCO. -- You can enable your users to automatically get signed-on to EBSCO (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to EBSCO. +* You can enable your users to be automatically signed-in to EBSCO (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with EBSCO, you need the following items: -- An Azure AD subscription -- An EBSCO single-sign on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* EBSCO single sign-on enabled subscription -To test the steps in this tutorial, you should follow these recommendations: +## Scenario description -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +* EBSCO supports **SP** and **IDP** initiated SSO -1. Adding EBSCO from the gallery -1. Configuring and testing Azure AD single sign-on +* EBSCO supports **Just In Time** user provisioning ## Adding EBSCO from the gallery + To configure the integration of EBSCO into Azure AD, you need to add EBSCO from the gallery to your list of managed SaaS apps. **To add EBSCO from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. 
To add a new application, click the **New application** button at the top of the dialog. -1. In the search box, type **EBSCO**, select **EBSCO** from result panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![EBSCO in the results list](./media/ebsco-tutorial/tutorial_ebsco_addfromgallery.png) +4. In the search box, type **EBSCO**, select **EBSCO** from the result panel then click the **Add** button to add the application. -## Configure and test Azure AD single sign-on + ![EBSCO in the results list](common/search-new-app.png) -In this section, you configure and test Azure AD single sign-on with EBSCO based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on -For single sign-on to work, Azure AD needs to know what the counterpart user in EBSCO is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in EBSCO needs to be established. +In this section, you configure and test Azure AD single sign-on with EBSCO based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in EBSCO needs to be established. To configure and test Azure AD single sign-on with EBSCO, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create an EBSCO test user](#create-an-ebsco-test-user)** - you can automate EBSCOhost user provisioning/personalization. EBSCO supports Just-In-Time user provisioning. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. 
+2. **[Configure EBSCO Single Sign-On](#configure-ebsco-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create EBSCO test user](#create-ebsco-test-user)** - to have a counterpart of Britta Simon in EBSCO that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your EBSCO application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with EBSCO, perform the following steps:** +To configure Azure AD single sign-on with EBSCO, perform the following steps: -1. In the Azure portal, on the **EBSCO** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **EBSCO** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/ebsco-tutorial/tutorial_ebsco_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. + + ![Single sign-on select mode](common/select-saml-option.png) + +3. On the **Set up Single Sign-On with SAML** page, click the **Edit** icon to open the **Basic SAML Configuration** dialog. + + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. 
On the **EBSCO Domain and URLs** section, perform the following steps if you wish to configure the application in **IDP** initiated mode: +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step: - ![EBSCO Domain and URLs single sign-on information](./media/ebsco-tutorial/tutorial_ebsco_url.png) + ![EBSCO Domain and URLs single sign-on information](common/idp-identifier.png) - In the **Identifier** textbox, type a URL: `pingsso.ebscohost.com` + In the **Identifier** text box, type a URL: + `pingsso.ebscohost.com` -1. Check **Show advanced URL settings** and perform the following step if you wish to configure the application in **SP** initiated mode: +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: - ![EBSCO Domain and URLs single sign-on information](./media/ebsco-tutorial/tutorial_ebsco_url1.png) + ![image](common/both-preintegrated-signon.png) - In the **Sign-on URL** textbox, type a URL using the following pattern: `http://search.ebscohost.com/login.aspx?authtype=sso&custid=&profile=` - - > [!NOTE] - > The Sign-on URL value is not real. Update the value with the actual Sign-on URL. Contact [EBSCO Client support team](mailto:sso@ebsco.com) to get the value. + In the **Sign-on URL** text box, type a URL using the following pattern: + `http://search.ebscohost.com/login.aspx?authtype=sso&custid=&profile=` + + > [!NOTE] + > The Sign-on URL value is not real. Update the value with the actual Sign-on URL. Contact [EBSCO Client support team](mailto:sso@ebsco.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. o **Unique elements:** 
@@ -123,154 +122,138 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf o **Profile** = Clients can tailor the link to direct users to a specific profile (depending on what they purchase from EBSCO). They can enter a specific profile ID. The main IDs are eds (EBSCO Discovery Service) and ehost (EBSOCOhost databases). Instructions for the same are given [here](https://help.ebsco.com/interfaces/EBSCOhost/EBSCOhost_FAQs/How_do_I_set_up_direct_links_to_EBSCOhost_profiles_and_or_databases#profile). -1. EBSCO application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the "**User Attributes**" section on application integration page. The following screenshot shows an example for this. - - ![Configure Single Sign-On](./media/ebsco-tutorial/tutorial_ebsco_attribute.png) +6. EBSCO application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog. - > [!Note] - > The **name** attribute is mandatory and it is mapped with **User Identifier** in EBSCO application. This is added by default so you don't need to add this manually. - -1. In the **User Attributes** section on the **Single sign-on** dialog, configure SAML token attribute as shown in the image above and perform the following steps: - - | Attribute Name | Attribute Value | + ![image](common/edit-attribute.png) + + > [!Note] + > The **name** attribute is mandatory and it is mapped with **Name Identifier value** in EBSCO application. This is added by default so you don't need to add this manually. + +7. In addition to above, EBSCO application expects few more attributes to be passed back in SAML response. 
In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table: + + | Name | Source Attribute| | ---------------| --------------- | | FirstName | user.givenname | | LastName | user.surname | | Email | user.mail | - a. Click **Add attribute** to open the **Add Attribute** dialog. + a. Click **Add new claim** to open the **Manage user claims** dialog. - ![Configure Single Sign-On](./media/ebsco-tutorial/tutorial_officespace_04.png) + ![image](common/new-save-attribute.png) + + ![image](common/new-attribute-details.png) - ![Configure Single Sign-On](./media/ebsco-tutorial/tutorial_attribute_05.png) - b. In the **Name** textbox, type the attribute name shown for that row. - - c. From the **Value** list, type the attribute value shown for that row. - - d. Click **Ok** -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + c. Leave the **Namespace** blank. - ![The Certificate download link](./media/ebsco-tutorial/tutorial_ebsco_certificate.png) + d. Select Source as **Attribute**. -1. Click **Save** button. + e. From the **Source attribute** list, type the attribute value shown for that row. - ![Configure Single Sign-On Save button](./media/ebsco-tutorial/tutorial_general_400.png) - -1. To configure single sign-on on **EBSCO** side, you need to send the downloaded **Metadata XML** to [EBSCO support team](mailto:sso@ebsco.com). They set this setting to have the SAML SSO connection set properly on both sides. + f. Click **Save**. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. 
You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) +8. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -### Create an Azure AD test user + ![The Certificate download link](common/metadataxml.png) -The objective of this section is to create a test user in the Azure portal called Britta Simon. +9. On the **Set up EBSCO** section, copy the appropriate URL(s) as per your requirement. - ![Create an Azure AD test user][100] + ![Copy configuration URLs](common/copy-configuration-urls.png) -**To create a test user in Azure AD, perform the following steps:** + a. Login URL -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. + b. Azure AD Identifier - ![The Azure Active Directory button](./media/ebsco-tutorial/create_aaduser_01.png) + c. Logout URL -1. To display the list of users, go to **Users and groups**, and then click **All users**. +### Configure EBSCO Single Sign-On - ![The "Users and groups" and "All users" links](./media/ebsco-tutorial/create_aaduser_02.png) +To configure single sign-on on **EBSCO** side, you need to send the downloaded **Metadata XML** and appropriate copied URLs from Azure portal to [EBSCO support team](mailto:sso@ebsco.com). They set this setting to have the SAML SSO connection set properly on both sides. -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. +### Create an Azure AD test user - ![The Add button](./media/ebsco-tutorial/create_aaduser_03.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. In the **User** dialog box, perform the following steps: +1. 
In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![The User dialog box](./media/ebsco-tutorial/create_aaduser_04.png) + ![The "Users and groups" and "All users" links](common/users.png) - a. In the **Name** box, type **BrittaSimon**. +2. Select **New user** at the top of the screen. - b. In the **User name** box, type the email address of user Britta Simon. + ![New user Button](common/new-user.png) - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. +3. In the User properties, perform the following steps. - d. Click **Create**. - -### Create an EBSCO test user + ![The User dialog box](common/user-properties.png) -In the case of EBSCO, user provisioning is automatic. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com -**To provision a user account, perform the following steps:** + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -Azure AD passes the required data to EBSCO application. EBSCO’s user provisioning can be automatic OR require a one-time form. It depends on whether the client has a lot of pre-existing EBSCOhost accounts with personal settings saved. The same can be discussed with the [EBSCO support team](mailto:sso@ebsco.com) during the implementation. Either way, the client doesn’t have to create any EBSCOhost accounts prior to testing. + d. Click **Create**. - >[!Note] - >You can automate EBSCOhost user provisioning/personalization. Contact [EBSCO support team](mailto:sso@ebsco.com) about Just-In-Time user provisioning. - ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to EBSCO. -![Assign the user role][200] +1. 
In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **EBSCO**. -**To assign Britta Simon to EBSCO, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **EBSCO**. - ![Assign User][201] + ![The EBSCO link in the Applications list](common/all-applications.png) -1. In the applications list, select **EBSCO**. +3. In the menu on the left, select **Users and groups**. - ![The EBSCO link in the Applications list](./media/ebsco-tutorial/tutorial_ebsco_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The "Users and groups" link][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create EBSCO test user -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +In the case of EBSCO, user provisioning is automatic. 
+ +**To provision a user account, perform the following steps:** + +Azure AD passes the required data to EBSCO application. EBSCO’s user provisioning can be automatic OR require a one-time form. It depends on whether the client has a lot of pre-existing EBSCOhost accounts with personal settings saved. The same can be discussed with the [EBSCO support team](mailto:sso@ebsco.com) during the implementation. Either way, the client doesn’t have to create any EBSCOhost accounts prior to testing. + + >[!Note] + >You can automate EBSCOhost user provisioning/personalization. Contact [EBSCO support team](mailto:sso@ebsco.com) about Just-In-Time user provisioning. + +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. 1. When you click the EBSCO tile in the Access Panel, you should get automatically signed-on to your EBSCO application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). -1. Once you login to the application, click on the **sign in** button in the top right corner. +2. Once you login to the application, click on the **sign in** button in the top right corner. - ![The EBSCO signin in the Applications list](./media/ebsco-tutorial/tutorial_ebsco_signin.png) + ![The EBSCO sign-in in the Applications list](./media/ebsco-tutorial/tutorial_ebsco_signin.png) -1. You will receive a one-time prompt to pair the institutional/SAML login with an **Link your existing MyEBSCOhost account to your institution account now** OR **Create a new MyEBSCOhost account and link it to your institution account**. The account is used for personalization on the EBSCOhost application. 
Select the option **Create a new account** and you will see that the form for personalization is pre-completed with the values from the saml response as shown in the screenshot below. Click **‘Continue’** to save this selection. +3. You will receive a one-time prompt to pair the institutional/SAML login with an **Link your existing MyEBSCOhost account to your institution account now** OR **Create a new MyEBSCOhost account and link it to your institution account**. The account is used for personalization on the EBSCOhost application. Select the option **Create a new account** and you will see that the form for personalization is pre-completed with the values from the saml response as shown in the screenshot below. Click **‘Continue’** to save this selection. ![The EBSCO user in the Applications list](./media/ebsco-tutorial/tutorial_ebsco_user.png) -1. After completing the above setup, clear cookies/cache and login again. You won’t have to manually signin again and the personalization settings are remembered - -## Additional resources - -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - - +1. After completing the above setup, clear cookies/cache and login again. 
You won’t have to manually sign in again and the personalization settings are remembered - +## Additional sesources -[1]: ./media/ebsco-tutorial/tutorial_general_01.png -[2]: ./media/ebsco-tutorial/tutorial_general_02.png -[3]: ./media/ebsco-tutorial/tutorial_general_03.png -[4]: ./media/ebsco-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/ebsco-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/ebsco-tutorial/tutorial_general_200.png -[201]: ./media/ebsco-tutorial/tutorial_general_201.png -[202]: ./media/ebsco-tutorial/tutorial_general_202.png -[203]: ./media/ebsco-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/edigitalresearch-tutorial.md b/articles/active-directory/saas-apps/edigitalresearch-tutorial.md index 26ab31d1e7266..431dcb0652fac 100644 --- a/articles/active-directory/saas-apps/edigitalresearch-tutorial.md +++ b/articles/active-directory/saas-apps/edigitalresearch-tutorial.md @@ -36,7 +36,7 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with eDigitalResearch, you need the following items: - An Azure AD subscription -- A eDigitalResearch single sign-on enabled subscription +- An eDigitalResearch single sign-on enabled subscription > [!NOTE] > To test the steps in this tutorial, we do not recommend using a production environment. 
@@ -86,7 +86,7 @@ To configure and test Azure AD single sign-on with eDigitalResearch, you need to
 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-1. **[Create a eDigitalResearch test user](#create-a-edigitalresearch-test-user)** - to have a counterpart of Britta Simon in eDigitalResearch that is linked to the Azure AD representation of user.
+1. **[Create an eDigitalResearch test user](#create-an-edigitalresearch-test-user)** - to have a counterpart of Britta Simon in eDigitalResearch that is linked to the Azure AD representation of user.
 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
 1. **[Test single sign-on](#test-single-sign-on)** to verify whether the configuration works.
@@ -166,7 +166,7 @@ The objective of this section is to create a test user in the Azure portal calle
 d. Click **Create**.
-### Create a eDigitalResearch test user
+### Create an eDigitalResearch test user
 The objective of this section is to create a user called Britta Simon in eDigitalResearch.
diff --git a/articles/active-directory/saas-apps/edubrite-lms-tutorial.md b/articles/active-directory/saas-apps/edubrite-lms-tutorial.md
new file mode 100644
index 0000000000000..dbfc0e880b0e8
--- /dev/null
+++ b/articles/active-directory/saas-apps/edubrite-lms-tutorial.md
@@ -0,0 +1,208 @@ +--- +title: 'Tutorial: Azure Active Directory integration with EduBrite LMS | Microsoft Docs' +description: Learn how to configure single sign-on between Azure Active Directory and EduBrite LMS. +services: active-directory +documentationCenter: na +author: jeevansd +manager: mtillman +ms.reviewer: barbkess + +ms.assetid: f071670e-a1bd-45d6-bd71-b3ea6eb92bf9 +ms.service: active-directory +ms.subservice: saas-app-tutorial +ms.workload: identity +ms.tgt_pltfrm: na +ms.devlang: na +ms.topic: tutorial +ms.date: 04/03/2019 +ms.author: jeedes + +ms.collection: M365-identity-device-management +--- +# Tutorial: Azure Active Directory integration with EduBrite LMS + +In this tutorial, you learn how to integrate EduBrite LMS with Azure Active Directory (Azure AD). +Integrating EduBrite LMS with Azure AD provides you with the following benefits: + +* You can control in Azure AD who has access to EduBrite LMS. +* You can enable your users to be automatically signed-in to EduBrite LMS (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. + +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. + +## Prerequisites + +To configure Azure AD integration with EduBrite LMS, you need the following items: + +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* EduBrite LMS single sign-on enabled subscription + +## Scenario description + +In this tutorial, you configure and test Azure AD single sign-on in a test environment. 
+ +* EduBrite LMS supports **SP and IDP** initiated SSO + +* EduBrite LMS supports **Just In Time** user provisioning + +## Adding EduBrite LMS from the gallery + +To configure the integration of EduBrite LMS into Azure AD, you need to add EduBrite LMS from the gallery to your list of managed SaaS apps. + +**To add EduBrite LMS from the gallery, perform the following steps:** + +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. + + ![The Azure Active Directory button](common/select-azuread.png) + +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. + + ![The Enterprise applications blade](common/enterprise-applications.png) + +3. To add new application, click **New application** button on the top of dialog. + + ![The New application button](common/add-new-app.png) + +4. In the search box, type **EduBrite LMS**, select **EduBrite LMS** from result panel then click **Add** button to add the application. + + ![EduBrite LMS in the results list](common/search-new-app.png) + +## Configure and test Azure AD single sign-on + +In this section, you configure and test Azure AD single sign-on with EduBrite LMS based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in EduBrite LMS needs to be established. + +To configure and test Azure AD single sign-on with EduBrite LMS, you need to complete the following building blocks: + +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure EduBrite LMS Single Sign-On](#configure-edubrite-lms-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create EduBrite LMS test user](#create-edubrite-lms-test-user)** - to have a counterpart of Britta Simon in EduBrite LMS that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. + +### Configure Azure AD single sign-on + +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with EduBrite LMS, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **EduBrite LMS** application integration page, select **Single sign-on**. + + ![Configure single sign-on link](common/select-sso.png) + +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. + + ![Single sign-on select mode](common/select-saml-option.png) + +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. + + ![Edit Basic SAML Configuration](common/edit-urls.png) + +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: + + ![EduBrite LMS Domain and URLs single sign-on information](common/idp-intiated.png) + + a. In the **Identifier** text box, type a URL using the following pattern: + `https://.edubrite.com` + + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://.edubrite.com/oltpublish/site/samlLoginResponse.do` + +5. 
Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: + + ![EduBrite LMS Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) + + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://.edubrite.com/oltpublish/site/samlLoginResponse.do` + + > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [EduBrite LMS Client support team](mailto:support@edubrite.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + +6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/certificatebase64.png) + +7. On the **Set up EduBrite LMS** section, copy the appropriate URL(s) as per your requirement. + + ![Copy configuration URLs](common/copy-configuration-urls.png) + + a. Login URL + + b. Azure AD Identifier + + c. Logout URL + +### Configure EduBrite LMS Single Sign-On + +To configure single sign-on on **EduBrite LMS** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [EduBrite LMS support team](mailto:support@edubrite.com). They set this setting to have the SAML SSO connection set properly on both sides. + +### Create an Azure AD test user + +The objective of this section is to create a test user in the Azure portal called Britta Simon. + +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. + + ![The "Users and groups" and "All users" links](common/users.png) + +2. Select **New user** at the top of the screen. 
+ + ![New user Button](common/new-user.png) + +3. In the User properties, perform the following steps. + + ![The User dialog box](common/user-properties.png) + + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com + + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. + +### Assign the Azure AD test user + +In this section, you enable Britta Simon to use Azure single sign-on by granting access to EduBrite LMS. + +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **EduBrite LMS**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **EduBrite LMS**. + + ![The EduBrite LMS link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) + +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. + +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create EduBrite LMS test user + +In this section, a user called Britta Simon is created in EduBrite LMS. EduBrite LMS supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. 
If a user doesn't already exist in EduBrite LMS, a new one is created after authentication. + +### Test single sign-on + +In this section, you test your Azure AD single sign-on configuration using the Access Panel. + +When you click the EduBrite LMS tile in the Access Panel, you should be automatically signed in to the EduBrite LMS for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). + +## Additional Resources + +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) + +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) + +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) + diff --git a/articles/active-directory/saas-apps/empactis-tutorial.md b/articles/active-directory/saas-apps/empactis-tutorial.md index 35a356b3b1296..da564f944071a 100644 --- a/articles/active-directory/saas-apps/empactis-tutorial.md +++ b/articles/active-directory/saas-apps/empactis-tutorial.md 
@@ -182,9 +182,9 @@ When you click the Empactis tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/eplatform-tutorial.md b/articles/active-directory/saas-apps/eplatform-tutorial.md
index 698e3412430af..bdfed87743399 100644
--- a/articles/active-directory/saas-apps/eplatform-tutorial.md
+++ b/articles/active-directory/saas-apps/eplatform-tutorial.md
@@ -219,9 +219,9 @@ When you click the ePlatform tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/evernote-tutorial.md b/articles/active-directory/saas-apps/evernote-tutorial.md
index 174baae635842..53918ae5c2d17 100644
--- a/articles/active-directory/saas-apps/evernote-tutorial.md
+++ b/articles/active-directory/saas-apps/evernote-tutorial.md
@@ -9,14 +9,14 @@ ms.reviewer: barbkess
 ms.assetid: 28acce3e-22a0-4a37-8b66-6e518d777350
 ms.service: active-directory
+ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: tutorial
-ms.date: 02/07/2019
+ms.date: 04/10/2019
 ms.author: jeedes
-ms.collection: M365-identity-device-management
 ---
 # Tutorial: Azure Active Directory integration with Evernote
@@ -49,7 +49,7 @@ To configure the integration of Evernote into Azure AD, you need to add Evernote
 **To add Evernote from the gallery, perform the following steps:**
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
+1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon.
 ![The Azure Active Directory button](common/select-azuread.png)
@@ -57,11 +57,11 @@ To configure the integration of Evernote into Azure AD, you need to add Evernote
 ![The Enterprise applications blade](common/enterprise-applications.png)
-3. To add new application, click **New application** button on the top of dialog.
+3. To add a new application, click the **New application** button at the top of the dialog.
 ![The New application button](common/add-new-app.png)
-4. In the search box, type **Evernote**, select **Evernote** from result panel then click **Add** button to add the application.
+4. In the search box, type **Evernote**, select **Evernote** from the result panel then click the **Add** button to add the application.
 ![Evernote in the results list](common/search-new-app.png)
@@ -93,11 +93,11 @@ To configure Azure AD single sign-on with Evernote, perform the following steps:
 ![Single sign-on select mode](common/select-saml-option.png)
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+3. On the **Set up Single Sign-On with SAML** page, click the **Edit** icon to open the **Basic SAML Configuration** dialog.
 ![Edit Basic SAML Configuration](common/edit-urls.png)
-4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following step:
+4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
 ![Evernote Domain and URLs single sign-on information](common/idp-identifier.png)
@@ -115,13 +115,23 @@ To configure Azure AD single sign-on with Evernote, perform the following steps:
 ![The Certificate download link](common/certificatebase64.png)
-7. On the **Set up Evernote** section, copy the appropriate URL(s) as per your requirement.
+7. To modify the **Signing** options, click the **Edit** button to open the **SAML Signing Certificate** dialog.
+
+ ![image](common/edit-certificate.png)
+
+ ![image](./media/evernote-tutorial/samlassertion.png)
+
+ a. Select the **Sign SAML response and assertion** option for **Signing Option**.
+
+ b. Click **Save**
+
+8. On the **Set up Evernote** section, copy the appropriate URL(s) as per your requirement.
 ![Copy configuration URLs](common/copy-configuration-urls.png)
 a. Login URL
- b. Azure Ad Identifier
+ b. Azure AD Identifier
 c. Logout URL
@@ -167,8 +177,7 @@ The objective of this section is to create a test user in the Azure portal calle
 a. In the **Name** field enter **BrittaSimon**.
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
+ b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
 c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
@@ -229,7 +238,7 @@ In this section, you test your Azure AD single sign-on configuration using the A
 When you click the Evernote tile in the Access Panel, you should be automatically signed in to the Evernote for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-## Additional Resources
+## Additional resources
 - [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
diff --git a/articles/active-directory/saas-apps/excelityglobal-tutorial.md b/articles/active-directory/saas-apps/excelityglobal-tutorial.md
index 1d82c19906cfa..09fbec77f9725 100644
--- a/articles/active-directory/saas-apps/excelityglobal-tutorial.md
+++ b/articles/active-directory/saas-apps/excelityglobal-tutorial.md
@@ -201,8 +201,8 @@ When you click the ExcelityGlobal tile in the Access Panel, you should be automa
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/explanation-based-auditing-system-tutorial.md b/articles/active-directory/saas-apps/explanation-based-auditing-system-tutorial.md
index 6fbfc51b7fcb7..3333878485146 100644
--- a/articles/active-directory/saas-apps/explanation-based-auditing-system-tutorial.md
+++ b/articles/active-directory/saas-apps/explanation-based-auditing-system-tutorial.md
@@ -176,9 +176,9 @@ When you click the Explanation-Based Auditing System tile in the Access Panel, y
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/firmplay-tutorial.md b/articles/active-directory/saas-apps/firmplay-tutorial.md
index 3a6dbbdea84fd..0bf5ccf08240a 100644
--- a/articles/active-directory/saas-apps/firmplay-tutorial.md
+++ b/articles/active-directory/saas-apps/firmplay-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: a6799629-7546-43f8-a966-956db32864b1
 ms.service: active-directory
@@ -12,243 +13,183 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 02/15/2017 +ms.topic: tutorial +ms.date: 04/01/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with FirmPlay - Employee Advocacy for Recruiting In this tutorial, you learn how to integrate FirmPlay - Employee Advocacy for Recruiting with Azure Active Directory (Azure AD). - Integrating FirmPlay - Employee Advocacy for Recruiting with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to FirmPlay - Employee Advocacy for Recruiting -- You can enable your users to automatically get signed-on to FirmPlay - Employee Advocacy for Recruiting (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure Management portal +* You can control in Azure AD who has access to FirmPlay - Employee Advocacy for Recruiting. +* You can enable your users to be automatically signed-in to FirmPlay - Employee Advocacy for Recruiting (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with FirmPlay - Employee Advocacy for Recruiting, you need the following items: -- An Azure AD subscription -- A FirmPlay - Employee Advocacy for Recruiting single-sign on enabled subscription - - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - - -To test the steps in this tutorial, you should follow these recommendations: - -- You should not use your production environment, unless this is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). - +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* FirmPlay - Employee Advocacy for Recruiting single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding FirmPlay - Employee Advocacy for Recruiting from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. +* FirmPlay - Employee Advocacy for Recruiting supports **SP** initiated SSO ## Adding FirmPlay - Employee Advocacy for Recruiting from the gallery + To configure the integration of FirmPlay - Employee Advocacy for Recruiting into Azure AD, you need to add FirmPlay - Employee Advocacy for Recruiting from the gallery to your list of managed SaaS apps. **To add FirmPlay - Employee Advocacy for Recruiting from the gallery, perform the following steps:** -1. In the **[Azure Management Portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. 
- ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. Click **Add** button on the top of the dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **FirmPlay - Employee Advocacy for Recruiting**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/firmplay-tutorial/tutorial_firmplay_001.png) +4. In the search box, type **FirmPlay - Employee Advocacy for Recruiting**, select **FirmPlay - Employee Advocacy for Recruiting** from result panel then click **Add** button to add the application. -1. In the results panel, select **FirmPlay - Employee Advocacy for Recruiting**, and then click **Add** button to add the application. + ![FirmPlay - Employee Advocacy for Recruiting in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/firmplay-tutorial/tutorial_firmplay_0001.png) +## Configure and test Azure AD single sign-on - -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with FirmPlay - Employee Advocacy for Recruiting based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in FirmPlay - Employee Advocacy for Recruiting is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in FirmPlay - Employee Advocacy for Recruiting needs to be established. 
- -This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in FirmPlay - Employee Advocacy for Recruiting. +In this section, you configure and test Azure AD single sign-on with FirmPlay - Employee Advocacy for Recruiting based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in FirmPlay - Employee Advocacy for Recruiting needs to be established. To configure and test Azure AD single sign-on with FirmPlay - Employee Advocacy for Recruiting, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a FirmPlay - Employee Advocacy for Recruiting test user](#creating-a-firmplay---employee-advocacy-for-recruiting-test-user)** - to have a counterpart of Britta Simon in FirmPlay: Employee Advocacy for Recruiting that is linked to the Azure AD representation of her. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. - -### Configuring Azure AD single sign-on +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure FirmPlay - Employee Advocacy for Recruiting Single Sign-On](#configure-firmplay---employee-advocacy-for-recruiting-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create FirmPlay - Employee Advocacy for Recruiting test user](#create-firmplay---employee-advocacy-for-recruiting-test-user)** - to have a counterpart of Britta Simon in FirmPlay - Employee Advocacy for Recruiting that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -In this section, you enable Azure AD single sign-on in the Azure Management portal and configure single sign-on in your FirmPlay - Employee Advocacy for Recruiting application. +### Configure Azure AD single sign-on -**To configure Azure AD single sign-on with FirmPlay - Employee Advocacy for Recruiting, perform the following steps:** +In this section, you enable Azure AD single sign-on in the Azure portal. -1. In the Azure Management portal, on the **FirmPlay - Employee Advocacy for Recruiting** application integration page, click **Single sign-on**. +To configure Azure AD single sign-on with FirmPlay - Employee Advocacy for Recruiting, perform the following steps: - ![Configure Single Sign-On][4] +1. In the [Azure portal](https://portal.azure.com/), on the **FirmPlay - Employee Advocacy for Recruiting** application integration page, select **Single sign-on**. -1. On the **Single sign-on** dialog, as **Mode** select **SAML-based Sign-on** to enable single sign on. - - ![Configure Single Sign-On](./media/firmplay-tutorial/tutorial_firmplay_01.png) + ![Configure single sign-on link](common/select-sso.png) -1. On the **FirmPlay - Employee Advocacy for Recruiting Domain and URLs** section, in the **Sign On URL** textbox, type a URL using the following pattern: `https://.firmplay.com/` +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. 
- ![Configure Single Sign-On](./media/firmplay-tutorial/tutorial_firmplay_02.png) + ![Single sign-on select mode](common/select-saml-option.png) - > [!NOTE] - > Please note that this is not the real value. You have to update this value with the actual Sign On URL. Contact [FirmPlay - Employee Advocacy for Recruiting support team](mailto:engineering@firmplay.com) to get this value. +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **SAML Signing Certificate** section, click **Create new certificate**. + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/firmplay-tutorial/tutorial_firmplay_03.png) +4. On the **Basic SAML Configuration** section, perform the following steps: -1. On the **Create New Certificate** dialog, click the calendar icon and select an **expiry date**. Then click **Save** button. + ![FirmPlay - Employee Advocacy for Recruiting Domain and URLs single sign-on information](common/sp-signonurl.png) - ![Configure Single Sign-On](./media/firmplay-tutorial/tutorial_general_300.png) + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://.firmplay.com/` -1. On the **SAML Signing Certificate** section, select **Make new certificate active** and click **Save** button. + > [!NOTE] + > The value is not real. Update the value with the actual Sign-On URL. Contact [FirmPlay - Employee Advocacy for Recruiting Client support team](mailto:engineering@firmplay.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - ![Configure Single Sign-On](./media/firmplay-tutorial/tutorial_firmplay_04.png) +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. -1. 
On the pop-up **Rollover certificate** window, click **OK**. + ![The Certificate download link](common/certificatebase64.png) - ![Configure Single Sign-On](./media/firmplay-tutorial/tutorial_general_400.png) +6. On the **Set up FirmPlay - Employee Advocacy for Recruiting** section, copy the appropriate URL(s) as per your requirement. -1. On the **SAML Signing Certificate** section, click **Certificate (base64)** and then save the certificate file on your computer. + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![Configure Single Sign-On](./media/firmplay-tutorial/tutorial_firmplay_05.png) + a. Login URL -1. On the **FirmPlay - Employee Advocacy for Recruiting Configuration** section, click **Configure FirmPlay - Employee Advocacy for Recruiting** to open **Configure sign-on** dialog. + b. Azure AD Identifier - ![Configure Single Sign-On](./media/firmplay-tutorial/tutorial_firmplay_06.png) + c. Logout URL - ![Configure Single Sign-On](./media/firmplay-tutorial/tutorial_firmplay_07.png) +### Configure FirmPlay - Employee Advocacy for Recruiting Single Sign-On -1. To get SSO configured for your application, contact [FirmPlay - Employee Advocacy for Recruiting support team](mailto:engineering@firmplay.com) and provide them with the following: +To configure single sign-on on **FirmPlay - Employee Advocacy for Recruiting** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [FirmPlay - Employee Advocacy for Recruiting support team](mailto:engineering@firmplay.com). They set this setting to have the SAML SSO connection set properly on both sides. - • The downloaded **Certificate file** +### Create an Azure AD test user - • The **SAML Single Sign-On Service URL** - - • The **SAML Entity ID** - - • The **Sign-Out URL** - +The objective of this section is to create a test user in the Azure portal called Britta Simon. 
-### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure Management portal called Britta Simon. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -![Create Azure AD User][100] + ![The "Users and groups" and "All users" links](common/users.png) -**To create a test user in Azure AD, perform the following steps:** +2. Select **New user** at the top of the screen. -1. In the **Azure Management portal**, on the left navigation pane, click **Azure Active Directory** icon. + ![New user Button](common/new-user.png) - ![Creating an Azure AD test user](./media/firmplay-tutorial/create_aaduser_01.png) +3. In the User properties, perform the following steps. -1. Go to **Users and groups** and click **All users** to display the list of users. - - ![Creating an Azure AD test user](./media/firmplay-tutorial/create_aaduser_02.png) + ![The User dialog box](common/user-properties.png) -1. At the top of the dialog click **Add** to open the **User** dialog. - - ![Creating an Azure AD test user](./media/firmplay-tutorial/create_aaduser_03.png) - -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/firmplay-tutorial/create_aaduser_04.png) - - a. In the **Name** textbox, type **BrittaSimon**. - - b. In the **User name** textbox, type the **email address** of BrittaSimon. - - c. Select **Show Password** and write down the value of the **Password**. - - d. Click **Create**. - - - -### Creating a FirmPlay - Employee Advocacy for Recruiting test user - -In this section, you create a user called Britta Simon in FirmPlay - Employee Advocacy for Recruiting. Please work with [FirmPlay - Employee Advocacy for Recruiting support team](mailto:engineering@firmplay.com) to add the users in the FirmPlay - Employee Advocacy for Recruiting platform. + a. In the **Name** field enter **BrittaSimon**. + + b. 
In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -### Assigning the Azure AD test user + d. Click **Create**. -In this section, you enable Britta Simon to use Azure single sign-on by granting her access to FirmPlay - Employee Advocacy for Recruiting. +### Assign the Azure AD test user -![Assign User][200] +In this section, you enable Britta Simon to use Azure single sign-on by granting access to FirmPlay - Employee Advocacy for Recruiting. -**To assign Britta Simon to FirmPlay - Employee Advocacy for Recruiting, perform the following steps:** +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **FirmPlay - Employee Advocacy for Recruiting**. -1. In the Azure Management portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. + ![Enterprise applications blade](common/enterprise-applications.png) - ![Assign User][201] +2. In the applications list, select **FirmPlay - Employee Advocacy for Recruiting**. -1. In the applications list, select **FirmPlay - Employee Advocacy for Recruiting**. + ![The FirmPlay - Employee Advocacy for Recruiting link in the Applications list](common/all-applications.png) - ![Configure Single Sign-On](./media/firmplay-tutorial/tutorial_firmplay_50.png) +3. In the menu on the left, select **Users and groups**. -1. In the menu on the left, click **Users and groups**. + ![The "Users and groups" link](common/users-groups-blade.png) - ![Assign User][202] +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. + ![The Add Assignment pane](common/add-assign-user.png) - ![Assign User][203] +5. 
In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. Click **Select** button on **Users and groups** dialog. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Assign** button on **Add Assignment** dialog. - +### Create FirmPlay - Employee Advocacy for Recruiting test user +In this section, you create a user called Britta Simon in FirmPlay - Employee Advocacy for Recruiting. Work with [FirmPlay - Employee Advocacy for Recruiting support team](mailto:engineering@firmplay.com) to add the users in the FirmPlay - Employee Advocacy for Recruiting platform. Users must be created and activated before you use single sign-on. -### Testing single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the FirmPlay - Employee Advocacy for Recruiting tile in the Access Panel, you should get automatically signed-on to your FirmPlay - Employee Advocacy for Recruiting application. - - -## Additional resources - -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - +When you click the FirmPlay - Employee Advocacy for Recruiting tile in the Access Panel, you should be automatically signed in to the FirmPlay - Employee Advocacy for Recruiting for which you set up SSO. 
For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: ./media/firmplay-tutorial/tutorial_general_01.png -[2]: ./media/firmplay-tutorial/tutorial_general_02.png -[3]: ./media/firmplay-tutorial/tutorial_general_03.png -[4]: ./media/firmplay-tutorial/tutorial_general_04.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[100]: ./media/firmplay-tutorial/tutorial_general_100.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[200]: ./media/firmplay-tutorial/tutorial_general_200.png -[201]: ./media/firmplay-tutorial/tutorial_general_201.png -[202]: ./media/firmplay-tutorial/tutorial_general_202.png -[203]: ./media/firmplay-tutorial/tutorial_general_203.png diff --git a/articles/active-directory/saas-apps/five9-tutorial.md b/articles/active-directory/saas-apps/five9-tutorial.md index 0fb2f3633e4d6..03a83c3a0ea3f 100644 --- a/articles/active-directory/saas-apps/five9-tutorial.md +++ b/articles/active-directory/saas-apps/five9-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 88dc82ab-be0b-4017-8335-c47d00775d7b ms.service: active-directory 
@@ -12,133 +13,127 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 07/18/2017 +ms.topic: tutorial +ms.date: 04/04/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Five9 Plus Adapter (CTI, Contact Center Agents) In this tutorial, you learn how to integrate Five9 Plus Adapter (CTI, Contact Center Agents) with Azure Active Directory (Azure AD). - Integrating Five9 Plus Adapter (CTI, Contact Center Agents) with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Five9 Plus Adapter (CTI, Contact Center Agents) -- You can enable your users to automatically get signed-on to Five9 Plus Adapter (CTI, Contact Center Agents) (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Five9 Plus Adapter (CTI, Contact Center Agents). +* You can enable your users to be automatically signed-in to Five9 Plus Adapter (CTI, Contact Center Agents) (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with Five9 Plus Adapter (CTI, Contact Center Agents), you need the following items: -- An Azure AD subscription -- A Five9 Plus Adapter (CTI, Contact Center Agents) single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial here: [Trial offer](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/). +* Five9 Plus Adapter (CTI, Contact Center Agents) single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Five9 Plus Adapter (CTI, Contact Center Agents) from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Five9 Plus Adapter (CTI, Contact Center Agents) supports **IDP** initiated SSO ## Adding Five9 Plus Adapter (CTI, Contact Center Agents) from the gallery + To configure the integration of Five9 Plus Adapter (CTI, Contact Center Agents) into Azure AD, you need to add Five9 Plus Adapter (CTI, Contact Center Agents) from the gallery to your list of managed SaaS apps. **To add Five9 Plus Adapter (CTI, Contact Center Agents) from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. 
In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Five9 Plus Adapter (CTI, Contact Center Agents)**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/five9-tutorial/tutorial_five9_search.png) +4. In the search box, type **Five9 Plus Adapter (CTI, Contact Center Agents)**, select **Five9 Plus Adapter (CTI, Contact Center Agents)** from result panel then click **Add** button to add the application. -1. In the results panel, select **Five9 Plus Adapter (CTI, Contact Center Agents)**, and then click **Add** button to add the application. + ![Five9 Plus Adapter (CTI, Contact Center Agents) in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/five9-tutorial/tutorial_five9_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Five9 Plus Adapter (CTI, Contact Center Agents) based on a test user called "Britta Simon". +In this section, you configure and test Azure AD single sign-on with Five9 Plus Adapter (CTI, Contact Center Agents) based on a test user called **Britta Simon**. 
+For single sign-on to work, a link relationship between an Azure AD user and the related user in Five9 Plus Adapter (CTI, Contact Center Agents) needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Five9 Plus Adapter (CTI, Contact Center Agents) is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Five9 Plus Adapter (CTI, Contact Center Agents) needs to be established. +To configure and test Azure AD single sign-on with Five9 Plus Adapter (CTI, Contact Center Agents), you need to complete the following building blocks: -In Five9 Plus Adapter (CTI, Contact Center Agents), assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Five9 Plus Adapter (CTI, Contact Center Agents) Single Sign-On](#configure-five9-plus-adapter-cti-contact-center-agents-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Five9 Plus Adapter (CTI, Contact Center Agents) test user](#create-five9-plus-adapter-cti-contact-center-agents-test-user)** - to have a counterpart of Britta Simon in Five9 Plus Adapter (CTI, Contact Center Agents) that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with Five9 Plus Adapter (CTI, Contact Center Agents), you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. 
**[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a Five9 Plus Adapter (CTI, Contact Center Agents) test user](#creating-a-five9-plus-adapter-cti-contact-center-agents-test-user)** - to have a counterpart of Britta Simon in Five9 Plus Adapter (CTI, Contact Center Agents) that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with Five9 Plus Adapter (CTI, Contact Center Agents), perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Five9 Plus Adapter (CTI, Contact Center Agents) application. +1. In the [Azure portal](https://portal.azure.com/), on the **Five9 Plus Adapter (CTI, Contact Center Agents)** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Five9 Plus Adapter (CTI, Contact Center Agents), perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Five9 Plus Adapter (CTI, Contact Center Agents)** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. 
- - ![Configure Single Sign-On](./media/five9-tutorial/tutorial_five9_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Five9 Plus Adapter (CTI, Contact Center Agents) Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/five9-tutorial/tutorial_five9_url.png) - - a. In the **Identifier** textbox, type a URL using the following patterns: +4. On the **Set up Single Sign-On with SAML** page, perform the following steps: + + ![Five9 Plus Adapter (CTI, Contact Center Agents) Domain and URLs single sign-on information](common/idp-intiated.png) + a. In the **Identifier** text box, type a URL using the following pattern: + | Environment | URL | | :-- | :-- | | For “Five9 Plus Adapter for Microsoft Dynamics CRM” | `https://app.five9.com/appsvcs/saml/metadata/alias/msdc` | | For “Five9 Plus Adapter for Zendesk” | `https://app.five9.com/appsvcs/saml/metadata/alias/zd` | | For “Five9 Plus Adapter for Agent Desktop Toolkit” | `https://app.five9.com/appsvcs/saml/metadata/alias/adt` | - b. In the **Reply URL** textbox, type a URL using the following pattern: + b. In the **Reply URL** text box, type a URL using the following pattern: - | Environment | URL | + | Environment | URL | | :-- | :-- | | For “Five9 Plus Adapter for Microsoft Dynamics CRM” | `https://app.five9.com/appsvcs/saml/SSO/alias/msdc` | | For “Five9 Plus Adapter for Zendesk” | `https://app.five9.com/appsvcs/saml/SSO/alias/zd` | | For “Five9 Plus Adapter for Agent Desktop Toolkit” | `https://app.five9.com/appsvcs/saml/SSO/alias/adt` | -1. On the **SAML Signing Certificate** section, click **Certificate(Base64)** and then save the certificate file on your computer. +6. 
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On](./media/five9-tutorial/tutorial_five9_certificate.png) + ![The Certificate download link](common/certificatebase64.png) -1. Click **Save** button. +7. On the **Set up Five9 Plus Adapter (CTI, Contact Center Agents)** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On](./media/five9-tutorial/tutorial_general_400.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. On the **Five9 Plus Adapter (CTI, Contact Center Agents) Configuration** section, click **Configure Five9 Plus Adapter (CTI, Contact Center Agents)** to open **Configure sign-on** window. Copy the **Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** from the **Quick Reference section.** + a. Login URL - ![Configure Single Sign-On](./media/five9-tutorial/tutorial_five9_configure.png) + b. Azure AD Identifier -1. To configure single sign-on on **Five9 Plus Adapter (CTI, Contact Center Agents)** side, you need to send the downloaded **Certificate(Base64), Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** to [Five9 Plus Adapter (CTI, Contact Center Agents) support team](https://www.five9.com/about/contact). Also additionally, for configuring SSO further please follow the below steps according to the adapter: + c. Logout URL + +### Configure Five9 Plus Adapter (CTI, Contact Center Agents) Single Sign-On + +1. To configure single sign-on on **Five9 Plus Adapter (CTI, Contact Center Agents)** side, you need to send the downloaded **Certificate(Base64)** and appropriate copied URL(s) to [Five9 Plus Adapter (CTI, Contact Center Agents) support team](https://www.five9.com/about/contact). 
Also additionally, for configuring SSO further please follow the below steps according to the adapter: a. “Five9 Plus Adapter for Agent Desktop Toolkit” Admin Guide: [https://webapps.five9.com/assets/files/for_customers/documentation/integrations/agent-desktop-toolkit/plus-agent-desktop-toolkit-administrators-guide.pdf](https://webapps.five9.com/assets/files/for_customers/documentation/integrations/agent-desktop-toolkit/plus-agent-desktop-toolkit-administrators-guide.pdf) 
@@ -146,99 +141,71 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf c. “Five9 Plus Adapter for Zendesk” Admin Guide: [https://webapps.five9.com/assets/files/for_customers/documentation/integrations/zendesk/zendesk-plus-administrators-guide.pdf](https://webapps.five9.com/assets/files/for_customers/documentation/integrations/zendesk/zendesk-plus-administrators-guide.pdf) +### Create an Azure AD test user -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> - -### Creating an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. -![Create Azure AD User][100] +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -**To create a test user in Azure AD, perform the following steps:** + ![The "Users and groups" and "All users" links](common/users.png) -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. - - ![Creating an Azure AD test user](./media/five9-tutorial/create_aaduser_01.png) - -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/five9-tutorial/create_aaduser_02.png) +2. Select **New user** at the top of the screen. -1. To open the **User** dialog, click **Add** on the top of the dialog. 
- - ![Creating an Azure AD test user](./media/five9-tutorial/create_aaduser_03.png) + ![New user Button](common/new-user.png) -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/five9-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** textbox, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - c. Select **Show Password** and write down the value of the **Password**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Creating a Five9 Plus Adapter (CTI, Contact Center Agents) test user -In this section, you create a user called Britta Simon in Five9 Plus Adapter (CTI, Contact Center Agents). Work with [Five9 Plus Adapter (CTI, Contact Center Agents) support team](https://www.five9.com/about/contact) to add the users in the Five9 Plus Adapter (CTI, Contact Center Agents) platform. Users must be created and activated before you use single sign-on. - -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Five9 Plus Adapter (CTI, Contact Center Agents). -![Assign User][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Five9 Plus Adapter (CTI, Contact Center Agents)**. -**To assign Britta Simon to Five9 Plus Adapter (CTI, Contact Center Agents), perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. 
In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **Five9 Plus Adapter (CTI, Contact Center Agents)**. - ![Assign User][201] + ![The Five9 Plus Adapter (CTI, Contact Center Agents) link in the Applications list](common/all-applications.png) -1. In the applications list, select **Five9 Plus Adapter (CTI, Contact Center Agents)**. +3. In the menu on the left, select **Users and groups**. - ![Configure Single Sign-On](./media/five9-tutorial/tutorial_five9_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![Assign User][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create Five9 Plus Adapter (CTI, Contact Center Agents) test user -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +In this section, you create a user called Britta Simon in Five9 Plus Adapter (CTI, Contact Center Agents). 
Work with [Five9 Plus Adapter (CTI, Contact Center Agents) support team](https://www.five9.com/about/contact) to add the users in the Five9 Plus Adapter (CTI, Contact Center Agents) platform. Users must be created and activated before you use single sign-on. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +### Test single sign-on -When you click the Five9 Plus Adapter (CTI, Contact Center Agents) tile in the Access Panel, you should get automatically signed-on to your Five9 Plus Adapter (CTI, Contact Center Agents) application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). - -## Additional resources +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +When you click the Five9 Plus Adapter (CTI, Contact Center Agents tile in the Access Panel, you should be automatically signed in to the Five9 Plus Adapter (CTI, Contact Center Agents) for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
- +## Additional Resources -[1]: ./media/five9-tutorial/tutorial_general_01.png -[2]: ./media/five9-tutorial/tutorial_general_02.png -[3]: ./media/five9-tutorial/tutorial_general_03.png -[4]: ./media/five9-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/five9-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/five9-tutorial/tutorial_general_200.png -[201]: ./media/five9-tutorial/tutorial_general_201.png -[202]: ./media/five9-tutorial/tutorial_general_202.png -[203]: ./media/five9-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/floqast-tutorial.md b/articles/active-directory/saas-apps/floqast-tutorial.md index 264904f1ab948..e23ec46b920fc 100644 --- a/articles/active-directory/saas-apps/floqast-tutorial.md +++ b/articles/active-directory/saas-apps/floqast-tutorial.md 
@@ -231,9 +231,9 @@ When you click the FloQast tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/fluxxlabs-tutorial.md b/articles/active-directory/saas-apps/fluxxlabs-tutorial.md
index 0ff042658acc5..7810d11c9aa06 100644
--- a/articles/active-directory/saas-apps/fluxxlabs-tutorial.md
+++ b/articles/active-directory/saas-apps/fluxxlabs-tutorial.md
@@ -4,149 +4,147 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: d8fac770-bb57-4e1f-b50b-9ffeae239d07 ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/20/2018 +ms.topic: tutorial +ms.date: 04/01/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Fluxx Labs In this tutorial, you learn how to integrate Fluxx Labs with Azure Active Directory (Azure AD). - Integrating Fluxx Labs with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Fluxx Labs. -- You can enable your users to automatically get signed-on to Fluxx Labs (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Fluxx Labs. +* You can enable your users to be automatically signed-in to Fluxx Labs (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with Fluxx Labs, you need the following items: -- An Azure AD subscription -- A Fluxx Labs single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Fluxx Labs single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Fluxx Labs from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Fluxx Labs supports **IDP** initiated SSO ## Adding Fluxx Labs from the gallery + To configure the integration of Fluxx Labs into Azure AD, you need to add Fluxx Labs from the gallery to your list of managed SaaS apps. **To add Fluxx Labs from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. 
- ![The Enterprise applications blade][2] + ![The Enterprise applications blade](common/enterprise-applications.png) -1. To add new application, click **New application** button on the top of dialog. +3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) -1. In the search box, type **Fluxx Labs**, select **Fluxx Labs** from result panel then click **Add** button to add the application. +4. In the search box, type **Fluxx Labs**, select **Fluxx Labs** from result panel then click **Add** button to add the application. - ![Fluxx Labs in the results list](./media/fluxxlabs-tutorial/tutorial_fluxxlabs_addfromgallery.png) + ![Fluxx Labs in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Fluxx Labs based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Fluxx Labs is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Fluxx Labs needs to be established. - -In Fluxx Labs, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with Fluxx Labs based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Fluxx Labs needs to be established. To configure and test Azure AD single sign-on with Fluxx Labs, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. 
**[Create a Fluxx Labs test user](#create-a-fluxx-labs-test-user)** - to have a counterpart of Britta Simon in Fluxx Labs that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure Fluxx Labs Single Sign-On](#configure-fluxx-labs-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Fluxx Labs test user](#create-fluxx-labs-test-user)** - to have a counterpart of Britta Simon in Fluxx Labs that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Fluxx Labs application. +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with Fluxx Labs, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **Fluxx Labs** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Fluxx Labs, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Fluxx Labs** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. 
- ![Configure single sign-on link][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Single sign-on dialog box](./media/fluxxlabs-tutorial/tutorial_fluxxlabs_samlbase.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. On the **Fluxx Labs Domain and URLs** section, perform the following steps: +4. On the **Set up Single Sign-On with SAML** page, perform the following steps: - ![Fluxx Labs Domain and URLs single sign-on information](./media/fluxxlabs-tutorial/tutorial_fluxxlabs_url.png) + ![Fluxx Labs Domain and URLs single sign-on information](common/idp-intiated.png) - a. In the **Identifier** textbox, type a URL using the following pattern: + a. In the **Identifier** text box, type a URL using the following pattern: - | Environment | URL Pattern| + | Environment | URL Pattern| |-------------|------------| | Production | `https://.fluxx.io` | | Pre production | `https://.preprod.fluxxlabs.com`| - - b. In the **Reply URL** textbox, type a URL using the following pattern: - | Environment | URL Pattern| + b. In the **Reply URL** text box, type a URL using the following pattern: + + | Environment | URL Pattern| |-------------|------------| | Production | `https://.fluxx.io/auth/saml/callback` | | Pre production | `https://.preprod.fluxxlabs.com/auth/saml/callback`| > [!NOTE] - > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Fluxx Labs support team](mailto:travis@fluxxlabs.com) to get these values. + > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Fluxx Labs Client support team](mailto:travis@fluxxlabs.com) to get these values. 
You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/certificatebase64.png) -1. On the **SAML Signing Certificate** section, click **Certificate (Base64)** and then save the certificate file on your computer. +6. On the **Set up Fluxx Labs** section, copy the appropriate URL(s) as per your requirement. - ![The Certificate download link](./media/fluxxlabs-tutorial/tutorial_fluxxlabs_certificate.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. Click **Save** button. + a. Login URL - ![Configure Single Sign-On Save button](./media/fluxxlabs-tutorial/tutorial_general_400.png) + b. Azure AD Identifier -1. On the **Fluxx Labs Configuration** section, click **Configure Fluxx Labs** to open **Configure sign-on** window. Copy the **SAML Single Sign-On Service URL** from the **Quick Reference section.** + c. Logout URL - ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/tutorial_fluxxlabs_configure.png) +### Configure Fluxx Labs Single Sign-On -1. In a different web browser window, sign on to your Fluxx Labs company site as administrator. +1. In a different web browser window, sign in to your Fluxx Labs company site as administrator. -1. Select **Admin** below the **Settings** section. +2. Select **Admin** below the **Settings** section. ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/config1.png) -1. In the Admin Panel, Select **Plug-ins** > **Integrations** and then select **SAML SSO-(Disabled)** +3. In the Admin Panel, Select **Plug-ins** > **Integrations** and then select **SAML SSO-(Disabled)** ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/config2.png) -1. 
In the attribute section, perform the following steps: +4. In the attribute section, perform the following steps: ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/config3.png) @@ -160,7 +158,7 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf e. In the **Audience(SP Entity ID)** textbox, enter the **Identifier** value, which you have entered in the Azure portal. - f. In the **Identity Provider SSO Target URL** textbox, paste the **SAML Single Sign-On Service URL** value, which you have copied from the Azure portal. + f. In the **Identity Provider SSO Target URL** textbox, paste the **Login URL** value, which you have copied from the Azure portal. g. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **Identity Provider Certificate** textbox. 
@@ -171,114 +169,91 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf > [!NOTE] > Once the content saved, the field will appear blank for security, but the value has been saved in the configuration. -### Create an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![Create an Azure AD test user][100] - -**To create a test user in Azure AD, perform the following steps:** - -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![The Azure Active Directory button](./media/fluxxlabs-tutorial/create_aaduser_01.png) + ![The "Users and groups" and "All users" links](common/users.png) -1. To display the list of users, go to **Users and groups**, and then click **All users**. +2. Select **New user** at the top of the screen. - ![The "Users and groups" and "All users" links](./media/fluxxlabs-tutorial/create_aaduser_02.png) + ![New user Button](common/new-user.png) -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. +3. In the User properties, perform the following steps. - ![The Add button](./media/fluxxlabs-tutorial/create_aaduser_03.png) + ![The User dialog box](common/user-properties.png) -1. In the **User** dialog box, perform the following steps: - - ![The User dialog box](./media/fluxxlabs-tutorial/create_aaduser_04.png) - - a. In the **Name** box, type **BrittaSimon**. - - b. In the **User name** box, type the email address of user Britta Simon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. 
Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Create a Fluxx Labs test user -To enable Azure AD users to log in to Fluxx Labs, they must be provisioned into Fluxx Labs. In the case of Fluxx Labs, provisioning is a manual task. +### Assign the Azure AD test user -**To provision a user account, perform the following steps:** +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Fluxx Labs. -1. Log in to your Fluxx Labs company site as an administrator. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Fluxx Labs**. -1. Click on the below displayed **icon**. + ![Enterprise applications blade](common/enterprise-applications.png) - ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/config6.png) +2. In the applications list, select **Fluxx Labs**. -1. On the dashboard, click on the below displayed icon to open the **New PEOPLE** card. + ![The Fluxx Labs link in the Applications list](common/all-applications.png) - ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/config4.png) +3. In the menu on the left, select **Users and groups**. -1. On the **NEW PEOPLE** section, perform the following steps: + ![The "Users and groups" link](common/users-groups-blade.png) - ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/config5.png) +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - a. Fluxx Labs use email as the unique identifier for SSO logins. Populate the **SSO UID** field with the user’s email address, that matches the email address, which they are using as login with SSO. + ![The Add Assignment pane](common/add-assign-user.png) - b. Click **Save**. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -### Assign the Azure AD test user +6. 
If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Fluxx Labs. - -![Assign the user role][200] +7. In the **Add Assignment** dialog click the **Assign** button. -**To assign Britta Simon to Fluxx Labs, perform the following steps:** +### Create Fluxx Labs test user -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +To enable Azure AD users to sign in to Fluxx Labs, they must be provisioned into Fluxx Labs. In the case of Fluxx Labs, provisioning is a manual task. - ![Assign User][201] +**To provision a user account, perform the following steps:** -1. In the applications list, select **Fluxx Labs**. +1. Sign in to your Fluxx Labs company site as an administrator. - ![The Fluxx Labs link in the Applications list](./media/fluxxlabs-tutorial/tutorial_fluxxlabs_app.png) +2. Click on the below displayed **icon**. -1. In the menu on the left, click **Users and groups**. + ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/config6.png) - ![The "Users and groups" link][202] +3. On the dashboard, click on the below displayed icon to open the **New PEOPLE** card. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. + ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/config4.png) - ![The Add Assignment pane][203] +4. On the **NEW PEOPLE** section, perform the following steps: -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. + ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/config5.png) -1. Click **Select** button on **Users and groups** dialog. + a. Fluxx Labs use email as the unique identifier for SSO logins. 
Populate the **SSO UID** field with the user’s email address, that matches the email address, which they are using as login with SSO. -1. Click **Assign** button on **Add Assignment** dialog. + b. Click **Save**. -### Test single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the Fluxx Labs tile in the Access Panel, you should get automatically signed-on to your Fluxx Labs application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). - -## Additional resources +When you click the Fluxx Labs tile in the Access Panel, you should be automatically signed in to the Fluxx Labs for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: ./media/fluxxlabs-tutorial/tutorial_general_01.png -[2]: ./media/fluxxlabs-tutorial/tutorial_general_02.png -[3]: ./media/fluxxlabs-tutorial/tutorial_general_03.png -[4]: ./media/fluxxlabs-tutorial/tutorial_general_04.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[100]: ./media/fluxxlabs-tutorial/tutorial_general_100.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 
-[200]: ./media/fluxxlabs-tutorial/tutorial_general_200.png -[201]: ./media/fluxxlabs-tutorial/tutorial_general_201.png -[202]: ./media/fluxxlabs-tutorial/tutorial_general_202.png -[203]: ./media/fluxxlabs-tutorial/tutorial_general_203.png diff --git a/articles/active-directory/saas-apps/fm-systems-tutorial.md b/articles/active-directory/saas-apps/fm-systems-tutorial.md index 66e44279de407..14153d46d3a49 100644 --- a/articles/active-directory/saas-apps/fm-systems-tutorial.md +++ b/articles/active-directory/saas-apps/fm-systems-tutorial.md 
@@ -4,236 +4,208 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: f78c58c5-6e98-458b-8991-78624a245665 ms.service: active-directory -ms.subservice: saas-app-tutorial +ms.workload: identity ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/17/2017 +ms.topic: tutorial +ms.date: 04/05/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with FM:Systems In this tutorial, you learn how to integrate FM:Systems with Azure Active Directory (Azure AD). - Integrating FM:Systems with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to FM:Systems -- You can enable your users to automatically get signed-on to FM:Systems (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to FM:Systems. +* You can enable your users to be automatically signed-in to FM:Systems (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with FM:Systems, you need the following items: -- An Azure AD subscription -- An FM:Systems single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* FM:Systems single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding FM:Systems from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* FM:Systems supports **IDP** initiated SSO ## Adding FM:Systems from the gallery + To configure the integration of FM:Systems into Azure AD, you need to add FM:Systems from the gallery to your list of managed SaaS apps. **To add FM:Systems from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - - ![Active Directory][1] +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. -1. Navigate to **Enterprise applications**. Then go to **All applications**. - - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Azure Active Directory button](common/select-azuread.png) - ![Applications][3] +2. 
Navigate to **Enterprise Applications** and then select the **All Applications** option. -1. In the search box, type **FM:Systems**. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Creating an Azure AD test user](./media/fm-systems-tutorial/tutorial_fmsystems_search.png) +3. To add new application, click **New application** button on the top of dialog. -1. In the results panel, select **FM:Systems**, and then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/fm-systems-tutorial/tutorial_fmsystems_addfromgallery.png) +4. In the search box, type **FM:Systems**, select **FM:Systems** from result panel then click **Add** button to add the application. -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with FM:Systems based on a test user called "Britta Simon". + ![FM:Systems in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know what the counterpart user in FM:Systems is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in FM:Systems needs to be established. +## Configure and test Azure AD single sign-on -In FM:Systems, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with FM:Systems based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in FM:Systems needs to be established. To configure and test Azure AD single sign-on with FM:Systems, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. 
**[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating an FM:Systems test user](#creating-an-fmsystems-test-user)** - to have a counterpart of Britta Simon in FM:Systems that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure FM:Systems Single Sign-On](#configure-fmsystems-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create FM:Systems test user](#create-fmsystems-test-user)** - to have a counterpart of Britta Simon in FM:Systems that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your FM:Systems application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with FM:Systems, perform the following steps:** +To configure Azure AD single sign-on with FM:Systems, perform the following steps: -1. In the Azure portal, on the **FM:Systems** application integration page, click **Single sign-on**. +1. 
In the [Azure portal](https://portal.azure.com/), on the **FM:Systems** application integration page, select **Single sign-on**. - ![Configure Single Sign-On][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/fm-systems-tutorial/tutorial_fmsystems_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. On the **FM:Systems Domain and URLs** section, perform the following steps: + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On](./media/fm-systems-tutorial/tutorial_fmsystems_url.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - In the **Reply URL** textbox, type your FM:Systems **Reply URL**, type the URL using the following pattern: `https://.fmshosted.com/fminteract/ConsumerService2.aspx` + ![Edit Basic SAML Configuration](common/edit-urls.png) - > [!NOTE] - > This value is not real. Update this value with the actual Reply URL. Contact [FM:Systems support team](https://fmsystems.com/ask-us/) to get this value. - -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. +4. On the **Basic SAML Configuration** section, perform the following steps: - ![Configure Single Sign-On](./media/fm-systems-tutorial/tutorial_fmsystems_certificate.png) + ![FM:Systems Domain and URLs single sign-on information](common/both-replyurl.png) -1. Click **Save** button. + In the **Reply URL** text box, type a URL using the following pattern: + `https://.fmshosted.com/fminteract/ConsumerService2.aspx` + + > [!NOTE] + > This value is not real. Update this value with the actual Reply URL. Contact [FM:Systems Client support team](https://fmsystems.com/ask-us/) to get the value. 
You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - ![Configure Single Sign-On](./media/fm-systems-tutorial/tutorial_general_400.png) +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -1. To configure single sign-on on **FM:Systems** side, you need to send the downloaded **Metadata XML** to [FM:Systems support team](https://fmsystems.com/ask-us/). They set this setting to have the SAML SSO connection set properly on both sides. You will get a notification when SSO has been enabled for your subscription. + ![The Certificate download link](common/metadataxml.png) -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) +6. On the **Set up FM:Systems** section, copy the appropriate URL(s) as per your requirement. -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + ![Copy configuration URLs](common/copy-configuration-urls.png) -![Create Azure AD User][100] + a. Login URL -**To create a test user in Azure AD, perform the following steps:** + b. Azure AD Identifier -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. + c. 
Logout URL - ![Creating an Azure AD test user](./media/fm-systems-tutorial/create_aaduser_01.png) +### Configure FM:Systems Single Sign-On -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/fm-systems-tutorial/create_aaduser_02.png) +To configure single sign-on on **FM:Systems** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [FM:Systems support team](https://fmsystems.com/ask-us/). They set this setting to have the SAML SSO connection set properly on both sides. -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/fm-systems-tutorial/create_aaduser_03.png) +### Create an Azure AD test user -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/fm-systems-tutorial/create_aaduser_04.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. - a. In the **Name** textbox, type **BrittaSimon**. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - b. In the **User name** textbox, type the **email address** of BrittaSimon. + ![The "Users and groups" and "All users" links](common/users.png) - c. Select **Show Password** and write down the value of the **Password**. +2. Select **New user** at the top of the screen. - d. Click **Create**. - -### Creating an FM:Systems test user + ![New user Button](common/new-user.png) -1. In a web browser window, log into your FM:Systems company site as an administrator. +3. In the User properties, perform the following steps. -1. Go to **System Administration \> Manage Security \> Users \> User list**. - - ![System Administration](./media/fm-systems-tutorial/ic795905.png "System Administration") + ![The User dialog box](common/user-properties.png) -1. 
Click **Create new user**. - - ![Create New User](./media/fm-systems-tutorial/ic795906.png "Create New User") + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com -1. In the **Create User** section, perform the following steps: - - ![Create User](./media/fm-systems-tutorial/ic795907.png "Create User") - - a. Type the **UserName**, the **Password**, **Confirm Password**, **E-mail** and the **Employee ID** of a valid Azure Active Directory account you want to provision into the related textboxes. - - b. Click **Next**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -### Assigning the Azure AD test user + d. Click **Create**. + +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to FM:Systems. -![Assign User][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **FM:Systems**. -**To assign Britta Simon to FM:Systems, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **FM:Systems**. - ![Assign User][201] + ![The FM:Systems link in the Applications list](common/all-applications.png) -1. In the applications list, select **FM:Systems**. +3. In the menu on the left, select **Users and groups**. - ![Configure Single Sign-On](./media/fm-systems-tutorial/tutorial_fmsystems_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. 
- ![Assign User][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![Assign User][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create FM:Systems test user -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +1. In a web browser window, sign into your FM:Systems company site as an administrator. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +2. Go to **System Administration \> Manage Security \> Users \> User list**. + + ![System Administration](./media/fm-systems-tutorial/ic795905.png "System Administration") -When you click the FM:Systems tile in the Access Panel, you should get automatically signed-on to your FM:Systems application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +3. Click **Create new user**. + + ![Create New User](./media/fm-systems-tutorial/ic795906.png "Create New User") -## Additional resources +4. In the **Create User** section, perform the following steps: + + ![Create User](./media/fm-systems-tutorial/ic795907.png "Create User") + + a. Type the **UserName**, the **Password**, **Confirm Password**, **E-mail** and the **Employee ID** of a valid Azure Active Directory account you want to provision into the related textboxes. + + b. 
Click **Next**. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the FM:Systems tile in the Access Panel, you should be automatically signed in to the FM:Systems for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/fm-systems-tutorial/tutorial_general_01.png -[2]: ./media/fm-systems-tutorial/tutorial_general_02.png -[3]: ./media/fm-systems-tutorial/tutorial_general_03.png -[4]: ./media/fm-systems-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/fm-systems-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/fm-systems-tutorial/tutorial_general_200.png -[201]: ./media/fm-systems-tutorial/tutorial_general_201.png -[202]: ./media/fm-systems-tutorial/tutorial_general_202.png -[203]: ./media/fm-systems-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/foreseecxsuite-tutorial.md b/articles/active-directory/saas-apps/foreseecxsuite-tutorial.md index fbc9dc64eb288..31b0616437b23 100644 --- a/articles/active-directory/saas-apps/foreseecxsuite-tutorial.md 
+++ b/articles/active-directory/saas-apps/foreseecxsuite-tutorial.md @@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 5f4b7830-6186-4d17-b77b-504d4192bfde ms.service: active-directory 
@@ -13,219 +13,197 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 05/24/2018 +ms.topic: tutorial +ms.date: 04/01/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with ForeSee CX Suite In this tutorial, you learn how to integrate ForeSee CX Suite with Azure Active Directory (Azure AD). - Integrating ForeSee CX Suite with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to ForeSee CX Suite. -- You can enable your users to automatically get signed-on to ForeSee CX Suite (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to ForeSee CX Suite. +* You can enable your users to be automatically signed-in to ForeSee CX Suite (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with ForeSee CX Suite, you need the following items: -- An Azure AD subscription -- A ForeSee CX Suite single sign-on enabled subscription +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* ForeSee CX Suite single sign-on enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +## Scenario description -To test the steps in this tutorial, you should follow these recommendations: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* ForeSee CX Suite supports **SP** initiated SSO -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: - -1. Adding ForeSee CX Suite from the gallery -1. Configuring and testing Azure AD single sign-on +* ForeSee CX Suite supports **Just In Time** user provisioning ## Adding ForeSee CX Suite from the gallery + To configure the integration of ForeSee CX Suite into Azure AD, you need to add ForeSee CX Suite from the gallery to your list of managed SaaS apps. **To add ForeSee CX Suite from the gallery, perform the following steps:** 1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] + ![The Enterprise applications blade](common/enterprise-applications.png) -1. To add new application, click **New application** button on the top of dialog. +3. 
To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) -1. In the search box, type **ForeSee CX Suite**, select **ForeSee CX Suite** from result panel then click **Add** button to add the application. +4. In the search box, type **ForeSee CX Suite**, select **ForeSee CX Suite** from result panel then click **Add** button to add the application. - ![ForeSee CX Suite in the results list](./media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_addfromgallery.png) + ![ForeSee CX Suite in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with ForeSee CX Suite based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in ForeSee CX Suite is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in ForeSee CX Suite needs to be established. +In this section, you configure and test Azure AD single sign-on with ForeSee CX Suite based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in ForeSee CX Suite needs to be established. To configure and test Azure AD single sign-on with ForeSee CX Suite, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a ForeSee CX Suite test user](#create-a-foresee-cx-suite-test-user)** - to have a counterpart of Britta Simon in ForeSee CX Suite that is linked to the Azure AD representation of user. -1. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure ForeSee CX Suite Single Sign-On](#configure-foresee-cx-suite-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create ForeSee CX Suite test user](#create-foresee-cx-suite-test-user)** - to have a counterpart of Britta Simon in ForeSee CX Suite that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your ForeSee CX Suite application. +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with ForeSee CX Suite, perform the following steps: -**To configure Azure AD single sign-on with ForeSee CX Suite, perform the following steps:** +1. In the [Azure portal](https://portal.azure.com/), on the **ForeSee CX Suite** application integration page, select **Single sign-on**. -1. In the Azure portal, on the **ForeSee CX Suite** application integration page, click **Single sign-on**. + ![Configure single sign-on link](common/select-sso.png) - ![Configure single sign-on link][4] +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. 
+ ![Single sign-on select mode](common/select-saml-option.png) - ![Single sign-on dialog box](./media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **ForeSee CX Suite Domain and URLs** section, if you have **Service Provider metadata file**, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![ForeSee CX Suite Domain and URLs single sign-on information](./media/foreseecxsuite-tutorial/upload.png) +4. On the **Basic SAML Configuration** section, if you have **Service Provider metadata file**, perform the following steps: a. Click **Upload metadata file**. - ![ForeSee CX Suite Domain and URLs single sign-on information](./media/foreseecxsuite-tutorial/tutorial_foreseen_uploadconfig.png) + ![Upload metadata file](common/upload-metadata.png) b. Click on **folder logo** to select the metadata file and click **Upload**. - c. After successful completion of uploading **Service Provider metadata file** the **Identifier** value get auto populated in **ForeSee CX Suite Domain and URLs** section textbox as shown below: + ![choose metadata file](common/browse-upload-metadata.png) - ![ForeSee CX Suite Domain and URLs single sign-on information](./media/foreseecxsuite-tutorial/urlupload.png) + c. After the metadata file is successfully uploaded, the **Identifier** value gets auto populated in Basic SAML Configuration section. -1. If you don't have **Service Provider metadata file**, perform the following steps: + ![ForeSee CX Suite Domain and URLs single sign-on information](common/sp-identifier.png) - ![ForeSee CX Suite Domain and URLs single sign-on information](./media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_url.png) + a. In the **Sign-on URL** text box, type a URL: + `https://cxsuite.foresee.com/` - a. In the **Sign-on URL** textbox, type the URL: `https://cxsuite.foresee.com/` + b. 
In the **Identifier** textbox, type a URL using the following pattern: https://www.okta.com/saml2/service-provider/ - b. In the **Identifier** textbox, type a URL using the following pattern: `https://www.okta.com/saml2/service-provider/` + > [!Note] + > If the **Identifier** value do not get auto polulated, then please fill in the value manually according to above pattern. The Identifier value is not real. Update this value with the actual Identifier. Contact [ForeSee CX Suite Client support team](mailto:support@foresee.com) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - > [!NOTE] - > The Identifier value is not real. Update this value with the actual Identifier. Contact [ForeSee CX Suite Client support team](mailto:support@foresee.com) to get this value. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + ![The Certificate download link](common/metadataxml.png) - ![The Certificate download link](./media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_certificate.png) +6. On the **Set up ForeSee CX Suite** section, copy the appropriate URL(s) as per your requirement. -1. Click **Save** button. + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![Configure Single Sign-On Save button](./media/foreseecxsuite-tutorial/tutorial_general_400.png) + a. Login URL -1. To configure single sign-on on **ForeSee CX Suite** side, you need to send the downloaded **Metadata XML** to [ForeSee CX Suite support team](mailto:support@foresee.com). They set this setting to have the SAML SSO connection set properly on both sides. + b. 
Azure AD Identifier -### Create an Azure AD test user - -The objective of this section is to create a test user in the Azure portal called Britta Simon. + c. Logout URL - ![Create an Azure AD test user][100] +### Configure ForeSee CX Suite Single Sign-On -**To create a test user in Azure AD, perform the following steps:** +To configure single sign-on on **ForeSee CX Suite** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [ForeSee CX Suite support team](mailto:support@foresee.com). They set this setting to have the SAML SSO connection set properly on both sides. -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +### Create an Azure AD test user - ![The Azure Active Directory button](./media/foreseecxsuite-tutorial/create_aaduser_01.png) - -1. To display the list of users, go to **Users and groups**, and then click **All users**. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![The "Users and groups" and "All users" links](./media/foreseecxsuite-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Add button](./media/foreseecxsuite-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -1. In the **User** dialog box, perform the following steps: + ![New user Button](common/new-user.png) - ![The User dialog box](./media/foreseecxsuite-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** box, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** box, type the email address of user Britta Simon. + a. 
In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. -### Create a ForeSee CX Suite test user - -In this section, you create a user called Britta Simon in ForeSee CX Suite. Work with [ForeSee CX Suite support team](mailto:support@foresee.com) to add the users or the domain which is needed to be whitelisted in the ForeSee CX Suite platform. If the domain is added by the team, users will get automatically provisioned to the ForeSee CX Suite platform. Users must be created and activated before you use single sign-on. - ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to ForeSee CX Suite. -![Assign the user role][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **ForeSee CX Suite**. -**To assign Britta Simon to ForeSee CX Suite, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **ForeSee CX Suite**. - ![Assign User][201] + ![The ForeSee CX Suite link in the Applications list](common/all-applications.png) -1. In the applications list, select **ForeSee CX Suite**. +3. In the menu on the left, select **Users and groups**. - ![The ForeSee CX Suite link in the Applications list](./media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. 
In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The "Users and groups" link][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create ForeSee CX Suite test user -1. Click **Assign** button on **Add Assignment** dialog. +In this section, you create a user called Britta Simon in ForeSee CX Suite. Work with [ForeSee CX Suite support team](mailto:support@foresee.com) to add the users or the domain which is needed to be whitelisted in the ForeSee CX Suite platform. If the domain is added by the team, users will get automatically provisioned to the ForeSee CX Suite platform. Users must be created and activated before you use single sign-on. -### Test single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the ForeSee CX Suite tile in the Access Panel, you should get automatically signed-on to your ForeSee CX Suite application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). 
- -## Additional resources - -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +When you click the ForeSee CX Suite tile in the Access Panel, you should be automatically signed in to the ForeSee CX Suite for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/foreseecxsuite-tutorial/tutorial_general_01.png -[2]: ./media/foreseecxsuite-tutorial/tutorial_general_02.png -[3]: ./media/foreseecxsuite-tutorial/tutorial_general_03.png -[4]: ./media/foreseecxsuite-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/foreseecxsuite-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/foreseecxsuite-tutorial/tutorial_general_200.png -[201]: ./media/foreseecxsuite-tutorial/tutorial_general_201.png -[202]: ./media/foreseecxsuite-tutorial/tutorial_general_202.png -[203]: ./media/foreseecxsuite-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/fulcrum-tutorial.md b/articles/active-directory/saas-apps/fulcrum-tutorial.md index 47020da4a916b..2fd18dbae0e23 100644 --- a/articles/active-directory/saas-apps/fulcrum-tutorial.md +++ b/articles/active-directory/saas-apps/fulcrum-tutorial.md 
@@ -226,9 +226,9 @@ When you click the Fulcrum tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/getthere-tutorial.md b/articles/active-directory/saas-apps/getthere-tutorial.md
index aea1ec1c4a46a..49928caa24a5e 100644
--- a/articles/active-directory/saas-apps/getthere-tutorial.md
+++ b/articles/active-directory/saas-apps/getthere-tutorial.md
@@ -226,9 +226,9 @@ When you click the GetThere tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/github-provisioning-tutorial.md b/articles/active-directory/saas-apps/github-provisioning-tutorial.md
index a4adde79ec7f1..70856051b973e 100644
--- a/articles/active-directory/saas-apps/github-provisioning-tutorial.md
+++ b/articles/active-directory/saas-apps/github-provisioning-tutorial.md
@@ -14,24 +14,22 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/26/2018 +ms.date: 03/27/2019 ms.author: asmalser-msft ms.collection: M365-identity-device-management --- - # Tutorial: Configure GitHub for automatic user provisioning - -The objective of this tutorial is to show you the steps you need to perform in GitHub and Azure AD to automatically provision and de-provision user accounts from Azure AD to GitHub. +The objective of this tutorial is to show you the steps you need to perform in GitHub and Azure AD to automatically provision and de-provision user accounts from Azure AD to GitHub. ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following items: -* An Azure Active directory tenant -* A GitHub organization created in [GitHub Enterprise Cloud](https://help.github.com/articles/github-s-products/#github-enterprise), which requires the [GitHub Enterprise billing plan](https://help.github.com/articles/github-s-billing-plans/#billing-plans-for-organizations) -* A user account in GitHub with Admin permissions to the organization +* An Azure Active directory tenant +* A GitHub organization created in [GitHub Enterprise Cloud](https://help.github.com/articles/github-s-products/#github-enterprise), which requires the [GitHub Enterprise billing plan](https://help.github.com/articles/github-s-billing-plans/#billing-plans-for-organizations) +* A user account in GitHub with Admin permissions to the organization > [!NOTE] > The Azure AD provisioning integration relies on the [GitHub SCIM API](https://developer.github.com/v3/scim/), which is available to [GitHub Enterprise Cloud](https://help.github.com/articles/github-s-products/#github-enterprise) customers on the [GitHub Enterprise billing plan](https://help.github.com/articles/github-s-billing-plans/#billing-plans-for-organizations). 
@@ -46,22 +44,19 @@ Before configuring and enabling the provisioning service, you need to decide wha ### Important tips for assigning users to GitHub -* It is recommended that a single Azure AD user is assigned to GitHub to test the provisioning configuration. Additional users and/or groups may be assigned later. - -* When assigning a user to GitHub, you must select either the **User** role, or another valid application-specific role (if available) in the assignment dialog. The **Default Access** role does not work for provisioning, and these users are skipped. +* It is recommended that a single Azure AD user is assigned to GitHub to test the provisioning configuration. Additional users and/or groups may be assigned later. +* When assigning a user to GitHub, you must select either the **User** role, or another valid application-specific role (if available) in the assignment dialog. The **Default Access** role does not work for provisioning, and these users are skipped. -## Configuring user provisioning to GitHub +## Configuring user provisioning to GitHub This section guides you through connecting your Azure AD to GitHub's user account provisioning API, and configuring the provisioning service to create, update, and disable assigned user accounts in GitHub based on user and group assignment in Azure AD. > [!TIP] > You may also choose to enabled SAML-based Single Sign-On for GitHub, following the instructions provided in [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other. - ### Configure automatic user account provisioning to GitHub in Azure AD - 1. In the [Azure portal](https://portal.azure.com), browse to the **Azure Active Directory > Enterprise Apps > All applications** section. 2. If you have already configured GitHub for single sign-on, search for your instance of GitHub using the search field. 
Otherwise, select **Add** and search for **GitHub** in the application gallery. Select GitHub from the search results, and add it to your list of applications. @@ -84,7 +79,7 @@ This section guides you through connecting your Azure AD to GitHub's user accoun 8. Enter the email address of a person or group who should receive provisioning error notifications in the **Notification Email** field, and check the checkbox "Send an email notification when a failure occurs." -9. Click **Save**. +9. Click **Save**. 10. Under the Mappings section, select **Synchronize Azure Active Directory Users to GitHub**. @@ -92,13 +87,12 @@ This section guides you through connecting your Azure AD to GitHub's user accoun 12. To enable the Azure AD provisioning service for GitHub, change the **Provisioning Status** to **On** in the **Settings** section -13. Click **Save**. +13. Click **Save**. This operation starts the initial synchronization of any users and/or groups assigned to GitHub in the Users and Groups section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). - ## Additional resources * [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) diff --git a/articles/active-directory/saas-apps/github-tutorial.md b/articles/active-directory/saas-apps/github-tutorial.md index 9dde716a223b0..04081d9707c1d 100644 --- a/articles/active-directory/saas-apps/github-tutorial.md +++ b/articles/active-directory/saas-apps/github-tutorial.md 
@@ -63,7 +63,7 @@ To configure the integration of GitHub into Azure AD, you need to add GitHub fro
 ![The New application button](common/add-new-app.png)
-4. In the search box, type **GitHub**, select **GitHub** from result panel then click **Add** button to add the application.
+4. In the search box, type **GitHub**, select **GitHub.com** from result panel then click **Add** button to add the application.
 ![GitHub in the results list](common/search-new-app.png)
diff --git a/articles/active-directory/saas-apps/glassfrog-tutorial.md b/articles/active-directory/saas-apps/glassfrog-tutorial.md
index b4df9e35fa915..4537fed720f23 100644
--- a/articles/active-directory/saas-apps/glassfrog-tutorial.md
+++ b/articles/active-directory/saas-apps/glassfrog-tutorial.md
@@ -4,186 +4,192 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 7cf5dae6-32d6-418e-8ef2-b2041e686086 ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 10/17/2018 +ms.topic: tutorial +ms.date: 04/01/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with GlassFrog In this tutorial, you learn how to integrate GlassFrog with Azure Active Directory (Azure AD). - Integrating GlassFrog with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to GlassFrog. -- You can enable your users to automatically get signed-on to GlassFrog (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to GlassFrog. +* You can enable your users to be automatically signed-in to GlassFrog (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with GlassFrog, you need the following items: -- An Azure AD subscription -- A GlassFrog single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* GlassFrog single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding GlassFrog from the gallery -2. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* GlassFrog supports **SP** initiated SSO ## Adding GlassFrog from the gallery + To configure the integration of GlassFrog into Azure AD, you need to add GlassFrog from the gallery to your list of managed SaaS apps. **To add GlassFrog from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![image](./media/glassfrog-tutorial/selectazuread.png) + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. 
+ + ![The Enterprise applications blade](common/enterprise-applications.png) - ![image](./media/glassfrog-tutorial/a_select_app.png) - 3. To add new application, click **New application** button on the top of dialog. - ![image](./media/glassfrog-tutorial/a_new_app.png) + ![The New application button](common/add-new-app.png) 4. In the search box, type **GlassFrog**, select **GlassFrog** from result panel then click **Add** button to add the application. - ![image](./media/glassfrog-tutorial/tutorial_glassfrog_addfromgallery.png) + ![GlassFrog in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with GlassFrog based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in GlassFrog is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in GlassFrog needs to be established. +In this section, you configure and test Azure AD single sign-on with GlassFrog based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in GlassFrog needs to be established. To configure and test Azure AD single sign-on with GlassFrog, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Create a GlassFrog test user](#create-a-glassfrog-test-user)** - to have a counterpart of Britta Simon in GlassFrog that is linked to the Azure AD representation of user. +2. **[Configure GlassFrog Single Sign-On](#configure-glassfrog-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. 
**[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +5. **[Create GlassFrog test user](#create-glassfrog-test-user)** - to have a counterpart of Britta Simon in GlassFrog that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your GlassFrog application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with GlassFrog, perform the following steps:** +To configure Azure AD single sign-on with GlassFrog, perform the following steps: 1. In the [Azure portal](https://portal.azure.com/), on the **GlassFrog** application integration page, select **Single sign-on**. - ![image](./media/glassfrog-tutorial/b1_b2_select_sso.png) + ![Configure single sign-on link](common/select-sso.png) -2. On the **Select a Single sign-on method** dialog, Click **Select** for **SAML** mode to enable single sign-on. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![image](./media/glassfrog-tutorial/b1_b2_saml_sso.png) + ![Single sign-on select mode](common/select-saml-option.png) -3. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **Basic SAML Configuration** dialog. +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![image](./media/glassfrog-tutorial/b1-domains_and_urlsedit.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) 4. 
On the **Basic SAML Configuration** section, perform the following steps: - In the **Sign-on URL** text box, type a URL using the following pattern: + ![GlassFrog Domain and URLs single sign-on information](common/sp-signonurl.png) + + In the **Sign-on URL** text box, type a URL using the following pattern: `https://app.glassfrog.com/people/sso?org_id=` - ![image](./media/glassfrog-tutorial/tutorial_glassfrog_url.png) + > [!NOTE] + > The value is not real. Update the value with the actual Sign-On URL. Contact [GlassFrog Client support team](mailto:support@glassfrog.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/metadataxml.png) - > [!NOTE] - > The Sign-on URL value is not real. Update the value with the actual Sign-On URL. Contact [GlassFrog support team](https://support.glassfrog.com/support/solutions/9000107654) to get the value. - -5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** and save it on your computer. +6. On the **Set up GlassFrog** section, copy the appropriate URL(s) as per your requirement. - ![image](./media/glassfrog-tutorial/tutorial_glassfrog_certificate.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -6. To configure single sign-on on **GlassFrog** side, you need to send the downloaded **Federation Metadata XML** to [GlassFrog support team](mailto:support@alchemy.fr). They set this setting to have the SAML SSO connection set properly on both sides. + a. Login URL -### Create an Azure AD test user + b. Azure AD Identifier + + c. 
Logout URL + +### Configure GlassFrog Single Sign-On + +To configure single sign-on on **GlassFrog** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [GlassFrog support team](mailto:support@glassfrog.com). They set this setting to have the SAML SSO connection set properly on both sides. + +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. 1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![image](./media/glassfrog-tutorial/d_users_and_groups.png) + ![The "Users and groups" and "All users" links](common/users.png) 2. Select **New user** at the top of the screen. - ![image](./media/glassfrog-tutorial/d_adduser.png) + ![New user Button](common/new-user.png) 3. In the User properties, perform the following steps. - ![image](./media/glassfrog-tutorial/d_userproperties.png) + ![The User dialog box](common/user-properties.png) a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com - - c. Select **Properties**, select the **Show password** check box, and then write down the value that's displayed in the Password box. + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - d. Select **Create**. - -### Create a GlassFrog test user + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -In this section, you create a user called Britta Simon in GlassFrog. Work with [GlassFrog support team](https://support.glassfrog.com/support/solutions/9000107654) to add the users in the GlassFrog platform. Users must be created and activated before you use single sign-on. + d. Click **Create**. 
### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to GlassFrog. -1. In the Azure portal, select **Enterprise Applications**, select **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **GlassFrog**. - ![image](./media/glassfrog-tutorial/d_all_applications.png) + ![Enterprise applications blade](common/enterprise-applications.png) 2. In the applications list, select **GlassFrog**. - ![image](./media/glassfrog-tutorial/tutorial_glassfrog_app.png) + ![The GlassFrog link in the Applications list](common/all-applications.png) 3. In the menu on the left, select **Users and groups**. - ![image](./media/glassfrog-tutorial/d_leftpaneusers.png) + ![The "Users and groups" link](common/users-groups-blade.png) -4. Select the **Add** button, then select **Users and groups** in the **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![image](./media/glassfrog-tutorial/d_assign_user.png) + ![The Add Assignment pane](common/add-assign-user.png) -4. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -5. In the **Add Assignment** dialog select the **Assign** button. - -### Test single sign-on +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create GlassFrog test user + +In this section, you create a user called Britta Simon in GlassFrog. 
Work with [GlassFrog support team](mailto:support@glassfrog.com) to add the users in the GlassFrog platform. Users must be created and activated before you use single sign-on. + +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the GlassFrog tile in the Access Panel, you should get automatically signed-on to your GlassFrog application. -For more information about the Access Panel, see [Introduction to the Access Panel](../active-directory-saas-access-panel-introduction.md). +When you click the GlassFrog tile in the Access Panel, you should be automatically signed in to the GlassFrog for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). + +## Additional Resources -## Additional resources +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/google-apps-provisioning-tutorial.md b/articles/active-directory/saas-apps/google-apps-provisioning-tutorial.md index 3ffcafc5a781f..bb5baa75ef0e2 100644 --- a/articles/active-directory/saas-apps/google-apps-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/google-apps-provisioning-tutorial.md 
@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 01/26/2018
+ms.date: 03/27/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
 
@@ -66,78 +66,77 @@ This section guides you through the process of connecting your Azure AD to the u > Another viable option for automating user provisioning to G Suite is to use [Google Apps Directory Sync (GADS)](https://support.google.com/a/answer/106368?hl=en). GADS provisions your on-premises Active Directory identities to G Suite. In contrast, the solution in this tutorial provisions your Azure Active Directory (cloud) users and email-enabled groups to G Suite. 1. Sign in to the [Google Apps Admin console](https://admin.google.com/) with your administrator account, and then select **Security**. If you don't see the link, it might be hidden under the **More Controls** menu at the bottom of the screen. - + ![Select security.][10] 1. On the **Security** page, select **API Reference**. - + ![Select API Reference.][15] 1. Select **Enable API access**. - + ![Select API Reference.][16] > [!IMPORTANT] > For every user that you intend to provision to G Suite, their user name in Azure Active Directory *must* be tied to a custom domain. For example, user names that look like bob@contoso.onmicrosoft.com are not accepted by G Suite. On the other hand, bob@contoso.com is accepted. You can change an existing user's domain by editing their properties in Azure AD. We've included instructions for how to set a custom domain for both Azure Active Directory and G Suite in the following steps. - + 1. If you haven't added a custom domain name to your Azure Active Directory yet, then take the following steps: - a. In the [Azure portal](https://portal.azure.com), on the left navigation pane, select **Active Directory**. In the directory list, select your directory. + a. In the [Azure portal](https://portal.azure.com), on the left navigation pane, select **Active Directory**. In the directory list, select your directory. b. Select **Domain name** on the left navigation pane, and then select **Add**. 
- - ![Domain](./media/google-apps-provisioning-tutorial/domain_1.png) - ![Domain add](./media/google-apps-provisioning-tutorial/domain_2.png) + ![Domain](./media/google-apps-provisioning-tutorial/domain_1.png) + + ![Domain add](./media/google-apps-provisioning-tutorial/domain_2.png) c. Type your domain name into the **Domain name** field. This domain name should be the same domain name that you intend to use for G Suite. Then select the **Add Domain** button. - - ![Domain name](./media/google-apps-provisioning-tutorial/domain_3.png) - d. Select **Next** to go to the verification page. To verify that you own this domain, edit the domain's DNS records according to the values that are provided on this page. You might choose to verify by using either **MX records** or **TXT records**, depending on what you select for the **Record Type** option. - + ![Domain name](./media/google-apps-provisioning-tutorial/domain_3.png) + + d. Select **Next** to go to the verification page. To verify that you own this domain, edit the domain's DNS records according to the values that are provided on this page. You might choose to verify by using either **MX records** or **TXT records**, depending on what you select for the **Record Type** option. + For more comprehensive instructions on how to verify domain names with Azure AD, see [Add your own domain name to Azure AD](https://go.microsoft.com/fwLink/?LinkID=278919&clcid=0x409). - - ![Domain](./media/google-apps-provisioning-tutorial/domain_4.png) - e. Repeat the preceding steps for all the domains that you intend to add to your directory. + ![Domain](./media/google-apps-provisioning-tutorial/domain_4.png) - > [!NOTE] - > For user provisioning, the custom domain must match the domain name of the source Azure AD. If they do not match, you may be able to solve the problem by implementing attribute mapping customization. + e. Repeat the preceding steps for all the domains that you intend to add to your directory. 
+ > [!NOTE] + > For user provisioning, the custom domain must match the domain name of the source Azure AD. If they do not match, you may be able to solve the problem by implementing attribute mapping customization. 1. Now that you have verified all your domains with Azure AD, you must verify them again with Google Apps. For each domain that isn't already registered with Google, take the following steps: - + a. In the [Google Apps Admin Console](https://admin.google.com/), select **Domains**. - - ![Select Domains][20] + + ![Select Domains][20] b. Select **Add a domain or a domain alias**. - - ![Add a new domain][21] + + ![Add a new domain][21] c. Select **Add another domain**, and then type in the name of the domain that you want to add. - - ![Type in your domain name][22] + + ![Type in your domain name][22] d. Select **Continue and verify domain ownership**. Then follow the steps to verify that you own the domain name. For comprehensive instructions on how to verify your domain with Google, see [Verify your site ownership with Google Apps](https://support.google.com/webmasters/answer/35179). e. Repeat the preceding steps for any additional domains that you intend to add to Google Apps. - - > [!WARNING] - > If you change the primary domain for your G Suite tenant, and if you have already configured single sign-on with Azure AD, then you have to repeat step #3 under Step 2: Enable single sign-on. - + + > [!WARNING] + > If you change the primary domain for your G Suite tenant, and if you have already configured single sign-on with Azure AD, then you have to repeat step #3 under Step 2: Enable single sign-on. + 1. In the [Google Apps Admin console](https://admin.google.com/), select **Admin Roles**. - - ![Select Google Apps][26] + + ![Select Google Apps][26] 1. Determine which admin account you want to use to manage user provisioning. For the **admin role** of that account, edit the **Privileges** for that role. 
Make sure to enable all **Admin API Privileges** so that this account can be used for provisioning. - - ![Select Google Apps][27] - + + ![Select Google Apps][27] + > [!NOTE] > If you are configuring a production environment, the best practice is to create an admin account in G Suite specifically for this step. These accounts must have an admin role associated with them that has the necessary API privileges. - + 1. In the [Azure portal](https://portal.azure.com), browse to the **Azure Active Directory** > **Enterprise Apps** > **All applications** section. 1. If you have already configured G Suite for single sign-on, search for your instance of G Suite by using the search field. Otherwise, select **Add**, and then search for **G Suite** or **Google Apps** in the application gallery. Select your app from the search results, and then add it to your list of applications. @@ -146,13 +145,13 @@ This section guides you through the process of connecting your Azure AD to the u 1. Set the **Provisioning Mode** to **Automatic**. - ![Provisioning](./media/google-apps-provisioning-tutorial/provisioning.png) + ![Provisioning](./media/google-apps-provisioning-tutorial/provisioning.png) 1. Under the **Admin Credentials** section, select **Authorize**. It opens a Google authorization dialog box in a new browser window. 1. Confirm that you want to give Azure Active Directory permission to make changes to your G Suite tenant. Select **Accept**. - - ![Confirm permissions.][28] + + ![Confirm permissions.][28] 1. In the Azure portal, select **Test Connection** to ensure that Azure AD can connect to your app. If the connection fails, ensure that your G Suite account has Team Admin permissions. Then try the **Authorize** step again. 
@@ -178,8 +177,6 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti * [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) * [Configure single sign-on](google-apps-tutorial.md) - - [10]: ./media/google-apps-provisioning-tutorial/gapps-security.png diff --git a/articles/active-directory/saas-apps/greenorbit-tutorial.md b/articles/active-directory/saas-apps/greenorbit-tutorial.md new file mode 100644 index 0000000000000..94f65580f9b25 --- /dev/null +++ b/articles/active-directory/saas-apps/greenorbit-tutorial.md 
@@ -0,0 +1,201 @@ +--- +title: 'Tutorial: Azure Active Directory integration with GreenOrbit | Microsoft Docs' +description: Learn how to configure single sign-on between Azure Active Directory and GreenOrbit. +services: active-directory +documentationCenter: na +author: jeevansd +manager: mtillman +ms.reviewer: barbkess + +ms.assetid: 93d37c7a-9322-4024-8eec-d57e0317eb10 +ms.service: active-directory +ms.subservice: saas-app-tutorial +ms.workload: identity +ms.tgt_pltfrm: na +ms.devlang: na +ms.topic: tutorial +ms.date: 04/08/2019 +ms.author: jeedes + +ms.collection: M365-identity-device-management +--- +# Tutorial: Azure Active Directory integration with GreenOrbit + +In this tutorial, you learn how to integrate GreenOrbit with Azure Active Directory (Azure AD). +Integrating GreenOrbit with Azure AD provides you with the following benefits: + +* You can control in Azure AD who has access to GreenOrbit. +* You can enable your users to be automatically signed-in to GreenOrbit (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. + +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. + +## Prerequisites + +To configure Azure AD integration with GreenOrbit, you need the following items: + +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* GreenOrbit single sign-on enabled subscription + +## Scenario description + +In this tutorial, you configure and test Azure AD single sign-on in a test environment. 
+ +* GreenOrbit supports **SP** initiated SSO + +* GreenOrbit supports **Just In Time** user provisioning + +## Adding GreenOrbit from the gallery + +To configure the integration of GreenOrbit into Azure AD, you need to add GreenOrbit from the gallery to your list of managed SaaS apps. + +**To add GreenOrbit from the gallery, perform the following steps:** + +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon. + + ![The Azure Active Directory button](common/select-azuread.png) + +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. + + ![The Enterprise applications blade](common/enterprise-applications.png) + +3. To add a new application, click the **New application** button at the top of the dialog. + + ![The New application button](common/add-new-app.png) + +4. In the search box, type **GreenOrbit**, select **GreenOrbit** from the result panel then click the **Add** button to add the application. + + ![GreenOrbit in the results list](common/search-new-app.png) + +## Configure and test Azure AD single sign-on + +In this section, you configure and test Azure AD single sign-on with GreenOrbit based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in GreenOrbit needs to be established. + +To configure and test Azure AD single sign-on with GreenOrbit, you need to complete the following building blocks: + +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure GreenOrbit Single Sign-On](#configure-greenorbit-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create GreenOrbit test user](#create-greenorbit-test-user)** - to have a counterpart of Britta Simon in GreenOrbit that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. + +### Configure Azure AD single sign-on + +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with GreenOrbit, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **GreenOrbit** application integration page, select **Single sign-on**. + + ![Configure single sign-on link](common/select-sso.png) + +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. + + ![Single sign-on select mode](common/select-saml-option.png) + +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. + + ![Edit Basic SAML Configuration](common/edit-urls.png) + +4. On the **Basic SAML Configuration** section, perform the following steps: + + ![GreenOrbit Domain and URLs single sign-on information](common/sp-identifier.png) + + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.GreenOrbit.com` + + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `http://.trial.GreenOrbit.com` + + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [GreenOrbit Client support team](mailto:support@greenorbit.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + +5. 
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/certificatebase64.png) + +6. On the **Set up GreenOrbit** section, copy the appropriate URL(s) as per your requirement. + + ![Copy configuration URLs](common/copy-configuration-urls.png) + + a. Login URL + + b. Azure AD Identifier + + c. Logout URL + +### Configure GreenOrbit Single Sign-On + +To configure single sign-on on **GreenOrbit** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [GreenOrbit support team](mailto:support@greenorbit.com). They set this setting to have the SAML SSO connection set properly on both sides. + +### Create an Azure AD test user + +The objective of this section is to create a test user in the Azure portal called Britta Simon. + +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. + + ![The "Users and groups" and "All users" links](common/users.png) + +2. Select **New user** at the top of the screen. + + ![New user Button](common/new-user.png) + +3. In the User properties, perform the following steps. + + ![The User dialog box](common/user-properties.png) + + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com + + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. + +### Assign the Azure AD test user + +In this section, you enable Britta Simon to use Azure single sign-on by granting access to GreenOrbit. + +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **GreenOrbit**. 
+ + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **GreenOrbit**. + + ![The GreenOrbit link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) + +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. + +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create GreenOrbit test user + +In this section, a user called Britta Simon is created in GreenOrbit. GreenOrbit supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in GreenOrbit, a new one is created after authentication. + +### Test single sign-on + +In this section, you test your Azure AD single sign-on configuration using the Access Panel. + +When you click the GreenOrbit tile in the Access Panel, you should be automatically signed in to the GreenOrbit for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
+
+## Additional Resources
+
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+
diff --git a/articles/active-directory/saas-apps/grovo-tutorial.md b/articles/active-directory/saas-apps/grovo-tutorial.md
index 6e86df24ee211..8f700de92b610 100644
--- a/articles/active-directory/saas-apps/grovo-tutorial.md
+++ b/articles/active-directory/saas-apps/grovo-tutorial.md
@@ -260,9 +260,9 @@ When you click the Grovo tile in the Access Panel, you should be automatically s
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/hackerone-tutorial.md b/articles/active-directory/saas-apps/hackerone-tutorial.md
index 79a6b758b669e..e4ca76e3d05af 100644
--- a/articles/active-directory/saas-apps/hackerone-tutorial.md
+++ b/articles/active-directory/saas-apps/hackerone-tutorial.md @@ -143,9 +143,9 @@ To configure Azure AD single sign-on with HackerOne, perform the following steps a. In the **Email Domain** textbox, type a registered domain. - b. In  **Single Sign On URL** textboxes, paste the value of **Login URL** which you have copied from Azure portal. + b. In **Single Sign On URL** textboxes, paste the value of **Login URL** which you have copied from Azure portal. - c. Open your downloaded **Certificate file** from Azure portal into Notepad, copy the content of it into your clipboard, and then paste it to the **X509 Certificate**  textbox. + c. Open your downloaded **Certificate file** from Azure portal into Notepad, copy the content of it into your clipboard, and then paste it to the **X509 Certificate** textbox. d. Click **Save**. diff --git a/articles/active-directory/saas-apps/helpscout-tutorial.md b/articles/active-directory/saas-apps/helpscout-tutorial.md index c8474760add35..3c51e45f68b8e 100644 --- a/articles/active-directory/saas-apps/helpscout-tutorial.md +++ b/articles/active-directory/saas-apps/helpscout-tutorial.md @@ -107,7 +107,7 @@ To configure Azure AD single sign-on with Help Scout, perform the following step b. **Reply URL** is the **Post-back URL (Assertion Consumer Service URL)** from Help Scout, starts with `https://` > [!NOTE] - > The values in these URLs are for demonstration only. You need to update these values from actual Reply URL and Identifier. You get these values from the **Single Sign-On** tab under Authentication section, which is explained later in the tutorial. + > The values in these URLs are for demonstration only. You need to update these values from actual Reply URL and Identifier. You get these values from the **Single Sign-On** tab under Authentication section, which is explained later in the tutorial. 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: 
@@ -153,7 +153,7 @@ To configure Azure AD single sign-on with Help Scout, perform the following step ![Configure Single Sign-On](./media/helpscout-tutorial/settings4.png) - a. In **Single Sign-On URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal. + a. In **Single Sign-On URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal. b. Click **Upload Certificate** to upload the **Certificate(Base64)** downloaded from Azure portal. diff --git a/articles/active-directory/saas-apps/heybuddy-tutorial.md b/articles/active-directory/saas-apps/heybuddy-tutorial.md index 8dfc65c35d90b..2168cc3412c4f 100644 --- a/articles/active-directory/saas-apps/heybuddy-tutorial.md +++ b/articles/active-directory/saas-apps/heybuddy-tutorial.md @@ -217,8 +217,8 @@ When you click the HeyBuddy tile in the Access Panel, you should be automaticall ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) \ No newline at end of file diff --git a/articles/active-directory/saas-apps/hightail-tutorial.md b/articles/active-directory/saas-apps/hightail-tutorial.md index 8ee3177643a38..67ebb0108b68d 100644 --- a/articles/active-directory/saas-apps/hightail-tutorial.md 
+++ b/articles/active-directory/saas-apps/hightail-tutorial.md
@@ -253,8 +253,8 @@ When you click the Hightail tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/hrworks-single-sign-on-tutorial.md b/articles/active-directory/saas-apps/hrworks-single-sign-on-tutorial.md
index 96c3f0a9b8a82..68f2610400669 100644
--- a/articles/active-directory/saas-apps/hrworks-single-sign-on-tutorial.md
+++ b/articles/active-directory/saas-apps/hrworks-single-sign-on-tutorial.md
@@ -217,9 +217,9 @@ When you click the HRworks Single Sign-On tile in the Access Panel, you should b
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/ibmopenpages-tutorial.md b/articles/active-directory/saas-apps/ibmopenpages-tutorial.md
index 0c4776eb87cf4..6934eec054133 100644
--- a/articles/active-directory/saas-apps/ibmopenpages-tutorial.md
+++ b/articles/active-directory/saas-apps/ibmopenpages-tutorial.md
@@ -191,8 +191,8 @@ When you click the IBM OpenPages tile in the Access Panel, you should be automat
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/igloo-software-tutorial.md b/articles/active-directory/saas-apps/igloo-software-tutorial.md
index 0a24a2efdee96..4f0fcc649fc5d 100644
--- a/articles/active-directory/saas-apps/igloo-software-tutorial.md
+++ b/articles/active-directory/saas-apps/igloo-software-tutorial.md
@@ -247,8 +247,8 @@ When you click the Igloo Software tile in the Access Panel, you should be automa
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/ilms-tutorial.md b/articles/active-directory/saas-apps/ilms-tutorial.md
index 8ba9f937bf4ed..99e6fad0519ad 100644
--- a/articles/active-directory/saas-apps/ilms-tutorial.md
+++ b/articles/active-directory/saas-apps/ilms-tutorial.md
@@ -292,8 +292,8 @@ When you click the iLMS tile in the Access Panel, you should be automatically si
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/imagerelay-tutorial.md b/articles/active-directory/saas-apps/imagerelay-tutorial.md
index 572d99bbe4c4f..3ba03065ee58f 100644
--- a/articles/active-directory/saas-apps/imagerelay-tutorial.md
+++ b/articles/active-directory/saas-apps/imagerelay-tutorial.md
@@ -255,8 +255,8 @@ When you click the Image Relay tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/imageworks-tutorial.md b/articles/active-directory/saas-apps/imageworks-tutorial.md
index 614d89ccbd32c..545453f4c81bd 100644
--- a/articles/active-directory/saas-apps/imageworks-tutorial.md
+++ b/articles/active-directory/saas-apps/imageworks-tutorial.md
@@ -191,8 +191,8 @@ When you click the IMAGE WORKS tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/impacriskmanager-tutorial.md b/articles/active-directory/saas-apps/impacriskmanager-tutorial.md
index 27e9b1527399f..46803366abfd5 100644
--- a/articles/active-directory/saas-apps/impacriskmanager-tutorial.md
+++ b/articles/active-directory/saas-apps/impacriskmanager-tutorial.md
@@ -213,8 +213,8 @@ When you click the IMPAC Risk Manager tile in the Access Panel, you should be au
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/infinitecampus-tutorial.md b/articles/active-directory/saas-apps/infinitecampus-tutorial.md
index af9b7b678935d..810e27d218659 100644
--- a/articles/active-directory/saas-apps/infinitecampus-tutorial.md
+++ b/articles/active-directory/saas-apps/infinitecampus-tutorial.md
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: femila
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: 3995b544-e751-4e0f-ab8b-c9a3862da6ba
 ms.service: active-directory
@@ -13,47 +13,36 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 10/30/2018 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Infinite Campus In this tutorial, you learn how to integrate Infinite Campus with Azure Active Directory (Azure AD). - Integrating Infinite Campus with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Infinite Campus. -- You can enable your users to automatically get signed-on to Infinite Campus (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Infinite Campus. +* You can enable your users to be automatically signed-in to Infinite Campus (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md) +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Infinite Campus, you need the following items: -- An Azure AD subscription -- An Infinite Campus single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). -- At minimum, you need to be an Azure Active Directory administrator, and have a Campus Product Security Role of "Student Information System (SIS)" to complete the configuration. +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Infinite Campus single sign-on enabled subscription +* At minimum, you need to be an Azure Active Directory administrator, and have a Campus Product Security Role of "Student Information System (SIS)" to complete the configuration. ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -1. Adding Infinite Campus from the gallery -2. Configuring and testing Azure AD single sign-on +* Infinite Campus supports **SP** initiated SSO ## Adding Infinite Campus from the gallery 
@@ -61,71 +50,55 @@ To configure the integration of Infinite Campus into Azure AD, you need to add I **To add Infinite Campus from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] + ![The Enterprise applications blade](common/enterprise-applications.png) -3. To add new application, click **New application** button on the top of dialog. +3. To add a new application, click the **New application** button at the top of the dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) -4. In the search box, type **Infinite Campus**, select **Infinite Campus** from result panel then click **Add** button to add the application. +4. In the search box, type **Infinite Campus**, select **Infinite Campus** from the result panel then click the **Add** button to add the application. - ![Infinite Campus in the results list](./media/infinitecampus-tutorial/tutorial_infinitecampus_addfromgallery.png) + ![Infinite Campus in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Infinite Campus based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Infinite Campus is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Infinite Campus needs to be established. 
+In this section, you configure and test Azure AD single sign-on with Infinite Campus based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Infinite Campus needs to be established. To configure and test Azure AD single sign-on with Infinite Campus, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Creating an Infinite Campus test user](#creating-an-infinite-campus-test-user)** - to have a counterpart of Britta Simon in Infinite Campus that is linked to the Azure AD representation of user. -4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Infinite Campus Single Sign-On](#configure-infinite-campus-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Infinite Campus test user](#create-infinite-campus-test-user)** - to have a counterpart of Britta Simon in Infinite Campus that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. 
-### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Infinite Campus application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Infinite Campus, perform the following steps:** +To configure Azure AD single sign-on with Infinite Campus, perform the following steps: -1. In the Azure portal, on the **Infinite Campus** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Infinite Campus** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -2. On the **Select a Single sign-on method** dialog, Click **Select** for **SAML** mode to enable single sign-on. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On](common/tutorial_general_301.png) + ![Single sign-on select mode](common/select-saml-option.png) 3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Configure Single Sign-On](common/editconfigure.png) - -4. On the **Basic SAML Configuration** section, if you have a **Service Provider metadata file** exported from Infinite Campus, complete steps 4.a through 4.d, and then skip to step 11.c. If you don't have a Service Provider Metadata file, skip to step 5. - - a. Click **Upload metadata file**. - - ![image](common/b9_saml.png) - - b. Click on **folder logo** to select the metadata file and click **Upload**. - - ![image](common/b9(1)_saml.png) - - c. 
Once the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in **Basic SAML Configuration** section textbox as shown below: - - ![image](./media/infinitecampus-tutorial/tutorial_infinitecampus_url.png) - - d. In the **Sign-on URL** textbox, type a URL using the following pattern (the domain will vary with Hosting Model): `https://.infinitecampus.com/campus/SSO//SIS` + ![Edit Basic SAML Configuration](common/edit-urls.png) -5. If you do not have **Service Provider metadata file**, perform the following steps (note that the domain will vary with Hosting Model): +4. On the Basic SAML Configuration section, perform the following steps (note that the domain will vary with Hosting Model, but the **FULLY-QUALIFIED-DOMAIN** value must match your Infinite Campus installation): a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.infinitecampus.com/campus/SSO//SIS` 
@@ -133,121 +106,105 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf c. In the **Reply URL** textbox, type a URL using the following pattern: `https://.infinitecampus.com/campus/SSO/` - ![Infinite Campus Domain and URLs single sign-on information](./media/infinitecampus-tutorial/tutorial_infinitecampus_url1.png) + ![Infinite Campus Domain and URLs single sign-on information](common/sp-identifier-reply.png) -6. On the **SAML Signing Certificate** page, in the **SAML Signing Certificate** section, click the copy **icon** to copy **App Federation Metadata Url** and paste it into notepad. +5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. - ![The Certificate download link](./media/infinitecampus-tutorial/tutorial_infinitecampus_certificate.png) + ![The Certificate download link](common/copy-metadataurl.png) -7. On the **Set up Infinite Campus** section, use the following values to validate when uploading or utilizing the Azure metadata file/URL. +### Configure Infinite Campus Single Sign-On - a. Login URL +1. In a different web browser window, sign in to Infinite Campus as a Security Administrator. - b. Azure AD Identifier - - c. Logout URL - - ![Infinite Campus Configuration](common/configuresection.png) - -8. In a different web browser window, login to Infinite Campus as a Security Administrator. - -9. On the left side of menu, click **System Administration**. +2. On the left side of menu, click **System Administration**. ![The Admin](./media/infinitecampus-tutorial/tutorial_infinitecampus_admin.png) -10. Navigate to **User Security** > **SAML Management** > **SSO Service Provider Configuration**. +3. Navigate to **User Security** > **SAML Management** > **SSO Service Provider Configuration**. ![The saml](./media/infinitecampus-tutorial/tutorial_infinitecampus_saml.png) -11. 
On the **SSO Service Provider Configuration** page, perform the following steps: +4. On the **SSO Service Provider Configuration** page, perform the following steps: ![The sso](./media/infinitecampus-tutorial/tutorial_infinitecampus_sso.png) a. Select **Enable SAML Single Sign On**. - + b. Edit the **Optional Attribute Name** to contain **name** - - c. On the **Select an option to retrieve Identity Provider (IDP) server data** section, select **Metadata URL**, paste the **App Federation Metadata Url** (from Step 6 above) in the box, and then click **Sync**. - d. Click on **Service Provider Metadata** link to save the **Service Provider metadata file** on your computer, and upload it in **Basic SAML Configuration** section to auto populate the **Identifier** and **Reply URL** values in the Azure portal (refer to step 4 for upload and automatic population of values, or step 5 for manual entry). + c. On the **Select an option to retrieve Identity Provider (IDP) server data** section, select **Metadata URL**, paste the **App Federation Metadata Url** value, which you have copied from the Azure portal in the box, and then click **Sync**. - e. After clicking **Sync** the values get auto-populated in **SSO Service Provider Configuration** page. + d. After clicking **Sync** the values get auto-populated in **SSO Service Provider Configuration** page. These values can be verified to match the values seen in Step 4 above. - f. Click **Save**. + e. Click **Save**. -### Creating an Azure AD test user +### Create an Azure AD test user -The objective of this section is to create a _single_ test user in the Azure portal called Britta Simon. +The objective of this section is to create a test user in the Azure portal called Britta Simon. 1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Create Azure AD User][100] + ![The "Users and groups" and "All users" links](common/users.png) 2. 
Select **New user** at the top of the screen. - ![Creating an Azure AD test user](common/create_aaduser_01.png) + ![New user Button](common/new-user.png) 3. In the User properties, perform the following steps. - ![Creating an Azure AD test user](common/create_aaduser_02.png) + ![The User dialog box](common/user-properties.png) - a. In the **Name** field, enter **BrittaSimon**. + a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com - - c. Select **Properties**, select the **Show password** check box, and then write down the value that's displayed in the Password box. + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com. - d. Select **Create**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -### Creating an Infinite Campus test user + d. Click **Create**. -Infinite Campus has a demographics centered architecture. Please contact [Infinite Campus support team](mailto:sales@infinitecampus.com) to add the users in the Infinite Campus platform. +### Assign the Azure AD test user -### Assigning the Azure AD test user +> [!NOTE] +> If you want all of your Azure users to have single sign-on access to Infinite Campus and rely on Infinite Campus internal permissions system to control access, you can set the **User Assignment Required** property of the application to No and skip the following steps. In this section, you enable Britta Simon to use Azure single sign-on by granting access to Infinite Campus. -1. In the Azure portal, select **Enterprise Applications**, select **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Infinite Campus**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) 2. 
In the applications list, select **Infinite Campus**. - ![Configure Single Sign-On](./media/infinitecampus-tutorial/tutorial_infinitecampus_app.png) + ![The Infinite Campus link in the Applications list](common/all-applications.png) -3. In the menu on the left, click **Users and groups**. +3. In the menu on the left, select **Users and groups**. - ![Assign User][202] + ![The "Users and groups" link](common/users-groups-blade.png) -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][203] + ![The Add Assignment pane](common/add-assign-user.png) 5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -6. In the **Add Assignment** dialog select the **Assign** button. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -### Testing single sign-on +7. In the **Add Assignment** dialog click the **Assign** button. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +### Create Infinite Campus test user -When you click the Infinite Campus tile in the Access Panel, you should get automatically signed-on to your Infinite Campus application. If you are logging into the Infinite Campus application in the same browser you are administering Azure AD, ensure you are logged into Azure AD as the test user. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +Infinite Campus has a demographics centered architecture. Please contact [Infinite Campus support team](mailto:sales@infinitecampus.com) to add the users in the Infinite Campus platform. 
-## Additional resources +### Test single sign-on -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +In this section, you test your Azure AD single sign-on configuration using the Access Panel. + +When you click the Infinite Campus tile in the Access Panel, you should be automatically signed in to the Infinite Campus for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional resources -[1]: common/tutorial_general_01.png -[2]: common/tutorial_general_02.png -[3]: common/tutorial_general_03.png -[4]: common/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: common/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[201]: common/tutorial_general_201.png -[202]: common/tutorial_general_202.png -[203]: common/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/infogix-tutorial.md b/articles/active-directory/saas-apps/infogix-tutorial.md index e14e6b5397690..e34808e04a6f2 100644 --- a/articles/active-directory/saas-apps/infogix-tutorial.md +++ b/articles/active-directory/saas-apps/infogix-tutorial.md 
@@ -232,9 +232,9 @@ When you click the Infogix Data3Sixty Govern tile in the Access Panel, you shoul
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/inkling-tutorial.md b/articles/active-directory/saas-apps/inkling-tutorial.md
index 0d5a9d3579453..fd84031dd9d26 100644
--- a/articles/active-directory/saas-apps/inkling-tutorial.md
+++ b/articles/active-directory/saas-apps/inkling-tutorial.md
@@ -191,8 +191,8 @@ When you click the Inkling tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/insidertrack-tutorial.md b/articles/active-directory/saas-apps/insidertrack-tutorial.md
index b1f8c813a4b04..94e694f93d1c1 100644
--- a/articles/active-directory/saas-apps/insidertrack-tutorial.md
+++ b/articles/active-directory/saas-apps/insidertrack-tutorial.md
@@ -188,8 +188,8 @@ When you click the Insider Track tile in the Access Panel, you should be automat
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/insideview-tutorial.md b/articles/active-directory/saas-apps/insideview-tutorial.md
index f7286b4eee1d0..c5ebe8eed6c1d 100644
--- a/articles/active-directory/saas-apps/insideview-tutorial.md
+++ b/articles/active-directory/saas-apps/insideview-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: c489a7ab-6b1f-4efb-8a66-8bc13bca78c3
 ms.service: active-directory
@@ -12,122 +13,117 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/29/2017 +ms.topic: tutorial +ms.date: 03/20/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with InsideView In this tutorial, you learn how to integrate InsideView with Azure Active Directory (Azure AD). - Integrating InsideView with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to InsideView -- You can enable your users to automatically get signed-on to InsideView (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to InsideView. +* You can enable your users to be automatically signed-in to InsideView (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with InsideView, you need the following items: -- An Azure AD subscription -- An InsideView single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* InsideView single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding InsideView from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* InsideView supports **IDP** initiated SSO ## Adding InsideView from the gallery -To configure the integration of InsideView in to Azure AD, you need to add InsideView from the gallery to your list of managed SaaS apps. + +To configure the integration of InsideView into Azure AD, you need to add InsideView from the gallery to your list of managed SaaS apps. **To add InsideView from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. 
To add new application, click **New application** button on the top of dialog. -1. In the search box, type **InsideView**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/insideview-tutorial/tutorial_insideview_search.png) +4. In the search box, type **InsideView**, select **InsideView** from result panel then click **Add** button to add the application. -1. In the results panel, select **InsideView**, and then click **Add** button to add the application. + ![InsideView in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/insideview-tutorial/tutorial_insideview_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with InsideView based on a test user called "Britta Simon." +In this section, you configure and test Azure AD single sign-on with InsideView based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in InsideView needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in InsideView is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in InsideView needs to be established. +To configure and test Azure AD single sign-on with InsideView, you need to complete the following building blocks: -In InsideView, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure InsideView Single Sign-On](#configure-insideview-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. 
**[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create InsideView test user](#create-insideview-test-user)** - to have a counterpart of Britta Simon in InsideView that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with InsideView, you need to complete the following building blocks: +### Configure Azure AD single sign-on + +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with InsideView, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **InsideView** application integration page, select **Single sign-on**. -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating an InsideView test user](#creating-an-insideview-test-user)** - to have a counterpart of Britta Simon in InsideView that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. + ![Configure single sign-on link](common/select-sso.png) -### Configuring Azure AD single sign-on +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your InsideView application. 
+ ![Single sign-on select mode](common/select-saml-option.png) -**To configure Azure AD single sign-on with InsideView, perform the following steps:** +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. In the Azure portal, on the **InsideView** application integration page, click **Single sign-on**. + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On][4] +4. On the **Basic SAML Configuration** section, perform the following steps: -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/insideview-tutorial/tutorial_insideview_samlbase.png) + ![InsideView Domain and URLs single sign-on information](common/idp-reply.png) -1. On the **InsideView Domain and URLs** section, perform the following steps: + In the **Reply URL** text box, type a URL using the following pattern: + `https://my.insideview.com/iv//login.iv` - ![Configure Single Sign-On](./media/insideview-tutorial/tutorial_insideview_url.png) - - In the **Reply URL** textbox, type a URL using the following pattern: `https://my.insideview.com/iv//login.iv` + > [!NOTE] + > The value is not real. Update the value with the actual Reply URL. Contact [InsideView Client support team](mailto:support@insideview.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - > [!NOTE] - > This value is not real. Update this value with the actual Reply URL. Contact [InsideView support team](mailto:support@insideview.com) to get this value. - -1. On the **SAML Signing Certificate** section, click **Certificate (Raw)** and then save the certificate file on your computer. +5. 
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On](./media/insideview-tutorial/tutorial_insideview_certificate.png) + ![The Certificate download link](common/certificateraw.png) -1. Click **Save** button. +6. On the **Set up InsideView** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On](./media/insideview-tutorial/tutorial_general_400.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. On the **InsideView Configuration** section, click **Configure InsideView** to open **Configure sign-on** window. Copy the **SAML Single Sign-On Service URL** from the **Quick Reference section.** + a. Login URL - ![Configure Single Sign-On](./media/insideview-tutorial/tutorial_insideview_configure.png) + b. Azure AD Identifier -1. In a different web browser window, log in to your InsideView company site as an administrator. + c. Logout URL + +### Configure InsideView Single Sign-On + +1. In a different web browser window, sign in to your InsideView company site as an administrator. 1. In the toolbar on the top, click **Admin**, **SingleSignOn Settings**, and then click **Add SAML**. 
@@ -136,118 +132,92 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf 1. In the **Add a New SAML** section, perform the following steps: ![Add a New SAML](./media/insideview-tutorial/ic794136.png "Add a New SAML") - + a. In the **STS Name** textbox, type a name for your configuration. - b. In **SamlP/WS-Fed Unsolicited EndPoint** textbox, paste the value of **SAML Single Sign-On Service URL**, which you have copied from Azure portal. - + b. In **SamlP/WS-Fed Unsolicited EndPoint** textbox, paste the value of **Login URL**, which you have copied from Azure portal. + c. Open your base-64 encoded certificate, which you have downloaded from Azure portal, copy the content of it into your clipboard, and then paste it to the **STS Certificate** textbox. d. In the **Crm User Id Mapping** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`. - + e. In the **Crm Email Mapping** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`. f. In the **Crm First Name Mapping** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`. - + g. In the **Crm lastName Mapping** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`. h. Click **Save**. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> - -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. 
- -![Create Azure AD User][100] +### Create an Azure AD test user -**To create a test user in Azure AD, perform the following steps:** +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Creating an Azure AD test user](./media/insideview-tutorial/create_aaduser_01.png) + ![The "Users and groups" and "All users" links](common/users.png) -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/insideview-tutorial/create_aaduser_02.png) +2. Select **New user** at the top of the screen. -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/insideview-tutorial/create_aaduser_03.png) + ![New user Button](common/new-user.png) -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/insideview-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** textbox, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com. - c. Select **Show Password** and write down the value of the **Password**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Creating an InsideView test user -To enable Azure AD users to log in to InsideView, they must be provisioned in to InsideView. In the case of InsideView, provisioning is a manual task. 
+### Assign the Azure AD test user -To get users or contacts created in InsideView, Contact [InsideView support team](mailto:support@insideview.com). +In this section, you enable Britta Simon to use Azure single sign-on by granting access to InsideView. ->[!NOTE] ->You can use any other InsideView user account creation tools or APIs provided by InsideView to provision Azure AD user accounts. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **InsideView**. -### Assigning the Azure AD test user + ![Enterprise applications blade](common/enterprise-applications.png) -In this section, you enable Britta Simon to use Azure single sign-on by granting access to InsideView. +2. In the applications list, select **InsideView**. -![Assign User][200] + ![The InsideView link in the Applications list](common/all-applications.png) -**To assign Britta Simon to InsideView, perform the following steps:** +3. In the menu on the left, select **Users and groups**. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. + ![The "Users and groups" link](common/users-groups-blade.png) - ![Assign User][201] +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. In the applications list, select **InsideView**. + ![The Add Assignment pane](common/add-assign-user.png) - ![Configure Single Sign-On](./media/insideview-tutorial/tutorial_insideview_app.png) +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. In the menu on the left, click **Users and groups**. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. - ![Assign User][202] +7. 
In the **Add Assignment** dialog click the **Assign** button. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +### Create InsideView test user - ![Assign User][203] +To enable Azure AD users to sign in to InsideView, they must be provisioned in to InsideView. In the case of InsideView, provisioning is a manual task. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +To get users or contacts created in InsideView, Contact [InsideView support team](mailto:support@insideview.com). -1. Click **Select** button on **Users and groups** dialog. +> [!NOTE] +> You can use any other InsideView user account creation tools or APIs provided by InsideView to provision Azure AD user accounts. -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the InsideView tile in the Access Panel, you should get automatically signed-on to your InsideView application. +When you click the InsideView tile in the Access Panel, you should be automatically signed in to the InsideView for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
## Additional resources -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - - - -[1]: ./media/insideview-tutorial/tutorial_general_01.png -[2]: ./media/insideview-tutorial/tutorial_general_02.png -[3]: ./media/insideview-tutorial/tutorial_general_03.png -[4]: ./media/insideview-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/insideview-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/insideview-tutorial/tutorial_general_200.png -[201]: ./media/insideview-tutorial/tutorial_general_201.png -[202]: ./media/insideview-tutorial/tutorial_general_202.png -[203]: ./media/insideview-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/insight4grc-tutorial.md b/articles/active-directory/saas-apps/insight4grc-tutorial.md index 625ac02e6a026..d0842d3a05ba0 100644 --- a/articles/active-directory/saas-apps/insight4grc-tutorial.md +++ b/articles/active-directory/saas-apps/insight4grc-tutorial.md 
@@ -192,9 +192,9 @@ When you click the Insight4GRC tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/insperityexpensable-tutorial.md b/articles/active-directory/saas-apps/insperityexpensable-tutorial.md
index 19feeb0c291df..98d5d88998551 100644
--- a/articles/active-directory/saas-apps/insperityexpensable-tutorial.md
+++ b/articles/active-directory/saas-apps/insperityexpensable-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: c579c453-580e-417d-8a5e-9b6b352795c0
 ms.service: active-directory
@@ -12,213 +13,183 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/13/2017 +ms.topic: tutorial +ms.date: 03/25/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Insperity ExpensAble In this tutorial, you learn how to integrate Insperity ExpensAble with Azure Active Directory (Azure AD). - Integrating Insperity ExpensAble with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Insperity ExpensAble -- You can enable your users to automatically get signed-on to Insperity ExpensAble (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Insperity ExpensAble. +* You can enable your users to be automatically signed-in to Insperity ExpensAble (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Insperity ExpensAble, you need the following items: -- An Azure AD subscription -- An Insperity ExpensAble single-sign on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Insperity ExpensAble single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Insperity ExpensAble from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Insperity ExpensAble supports **SP** initiated SSO ## Adding Insperity ExpensAble from the gallery + To configure the integration of Insperity ExpensAble into Azure AD, you need to add Insperity ExpensAble from the gallery to your list of managed SaaS apps. **To add Insperity ExpensAble from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. 
To add a new application, click the **New application** button on the top of the dialog. -1. In the search box, type **Insperity ExpensAble**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/insperityexpensable-tutorial/tutorial_insperityexpensable_search.png) +4. In the search box, type **Insperity ExpensAble**, select **Insperity ExpensAble** from the result panel then click the **Add** button to add the application. -1. In the results panel, select **Insperity ExpensAble**, and then click **Add** button to add the application. + ![Insperity ExpensAble in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/insperityexpensable-tutorial/tutorial_insperityexpensable_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Insperity ExpensAble based on a test user called "Britta Simon". +In this section, you configure and test Azure AD single sign-on with Insperity ExpensAble based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Insperity ExpensAble needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Insperity ExpensAble is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Insperity ExpensAble needs to be established. +To configure and test Azure AD single sign-on with Insperity ExpensAble, you need to complete the following building blocks: -In Insperity ExpensAble, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. 
**[Configure Insperity ExpensAble Single Sign-On](#configure-insperity-expensable-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Insperity ExpensAble test user](#create-insperity-expensable-test-user)** - to have a counterpart of Britta Simon in Insperity ExpensAble that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with Insperity ExpensAble, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating an Insperity ExpensAble test user](#creating-an-insperity-expensable-test-user)** - to have a counterpart of Britta Simon in Insperity ExpensAble that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with Insperity ExpensAble, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Insperity ExpensAble application. +1. 
In the [Azure portal](https://portal.azure.com/), on the **Insperity ExpensAble** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Insperity ExpensAble, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Insperity ExpensAble** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/insperityexpensable-tutorial/tutorial_insperityexpensable_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Insperity ExpensAble Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/insperityexpensable-tutorial/tutorial_insperityexpensable_url.png) +4. On the **Basic SAML Configuration** section, perform the following steps: - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://server.expensable.com/esapp/Authenticate?companyId=` + ![Insperity ExpensAble Domain and URLs single sign-on information](common/sp-signonurl.png) - > [!NOTE] - > This value is not real. Update this value with the actual Sign-On URL. Contact [Insperity ExpensAble Client support team](http://expensable.com/support/support-overview) to get this value. - -1. On the **SAML Signing Certificate** section, click **Certificate(Base64)** and then save the certificate file on your computer. 
+ In the **Sign-on URL** text box, type a URL using the following pattern: + `https://server.expensable.com/esapp/Authenticate?companyId=` - ![Configure Single Sign-On](./media/insperityexpensable-tutorial/tutorial_insperityexpensable_certificate.png) + > [!NOTE] + > The value is not real. Update the value with the actual Sign-On URL. Contact [Insperity ExpensAble Client support team](http://expensable.com/support/support-overview) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. Click **Save** button. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On](./media/insperityexpensable-tutorial/tutorial_general_400.png) + ![The Certificate download link](common/certificatebase64.png) -1. On the **Insperity ExpensAble Configuration** section, click **Configure Insperity ExpensAble** to open **Configure sign-on** window. Copy the **SAML Entity ID, and SAML Single Sign-On Service URL** from the **Quick Reference section.** +6. On the **Set up Insperity ExpensAble** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On](./media/insperityexpensable-tutorial/tutorial_insperityexpensable_configure.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. To configure single sign-on on **Insperity ExpensAble** side, you need to send the downloaded **Metadata XML**, **SAML Single Sign-On Service URL** and **SAML Entity ID** to [Insperity ExpensAble support team](http://expensable.com/support/support-overview). They set this setting to have the SAML SSO connection set properly on both sides. + a. 
Login URL -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> + b. Azure AD Identifier -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + c. Logout URL -![Create Azure AD User][100] +### Configure Insperity ExpensAble Single Sign-On -**To create a test user in Azure AD, perform the following steps:** +To configure single sign-on on **Insperity ExpensAble** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Insperity ExpensAble support team](http://expensable.com/support/support-overview). They set this setting to have the SAML SSO connection set properly on both sides. -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +### Create an Azure AD test user - ![Creating an Azure AD test user](./media/insperityexpensable-tutorial/create_aaduser_01.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/insperityexpensable-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. To open the **User** dialog, click **Add** on the top of the dialog. 
- - ![Creating an Azure AD test user](./media/insperityexpensable-tutorial/create_aaduser_03.png) + ![The "Users and groups" and "All users" links](common/users.png) -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/insperityexpensable-tutorial/create_aaduser_04.png) +2. Select **New user** at the top of the screen. - a. In the **Name** textbox, type **BrittaSimon**. + ![New user Button](common/new-user.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. +3. In the User properties, perform the following steps. - c. Select **Show Password** and write down the value of the **Password**. + ![The User dialog box](common/user-properties.png) - d. Click **Create**. - -### Creating an Insperity ExpensAble test user + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension` + For example, BrittaSimon@contoso.com -The objective of this section is to create a user called Britta Simon in Insperity ExpensAble. Please work with [Insperity ExpensAble support team](http://expensable.com/support/support-overview) to add the users in the Insperity ExpensAble account. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -### Assigning the Azure AD test user + d. Click **Create**. + +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Insperity ExpensAble. -![Assign User][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Insperity ExpensAble**. -**To assign Britta Simon to Insperity ExpensAble, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. 
In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **Insperity ExpensAble**. - ![Assign User][201] + ![The Insperity ExpensAble link in the Applications list](common/all-applications.png) -1. In the applications list, select **Insperity ExpensAble**. +3. In the menu on the left, select **Users and groups**. - ![Configure Single Sign-On](./media/insperityexpensable-tutorial/tutorial_insperityexpensable_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![Assign User][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create Insperity ExpensAble test user -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +In this section, you create a user called Britta Simon in Insperity ExpensAble. Work with [Insperity ExpensAble support team](http://expensable.com/support/support-overview) to add the users in the Insperity ExpensAble platform. Users must be created and activated before you use single sign-on. 
-In this section, you test your Azure AD single sign-on configuration using the Access Panel. +### Test single sign-on -When you click the Insperity ExpensAble tile in the Access Panel, you should get automatically signed-on to your Insperity ExpensAble application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -## Additional resources +When you click the Insperity ExpensAble tile in the Access Panel, you should be automatically signed in to the Insperity ExpensAble for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: ./media/insperityexpensable-tutorial/tutorial_general_01.png -[2]: ./media/insperityexpensable-tutorial/tutorial_general_02.png -[3]: ./media/insperityexpensable-tutorial/tutorial_general_03.png -[4]: ./media/insperityexpensable-tutorial/tutorial_general_04.png -[100]: ./media/insperityexpensable-tutorial/tutorial_general_100.png -[200]: ./media/insperityexpensable-tutorial/tutorial_general_200.png -[201]: ./media/insperityexpensable-tutorial/tutorial_general_201.png -[202]: ./media/insperityexpensable-tutorial/tutorial_general_202.png -[203]: ./media/insperityexpensable-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active 
Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/intacct-tutorial.md b/articles/active-directory/saas-apps/intacct-tutorial.md
index 49581150c27e9..b30d4a2a06cbd 100644
--- a/articles/active-directory/saas-apps/intacct-tutorial.md
+++ b/articles/active-directory/saas-apps/intacct-tutorial.md
@@ -240,9 +240,9 @@ When you click the Intacct tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/intime-tutorial.md b/articles/active-directory/saas-apps/intime-tutorial.md
index a50d15ca278d9..c72637bba7342 100644
--- a/articles/active-directory/saas-apps/intime-tutorial.md
+++ b/articles/active-directory/saas-apps/intime-tutorial.md
@@ -192,8 +192,8 @@ When you click the InTime tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/intralinks-tutorial.md b/articles/active-directory/saas-apps/intralinks-tutorial.md
index 0dffc3641d679..3a46229b6ab74 100644
--- a/articles/active-directory/saas-apps/intralinks-tutorial.md
+++ b/articles/active-directory/saas-apps/intralinks-tutorial.md
@@ -188,8 +188,8 @@ When you click the Intralinks tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/ipasssmartconnect-tutorial.md b/articles/active-directory/saas-apps/ipasssmartconnect-tutorial.md
index 671fd688cf21a..20228d84082c2 100644
--- a/articles/active-directory/saas-apps/ipasssmartconnect-tutorial.md
+++ b/articles/active-directory/saas-apps/ipasssmartconnect-tutorial.md
@@ -254,8 +254,8 @@ f. Client will get activated.
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/iqnavigatorvms-tutorial.md b/articles/active-directory/saas-apps/iqnavigatorvms-tutorial.md
index 444f6ee43d051..ed39596c1c57f 100644
--- a/articles/active-directory/saas-apps/iqnavigatorvms-tutorial.md
+++ b/articles/active-directory/saas-apps/iqnavigatorvms-tutorial.md
@@ -190,8 +190,8 @@ When you click the IQNavigator VMS tile in the Access Panel, you should be autom
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/iqualify-tutorial.md b/articles/active-directory/saas-apps/iqualify-tutorial.md
index 3e0ddbb9f026a..e321f3d78e38a 100644
--- a/articles/active-directory/saas-apps/iqualify-tutorial.md
+++ b/articles/active-directory/saas-apps/iqualify-tutorial.md
@@ -276,8 +276,8 @@ For more information about the Access Panel, see [Introduction to the Access
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/iris-intranet-tutorial.md b/articles/active-directory/saas-apps/iris-intranet-tutorial.md
index f439dd8defff3..078a87fc7745e 100644
--- a/articles/active-directory/saas-apps/iris-intranet-tutorial.md
+++ b/articles/active-directory/saas-apps/iris-intranet-tutorial.md
@@ -182,9 +182,9 @@ When you click the Iris Intranet tile in the Access Panel, you should be automat
 ## Additional resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/itrp-tutorial.md b/articles/active-directory/saas-apps/itrp-tutorial.md
index f7341ae21acb0..3234fb32406a9 100644
--- a/articles/active-directory/saas-apps/itrp-tutorial.md
+++ b/articles/active-directory/saas-apps/itrp-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: e09716a3-4200-4853-9414-2390e6c10d98
 ms.service: active-directory
@@ -12,272 +13,240 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/29/2017 +ms.topic: tutorial +ms.date: 03/25/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with ITRP In this tutorial, you learn how to integrate ITRP with Azure Active Directory (Azure AD). - Integrating ITRP with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to ITRP -- You can enable your users to automatically get signed-on to ITRP (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to ITRP. +* You can enable your users to be automatically signed-in to ITRP (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with ITRP, you need the following items: -- An Azure AD subscription -- An ITRP single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* ITRP single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding ITRP from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* ITRP supports **SP** initiated SSO ## Adding ITRP from the gallery -To configure the integration of ITRP in to Azure AD, you need to add ITRP from the gallery to your list of managed SaaS apps. + +To configure the integration of ITRP into Azure AD, you need to add ITRP from the gallery to your list of managed SaaS apps. **To add ITRP from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **ITRP**. 
+ ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/itrp-tutorial/tutorial_itrp_search.png) +4. In the search box, type **ITRP**, select **ITRP** from result panel then click **Add** button to add the application. -1. In the results panel, select **ITRP**, and then click **Add** button to add the application. + ![ITRP in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/itrp-tutorial/tutorial_itrp_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on +In this section, you configure and test Azure AD single sign-on with ITRP based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in ITRP needs to be established. -In this section, you configure and test Azure AD single sign-on with ITRP based on a test user called "Britta Simon." +To configure and test Azure AD single sign-on with ITRP, you need to complete the following building blocks: -For single sign-on to work, Azure AD needs to know what the counterpart user in ITRP is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in ITRP needs to be established. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure ITRP Single Sign-On](#configure-itrp-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create ITRP test user](#create-itrp-test-user)** - to have a counterpart of Britta Simon in ITRP that is linked to the Azure AD representation of user. +6. 
**[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -In ITRP, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +### Configure Azure AD single sign-on -To configure and test Azure AD single sign-on with ITRP, you need to complete the following building blocks: +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with ITRP, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **ITRP** application integration page, select **Single sign-on**. -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating an ITRP test user](#creating-an-itrp-test-user)** - to have a counterpart of Britta Simon in ITRP that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. + ![Configure single sign-on link](common/select-sso.png) -### Configuring Azure AD single sign-on +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your ITRP application. + ![Single sign-on select mode](common/select-saml-option.png) -**To configure Azure AD single sign-on with ITRP, perform the following steps:** +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. 
In the Azure portal, on the **ITRP** application integration page, click **Single sign-on**. + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On][4] +4. On the **Basic SAML Configuration** section, perform the following steps: -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/itrp-tutorial/tutorial_itrp_samlbase.png) + ![ITRP Domain and URLs single sign-on information](common/sp-identifier.png) -1. On the **ITRP Domain and URLs** section, perform the following steps: + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.itrp.com` - ![Configure Single Sign-On](./media/itrp-tutorial/tutorial_itrp_url.png) + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://.itrp.com` - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.itrp.com` + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [ITRP Client support team](https://www.itrp.com/support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.itrp.com` +5. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog. - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact [ITRP Client support team](https://www.itrp.com/support) to get these values. - -1. On the **SAML Signing Certificate** section, copy the **THUMBPRINT** value of certificate. + ![Edit SAML Signing Certificate](common/edit-certificate.png) - ![Configure Single Sign-On](./media/itrp-tutorial/tutorial_itrp_certificate.png) +6. 
In the **SAML Signing Certificate** section, copy the **Thumbprint** and save it on your computer. -1. Click **Save** button. + ![Copy Thumbprint value](common/copy-thumbprint.png) - ![Configure Single Sign-On](./media/itrp-tutorial/tutorial_general_400.png) +7. On the **Set up ITRP** section, copy the appropriate URL(s) as per your requirement. -1. On the **ITRP Configuration** section, click **Configure ITRP** to open **Configure sign-on** window. Copy the **SAML Single Sign-On Service URL and Sign-Out URL** from the **Quick Reference section.** + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![Configure Single Sign-On](./media/itrp-tutorial/tutorial_itrp_configure.png) + a. Login URL -1. In a different web browser window, log in to your ITRP company site as an administrator. + b. Azure AD Identifier + + c. Logout URL + +### Configure ITRP Single Sign-On + +1. In a different web browser window, sign in to your ITRP company site as an administrator. 1. In the toolbar on the top, click **Settings**. - + ![ITRP](./media/itrp-tutorial/ic775570.png "ITRP") 1. In the left navigation pane, select **Single Sign-On**. - + ![Single Sign-On](./media/itrp-tutorial/ic775571.png "Single Sign-On") 1. In the Single Sign-On configuration section, perform the following steps: - + ![Single Sign-On](./media/itrp-tutorial/ic775572.png "Single Sign-On") - - ![Single Sign-On](./media/itrp-tutorial/ic775573.png "Single Sign-On") - a. Click **Enable**. + ![Single Sign-On](./media/itrp-tutorial/ic775573.png "Single Sign-On") - b. In **Remote Log Out URL** textbox, paste the value of **Sign-Out URL**, which you have copied from Azure portal. + a. Click **Enabled**. - c. In **SAML SSO URL** textbox, paste the value of **SAML Single Sign-On Service URL**, which you have copied from Azure portal. + b. In **Remote Log Out URL** textbox, paste the value of **Logout URL**, which you have copied from Azure portal. 
- d.In **Certificate Fingerprint** textbox, paste the **Thumbprint** value of certificate, which you have copied from Azure portal. - -1. Click **Save**. + c. In **SAML SSO URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> + d.In **Certificate Fingerprint** textbox, paste the **Thumbprint** value of certificate, which you have copied from Azure portal. -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + e. Click **Save**. -![Create Azure AD User][100] +### Create an Azure AD test user -**To create a test user in Azure AD, perform the following steps:** +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Creating an Azure AD test user](./media/itrp-tutorial/create_aaduser_01.png) + ![The "Users and groups" and "All users" links](common/users.png) -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/itrp-tutorial/create_aaduser_02.png) +2. Select **New user** at the top of the screen. -1. To open the **User** dialog, click **Add** on the top of the dialog. 
- - ![Creating an Azure AD test user](./media/itrp-tutorial/create_aaduser_03.png) + ![New user Button](common/new-user.png) -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/itrp-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** textbox, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com. - c. Select **Show Password** and write down the value of the **Password**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Creating an ITRP test user -To enable Azure AD users to log in to ITRP, they must be provisioned in to ITRP. +### Assign the Azure AD test user -In the case of ITRP, provisioning is a manual task. +In this section, you enable Britta Simon to use Azure single sign-on by granting access to ITRP. -**To provision a user account, perform the following steps:** +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **ITRP**. -1. Log in to your **ITRP** tenant. + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the toolbar on the top, click **Records**. - - ![Admin](./media/itrp-tutorial/ic775575.png "Admin") +2. In the applications list, select **ITRP**. -1. From the popup menu, select **People**. - - ![People](./media/itrp-tutorial/ic775587.png "People") + ![The ITRP link in the Applications list](common/all-applications.png) -1. Click **Add New Person** (“+”). - - ![Admin](./media/itrp-tutorial/ic775576.png "Admin") +3. In the menu on the left, select **Users and groups**. -1. 
On the Add New Person dialog, perform the following steps: - - ![User](./media/itrp-tutorial/ic775577.png "User") - - a. Type the **Name**, **Email** of a valid AAD account you want to provision. + ![The "Users and groups" link](common/users-groups-blade.png) - b. Click **Save**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. ->[!NOTE] ->You can use any other ITRP user account creation tools or APIs provided by ITRP to provision AAD user accounts. -> + ![The Add Assignment pane](common/add-assign-user.png) -### Assigning the Azure AD test user +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -In this section, you enable Britta Simon to use Azure single sign-on by granting access to ITRP. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -![Assign User][200] +7. In the **Add Assignment** dialog click the **Assign** button. -**To assign Britta Simon to ITRP, perform the following steps:** +### Create ITRP test user -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +To enable Azure AD users to sign in to ITRP, they must be provisioned in to ITRP. In the case of ITRP, provisioning is a manual task. + +**To provision a user account, perform the following steps:** - ![Assign User][201] +1. Sign in to your **ITRP** tenant. -1. In the applications list, select **ITRP**. +1. In the toolbar on the top, click **Records**. - ![Configure Single Sign-On](./media/itrp-tutorial/tutorial_itrp_app.png) + ![Admin](./media/itrp-tutorial/ic775575.png "Admin") -1. In the menu on the left, click **Users and groups**. +1. From the popup menu, select **People**. 
- ![Assign User][202] + ![People](./media/itrp-tutorial/ic775587.png "People") -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +1. Click **Add New Person** (“+”). - ![Assign User][203] + ![Admin](./media/itrp-tutorial/ic775576.png "Admin") -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +1. On the Add New Person dialog, perform the following steps: -1. Click **Select** button on **Users and groups** dialog. + ![User](./media/itrp-tutorial/ic775577.png "User") -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on + a. Type the **Name**, **Email** of a valid AAD account you want to provision. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. + b. Click **Save**. -When you click the ITRP tile in the Access Panel, you should get automatically signed-on to your ITRP application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +> [!NOTE] +> You can use any other ITRP user account creation tools or APIs provided by ITRP to provision AAD user accounts. -## Additional resources +### Test single sign-on -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +In this section, you test your Azure AD single sign-on configuration using the Access Panel. - +When you click the ITRP tile in the Access Panel, you should be automatically signed in to the ITRP for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-[1]: ./media/itrp-tutorial/tutorial_general_01.png -[2]: ./media/itrp-tutorial/tutorial_general_02.png -[3]: ./media/itrp-tutorial/tutorial_general_03.png -[4]: ./media/itrp-tutorial/tutorial_general_04.png +## Additional Resources -[100]: ./media/itrp-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/itrp-tutorial/tutorial_general_200.png -[201]: ./media/itrp-tutorial/tutorial_general_201.png -[202]: ./media/itrp-tutorial/tutorial_general_202.png -[203]: ./media/itrp-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/ivanti-service-manager-tutorial.md b/articles/active-directory/saas-apps/ivanti-service-manager-tutorial.md index 4070d16e4b45d..2596fc104259c 100644 --- a/articles/active-directory/saas-apps/ivanti-service-manager-tutorial.md +++ b/articles/active-directory/saas-apps/ivanti-service-manager-tutorial.md 
@@ -207,9 +207,9 @@ When you click the Ivanti Service Manager (ISM) tile in the Access Panel, you sh
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/jira52microsoft-tutorial.md b/articles/active-directory/saas-apps/jira52microsoft-tutorial.md
index 48c67e39f92b6..262fe22e9ebf8 100644
--- a/articles/active-directory/saas-apps/jira52microsoft-tutorial.md
+++ b/articles/active-directory/saas-apps/jira52microsoft-tutorial.md
@@ -9,11 +9,12 @@ ms.reviewer: barbkess
 ms.assetid: d0c00408-f9b8-4a79-bccc-c346a7331845
 ms.service: active-directory
+ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: tutorial
-ms.date: 01/16/2019
+ms.date: 04/10/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -32,7 +33,7 @@ If you don't have an Azure subscription, [create a free account](https://azure.m
 ## Description
-Use your Microsoft Azure Active Directory account with Atlassian JIRA server to enable single sign-on. This way all your organization users can use the Azure AD credentials to login into the JIRA application. This plugin uses SAML 2.0 for federation.
+Use your Microsoft Azure Active Directory account with Atlassian JIRA server to enable single sign-on. This way all your organization users can use the Azure AD credentials to signin into the JIRA application. This plugin uses SAML 2.0 for federation.
 ## Prerequisites
@@ -60,6 +61,9 @@ To test the steps in this tutorial, you should follow these recommendations:
 * JIRA Core and Software: 5.2
 * JIRA also supports 6.0 to 7.12. For more details, click [JIRA SAML SSO by Microsoft](jiramicrosoft-tutorial.md)
+> [!NOTE]
+> Please note that JIRA also supports Linux Ubuntu version 16.04
+
 ## Scenario description
 In this tutorial, you configure and test Azure AD single sign-on in a test environment.
@@ -86,7 +90,7 @@ To configure the integration of JIRA SAML SSO by Microsoft (V5.2) into Azure AD,
 4. In the search box, type **JIRA SAML SSO by Microsoft (V5.2)**, select **JIRA SAML SSO by Microsoft (V5.2)** from result panel then click **Add** button to add the application.
- ![JIRA SAML SSO by Microsoft (V5.2) in the results list](common/search-new-app.png)
+ ![JIRA SAML SSO by Microsoft (V5.2) in the results list](common/search-new-app.png)
 ## Configure and test Azure AD single sign-on
@@ -142,7 +146,7 @@ To configure Azure AD single sign-on with JIRA SAML SSO by Microsoft (V5.2), per
 ### Configure JIRA SAML SSO by Microsoft (V5.2) Single Sign-On
-1. In a different web browser window, log in to your JIRA instance as an administrator.
+1. In a different web browser window, sign in to your JIRA instance as an administrator.
 2. Hover on cog and click the **Add-ons**.
@@ -173,18 +177,18 @@ To configure Azure AD single sign-on with JIRA SAML SSO by Microsoft (V5.2), per
 c. In **Login Button Name** type the name of button your organization wants the users to see on login screen.
- d. In **SAML User ID Locations** select either **User ID is in the NameIdentifier element of the Subject statement** or **User ID is in an Attribute element**. This ID has to be the JIRA user id. If the user id is not matched, then system will not allow users to log in.
+ d. In **SAML User ID Locations** select either **User ID is in the NameIdentifier element of the Subject statement** or **User ID is in an Attribute element**. This ID has to be the JIRA user ID. If the user ID is not matched, then system will not allow users to sign in.
 > [!Note]
 > Default SAML User ID location is Name Identifier. You can change this to an attribute option and enter the appropriate attribute name.
- e. If you select **User ID is in an Attribute element** option, then in **Attribute name** textbox type the name of the attribute where User Id is expected.
+ e. If you select **User ID is in an Attribute element** option, then in **Attribute name** textbox type the name of the attribute where User ID is expected.
 f. If you are using the federated domain (like ADFS etc.) with Azure AD, then click on the **Enable Home Realm Discovery** option and configure the **Domain Name**.
 g. In **Domain Name** type the domain name here in case of the ADFS-based login.
- h. Check **Enable Single Sign out** if you wish to log out from Azure AD when a user logs out from JIRA.
+ h. Check **Enable Single Sign out** if you wish to sign out from Azure AD when a user signs out from JIRA.
 i. Click **Save** button to save the settings.
@@ -209,8 +213,7 @@ The objective of this section is to create a test user in the Azure portal calle
 a. In the **Name** field enter **BrittaSimon**.
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
+ b. In the **User name** field type `brittasimon\@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com.
 c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
@@ -244,11 +247,11 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting
 ### Create JIRA SAML SSO by Microsoft (V5.2) test user
-To enable Azure AD users to log in to JIRA on-premises server, they must be provisioned into JIRA on-premises server.
+To enable Azure AD users to sign in to JIRA on-premises server, they must be provisioned into JIRA on-premises server.
 **To provision a user account, perform the following steps:**
-1. Log in to your JIRA on-premises server as an administrator.
+1. Sign in to your JIRA on-premises server as an administrator.
 2. Hover on cog and click the **User management**.
diff --git a/articles/active-directory/saas-apps/jiramicrosoft-tutorial.md b/articles/active-directory/saas-apps/jiramicrosoft-tutorial.md
index a7c9adced7e86..c5822817d0368 100644
--- a/articles/active-directory/saas-apps/jiramicrosoft-tutorial.md
+++ b/articles/active-directory/saas-apps/jiramicrosoft-tutorial.md
@@ -9,11 +9,12 @@ ms.reviewer: barbkess
 ms.assetid: 4b663047-7f88-443b-97bd-54224b232815
 ms.service: active-directory
+ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: tutorial
-ms.date: 12/19/2018
+ms.date: 04/10/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -32,7 +33,7 @@ If you don't have an Azure subscription, [create a free account](https://azure.m
 ## Description
-Use your Microsoft Azure Active Directory account with Atlassian JIRA server to enable single sign-on. This way all your organization users can use the Azure AD credentials to login into the JIRA application. This plugin uses SAML 2.0 for federation.
+Use your Microsoft Azure Active Directory account with Atlassian JIRA server to enable single sign-on. This way all your organization users can use the Azure AD credentials to signin into the JIRA application. This plugin uses SAML 2.0 for federation.
 ## Prerequisites
@@ -61,6 +62,9 @@ To test the steps in this tutorial, you should follow these recommendations:
 * JIRA Service Desk 3.0.0 to 3.5.0
 * JIRA also supports 5.2. For more details, click [Microsoft Azure Active Directory single sign-on for JIRA 5.2](jira52microsoft-tutorial.md)
+> [!NOTE]
+> Please note that JIRA also supports Linux Ubuntu version 16.04
+
 ## Scenario description
 In this tutorial, you configure and test Azure AD single sign-on in a test environment.
@@ -143,7 +147,7 @@ To configure Azure AD single sign-on with JIRA SAML SSO by Microsoft, perform th
 ### Configure JIRA SAML SSO by Microsoft Single Sign-On
-1. In a different web browser window, log in to your JIRA instance as an administrator.
+1. In a different web browser window, sign in to your JIRA instance as an administrator.
 2. Hover on cog and click the **Add-ons**.
@@ -185,18 +189,18 @@ To configure Azure AD single sign-on with JIRA SAML SSO by Microsoft, perform th
 c. In **Login Button Name** type the name of button your organization wants the users to see on login screen.
- d. In **SAML User ID Locations** select either **User ID is in the NameIdentifier element of the Subject statement** or **User ID is in an Attribute element**. This ID has to be the JIRA user id. If the user id is not matched, then system will not allow users to log in.
+ d. In **SAML User ID Locations** select either **User ID is in the NameIdentifier element of the Subject statement** or **User ID is in an Attribute element**. This ID has to be the JIRA user ID. If the user ID is not matched, then system will not allow users to sign in.
 > [!Note]
 > Default SAML User ID location is Name Identifier. You can change this to an attribute option and enter the appropriate attribute name.
- e. If you select **User ID is in an Attribute element** option, then in **Attribute name** textbox type the name of the attribute where User Id is expected.
+ e. If you select **User ID is in an Attribute element** option, then in **Attribute name** textbox type the name of the attribute where User ID is expected.
 f. If you are using the federated domain (like ADFS etc.) with Azure AD, then click on the **Enable Home Realm Discovery** option and configure the **Domain Name**.
 g. In **Domain Name** type the domain name here in case of the ADFS-based login.
- h. Check **Enable Single Sign out** if you wish to log out from Azure AD when a user logs out from JIRA.
+ h. Check **Enable Single Sign out** if you wish to sign out from Azure AD when a user sign out from JIRA.
 i. Click **Save** button to save the settings.
@@ -221,8 +225,7 @@ The objective of this section is to create a test user in the Azure portal calle
 a. In the **Name** field enter **BrittaSimon**.
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
+ b. In the **User name** field type `brittasimon\@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com.
 c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
@@ -256,11 +259,11 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting
 ### Create JIRA SAML SSO by Microsoft test user
-To enable Azure AD users to log in to JIRA on-premises server, they must be provisioned into JIRA SAML SSO by Microsoft. For JIRA SAML SSO by Microsoft, provisioning is a manual task.
+To enable Azure AD users to sign in to JIRA on-premises server, they must be provisioned into JIRA SAML SSO by Microsoft. For JIRA SAML SSO by Microsoft, provisioning is a manual task.
 **To provision a user account, perform the following steps:**
-1. Log in to your JIRA on-premises server as an administrator.
+1. Sign in to your JIRA on-premises server as an administrator.
 2. Hover on cog and click the **User management**.
diff --git a/articles/active-directory/saas-apps/jitbit-helpdesk-tutorial.md b/articles/active-directory/saas-apps/jitbit-helpdesk-tutorial.md
index 901bdc10b35bd..6ae9066deff9e 100644
--- a/articles/active-directory/saas-apps/jitbit-helpdesk-tutorial.md
+++ b/articles/active-directory/saas-apps/jitbit-helpdesk-tutorial.md
@@ -248,8 +248,8 @@ When you click the Jitbit Helpdesk tile in the Access Panel, you should be autom
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/jive-tutorial.md b/articles/active-directory/saas-apps/jive-tutorial.md
index f565158ef2878..d54becd127597 100644
--- a/articles/active-directory/saas-apps/jive-tutorial.md
+++ b/articles/active-directory/saas-apps/jive-tutorial.md
@@ -220,9 +220,9 @@ When you click the Jive tile in the Access Panel, you should be automatically si
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/jobbadmin-tutorial.md b/articles/active-directory/saas-apps/jobbadmin-tutorial.md
index 7195297f0460a..f57a8cb311059 100644
--- a/articles/active-directory/saas-apps/jobbadmin-tutorial.md
+++ b/articles/active-directory/saas-apps/jobbadmin-tutorial.md
@@ -193,8 +193,8 @@ When you click the Jobbadmin tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/jobscore-tutorial.md b/articles/active-directory/saas-apps/jobscore-tutorial.md
index c2d123a7c46c1..2f74fc609b3c3 100644
--- a/articles/active-directory/saas-apps/jobscore-tutorial.md
+++ b/articles/active-directory/saas-apps/jobscore-tutorial.md
@@ -188,8 +188,8 @@ When you click the JobScore tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/joinme-tutorial.md b/articles/active-directory/saas-apps/joinme-tutorial.md
index e55e31e28a7a5..0ff6fe7ed4621 100644
--- a/articles/active-directory/saas-apps/joinme-tutorial.md
+++ b/articles/active-directory/saas-apps/joinme-tutorial.md
@@ -172,9 +172,9 @@ When you click the join.me tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/jostle-tutorial.md b/articles/active-directory/saas-apps/jostle-tutorial.md
index 22e8dc8bb5ec5..428f7fd51f16a 100644
--- a/articles/active-directory/saas-apps/jostle-tutorial.md
+++ b/articles/active-directory/saas-apps/jostle-tutorial.md
@@ -194,8 +194,8 @@ When you click the Jostle tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/kenexasurvey-tutorial.md b/articles/active-directory/saas-apps/kenexasurvey-tutorial.md
index e3af6ac9764b0..d8189f01d376b 100644
--- a/articles/active-directory/saas-apps/kenexasurvey-tutorial.md
+++ b/articles/active-directory/saas-apps/kenexasurvey-tutorial.md
@@ -199,9 +199,9 @@ When you click the IBM Kenexa Survey Enterprise tile in the Access Panel, you sh
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/kindling-tutorial.md b/articles/active-directory/saas-apps/kindling-tutorial.md
index cbca368451cf7..8a457ac5f9434 100644
--- a/articles/active-directory/saas-apps/kindling-tutorial.md
+++ b/articles/active-directory/saas-apps/kindling-tutorial.md
@@ -192,8 +192,8 @@ When you click the Kindling tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/kintone-tutorial.md b/articles/active-directory/saas-apps/kintone-tutorial.md
index da7353ed8a6c5..45e474e9735ff 100644
--- a/articles/active-directory/saas-apps/kintone-tutorial.md
+++ b/articles/active-directory/saas-apps/kintone-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: c2b947dc-e1a8-4f5f-b40e-2c5180648e4f
 ms.service: active-directory
@@ -12,283 +13,249 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/20/2017 +ms.topic: tutorial +ms.date: 03/26/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Kintone In this tutorial, you learn how to integrate Kintone with Azure Active Directory (Azure AD). - Integrating Kintone with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Kintone -- You can enable your users to automatically get signed-on to Kintone (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Kintone. +* You can enable your users to be automatically signed-in to Kintone (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Kintone, you need the following items: -- An Azure AD subscription -- A Kintone single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Kintone single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Kintone from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Kintone supports **SP** initiated SSO ## Adding Kintone from the gallery + To configure the integration of Kintone into Azure AD, you need to add Kintone from the gallery to your list of managed SaaS apps. **To add Kintone from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) + +3. To add new application, click **New application** button on the top of dialog. - ![Applications][3] + ![The New application button](common/add-new-app.png) -1. In the search box, type **Kintone**. +4. In the search box, type **Kintone**, select **Kintone** from result panel then click **Add** button to add the application. 
- ![Creating an Azure AD test user](./media/kintone-tutorial/tutorial_kintone_search.png) + ![Kintone in the results list](common/search-new-app.png) -1. In the results panel, select **Kintone**, and then click **Add** button to add the application. +## Configure and test Azure AD single sign-on - ![Creating an Azure AD test user](./media/kintone-tutorial/tutorial_kintone_addfromgallery.png) +In this section, you configure and test Azure AD single sign-on with Kintone based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Kintone needs to be established. -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Kintone based on a test user called "Britta Simon". +To configure and test Azure AD single sign-on with Kintone, you need to complete the following building blocks: -For single sign-on to work, Azure AD needs to know what the counterpart user in Kintone is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Kintone needs to be established. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Kintone Single Sign-On](#configure-kintone-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Kintone test user](#create-kintone-test-user)** - to have a counterpart of Britta Simon in Kintone that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. 
-In Kintone, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +### Configure Azure AD single sign-on -To configure and test Azure AD single sign-on with Kintone, you need to complete the following building blocks: +In this section, you enable Azure AD single sign-on in the Azure portal. -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a Kintone test user](#creating-a-kintone-test-user)** - to have a counterpart of Britta Simon in Kintone that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +To configure Azure AD single sign-on with Kintone, perform the following steps: -### Configuring Azure AD single sign-on +1. In the [Azure portal](https://portal.azure.com/), on the **Kintone** application integration page, select **Single sign-on**. -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Kintone application. + ![Configure single sign-on link](common/select-sso.png) -**To configure Azure AD single sign-on with Kintone, perform the following steps:** +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. In the Azure portal, on the **Kintone** application integration page, click **Single sign-on**. + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On][4] +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. 
On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/kintone-tutorial/tutorial_kintone_samlbase.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. On the **Kintone Domain and URLs** section, perform the following steps: +4. On the **Basic SAML Configuration** section, perform the following steps: - ![Configure Single Sign-On](./media/kintone-tutorial/tutorial_kintone_url.png) + ![Kintone Domain and URLs single sign-on information](common/sp-identifier.png) - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.kintone.com` + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.kintone.com` - b. In the **Identifier** textbox, type a URL using the following pattern: + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: | | |--| - | `https://.cybozu.com`| - | `https://.kintone.com`| + | `https://.cybozu.com` | + | `https://.kintone.com` | + + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Kintone Client support team](https://www.kintone.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/certificatebase64.png) - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact [Kintone Client support team](https://www.kintone.com/contact/) to get these values. - -1. 
On the **SAML Signing Certificate** section, click **Certificate (Base64)** and then save the certificate file on your computer. +6. On the **Set up Kintone** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On](./media/kintone-tutorial/tutorial_kintone_certificate.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. Click **Save** button. + a. Login URL - ![Configure Single Sign-On](./media/kintone-tutorial/tutorial_general_400.png) + b. Azure AD Identifier -1. On the **Kintone Configuration** section, click **Configure Kintone** to open **Configure sign-on** window. Copy the **Sign-Out URL, and SAML Single Sign-On Service URL** from the **Quick Reference section.** + c. Logout URL - ![Configure Single Sign-On](./media/kintone-tutorial/tutorial_kintone_configure.png) +### Configure Kintone Single Sign-On -1. In a different web browser window, log into your **Kintone** company site as an administrator. +1. In a different web browser window, sign into your **Kintone** company site as an administrator. + +1. Click **Settings icon**. -1. Click **Settings**. - ![Settings](./media/kintone-tutorial/ic785879.png "Settings") 1. Click **Users & System Administration**. - + ![Users & System Administration](./media/kintone-tutorial/ic785880.png "Users & System Administration") 1. Under **System Administration \> Security** click **Login**. - + ![Login](./media/kintone-tutorial/ic785881.png "Login") 1. Click **Enable SAML authentication**. - + ![SAML Authentication](./media/kintone-tutorial/ic785882.png "SAML Authentication") 1. In the SAML Authentication section, perform the following steps: - + ![SAML Authentication](./media/kintone-tutorial/ic785883.png "SAML Authentication") - - a. In the **Login URL** textbox, paste the value of **SAML Single Sign-On Service URL** which you have copied from Azure portal. - - b. 
In the **Logout URL** textbox, paste the value of **Sign-Out URL** which you have copied from Azure portal. - - c. Click **Browse** to upload your downloaded certificate. - + + a. In the **Login URL** textbox, paste the value of **Login URL** which you have copied from Azure portal. + + b. In the **Logout URL** textbox, paste the value of **Logout URL** which you have copied from Azure portal. + + c. Click **Browse** to upload your downloaded certificate file from Azure portal. + d. Click **Save**. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> +### Create an Azure AD test user -### Creating an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. -![Create Azure AD User][100] +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -**To create a test user in Azure AD, perform the following steps:** + ![The "Users and groups" and "All users" links](common/users.png) -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +2. Select **New user** at the top of the screen. - ![Creating an Azure AD test user](./media/kintone-tutorial/create_aaduser_01.png) + ![New user Button](common/new-user.png) -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/kintone-tutorial/create_aaduser_02.png) +3. In the User properties, perform the following steps. -1. 
To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/kintone-tutorial/create_aaduser_03.png) + ![The User dialog box](common/user-properties.png) -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/kintone-tutorial/create_aaduser_04.png) + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension` + For example, BrittaSimon@contoso.com - a. In the **Name** textbox, type **BrittaSimon**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. - b. In the **User name** textbox, type the **email address** of BrittaSimon. + d. Click **Create**. - c. Select **Show Password** and write down the value of the **Password**. +### Assign the Azure AD test user - d. Click **Create**. - -### Creating a Kintone test user +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Kintone. -To enable Azure AD users to log in to Kintone, they must be provisioned into Kintone. -In the case of Kintone, provisioning is a manual task. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Kintone**. -### To provision a user account, perform the following steps: + ![Enterprise applications blade](common/enterprise-applications.png) -1. Log in to your **Kintone** company site as an administrator. +2. In the applications list, select **Kintone**. -1. Click **Setting**. - - ![Settings](./media/kintone-tutorial/ic785879.png "Settings") + ![The Kintone link in the Applications list](common/all-applications.png) -1. Click **Users & System Administration**. - - ![User & System Administration](./media/kintone-tutorial/ic785880.png "User & System Administration") +3. In the menu on the left, select **Users and groups**. -1. 
Under **User Administration**, click **Departments & Users**. - - ![Department & Users](./media/kintone-tutorial/ic785888.png "Department & Users") + ![The "Users and groups" link](common/users-groups-blade.png) -1. Click **New User**. - - ![New Users](./media/kintone-tutorial/ic785889.png "New Users") +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. In the **New User** section, perform the following steps: - - ![New Users](./media/kintone-tutorial/ic785890.png "New Users") - - a. Type a **Display Name**, **Login Name**, **New Password**, **Confirm Password**, **E-mail Address**, and other details of a valid AAD account you want to provision into the related textboxes. - - b. Click **Save**. + ![The Add Assignment pane](common/add-assign-user.png) -> [!NOTE] -> You can use any other Kintone user account creation tools or APIs provided by Kintone to provision AAD user accounts. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -### Assigning the Azure AD test user +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Kintone. +7. In the **Add Assignment** dialog click the **Assign** button. -![Assign User][200] +### Create Kintone test user -**To assign Britta Simon to Kintone, perform the following steps:** +To enable Azure AD users to sign in to Kintone, they must be provisioned into Kintone. In the case of Kintone, provisioning is a manual task. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. 
+### To provision a user account, perform the following steps: - ![Assign User][201] +1. Sign in to your **Kintone** company site as an administrator. -1. In the applications list, select **Kintone**. +1. Click **Settings icon**. - ![Configure Single Sign-On](./media/kintone-tutorial/tutorial_kintone_app.png) + ![Settings](./media/kintone-tutorial/ic785879.png "Settings") -1. In the menu on the left, click **Users and groups**. +1. Click **Users & System Administration**. - ![Assign User][202] + ![User & System Administration](./media/kintone-tutorial/ic785880.png "User & System Administration") -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +1. Under **User Administration**, click **Departments & Users**. - ![Assign User][203] + ![Department & Users](./media/kintone-tutorial/ic785888.png "Department & Users") -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +1. Click **New User**. -1. Click **Select** button on **Users and groups** dialog. + ![New Users](./media/kintone-tutorial/ic785889.png "New Users") -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +1. In the **New User** section, perform the following steps: -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. + ![New Users](./media/kintone-tutorial/ic785890.png "New Users") -When you click the Kintone tile in the Access Panel, you should get automatically signed-on to your Kintone application. + a. Type a **Display Name**, **Login Name**, **New Password**, **Confirm Password**, **E-mail Address**, and other details of a valid Azure AD account you want to provision into the related textboxes. -## Additional resources + b. Click **Save**. 
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +> [!NOTE] +> You can use any other Kintone user account creation tools or APIs provided by Kintone to provision AAD user accounts. +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. - +When you click the Kintone tile in the Access Panel, you should be automatically signed in to the Kintone for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -[1]: ./media/kintone-tutorial/tutorial_general_01.png -[2]: ./media/kintone-tutorial/tutorial_general_02.png -[3]: ./media/kintone-tutorial/tutorial_general_03.png -[4]: ./media/kintone-tutorial/tutorial_general_04.png +## Additional Resources -[100]: ./media/kintone-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/kintone-tutorial/tutorial_general_200.png -[201]: ./media/kintone-tutorial/tutorial_general_201.png -[202]: ./media/kintone-tutorial/tutorial_general_202.png -[203]: ./media/kintone-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/klue-tutorial.md b/articles/active-directory/saas-apps/klue-tutorial.md index 81d589909cc42..b9db2bd6f7e9e 100644 
--- a/articles/active-directory/saas-apps/klue-tutorial.md
+++ b/articles/active-directory/saas-apps/klue-tutorial.md
@@ -229,9 +229,9 @@ When you click the Klue tile in the Access Panel, you should be automatically si
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/lcvista-tutorial.md b/articles/active-directory/saas-apps/lcvista-tutorial.md
index 81457ac1541d6..e5022d810d47c 100644
--- a/articles/active-directory/saas-apps/lcvista-tutorial.md
+++ b/articles/active-directory/saas-apps/lcvista-tutorial.md
@@ -211,8 +211,8 @@ When you click the LCVista tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/lean-tutorial.md b/articles/active-directory/saas-apps/lean-tutorial.md
index 5a2091e32afc7..7331c68178e44 100644
--- a/articles/active-directory/saas-apps/lean-tutorial.md
+++ b/articles/active-directory/saas-apps/lean-tutorial.md
@@ -192,9 +192,9 @@ When you click the Lean tile in the Access Panel, you should be automatically si
 ## Additional resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/learning-at-work-tutorial.md b/articles/active-directory/saas-apps/learning-at-work-tutorial.md
index e49fa5af65492..91db19c66274d 100644
--- a/articles/active-directory/saas-apps/learning-at-work-tutorial.md
+++ b/articles/active-directory/saas-apps/learning-at-work-tutorial.md
@@ -191,8 +191,8 @@ When you click the Learning at Work tile in the Access Panel, you should be auto
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/learningpool-tutorial.md b/articles/active-directory/saas-apps/learningpool-tutorial.md
index bb4b7464efb74..45436c8e576e2 100644
--- a/articles/active-directory/saas-apps/learningpool-tutorial.md
+++ b/articles/active-directory/saas-apps/learningpool-tutorial.md
@@ -234,9 +234,9 @@ When you click the Learningpool Act tile in the Access Panel, you should be auto
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/learningseatlms-tutorial.md b/articles/active-directory/saas-apps/learningseatlms-tutorial.md
index 5df8ccd76dcc3..4837e9502df5f 100644
--- a/articles/active-directory/saas-apps/learningseatlms-tutorial.md
+++ b/articles/active-directory/saas-apps/learningseatlms-tutorial.md
@@ -198,8 +198,8 @@ When you click the Learning Seat LMS tile in the Access Panel, you should be aut
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/lecorpio-tutorial.md b/articles/active-directory/saas-apps/lecorpio-tutorial.md
index a47f4960183d4..934dcb179da03 100644
--- a/articles/active-directory/saas-apps/lecorpio-tutorial.md
+++ b/articles/active-directory/saas-apps/lecorpio-tutorial.md
@@ -191,8 +191,8 @@ When you click the Lecorpio tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/lessonly-tutorial.md b/articles/active-directory/saas-apps/lessonly-tutorial.md
index bbf13d2412d20..caa58abcfd4d2 100644
--- a/articles/active-directory/saas-apps/lessonly-tutorial.md
+++ b/articles/active-directory/saas-apps/lessonly-tutorial.md
@@ -231,9 +231,9 @@ When you click the Lessonly.com tile in the Access Panel, you should be automati
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/linkedinelevate-provisioning-tutorial.md b/articles/active-directory/saas-apps/linkedinelevate-provisioning-tutorial.md
index d3e03305e4a81..9ed09034541cd 100644
--- a/articles/active-directory/saas-apps/linkedinelevate-provisioning-tutorial.md
+++ b/articles/active-directory/saas-apps/linkedinelevate-provisioning-tutorial.md
@@ -14,30 +14,29 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/28/2018 +ms.date: 03/28/2019 ms.author: asmalser-msft ms.collection: M365-identity-device-management --- # Tutorial: Configure LinkedIn Elevate for automatic user provisioning - -The objective of this tutorial is to show you the steps you need to perform in LinkedIn Elevate and Azure AD to automatically provision and de-provision user accounts from Azure AD to LinkedIn Elevate. +The objective of this tutorial is to show you the steps you need to perform in LinkedIn Elevate and Azure AD to automatically provision and de-provision user accounts from Azure AD to LinkedIn Elevate. ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following items: -* An Azure Active Directory tenant -* A LinkedIn Elevate tenant -* An administrator account in LinkedIn Elevate with access to the LinkedIn Account Center +* An Azure Active Directory tenant +* A LinkedIn Elevate tenant +* An administrator account in LinkedIn Elevate with access to the LinkedIn Account Center > [!NOTE] > Azure Active Directory integrates with LinkedIn Elevate using the [SCIM](http://www.simplecloud.info/) protocol. ## Assigning users to LinkedIn Elevate -Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD will be synchronized. +Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD will be synchronized. 
Before configuring and enabling the provisioning service, you will need to decide what users and/or groups in Azure AD represent the users who need access to LinkedIn Elevate. Once decided, you can assign these users to LinkedIn Elevate by following the instructions here: @@ -45,10 +44,9 @@ Before configuring and enabling the provisioning service, you will need to decid ### Important tips for assigning users to LinkedIn Elevate -* It is recommended that a single Azure AD user be assigned to LinkedIn Elevate to test the provisioning configuration. Additional users and/or groups may be assigned later. - -* When assigning a user to LinkedIn Elevate, you must select the **User** role in the assignment dialog. The "Default Access" role does not work for provisioning. +* It is recommended that a single Azure AD user be assigned to LinkedIn Elevate to test the provisioning configuration. Additional users and/or groups may be assigned later. +* When assigning a user to LinkedIn Elevate, you must select the **User** role in the assignment dialog. The "Default Access" role does not work for provisioning. ## Configuring user provisioning to LinkedIn Elevate 
@@ -56,79 +54,73 @@ This section guides you through connecting your Azure AD to LinkedIn Elevate's S **Tip:** You may also choose to enabled SAML-based Single Sign-On for LinkedIn Elevate, following the instructions provided in [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features complement each other. - ### To configure automatic user account provisioning to LinkedIn Elevate in Azure AD: - The first step is to retrieve your LinkedIn access token. If you are an Enterprise administrator, you can self-provision an access token. In your account center, go to **Settings > Global Settings** and open the **SCIM Setup** panel. > [!NOTE] > If you are accessing the account center directly rather than through a link, you can reach it using the following steps. -1) Sign in to Account Center. +1. Sign in to Account Center. -2) Select **Admin > Admin Settings** . +2. Select **Admin > Admin Settings** . -3) Click **Advanced Integrations** on the left sidebar. You are - directed to the account center. +3. Click **Advanced Integrations** on the left sidebar. You are directed to the account center. -4) Click **+ Add new SCIM configuration** and follow the procedure by - filling in each field. +4. Click **+ Add new SCIM configuration** and follow the procedure by filling in each field. -> When auto­assign licenses is not enabled, it means that only user -> data is synced. + > [!NOTE] + > When auto­assign licenses is not enabled, it means that only user data is synced. -![LinkedIn Elevate Provisioning](./media/linkedinelevate-provisioning-tutorial/linkedin_elevate1.PNG) + ![LinkedIn Elevate Provisioning](./media/linkedinelevate-provisioning-tutorial/linkedin_elevate1.PNG) -> When auto­license assignment is enabled, you need to note the -> application instance and license type. Licenses are assigned on a -> first come, first serve basis until all the licenses are taken. 
+ > [!NOTE] + > When auto­license assignment is enabled, you need to note the application instance and license type. Licenses are assigned on a first come, first serve basis until all the licenses are taken. -![LinkedIn Elevate Provisioning](./media/linkedinelevate-provisioning-tutorial/linkedin_elevate2.PNG) + ![LinkedIn Elevate Provisioning](./media/linkedinelevate-provisioning-tutorial/linkedin_elevate2.PNG) -5) Click **Generate token**. You should see your access token display +5. Click **Generate token**. You should see your access token display under the **Access token** field. -6) Save your access token to your clipboard or computer before leaving +6. Save your access token to your clipboard or computer before leaving the page. -7) Next, sign in to the [Azure portal](https://portal.azure.com), and browse to the **Azure Active Directory > Enterprise Apps > All applications** section. +7. Next, sign in to the [Azure portal](https://portal.azure.com), and browse to the **Azure Active Directory > Enterprise Apps > All applications** section. -8) If you have already configured LinkedIn Elevate for single sign-on, search for your instance of LinkedIn Elevate using the search field. Otherwise, select **Add** and search for **LinkedIn Elevate** in the application gallery. Select LinkedIn Elevate from the search results, and add it to your list of applications. +8. If you have already configured LinkedIn Elevate for single sign-on, search for your instance of LinkedIn Elevate using the search field. Otherwise, select **Add** and search for **LinkedIn Elevate** in the application gallery. Select LinkedIn Elevate from the search results, and add it to your list of applications. -9) Select your instance of LinkedIn Elevate, then select the **Provisioning** tab. +9. Select your instance of LinkedIn Elevate, then select the **Provisioning** tab. -10) Set the **Provisioning Mode** to **Automatic**. +10. Set the **Provisioning Mode** to **Automatic**. 
-![LinkedIn Elevate Provisioning](./media/linkedinelevate-provisioning-tutorial/linkedin_elevate3.PNG) + ![LinkedIn Elevate Provisioning](./media/linkedinelevate-provisioning-tutorial/linkedin_elevate3.PNG) -11) Fill in the following fields under **Admin Credentials** : +11. Fill in the following fields under **Admin Credentials** : -* In the **Tenant URL** field, enter https://api.linkedin.com. + * In the **Tenant URL** field, enter `https://api.linkedin.com`. -* In the **Secret Token** field, enter the access token you generated in step 1 and click **Test Connection** . + * In the **Secret Token** field, enter the access token you generated in step 1 and click **Test Connection** . -* You should see a success notification on the upper­right side of + * You should see a success notification on the upper­right side of your portal. -12) Enter the email address of a person or group who should receive provisioning error notifications in the **Notification Email** field, and check the checkbox below. +12. Enter the email address of a person or group who should receive provisioning error notifications in the **Notification Email** field, and check the checkbox below. -13) Click **Save**. +13. Click **Save**. -14) In the **Attribute Mappings** section, review the user and group attributes that will be synchronized from Azure AD to LinkedIn Elevate. Note that the attributes selected as **Matching** properties will be used to match the user accounts and groups in LinkedIn Elevate for update operations. Select the Save button to commit any changes. +14. In the **Attribute Mappings** section, review the user and group attributes that will be synchronized from Azure AD to LinkedIn Elevate. Note that the attributes selected as **Matching** properties will be used to match the user accounts and groups in LinkedIn Elevate for update operations. Select the Save button to commit any changes. 
-![LinkedIn Elevate Provisioning](./media/linkedinelevate-provisioning-tutorial/linkedin_elevate4.PNG) + ![LinkedIn Elevate Provisioning](./media/linkedinelevate-provisioning-tutorial/linkedin_elevate4.PNG) -15) To enable the Azure AD provisioning service for LinkedIn Elevate, change the **Provisioning Status** to **On** in the **Settings** section +15. To enable the Azure AD provisioning service for LinkedIn Elevate, change the **Provisioning Status** to **On** in the **Settings** section -16) Click **Save**. +16. Click **Save**. This will start the initial synchronization of any users and/or groups assigned to LinkedIn Elevate in the Users and Groups section. Note that the initial sync will take longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service on your LinkedIn Elevate app. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). - ## Additional Resources * [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) diff --git a/articles/active-directory/saas-apps/linkedinsalesnavigator-provisioning-tutorial.md b/articles/active-directory/saas-apps/linkedinsalesnavigator-provisioning-tutorial.md index c74bf3db38b8a..5e0e84c23032f 100644 --- a/articles/active-directory/saas-apps/linkedinsalesnavigator-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/linkedinsalesnavigator-provisioning-tutorial.md 
@@ -14,30 +14,29 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/26/2018 +ms.date: 03/28/2019 ms.author: asmalser-msft ms.collection: M365-identity-device-management --- # Tutorial: Configure LinkedIn Sales Navigator for automatic user provisioning - -The objective of this tutorial is to show you the steps you need to perform in LinkedIn Sales Navigator and Azure AD to automatically provision and de-provision user accounts from Azure AD to LinkedIn Sales Navigator. +The objective of this tutorial is to show you the steps you need to perform in LinkedIn Sales Navigator and Azure AD to automatically provision and de-provision user accounts from Azure AD to LinkedIn Sales Navigator. ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following items: -* An Azure Active Directory tenant -* A LinkedIn Sales Navigator tenant -* An administrator account in LinkedIn Sales Navigator with access to the LinkedIn Account Center +* An Azure Active Directory tenant +* A LinkedIn Sales Navigator tenant +* An administrator account in LinkedIn Sales Navigator with access to the LinkedIn Account Center > [!NOTE] > Azure Active Directory integrates with LinkedIn Sales Navigator using the [SCIM](http://www.simplecloud.info/) protocol. ## Assigning users to LinkedIn Sales Navigator -Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD will be synchronized. +Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD will be synchronized. 
Before configuring and enabling the provisioning service, you will need to decide what users and/or groups in Azure AD represent the users who need access to LinkedIn Sales Navigator. Once decided, you can assign these users to LinkedIn Sales Navigator by following the instructions here: @@ -45,10 +44,9 @@ Before configuring and enabling the provisioning service, you will need to decid ### Important tips for assigning users to LinkedIn Sales Navigator -* It is recommended that a single Azure AD user be assigned to LinkedIn Sales Navigator to test the provisioning configuration. Additional users and/or groups may be assigned later. - -* When assigning a user to LinkedIn Sales Navigator, you must select the **User** role in the assignment dialog. The "Default Access" role does not work for provisioning. +* It is recommended that a single Azure AD user be assigned to LinkedIn Sales Navigator to test the provisioning configuration. Additional users and/or groups may be assigned later. +* When assigning a user to LinkedIn Sales Navigator, you must select the **User** role in the assignment dialog. The "Default Access" role does not work for provisioning. ## Configuring user provisioning to LinkedIn Sales Navigator 
@@ -57,79 +55,71 @@ This section guides you through connecting your Azure AD to LinkedIn Sales Navig > [!TIP] > You may also choose to enabled SAML-based Single Sign-On for LinkedIn Sales Navigator, following the instructions provided in [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features complement each other. - ### To configure automatic user account provisioning to LinkedIn Sales Navigator in Azure AD: - The first step is to retrieve your LinkedIn access token. If you are an Enterprise administrator, you can self-provision an access token. In your account center, go to **Settings > Global Settings** and open the **SCIM Setup** panel. > [!NOTE] > If you are accessing the account center directly rather than through a link, you can reach it using the following steps. -1) Sign in to Account Center. +1. Sign in to Account Center. -2) Select **Admin > Admin Settings** . +2. Select **Admin > Admin Settings** . -3) Click **Advanced Integrations** on the left sidebar. You are - directed to the account center. +3. Click **Advanced Integrations** on the left sidebar. You are directed to the account center. -4) Click **+ Add new SCIM configuration** and follow the procedure by - filling in each field. +4. Click **+ Add new SCIM configuration** and follow the procedure by filling in each field. -> When auto­assign licenses is not enabled, it means that only user -> data is synced. + > [!NOTE] + > When auto­assign licenses is not enabled, it means that only user data is synced. -![LinkedIn Sales Navigator Provisioning](./media/linkedinsalesnavigator-provisioning-tutorial/linkedin_1.PNG) + ![LinkedIn Sales Navigator Provisioning](./media/linkedinsalesnavigator-provisioning-tutorial/linkedin_1.PNG) -> When auto­license assignment is enabled, you need to note the -> application instance and license type. 
Licenses are assigned on a -> first come, first serve basis until all the licenses are taken. + > [!NOTE] + > When auto­license assignment is enabled, you need to note the application instance and license type. Licenses are assigned on a first come, first serve basis until all the licenses are taken. -![LinkedIn Sales Navigator Provisioning](./media/linkedinsalesnavigator-provisioning-tutorial/linkedin_2.PNG) + ![LinkedIn Sales Navigator Provisioning](./media/linkedinsalesnavigator-provisioning-tutorial/linkedin_2.PNG) -5) Click **Generate token**. You should see your access token display - under the **Access token** field. +5. Click **Generate token**. You should see your access token display under the **Access token** field. -6) Save your access token to your clipboard or computer before leaving - the page. +6. Save your access token to your clipboard or computer before leaving the page. -7) Next, sign in to the [Azure portal](https://portal.azure.com), and browse to the **Azure Active Directory > Enterprise Apps > All applications** section. +7. Next, sign in to the [Azure portal](https://portal.azure.com), and browse to the **Azure Active Directory > Enterprise Apps > All applications** section. -8) If you have already configured LinkedIn Sales Navigator for single sign-on, search for your instance of LinkedIn Sales Navigator using the search field. Otherwise, select **Add** and search for **LinkedIn Sales Navigator** in the application gallery. Select LinkedIn Sales Navigator from the search results, and add it to your list of applications. +8. If you have already configured LinkedIn Sales Navigator for single sign-on, search for your instance of LinkedIn Sales Navigator using the search field. Otherwise, select **Add** and search for **LinkedIn Sales Navigator** in the application gallery. Select LinkedIn Sales Navigator from the search results, and add it to your list of applications. 
-9) Select your instance of LinkedIn Sales Navigator, then select the **Provisioning** tab. +9. Select your instance of LinkedIn Sales Navigator, then select the **Provisioning** tab. -10) Set the **Provisioning Mode** to **Automatic**. +10. Set the **Provisioning Mode** to **Automatic**. -![LinkedIn Sales Navigator Provisioning](./media/linkedinsalesnavigator-provisioning-tutorial/linkedin_3.PNG) + ![LinkedIn Sales Navigator Provisioning](./media/linkedinsalesnavigator-provisioning-tutorial/linkedin_3.PNG) -11) Fill in the following fields under **Admin Credentials** : +11. Fill in the following fields under **Admin Credentials** : -* In the **Tenant URL** field, enter https://api.linkedin.com. + * In the **Tenant URL** field, enter https://api.linkedin.com. -* In the **Secret Token** field, enter the access token you generated in step 1 and click **Test Connection** . + * In the **Secret Token** field, enter the access token you generated in step 1 and click **Test Connection** . -* You should see a success notification on the upper­right side of + * You should see a success notification on the upper­right side of your portal. -12) Enter the email address of a person or group who should receive provisioning error notifications in the **Notification Email** field, and check the checkbox below. +12. Enter the email address of a person or group who should receive provisioning error notifications in the **Notification Email** field, and check the checkbox below. -13) Click **Save**. +13. Click **Save**. -14) In the **Attribute Mappings** section, review the user and group attributes that will be synchronized from Azure AD to LinkedIn Sales Navigator. Note that the attributes selected as **Matching** properties will be used to match the user accounts and groups in LinkedIn Sales Navigator for update operations. Select the Save button to commit any changes. +14. 
In the **Attribute Mappings** section, review the user and group attributes that will be synchronized from Azure AD to LinkedIn Sales Navigator. Note that the attributes selected as **Matching** properties will be used to match the user accounts and groups in LinkedIn Sales Navigator for update operations. Select the Save button to commit any changes. -![LinkedIn Sales Navigator Provisioning](./media/linkedinsalesnavigator-provisioning-tutorial/linkedin_4.PNG) + ![LinkedIn Sales Navigator Provisioning](./media/linkedinsalesnavigator-provisioning-tutorial/linkedin_4.PNG) -15) To enable the Azure AD provisioning service for LinkedIn Sales Navigator, change the **Provisioning Status** to **On** in the **Settings** section +15. To enable the Azure AD provisioning service for LinkedIn Sales Navigator, change the **Provisioning Status** to **On** in the **Settings** section -16) Click **Save**. +16. Click **Save**. This will start the initial synchronization of any users and/or groups assigned to LinkedIn Sales Navigator in the Users and Groups section. Note that the initial sync will take longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service on your LinkedIn Sales Navigator app. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). - ## Additional Resources * [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) diff --git a/articles/active-directory/saas-apps/logicmonitor-tutorial.md b/articles/active-directory/saas-apps/logicmonitor-tutorial.md index 1cc6eb81a43be..ae8c9bf83cb4c 100644 
--- a/articles/active-directory/saas-apps/logicmonitor-tutorial.md
+++ b/articles/active-directory/saas-apps/logicmonitor-tutorial.md
@@ -234,9 +234,9 @@ When you click the LogicMonitor tile in the Access Panel, you should be automati
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/lucidchart-provisioning-tutorial.md b/articles/active-directory/saas-apps/lucidchart-provisioning-tutorial.md
index 188e4862e7030..cb06464bf1d7f 100644
--- a/articles/active-directory/saas-apps/lucidchart-provisioning-tutorial.md
+++ b/articles/active-directory/saas-apps/lucidchart-provisioning-tutorial.md
@@ -14,27 +14,26 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/26/2018 +ms.date: 03/27/2019 ms.author: asmalser-msft ms.collection: M365-identity-device-management --- # Tutorial: Configure LucidChart for automatic user provisioning - The objective of this tutorial is to show you the steps you need to perform in LucidChart and Azure AD to automatically provision and de-provision user accounts from Azure AD to LucidChart. ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following items: -* An Azure Active directory tenant -* A LucidChart tenant with the [Enterprise plan](https://www.lucidchart.com/user/117598685#/subscriptionLevel) or better enabled -* A user account in LucidChart with Admin permissions +* An Azure Active directory tenant +* A LucidChart tenant with the [Enterprise plan](https://www.lucidchart.com/user/117598685#/subscriptionLevel) or better enabled +* A user account in LucidChart with Admin permissions ## Assigning users to LucidChart -Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD is synchronized. +Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD is synchronized. Before configuring and enabling the provisioning service, you need to decide what users and/or groups in Azure AD represent the users who need access to your LucidChart app. Once decided, you can assign these users to your LucidChart app by following the instructions here: 
@@ -42,22 +41,19 @@ Before configuring and enabling the provisioning service, you need to decide wha ### Important tips for assigning users to LucidChart -* It is recommended that a single Azure AD user is assigned to LucidChart to test the provisioning configuration. Additional users and/or groups may be assigned later. - -* When assigning a user to LucidChart, you must select either the **User** role, or another valid application-specific role (if available) in the assignment dialog. The **Default Access** role does not work for provisioning, and these users are skipped. +* It is recommended that a single Azure AD user is assigned to LucidChart to test the provisioning configuration. Additional users and/or groups may be assigned later. +* When assigning a user to LucidChart, you must select either the **User** role, or another valid application-specific role (if available) in the assignment dialog. The **Default Access** role does not work for provisioning, and these users are skipped. -## Configuring user provisioning to LucidChart +## Configuring user provisioning to LucidChart This section guides you through connecting your Azure AD to LucidChart's user account provisioning API, and configuring the provisioning service to create, update, and disable assigned user accounts in LucidChart based on user and group assignment in Azure AD. > [!TIP] > You may also choose to enabled SAML-based Single Sign-On for LucidChart, following the instructions provided in [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other. - ### Configure automatic user account provisioning to LucidChart in Azure AD - 1. In the [Azure portal](https://portal.azure.com), browse to the **Azure Active Directory > Enterprise Apps > All applications** section. 2. If you have already configured LucidChart for single sign-on, search for your instance of LucidChart using the search field. 
Otherwise, select **Add** and search for **LucidChart** in the application gallery. Select LucidChart from the search results, and add it to your list of applications. @@ -68,7 +64,7 @@ This section guides you through connecting your Azure AD to LucidChart's user ac ![LucidChart Provisioning](./media/lucidchart-provisioning-tutorial/LucidChart1.png) -5. Under the **Admin Credentials** section, input the **Secret Token** generated by your LucidChart's account (you can find the token under your account: **Team** > **App Integration** > **SCIM**). +5. Under the **Admin Credentials** section, input the **Secret Token** generated by your LucidChart's account (you can find the token under your account: **Team** > **App Integration** > **SCIM**). ![LucidChart Provisioning](./media/lucidchart-provisioning-tutorial/LucidChart2.png) @@ -76,7 +72,7 @@ This section guides you through connecting your Azure AD to LucidChart's user ac 7. Enter the email address of a person or group who should receive provisioning error notifications in the **Notification Email** field, and check the checkbox "Send an email notification when a failure occurs." -8. Click **Save**. +8. Click **Save**. 9. Under the Mappings section, select **Synchronize Azure Active Directory Users to LucidChart**. 
@@ -84,13 +80,12 @@ This section guides you through connecting your Azure AD to LucidChart's user ac 11. To enable the Azure AD provisioning service for LucidChart, change the **Provisioning Status** to **On** in the **Settings** section -12. Click **Save**. +12. Click **Save**. This operation starts the initial synchronization of any users and/or groups assigned to LucidChart in the Users and Groups section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). - ## Additional resources * [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) diff --git a/articles/active-directory/saas-apps/lucidchart-tutorial.md b/articles/active-directory/saas-apps/lucidchart-tutorial.md index b01204661c447..c19aa381ffc7a 100644 --- a/articles/active-directory/saas-apps/lucidchart-tutorial.md +++ b/articles/active-directory/saas-apps/lucidchart-tutorial.md 
@@ -214,8 +214,8 @@ When you click the Lucidchart tile in the Access Panel, you should be automatica ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/lynda-tutorial.md b/articles/active-directory/saas-apps/lynda-tutorial.md index 3740d3c289bae..6263ce220867d 100644 --- a/articles/active-directory/saas-apps/lynda-tutorial.md +++ b/articles/active-directory/saas-apps/lynda-tutorial.md 
@@ -195,9 +195,9 @@ When you click the Lynda.com tile in the Access Panel, you should be automatical ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/manabipocket-tutorial.md b/articles/active-directory/saas-apps/manabipocket-tutorial.md index 286de9ac30e5d..a9e98566ffed7 100644 --- a/articles/active-directory/saas-apps/manabipocket-tutorial.md +++ b/articles/active-directory/saas-apps/manabipocket-tutorial.md 
@@ -4,212 +4,195 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 8e521099-bf7d-43ab-a0e0-86aa1c9e577e ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/20/2018 +ms.topic: tutorial +ms.date: 04/02/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Manabi Pocket In this tutorial, you learn how to integrate Manabi Pocket with Azure Active Directory (Azure AD). - Integrating Manabi Pocket with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Manabi Pocket. -- You can enable your users to automatically get signed-on to Manabi Pocket (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Manabi Pocket. +* You can enable your users to be automatically signed-in to Manabi Pocket (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with Manabi Pocket, you need the following items: -- An Azure AD subscription -- A Manabi Pocket single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Manabi Pocket single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Manabi Pocket from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Manabi Pocket supports **SP** initiated SSO ## Adding Manabi Pocket from the gallery + To configure the integration of Manabi Pocket into Azure AD, you need to add Manabi Pocket from the gallery to your list of managed SaaS apps. **To add Manabi Pocket from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. 
- ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Manabi Pocket**, select **Manabi Pocket** from result panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Manabi Pocket in the results list](./media/manabipocket-tutorial/tutorial_manabipocket_addfromgallery.png) +4. In the search box, type **Manabi Pocket**, select **Manabi Pocket** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on + ![Manabi Pocket in the results list](common/search-new-app.png) -In this section, you configure and test Azure AD single sign-on with Manabi Pocket based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on -For single sign-on to work, Azure AD needs to know what the counterpart user in Manabi Pocket is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Manabi Pocket needs to be established. +In this section, you configure and test Azure AD single sign-on with Manabi Pocket based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Manabi Pocket needs to be established. To configure and test Azure AD single sign-on with Manabi Pocket, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. 
**[Create a Manabi Pocket test user](#create-a-manabi-pocket-test-user)** - to have a counterpart of Britta Simon in Manabi Pocket that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure Manabi Pocket Single Sign-On](#configure-manabi-pocket-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Manabi Pocket test user](#create-manabi-pocket-test-user)** - to have a counterpart of Britta Simon in Manabi Pocket that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Manabi Pocket application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Manabi Pocket, perform the following steps:** +To configure Azure AD single sign-on with Manabi Pocket, perform the following steps: -1. In the Azure portal, on the **Manabi Pocket** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Manabi Pocket** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. +2. 
On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Single sign-on dialog box](./media/manabipocket-tutorial/tutorial_manabipocket_samlbase.png) + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Manabi Pocket Domain and URLs** section, perform the following steps: +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Manabi Pocket Domain and URLs single sign-on information](./media/manabipocket-tutorial/tutorial_manabipocket_url.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) - a. In the **Sign-on URL** textbox, type the URL: `https://ed-cl.com/` +4. On the **Basic SAML Configuration** section, perform the following steps: - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.ed-cl.com//idp/provider` + ![Manabi Pocket Domain and URLs single sign-on information](common/sp-identifier.png) - > [!NOTE] - > The Identifier value is not real. Update this value with the actual Identifier . Contact [Manabi Pocket Client support team](mailto:info-ed-cl@ntt.com) to get this value. + a. In the **Sign on URL** text box, type a URL: + `https://ed-cl.com/` -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://.ed-cl.com//idp/provider` - ![The Certificate download link](./media/manabipocket-tutorial/tutorial_manabipocket_certificate.png) + > [!NOTE] + > The Identifier value is not real. Update this value with the actual Identifier. Contact [Manabi Pocket Client support team](mailto:info-ed-cl@ntt.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. Click **Save** button. +5. 
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On Save button](./media/manabipocket-tutorial/tutorial_general_400.png) + ![The Certificate download link](common/metadataxml.png) -1. To configure single sign-on on **Manabi Pocket** side, you need to send the downloaded **Metadata XML** to [Manabi Pocket support team](mailto:info-ed-cl@ntt.com). They set this setting to have the SAML SSO connection set properly on both sides. +6. On the **Set up Manabi Pocket** section, copy the appropriate URL(s) as per your requirement. -### Create an Azure AD test user + ![Copy configuration URLs](common/copy-configuration-urls.png) -The objective of this section is to create a test user in the Azure portal called Britta Simon. + a. Login URL - ![Create an Azure AD test user][100] + b. Azure AD Identifier -**To create a test user in Azure AD, perform the following steps:** + c. Logout URL -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +### Configure Manabi Pocket Single Sign-On - ![The Azure Active Directory button](./media/manabipocket-tutorial/create_aaduser_01.png) +To configure single sign-on on **Manabi Pocket** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Manabi Pocket support team](mailto:info-ed-cl@ntt.com). They set this setting to have the SAML SSO connection set properly on both sides. -1. To display the list of users, go to **Users and groups**, and then click **All users**. +### Create an Azure AD test user - ![The "Users and groups" and "All users" links](./media/manabipocket-tutorial/create_aaduser_02.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. 
To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![The Add button](./media/manabipocket-tutorial/create_aaduser_03.png) + ![The "Users and groups" and "All users" links](common/users.png) -1. In the **User** dialog box, perform the following steps: +2. Select **New user** at the top of the screen. - ![The User dialog box](./media/manabipocket-tutorial/create_aaduser_04.png) + ![New user Button](common/new-user.png) - a. In the **Name** box, type **BrittaSimon**. +3. In the User properties, perform the following steps. - b. In the **User name** box, type the email address of user Britta Simon. + ![The User dialog box](common/user-properties.png) - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - d. Click **Create**. - -### Create a Manabi Pocket test user + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -In this section, you create a user called Britta Simon in Manabi Pocket. Work with [Manabi Pocket support team](mailto:info-ed-cl@ntt.com) to add the users in the Manabi Pocket platform. Users must be created and activated before you use single sign-on. + d. Click **Create**. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Manabi Pocket. -![Assign the user role][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Manabi Pocket**. -**To assign Britta Simon to Manabi Pocket, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. 
In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **Manabi Pocket**. - ![Assign User][201] + ![The Manabi Pocket link in the Applications list](common/all-applications.png) -1. In the applications list, select **Manabi Pocket**. +3. In the menu on the left, select **Users and groups**. - ![The Manabi Pocket link in the Applications list](./media/manabipocket-tutorial/tutorial_manabipocket_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The "Users and groups" link][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create Manabi Pocket test user -1. Click **Assign** button on **Add Assignment** dialog. +In this section, you create a user called Britta Simon in Manabi Pocket. Work with [Manabi Pocket support team](mailto:info-ed-cl@ntt.com) to add the users in the Manabi Pocket platform. Users must be created and activated before you use single sign-on. 
-### Test single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the Manabi Pocket tile in the Access Panel, you should get automatically signed-on to your Manabi Pocket application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). - -## Additional resources +When you click the Manabi Pocket tile in the Access Panel, you should be automatically signed in to the Manabi Pocket for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: ./media/manabipocket-tutorial/tutorial_general_01.png -[2]: ./media/manabipocket-tutorial/tutorial_general_02.png -[3]: ./media/manabipocket-tutorial/tutorial_general_03.png -[4]: ./media/manabipocket-tutorial/tutorial_general_04.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[100]: ./media/manabipocket-tutorial/tutorial_general_100.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[200]: ./media/manabipocket-tutorial/tutorial_general_200.png -[201]: ./media/manabipocket-tutorial/tutorial_general_201.png -[202]: ./media/manabipocket-tutorial/tutorial_general_202.png 
-[203]: ./media/manabipocket-tutorial/tutorial_general_203.png diff --git a/articles/active-directory/saas-apps/marketo-tutorial.md b/articles/active-directory/saas-apps/marketo-tutorial.md index c14cc42386c9c..c587ee465c0f4 100644 --- a/articles/active-directory/saas-apps/marketo-tutorial.md +++ b/articles/active-directory/saas-apps/marketo-tutorial.md @@ -296,9 +296,9 @@ When you click the Marketo tile in the Access Panel, you should be automatically ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/maxxpoint-tutorial.md b/articles/active-directory/saas-apps/maxxpoint-tutorial.md index ec2a40b848a5c..f323d195624da 100644 --- a/articles/active-directory/saas-apps/maxxpoint-tutorial.md +++ b/articles/active-directory/saas-apps/maxxpoint-tutorial.md 
@@ -191,9 +191,9 @@ When you click the MaxxPoint tile in the Access Panel, you should be automatical ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/mcm-tutorial.md b/articles/active-directory/saas-apps/mcm-tutorial.md index 9550f91991efb..221919b38ea2a 100644 --- a/articles/active-directory/saas-apps/mcm-tutorial.md +++ b/articles/active-directory/saas-apps/mcm-tutorial.md 
@@ -193,9 +193,9 @@ When you click the MCM tile in the Access Panel, you should be automatically sig
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_addfromgallery.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_addfromgallery.png
deleted file mode 100644
index 4d1f9456fba02..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_app.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_app.png
deleted file mode 100644
index 2ca2dd632bff4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_certificate.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_certificate.png
deleted file mode 100644
index 985cfcd71722d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_configure.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_configure.png
deleted file mode 100644
index 1bac1afa1d6af..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_samlbase.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_samlbase.png
deleted file mode 100644
index 2331d719e7838..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_search.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_search.png
deleted file mode 100644
index 70f04e3cedafe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_url.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_url.png
deleted file mode 100644
index a096ad0c5f1bc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_10,000ftplans_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/10000ftplans-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/asana-provisioning-tutorial/asanaazureprovisioning.png b/articles/active-directory/saas-apps/media/asana-provisioning-tutorial/asanaazureprovisioning.png
index 779bb64d45f55..49a38b1078698 100644
Binary files a/articles/active-directory/saas-apps/media/asana-provisioning-tutorial/asanaazureprovisioning.png and b/articles/active-directory/saas-apps/media/asana-provisioning-tutorial/asanaazureprovisioning.png differ
diff --git a/articles/active-directory/saas-apps/media/atlassian-cloud-provisioning-tutorial/tutorial-general-03.png b/articles/active-directory/saas-apps/media/atlassian-cloud-provisioning-tutorial/tutorial-general-03.png
index d56f6b9d57f2b..cac732f7ddc91 100644
Binary files a/articles/active-directory/saas-apps/media/atlassian-cloud-provisioning-tutorial/tutorial-general-03.png and b/articles/active-directory/saas-apps/media/atlassian-cloud-provisioning-tutorial/tutorial-general-03.png differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_addfromgallery.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_addfromgallery.png
deleted file mode 100644
index a6db822344a18..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_app.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_app.png
deleted file mode 100644
index fb42b50d145a4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_attribute.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_attribute.png
deleted file mode 100644
index c1198efcec9e7..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_certificate.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_certificate.png
deleted file mode 100644
index eeb6606f57a2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_samlbase.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_search.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_search.png
deleted file mode 100644
index 602abecffb9d0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_url.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_url.png
deleted file mode 100644
index fd036dda6aa6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_url1.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_url1.png
deleted file mode 100644
index d916750cc6c11..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_betterworks_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/betterworks-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppCreation.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppCreation.png
index 28f58e36c3c7c..8e3802ba083ce 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppCreation.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppCreation.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppInstanceSearch.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppInstanceSearch.png
index a07562349f786..7bbd1b19d53ad 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppInstanceSearch.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppInstanceSearch.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppSearch.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppSearch.png
index 43161924b3a00..f51e85015278b 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppSearch.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppSearch.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppSearchResults.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppSearchResults.png
index 79ac78131a0cd..2826e042054f2 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppSearchResults.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/AppSearchResults.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/BonsulyRestApi.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/BonsulyRestApi.png
index f5116a06ab3cd..225715e04dda2 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/BonsulyRestApi.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/BonsulyRestApi.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/BonuslyIntegrations.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/BonuslyIntegrations.png
index 99f6a43cf83c5..c67a377fda244 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/BonuslyIntegrations.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/BonuslyIntegrations.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/CreateToken.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/CreateToken.png
index ab2e30b45683d..1adf39dee319e 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/CreateToken.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/CreateToken.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/EmailNotification.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/EmailNotification.png
index ab1771b16eaa6..c30218412add5 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/EmailNotification.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/EmailNotification.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningCredentials.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningCredentials.png
index f8263a04eeb39..1fc76bc1f17c1 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningCredentials.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningCredentials.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningStatus.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningStatus.png
index 64863f7c95fbb..6b127261a9abc 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningStatus.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningStatus.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningTab.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningTab.png
index 445d215a3c669..71727edcd35e2 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningTab.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ProvisioningTab.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/SaveProvisioning.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/SaveProvisioning.png
index 67db9eecce2f7..2dae2253d2ff3 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/SaveProvisioning.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/SaveProvisioning.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ScopeSync.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ScopeSync.png
index e698e807c1ea3..ed624f0c1e4b4 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ScopeSync.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/ScopeSync.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/TestConnection.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/TestConnection.png
index 9eccc657a8dbf..24f762834e652 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/TestConnection.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/TestConnection.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/Token01.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/Token01.png
index 5a0e09055835c..ec8de0d15a6c0 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/Token01.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/Token01.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/Token02.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/Token02.png
index 753ef31194dde..7b74c976557d4 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/Token02.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/Token02.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/UserAttributeMapping.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/UserAttributeMapping.png
index e49cb58d7199a..df8a2a103ef18 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/UserAttributeMapping.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/UserAttributeMapping.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/UserMappings.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/UserMappings.png
index 9dc5b6c7da4a1..84a187fb5df26 100644
Binary files a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/UserMappings.png and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/UserMappings.png differ
diff --git a/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/secrettoken.png b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/secrettoken.png
new file mode 100644
index 0000000000000..1b76d685b612e
Binary files /dev/null and b/articles/active-directory/saas-apps/media/bonusly-provisioning-tutorial/secrettoken.png differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_addfromgallery.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_addfromgallery.png
deleted file mode 100644
index d580f4209b8b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_app.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_app.png
deleted file mode 100644
index d4fa569c53a60..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_appid.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_appid.png
deleted file mode 100644
index 716f21483401e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_appid.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_appregistrations.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_appregistrations.png
deleted file mode 100644
index 812837b4098b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_appregistrations.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_endpoint.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_endpoint.png
deleted file mode 100644
index 0059f7a0f7ebe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_endpoint.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_endpointicon.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_endpointicon.png
deleted file mode 100644
index 76fb18b8e649c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_endpointicon.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_samlbase.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_url.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_url.png
deleted file mode 100644
index f2618f1dbedf8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_url1.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_url1.png
deleted file mode 100644
index 6cc57a9c6529c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_bpmonline_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_01.png deleted file mode 100644 index 210e0ec9e5e9b..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_01.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_02.png deleted file mode 100644 index e61077146deac..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_02.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_03.png deleted file mode 100644 index 974ef922ee80b..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_04.png deleted file mode 100644 index 014502ab06379..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_100.png deleted file mode 100644 index 4fe5408cdbfaf..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_100.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_200.png deleted file mode 100644 index 84a3a8cb56791..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_200.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_201.png deleted file mode 100644 index 39bc0e0407d5c..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_201.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_202.png deleted file mode 100644 index f873c028bcb36..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_202.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_203.png deleted file mode 100644 index 45bebd18fce2f..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_203.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_400.png deleted file mode 100644 index bf1f9ced09e43..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_general_400.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_metadataurl.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_metadataurl.png deleted file mode 100644 index cde4610937f8c..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_metadataurl.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_officespace_03.png deleted file mode 100644 index 5ee2505b75f97..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_officespace_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_officespace_04.png deleted file mode 100644 index 368f89c787428..0000000000000 Binary files a/articles/active-directory/saas-apps/media/bpmonline-tutorial/tutorial_officespace_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/cernercentral-provisioning-tutorial/cerner.png b/articles/active-directory/saas-apps/media/cernercentral-provisioning-tutorial/cerner.png index 0f9dc911539ae..2669f7adedb51 100644 Binary files a/articles/active-directory/saas-apps/media/cernercentral-provisioning-tutorial/cerner.png and b/articles/active-directory/saas-apps/media/cernercentral-provisioning-tutorial/cerner.png differ 
diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppCreation.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppCreation.png index ba52556b992a6..e6464145235a6 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppCreation.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppCreation.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppSearch.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppSearch.png index 900e279189ed0..5b7a162f12388 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppSearch.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppSearch.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppSearchResults.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppSearchResults.png index eb784a53d3674..bdc8391ccabcd 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppSearchResults.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/AppSearchResults.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/EmailNotification.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/EmailNotification.png index 8ca56ffc08ffc..6859c1fdd8ad4 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/EmailNotification.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/EmailNotification.png differ 
diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/GetMyDetails.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/GetMyDetails.png index be1af36818b9e..23156be549e48 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/GetMyDetails.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/GetMyDetails.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningCredentials.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningCredentials.png index b5fa7a54d0102..1fc76bc1f17c1 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningCredentials.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningCredentials.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningStatus.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningStatus.png index 013aea0f1bf61..3e33584bb58f1 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningStatus.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningStatus.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningTab.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningTab.png index a8161b4632083..800b306706098 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningTab.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/ProvisioningTab.png differ 
diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/Save.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/Save.png index 27503e5c2dd56..7f6d7439ff2a3 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/Save.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/Save.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/SecretToken.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/SecretToken.png index 2d872749f004b..cba47c71e9247 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/SecretToken.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/SecretToken.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/Successcenter2.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/Successcenter2.png index 61843e8735ec8..52484845e4bc3 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/Successcenter2.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/Successcenter2.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/SyncScope.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/SyncScope.png index ef05eb075958c..a710d4a67d325 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/SyncScope.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/SyncScope.png differ 
diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/TestConnection.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/TestConnection.png index aa8b705352206..45e0150b357f2 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/TestConnection.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/TestConnection.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/UserMapping.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/UserMapping.png index cae2e09160146..aa2d11f1e7947 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/UserMapping.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/UserMapping.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/UserMappingAttributes.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/UserMappingAttributes.png index 81e14ed16a770..e5d39e0dd7821 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/UserMappingAttributes.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/UserMappingAttributes.png differ diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/secrettoken1.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/secrettoken1.png new file mode 100644 index 0000000000000..af382d310c519 Binary files /dev/null and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/secrettoken1.png differ 
diff --git a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/tutorial_ciscospark_addfromgallery.png b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/tutorial_ciscospark_addfromgallery.png index 50460cf8c99b7..e92a9930c7818 100644 Binary files a/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/tutorial_ciscospark_addfromgallery.png and b/articles/active-directory/saas-apps/media/cisco-spark-provisioning-tutorial/tutorial_ciscospark_addfromgallery.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/AppInstanceSearch.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/AppInstanceSearch.png index fc95dc5a6fa1f..ccb3bdf60be37 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/AppInstanceSearch.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/AppInstanceSearch.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/Successcenter1.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/Successcenter1.png index ff255653439e1..c582ca4839a77 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/Successcenter1.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/Successcenter1.png differ 
diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appcreation.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appcreation.png index 033a65bdf263f..c7f008eb5786f 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appcreation.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appcreation.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appsearch.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appsearch.png index 879b4e34c4080..c106bbcf8f3cb 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appsearch.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appsearch.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appsearchresults.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appsearchresults.png index fed43fc39c0c6..60d424ab0c59a 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appsearchresults.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/appsearchresults.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/emailnotification.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/emailnotification.png index b33905b99ee02..06db7783eb345 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/emailnotification.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/emailnotification.png differ 
diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/postionid.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/postionid.png index 270d92e970e76..65e0ac83aa667 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/postionid.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/postionid.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningcredentials.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningcredentials.png index d87c2edb3bb66..2df1b14d9bf04 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningcredentials.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningcredentials.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningstatus.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningstatus.png index 31a4461a251d6..96fdbece1c786 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningstatus.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningstatus.png differ 
diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningtab.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningtab.png index 95e19219f26e3..49f2f7020bc19 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningtab.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/provisioningtab.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/save.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/save.png index e431ceed946d1..fee6170e67c16 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/save.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/save.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/successcenter2.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/successcenter2.png index 347ec9a922063..16808aed2574e 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/successcenter2.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/successcenter2.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/syncscope.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/syncscope.png index 4922f604ef73c..04bfdd76643bd 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/syncscope.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/syncscope.png differ 
diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/testconnection.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/testconnection.png index 02fadb4aeafd4..77158329e96f9 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/testconnection.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/testconnection.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/useredit.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/useredit.png index db7ec835f74a0..cf7fc396de84a 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/useredit.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/useredit.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/usermapping.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/usermapping.png index 1fbd68d6a69c1..f9810d71596c5 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/usermapping.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/usermapping.png differ diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/usermappingattributes.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/usermappingattributes.png index 884ed93f210bb..c1015ec3a9eed 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/usermappingattributes.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/usermappingattributes.png differ 
diff --git a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/userposition.png b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/userposition.png index deac43cf7391c..b44911ead9ae0 100644 Binary files a/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/userposition.png and b/articles/active-directory/saas-apps/media/cornerstone-ondemand-provisioning-tutorial/userposition.png differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_01.png deleted file mode 100644 index 19cb268bb31b8..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_01.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_02.png deleted file mode 100644 index 5a52c44d9b21a..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_02.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_03.png deleted file mode 100644 index 21ce52515ad1e..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_04.png deleted file mode 100644 index fdea60786b792..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/create_aaduser_04.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_addfromgallery.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_addfromgallery.png deleted file mode 100644 index 7566cae318717..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_addfromgallery.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_app.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_app.png deleted file mode 100644 index 3c59f29ca2c37..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_app.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_certificate.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_certificate.png deleted file mode 100644 index bc0fba3decbd0..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_certificate.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_configure.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_configure.png deleted file mode 100644 index 42cd3060ea234..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_configure.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_samlbase.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_samlbase.png deleted file mode 100644 index e6d6f36019182..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_samlbase.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_search.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_search.png deleted file mode 100644 index 2c4459e2817ef..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_search.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_url.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_url.png deleted file mode 100644 index 7e8871ddd690a..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_url.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_url1.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_url1.png deleted file mode 100644 index 15c4aa77b32d7..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_direct_url1.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_01.png deleted file mode 100644 index 19cb268bb31b8..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_01.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_02.png deleted file mode 100644 index 1ff3f25482e34..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_02.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_03.png deleted file mode 100644 index 974ef922ee80b..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_04.png deleted file mode 100644 index 014502ab06379..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_100.png deleted file mode 100644 index 4fe5408cdbfaf..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_100.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_200.png deleted file mode 100644 index 84a3a8cb56791..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_200.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_201.png deleted file mode 100644 index 39bc0e0407d5c..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_201.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_202.png deleted file mode 100644 index f873c028bcb36..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_202.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_203.png deleted file mode 100644 index 9a5e9e7eea18e..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_203.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_400.png deleted file mode 100644 index bf1f9ced09e43..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_general_400.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_officespace_03.png deleted file mode 100644 index 5ee2505b75f97..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_officespace_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_officespace_04.png deleted file mode 100644 index 368f89c787428..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_officespace_04.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_officespace_05.png deleted file mode 100644 index 6df23a91aba59..0000000000000 Binary files a/articles/active-directory/saas-apps/media/direct-tutorial/tutorial_officespace_05.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_001.png b/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_001.png deleted file mode 100644 index 6ce33063b403b..0000000000000 Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_001.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_002.png b/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_002.png deleted file mode 100644 index d9f9eb8a13257..0000000000000 Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_002.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_003.png b/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_003.png deleted file mode 100644 index 2ea4aab1800e0..0000000000000 Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_003.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_01.png deleted file mode 100644 index 19cb268bb31b8..0000000000000 Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_01.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_04.png
deleted file mode 100644
index 781205fba8219..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_00.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_00.png
deleted file mode 100644
index 334ba2110095a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_00.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_01.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_01.png
deleted file mode 100644
index f5353f3ed2b38..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_02.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_02.png
deleted file mode 100644
index 96aa0aaa350f3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_03.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_03.png
deleted file mode 100644
index 20383988c0e13..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_04.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_04.png
deleted file mode 100644
index 4b5a06b4469b4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_05.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_05.png
deleted file mode 100644
index f3f1b8b2a2754..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_06.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_06.png
deleted file mode 100644
index 90e8e663f8540..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_10.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_10.png
deleted file mode 100644
index b42484dfb6387..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_10.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_11.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_11.png
deleted file mode 100644
index 297c379b020be..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_11.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_12.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_12.png
deleted file mode 100644
index cb244d76e63d9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_12.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_13.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_13.png
deleted file mode 100644
index d0c41b5610ab1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_13.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_14.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_14.png
deleted file mode 100644
index 5a697a59ed118..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_14.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_15.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_15.png
deleted file mode 100644
index 58e77c589143a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_15.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_16.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_16.png
deleted file mode 100644
index 0ae42448c8b8c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_16.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_17.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_17.png
deleted file mode 100644
index 7cdf4b1d798cc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_17.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_addfromgallery.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_addfromgallery.png
deleted file mode 100644
index 4da0d2f674105..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_app.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_app.png
deleted file mode 100644
index 216ff8ede0ea0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_certificate.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_certificate.png
deleted file mode 100644
index 466fe88cb2ac0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_configure.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_configure.png
deleted file mode 100644
index 8cd66fb0479a5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_configuresignon.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_configuresignon.png
deleted file mode 100644
index 3de848ec2f520..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_configuresignon.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_samlbase.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_search.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_search.png
deleted file mode 100644
index d149d178507dc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_url.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_url.png
deleted file mode 100644
index 85df8b5f311cb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_url1.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_url1.png
deleted file mode 100644
index fee51be325a1c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_docusign_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ccf27fd4cba3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_03.png
deleted file mode 100644
index d56f6b9d57f2b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_203.png
deleted file mode 100644
index 2f3911fc297e2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_300.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_300.png
deleted file mode 100644
index 5a9f929f06020..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_300.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/docusign-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_addfromgallery.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_addfromgallery.png
deleted file mode 100644
index 43352ea33735f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_app.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_app.png
deleted file mode 100644
index bd7acb1a74271..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_certificate.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_certificate.png
deleted file mode 100644
index 392ed605c94f8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_configure.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_configure.png
deleted file mode 100644
index 91418fe0c8c9c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_samlbase.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_samlbase.png
deleted file mode 100644
index 26de6ebb04065..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_url1.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_url1.png
deleted file mode 100644
index ad651dbfb3a34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_url2.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_url2.png
deleted file mode 100644
index 61d8a7185c661..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_dossier_url2.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/dossier-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_addfromgallery.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_addfromgallery.png
deleted file mode 100644
index ca2fa8209e74c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_app.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_app.png
deleted file mode 100644
index 53e750a085a72..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_attribute.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_attribute.png
deleted file mode 100644
index 47060a15aeafe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_certificate.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_certificate.png
deleted file mode 100644
index bf1c86caf98b3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_configure.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_configure.png
deleted file mode 100644
index 71355a0a0df36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_samlbase.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_url.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_url.png
deleted file mode 100644
index ea54fe70d5f0d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_url1.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_url1.png
deleted file mode 100644
index a3696b9893706..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_userclaims.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_userclaims.png
deleted file mode 100644
index 22916707add16..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_ebsco_userclaims.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/ebsco-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/evernote-tutorial/samlassertion.png b/articles/active-directory/saas-apps/media/evernote-tutorial/samlassertion.png
new file mode 100644
index 0000000000000..a9cf9fad219e4
Binary files /dev/null and b/articles/active-directory/saas-apps/media/evernote-tutorial/samlassertion.png differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_04.png
deleted file mode 100644
index bbe13b96cb032..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_0001.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_0001.png
deleted file mode 100644
index 2f245dbdcebbd..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_0001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_001.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_001.png
deleted file mode 100644
index 9b26dad1bb65d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_01.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_01.png
deleted file mode 100644
index 64941fea59f05..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_02.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_02.png
deleted file mode 100644
index 650aff06a79ba..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_03.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_03.png
deleted file mode 100644
index 5ad82f093af33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_04.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_04.png
deleted file mode 100644
index 9a3d99c6354ab..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_05.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_05.png
deleted file mode 100644
index 00cd53e108208..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_06.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_06.png
deleted file mode 100644
index 3c1e0995eb86b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_07.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_07.png
deleted file mode 100644
index 5f77597e9361d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_50.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_50.png
deleted file mode 100644
index 8dc7ac15148fc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_firmplay_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_02.png
deleted file mode 100644
index 719c2277e9d95..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_03.png
deleted file mode 100644
index 1f3d381fc718b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_100.png
deleted file mode 100644
index 6284443d7f7df..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_203.png
deleted file mode 100644
index afc9c1d33207e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_300.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_300.png
deleted file mode 100644
index 5a9f929f06020..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_300.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_400.png
deleted file mode 100644
index e4fc4a2fb2d42..0000000000000
Binary files a/articles/active-directory/saas-apps/media/firmplay-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_04.png
deleted file mode 100644
index 781205fba8219..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 626684f2721e5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_addfromgallery.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_addfromgallery.png
deleted file mode 100644
index 6a9c2c44f81e7..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_app.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_app.png
deleted file mode 100644
index 943feba27401a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_certificate.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_certificate.png
deleted file mode 100644
index edeb8fcf1e403..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_configure.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_configure.png
deleted file mode 100644
index 64db13a160302..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_samlbase.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_samlbase.png
deleted file mode 100644
index 2331d719e7838..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_search.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_search.png
deleted file mode 100644
index 83645680f0b2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_url.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_url.png
deleted file mode 100644
index a674760ebdeda..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_five9_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ccf27fd4cba3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_203.png
deleted file mode 100644
index 2f3911fc297e2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/five9-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_addfromgallery.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_addfromgallery.png
deleted file mode 100644
index 26604fe43919a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_app.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_app.png
deleted file mode 100644
index 324e693c3828b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_certificate.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_certificate.png
deleted file mode 100644
index dbfe5a3164158..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_configure.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_configure.png
deleted file mode 100644
index cf986c14eceeb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_samlbase.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_samlbase.png
deleted file mode 100644
index 4a656fbdd0a34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_url.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_url.png
deleted file mode 100644
index 966aa5135d005..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_fluxxlabs_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fluxxlabs-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC700993.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC700993.png
deleted file mode 100644
index 3a303b64c0a0e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC700993.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC700994.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC700994.png
deleted file mode 100644
index a193ab9aa932e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC700994.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC749321.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC749321.png
deleted file mode 100644
index 9f523d7bf9342..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC749321.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC749322.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC749322.png
deleted file mode 100644
index a45b53803d99f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC749322.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC767830.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC767830.png
deleted file mode 100644
index 56a8200c0f604..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC767830.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC790810.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC790810.png
deleted file mode 100644
index d022f10954981..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC790810.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795899.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795899.png
deleted file mode 100644
index 09f4794de0d99..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795899.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795900.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795900.png
deleted file mode 100644
index e5dcfc4f7cf98..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795900.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795901.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795901.png
deleted file mode 100644
index 7adc80092ee5a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795901.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795902.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795902.png
deleted file mode 100644
index 5da913984cca5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795902.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795903.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795903.png
deleted file mode 100644
index c569891eaee77..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795903.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795904.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795904.png
deleted file mode 100644
index 468a050e1b62f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795904.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795908.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795908.png
deleted file mode 100644
index f9b756c4a6842..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC795908.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC800213.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC800213.png
deleted file mode 100644
index fbeff3eced019..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/IC800213.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_addfromgallery.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_addfromgallery.png
deleted file mode 100644
index badc82f201087..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_app.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_app.png
deleted file mode 100644
index 161cef09a0e87..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_certificate.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_certificate.png
deleted file mode 100644
index 615621246fa39..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_configure.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_configure.png
deleted file mode 100644
index 89d9823d2c5b7..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_samlbase.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_search.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_search.png
deleted file mode 100644
index f9a9fbc866779..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_url.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_url.png
deleted file mode 100644
index 6bd2bdbf42c1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_fmsystems_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/fm-systems-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_addfromgallery.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_addfromgallery.png
deleted file mode 100644
index fd5dbc806df9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_app.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_app.png
deleted file mode 100644
index 6e29b112ea375..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_certificate.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_certificate.png
deleted file mode 100644
index 5d31805a6a017..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_configure.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_configure.png
deleted file mode 100644
index 1dadc31e96bce..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_samlbase.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_samlbase.png
deleted file mode 100644
index 27b8a56d48d35..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_url.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_url.png
deleted file mode 100644
index d95fe9909280a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseecxsuite_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseen_uploadconfig.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseen_uploadconfig.png
deleted file mode 100644
index 96075ff29bd28..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_foreseen_uploadconfig.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/upload.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/upload.png
deleted file mode 100644
index b6d899d59f903..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/upload.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/urlupload.png b/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/urlupload.png
deleted file mode 100644
index 83b83807e0d48..0000000000000
Binary files a/articles/active-directory/saas-apps/media/foreseecxsuite-tutorial/urlupload.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/github-provisioning-tutorial/github1.png b/articles/active-directory/saas-apps/media/github-provisioning-tutorial/github1.png
index 849a744b41be9..aed1859cb7d76 100644
Binary files a/articles/active-directory/saas-apps/media/github-provisioning-tutorial/github1.png and b/articles/active-directory/saas-apps/media/github-provisioning-tutorial/github1.png differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/a_new_app.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/a_new_app.png
deleted file mode 100644
index 91b82d91754f9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/a_new_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/a_select_app.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/a_select_app.png
deleted file mode 100644
index 303e5d5cec13b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/a_select_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1-domains_and_urlsedit.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1-domains_and_urlsedit.png
deleted file mode 100644
index 8d5923b677728..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1-domains_and_urlsedit.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1_b2_saml_sso.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1_b2_saml_sso.png
deleted file mode 100644
index 69a2132bcd402..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1_b2_saml_sso.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1_b2_saml_ssso.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1_b2_saml_ssso.png
deleted file mode 100644
index 320d593226975..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1_b2_saml_ssso.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1_b2_select_sso.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1_b2_select_sso.png
deleted file mode 100644
index 0faa78258e79b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b1_b2_select_sso.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b9(1)_saml.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/b9(1)_saml.png
deleted file mode 100644
index 5e0f1d81c58e6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b9(1)_saml.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b9_saml.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/b9_saml.png
deleted file mode 100644
index fc9302a934687..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/b9_saml.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/certificatebase64.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/certificatebase64.png
deleted file mode 100644
index 0ba3c8f9188a4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/certificatebase64.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d1_samlsonfigure.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/d1_samlsonfigure.png
deleted file mode 100644
index 8d524172bfff7..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d1_samlsonfigure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_adduser.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_adduser.png
deleted file mode 100644
index 3cd3495767a28..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_adduser.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_all_applications.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_all_applications.png
deleted file mode 100644
index dd91cce5e0c9e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_all_applications.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_assign_user.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_assign_user.png
deleted file mode 100644
index b5d160e0613e9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_assign_user.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_leftpaneusers.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_leftpaneusers.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_leftpaneusers.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_userproperties.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_userproperties.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_userproperties.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_users_and_groups.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_users_and_groups.png
deleted file mode 100644
index 71803b1d712d2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/d_users_and_groups.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/i2-attribute.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/i2-attribute.png
deleted file mode 100644
index 7be8251b91b92..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/i2-attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/i3-attribute.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/i3-attribute.png
deleted file mode 100644
index e737926a52989..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/i3-attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/i4-attribute.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/i4-attribute.png
deleted file mode 100644
index 37b696a42a72b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/i4-attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/selectazuread.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/selectazuread.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/selectazuread.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_applicationname_certificateedit.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_applicationname_certificateedit.png
deleted file mode 100644
index 02f38971ccfca..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_applicationname_certificateedit.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_addfromgallery.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_addfromgallery.png
deleted file mode 100644
index 0c24f8b4b7a65..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_app.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_app.png
deleted file mode 100644
index 7c8c3e21a7807..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_certificate.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_certificate.png
deleted file mode 100644
index d402ba86a9282..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_url.png b/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_url.png
deleted file mode 100644
index 909bcf2bb0c70..0000000000000
Binary files a/articles/active-directory/saas-apps/media/glassfrog-tutorial/tutorial_glassfrog_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC700993.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC700993.png
deleted file mode 100644
index 3a303b64c0a0e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC700993.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC700994.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC700994.png
deleted file mode 100644
index a193ab9aa932e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC700994.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC749321.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC749321.png
deleted file mode 100644
index 9f523d7bf9342..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC749321.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC749322.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC749322.png
deleted file mode 100644
index a45b53803d99f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC749322.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC767830.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC767830.png
deleted file mode 100644
index 56a8200c0f604..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC767830.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794128.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC794128.png
deleted file mode 100644
index a8c7826a5eeee..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794128.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794129.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC794129.png
deleted file mode 100644
index f020d9d754752..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794129.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794130.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC794130.png
deleted file mode 100644
index 5c13526eb1a14..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794130.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794131.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC794131.png
deleted file mode 100644
index de6b3e20ed1dd..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794131.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794132.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC794132.png
deleted file mode 100644
index ed3288cb64762..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794132.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794133.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC794133.png
deleted file mode 100644
index 716d63d5109c0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794133.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794134.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC794134.png
deleted file mode 100644
index 391bdb80d9705..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794134.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794137.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC794137.png
deleted file mode 100644
index d16f5057d4683..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794137.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794138.png b/articles/active-directory/saas-apps/media/insideview-tutorial/IC794138.png
deleted file mode 100644
index 4d80c3f707c09..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/IC794138.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_addfromgallery.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_addfromgallery.png
deleted file mode 100644
index 94fc42d340b67..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_app.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_app.png
deleted file mode 100644
index 7a4261236a92c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_certificate.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_certificate.png
deleted file mode 100644
index 2bec36afd30fc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_configure.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_configure.png
deleted file mode 100644
index b8d469ca1f9f4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_samlbase.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_search.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_search.png
deleted file mode 100644
index fb97184768493..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_url.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_url.png
deleted file mode 100644
index 64b7514332710..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_insideview_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insideview-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_06.png
deleted file mode 100644
index 2384e9f3e4830..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_01.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_01.png
deleted file mode 100644
index 04cf34c73db27..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_02.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_02.png
deleted file mode 100644
index f60efa1809a05..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_03.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_03.png
deleted file mode 100644
index f6030f31cc889..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_04.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_04.png
deleted file mode 100644
index e67b8db623a9e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_05.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_05.png
deleted file mode 100644
index b2b1cc09ee85e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_50.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_50.png
deleted file mode 100644
index 42725e5160eeb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_addfromgallery.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_addfromgallery.png
deleted file mode 100644
index fd4f716bd59f2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_app.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_app.png
deleted file mode 100644
index 64e2723f98c8e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_certificate.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_certificate.png
deleted file mode 100644
index 5c229db09babb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_configure.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_configure.png
deleted file mode 100644
index 1737b35d66ee3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_samlbase.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_search.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_search.png
deleted file mode 100644
index f2271188cd013..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_url.png b/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_url.png
deleted file mode 100644
index c1c80ae3f76fe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/insperityexpensable-tutorial/tutorial_insperityexpensable_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC700993.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC700993.png
deleted file mode 100644
index 3a303b64c0a0e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC700993.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC700994.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC700994.png
deleted file mode 100644
index a193ab9aa932e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC700994.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC749321.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC749321.png
deleted file mode 100644
index 9f523d7bf9342..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC749321.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC749322.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC749322.png
deleted file mode 100644
index a45b53803d99f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC749322.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC767830.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC767830.png
deleted file mode 100644
index 0ae42448c8b8c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC767830.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC771709.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC771709.png
deleted file mode 100644
index fe94fdb5f87c1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC771709.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775551.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC775551.png
deleted file mode 100644
index 771995fb5ceec..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775551.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775565.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC775565.png
deleted file mode 100644
index b13ed30245ca1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775565.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775566.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC775566.png
deleted file mode 100644
index 80ee26db86434..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775566.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775567.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC775567.png
deleted file mode 100644
index c907ee4cff81f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775567.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775568.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC775568.png
deleted file mode 100644
index c113b88130f53..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775568.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775569.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC775569.png
deleted file mode 100644
index c13c93cb4ca67..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775569.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775574.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC775574.png
deleted file mode 100644
index 453c350c12421..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775574.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775588.png b/articles/active-directory/saas-apps/media/itrp-tutorial/IC775588.png
deleted file mode 100644
index 9b2b2e6ce1d5d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/IC775588.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_addfromgallery.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_addfromgallery.png
deleted file mode 100644
index b79399f7ca708..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_app.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_app.png
deleted file mode 100644
index 0ebe88eb34478..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_certificate.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_certificate.png
deleted file mode 100644
index acc774f6fe97f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_configure.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_configure.png
deleted file mode 100644
index 792f63057fcc5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_samlbase.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_search.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_search.png
deleted file mode 100644
index 7171d53fd772d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_url.png b/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_url.png
deleted file mode 100644
index ce316f41290c8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/itrp-tutorial/tutorial_itrp_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC700993.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC700993.png
deleted file mode 100644
index 3a303b64c0a0e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC700993.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC700994.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC700994.png
deleted file mode 100644
index a193ab9aa932e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC700994.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC749321.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC749321.png
deleted file mode 100644
index 9f523d7bf9342..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC749321.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC749322.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC749322.png
deleted file mode 100644
index a45b53803d99f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC749322.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC767830.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC767830.png
deleted file mode 100644
index 56a8200c0f604..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC767830.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785859.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC785859.png
deleted file mode 100644
index 5000a04fb0dad..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785859.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785867.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC785867.png
deleted file mode 100644
index 3681157dbacdc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785867.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785871.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC785871.png
deleted file mode 100644
index a1600f7d86c0c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785871.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785872.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC785872.png
deleted file mode 100644
index dec33e243a2d6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785872.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785873.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC785873.png
deleted file mode 100644
index 4306cd503ef77..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785873.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785875.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC785875.png
deleted file mode 100644
index 165c0d5fd1e6d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785875.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785878.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC785878.png
deleted file mode 100644
index cd612c1c7e6bb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785878.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785884.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC785884.png
deleted file mode 100644
index 7a07c6013b5d1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785884.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785891.png b/articles/active-directory/saas-apps/media/kintone-tutorial/IC785891.png
deleted file mode 100644
index 313cf76263c83..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/IC785891.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/SaaSApp_Kintone.png b/articles/active-directory/saas-apps/media/kintone-tutorial/SaaSApp_Kintone.png
deleted file mode 100644
index 5c8f23b5a77a2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/SaaSApp_Kintone.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_addfromgallery.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_addfromgallery.png
deleted file mode 100644
index 6d5a8418b93ba..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_app.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_app.png
deleted file mode 100644
index a5f3e44c5ed53..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_certificate.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_certificate.png
deleted file mode 100644
index fdc4bed5d9da9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_configure.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_configure.png
deleted file mode 100644
index 491ea85174aa1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_samlbase.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_search.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_search.png
deleted file mode 100644
index 54dc201483a0e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_url.png b/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_url.png
deleted file mode 100644
index 85e6f77143d0e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/kintone-tutorial/tutorial_kintone_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate1.png b/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate1.png
index a171762b2848d..6f3c5058b5a7d 100644
Binary files a/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate1.png and b/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate1.png differ
diff --git a/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate2.png b/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate2.png
index 2f1fc422597a5..c09b49c656266 100644
Binary files a/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate2.png and b/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate2.png differ
diff --git a/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate3.png b/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate3.png
index 911e5c3cb6fb1..342ba43ba9be0 100644
Binary files a/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate3.png and b/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate3.png differ
diff --git a/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate4.png b/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate4.png
index 44a930cc7b256..abc39f3a0da3e 100644
Binary files a/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate4.png and b/articles/active-directory/saas-apps/media/linkedinelevate-provisioning-tutorial/linkedin_elevate4.png differ
diff --git a/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_1.png b/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_1.png
index a171762b2848d..6f3c5058b5a7d 100644
Binary files a/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_1.png and b/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_1.png differ
diff --git a/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_2.png b/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_2.png
index 2f1fc422597a5..c09b49c656266 100644
Binary files a/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_2.png and b/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_2.png differ
diff --git a/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_3.png b/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_3.png
index bf92429d86a57..5157a6abdc41d 100644
Binary files a/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_3.png and b/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_3.png differ
diff --git a/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_4.png b/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_4.png
index 44a930cc7b256..abc39f3a0da3e 100644
Binary files a/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_4.png and b/articles/active-directory/saas-apps/media/linkedinsalesnavigator-provisioning-tutorial/linkedin_4.png differ
diff --git a/articles/active-directory/saas-apps/media/lucidchart-provisioning-tutorial/lucidchart1.png b/articles/active-directory/saas-apps/media/lucidchart-provisioning-tutorial/lucidchart1.png
index 059a27270bf96..ba41c477a0791 100644
Binary files a/articles/active-directory/saas-apps/media/lucidchart-provisioning-tutorial/lucidchart1.png and b/articles/active-directory/saas-apps/media/lucidchart-provisioning-tutorial/lucidchart1.png differ
diff --git a/articles/active-directory/saas-apps/media/lucidchart-provisioning-tutorial/lucidchart2.png b/articles/active-directory/saas-apps/media/lucidchart-provisioning-tutorial/lucidchart2.png
index 11112615082a0..7def6cdc9328f 100644
Binary files a/articles/active-directory/saas-apps/media/lucidchart-provisioning-tutorial/lucidchart2.png and b/articles/active-directory/saas-apps/media/lucidchart-provisioning-tutorial/lucidchart2.png differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_addfromgallery.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_addfromgallery.png
deleted file mode 100644
index 225692facdcf2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_app.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_app.png
deleted file mode 100644
index 20a129a284056..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_certificate.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_certificate.png
deleted file mode 100644
index 057308c74f7ad..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_configure.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_configure.png
deleted file mode 100644
index ccfb89bcb0945..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_samlbase.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_samlbase.png
deleted file mode 100644
index d6d9e49b22775..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_url.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_url.png
deleted file mode 100644
index e70281be5f94b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_url1.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_url1.png
deleted file mode 100644
index bd767604a4da3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_manabipocket_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/manabipocket-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/merchlogix-provisioning-tutorial/Merchlogix1.png b/articles/active-directory/saas-apps/media/merchlogix-provisioning-tutorial/Merchlogix1.png
index 1c56eba29101b..51a1af31212d5 100644
Binary files a/articles/active-directory/saas-apps/media/merchlogix-provisioning-tutorial/Merchlogix1.png and b/articles/active-directory/saas-apps/media/merchlogix-provisioning-tutorial/Merchlogix1.png differ
diff --git a/articles/active-directory/saas-apps/media/pingboard-provisioning-tutorial/pingboardazureprovisioning.png b/articles/active-directory/saas-apps/media/pingboard-provisioning-tutorial/pingboardazureprovisioning.png
index 0ff5663d812af..db79babee81d0 100644
Binary files a/articles/active-directory/saas-apps/media/pingboard-provisioning-tutorial/pingboardazureprovisioning.png and b/articles/active-directory/saas-apps/media/pingboard-provisioning-tutorial/pingboardazureprovisioning.png differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_03.png
deleted file mode 100644
index 1f3d381fc718b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_addfromgallery.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_addfromgallery.png
deleted file mode 100644
index 1202d68d79a5a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_app.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_app.png
deleted file mode 100644
index ddc1c8d3100c0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_certificate.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_certificate.png
deleted file mode 100644
index d402ba86a9282..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_configure.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_configure.png
deleted file mode 100644
index c45b70e2a2d6d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_samlbase.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_samlbase.png
deleted file mode 100644
index 10738b32fce9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_search.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_search.png
deleted file mode 100644
index a6f3b86b16ab9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_url.png b/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_url.png
deleted file mode 100644
index 478b66b8fb7c8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/procoresso-tutorial/tutorial_procoresso_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/attribute.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/attribute.png
deleted file mode 100644
index 26ce13a23991e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_addfromgallery.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_addfromgallery.png
deleted file mode 100644
index 3b658231f0d05..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_app.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_app.png
deleted file mode 100644
index f21875c0fe872..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_certificate.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_certificate.png
deleted file mode 100644
index d6fd3d21672df..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_configure.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_configure.png
deleted file mode 100644
index 41e302cfb9db5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_samlbase.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_samlbase.png
deleted file mode 100644
index 85ed744135e14..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_url.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_url.png
deleted file mode 100644
index 9732c343760e4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_url1.png b/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_url1.png
deleted file mode 100644
index c07cb5fd19f94..0000000000000
Binary files a/articles/active-directory/saas-apps/media/qumucloud-tutorial/tutorial_qumucloud_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/logo.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/logo.png
deleted file mode 100644
index 5f4c8d1c27df6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/logo.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_06.png
deleted file mode 100644
index 2384e9f3e4830..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_01.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_01.png
deleted file mode 100644
index cc562d1c6b25c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_02.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_02.png
deleted file mode 100644
index 24bcb8b1d8563..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_03.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_03.png
deleted file mode 100644
index 1e57ad992ec90..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_04.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_04.png
deleted file mode 100644
index 16a8ae96cb7f5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_05.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_05.png
deleted file mode 100644
index 8e0f86416c1de..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_50.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_50.png
deleted file mode 100644
index 4e5cf84c44054..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_addfromgallery.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_addfromgallery.png
deleted file mode 100644
index 4ea3c95e48990..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_app.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_app.png
deleted file mode 100644
index d86a6f331c72a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_certificate.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_certificate.png
deleted file mode 100644
index 0c5af0089ce7f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_configure.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_configure.png
deleted file mode 100644
index 00ddbaec1ab25..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_samlbase.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_search.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_search.png
deleted file mode 100644
index 46c335a4e7195..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_url.png b/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_url.png
deleted file mode 100644
index 8a4676311f741..0000000000000
Binary files a/articles/active-directory/saas-apps/media/reward-gateway-tutorial/tutorial_rewardgateway_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_001.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_001.png
deleted file mode 100644
index 6ce33063b403b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_002.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_002.png
deleted file mode 100644
index d9f9eb8a13257..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_002.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_003.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_003.png
deleted file mode 100644
index 2ea4aab1800e0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_003.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_06.png
deleted file mode 100644
index a19bca7802f19..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_300.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_300.png
deleted file mode 100644
index 5a9f929f06020..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_300.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_0001.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_0001.png
deleted file mode 100644
index e4f4ce7f8ff80..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_0001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_001.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_001.png
deleted file mode 100644
index 92a78d38bd26f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_01.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_01.png
deleted file mode 100644
index 7a3b61122b716..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_02.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_02.png
deleted file mode 100644
index 208239a26a3ee..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_03.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_03.png
deleted file mode 100644
index 96a3bf7d035e3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_04.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_04.png
deleted file mode 100644
index 14734dece3da4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_05.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_05.png
deleted file mode 100644
index 999ff92991508..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_06.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_06.png
deleted file mode 100644
index 7ec480a809c3e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_07.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_07.png
deleted file mode 100644
index c3df42774be74..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_50.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_50.png
deleted file mode 100644
index 6dfeba7766a1d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_addfromgallery.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_addfromgallery.png
deleted file mode 100644
index 956830888e538..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_app.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_app.png
deleted file mode 100644
index c0d19399a9263..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_attribute.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_attribute.png
deleted file mode 100644
index 7468b6fbeeecb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_certificate.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_certificate.png
deleted file mode 100644
index a14b3e28f54b7..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_configure.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_configure.png
deleted file mode 100644
index 49b08c776bda9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_samlbase.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_search.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_search.png
deleted file mode 100644
index fc7930d18386f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_url.png b/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_url.png
deleted file mode 100644
index 0446a9ce3e9c0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/rolepoint-tutorial/tutorial_rolepoint_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/salesforcexml.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/salesforcexml.png
index d8a2dde763714..9ca2d9f1cc789 100644
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/salesforcexml.png and b/articles/active-directory/saas-apps/media/salesforce-tutorial/salesforcexml.png differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_02.png
deleted file mode 100644
index ef5c35e21cbd0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_03.png
deleted file mode 100644
index 91b82d91754f9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_04.png
deleted file mode 100644
index f3b1e9e9b1833..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_100.png
deleted file mode 100644
index 71803b1d712d2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_201.png
deleted file mode 100644
index ef5c35e21cbd0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_203.png
deleted file mode 100644
index 650ebfeea6d6a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_300.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_300.png
deleted file mode 100644
index 320d593226975..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_300.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_301.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_301.png
deleted file mode 100644
index 27854b6850610..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_301.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_302.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_302.png
deleted file mode 100644
index be099046360f6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_302.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_addfromgallery.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_addfromgallery.png
deleted file mode 100644
index fe6a559f4f52b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_app.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_app.png
deleted file mode 100644
index ed30537dea696..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_certificate.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_certificate.png
deleted file mode 100644
index 145ca55976f8a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_configure.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_configure.png
deleted file mode 100644
index 71fc3567657ec..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_configuresignon.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_configuresignon.png
deleted file mode 100644
index 22e7dd80cf6f6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_configuresignon.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_samlbase.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_samlbase.png
deleted file mode 100644
index e40abfe40c3bc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_search.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_search.png
deleted file mode 100644
index 074b7bfbc28c1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_url.png b/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_url.png
deleted file mode 100644
index 0cd61e96c29a6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/salesforce-tutorial/tutorial_salesforce_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/claimsaad1.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/claimsaad1.png
new file mode 100644
index 0000000000000..7fb93e825071a
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/claimsaad1.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/claimsaad2.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/claimsaad2.png
new file mode 100644
index 0000000000000..25db91356b70b
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/claimsaad2.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/configuration1.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/configuration1.png
new file mode 100644
index 0000000000000..905cd53c2819e
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/configuration1.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/configuration2.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/configuration2.png
new file mode 100644
index 0000000000000..9208a89f208d2
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/configuration2.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/edit-attribute.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/edit-attribute.png
new file mode 100644
index 0000000000000..b30356a68f626
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/edit-attribute.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/edit_attribute.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/edit_attribute.png
new file mode 100644
index 0000000000000..b30356a68f626
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/edit_attribute.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/nameidattribute.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/nameidattribute.png
new file mode 100644
index 0000000000000..43edb1d0a085f
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/nameidattribute.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/nameidattribute1.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/nameidattribute1.png
new file mode 100644
index 0000000000000..9f33c76437563
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/nameidattribute1.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/nameiddetails.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/nameiddetails.png
new file mode 100644
index 0000000000000..86db4c3b77602
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/nameiddetails.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/testingsso.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/testingsso.png
new file mode 100644
index 0000000000000..d87df40ab46ac
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/testingsso.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-addfromgallery.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-addfromgallery.png
new file mode 100644
index 0000000000000..3790aab9b797c
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-addfromgallery.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-addidentityprovider.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-addidentityprovider.png
new file mode 100644
index 0000000000000..e44b301e1e513
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-addidentityprovider.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-aliasname.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-aliasname.png
new file mode 100644
index 0000000000000..fad5c912935cd
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-aliasname.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-app.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-app.png
new file mode 100644
index 0000000000000..8c52be12600d2
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-app.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-artifactendpoint.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-artifactendpoint.png
new file mode 100644
index 0000000000000..c03f9ff7be21f
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-artifactendpoint.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-authentication.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-authentication.png
new file mode 100644
index 0000000000000..d6afba115301a
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-authentication.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-generatesp.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-generatesp.png
new file mode 100644
index 0000000000000..57606c1fff32c
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-generatesp.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-httpredirect.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-httpredirect.png
new file mode 100644
index 0000000000000..693e132498f0b
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-httpredirect.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-httpredirect1.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-httpredirect1.png
new file mode 100644
index 0000000000000..015b5768de19c
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-httpredirect1.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-identityprovider.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-identityprovider.png
new file mode 100644
index 0000000000000..9ebd8bfc3e600
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-identityprovider.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-metadatafile.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-metadatafile.png
new file mode 100644
index 0000000000000..5aefeedc8cd81
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-metadatafile.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-nameid.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-nameid.png
new file mode 100644
index 0000000000000..54531e854d9ff
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-nameid.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-nameiddetails.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-nameiddetails.png
new file mode 100644
index 0000000000000..86db4c3b77602
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-nameiddetails.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-nameiddetails1.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-nameiddetails1.png
new file mode 100644
index 0000000000000..dda73abd8375a
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-nameiddetails1.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-profileparameter.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-profileparameter.png
new file mode 100644
index 0000000000000..55636f487bc55
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-profileparameter.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-providername.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-providername.png
new file mode 100644
index 0000000000000..b1a954c39a48f
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-providername.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-samlconfig.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-samlconfig.png
new file mode 100644
index 0000000000000..2eddf978ba248
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-samlconfig.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-sapbusinessclient.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-sapbusinessclient.png
new file mode 100644
index 0000000000000..48dfb4b1433f7
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-sapbusinessclient.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-trustedprovider.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-trustedprovider.png
new file mode 100644
index 0000000000000..a4cfbd702d455
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-trustedprovider.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-uploadmetadata.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-uploadmetadata.png
new file mode 100644
index 0000000000000..71ed6bc7b40d8
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-uploadmetadata.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-url.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-url.png
new file mode 100644
index 0000000000000..502adb29e718c
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-url.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-userpwd.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-userpwd.png
new file mode 100644
index 0000000000000..29f0b23fc8435
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweaver-userpwd.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweavercertificate.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweavercertificate.png
new file mode 100644
index 0000000000000..07774a28bad2f
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-sapnetweavercertificate.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-usermailedit.jpg b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-usermailedit.jpg
new file mode 100644
index 0000000000000..a766b9d9fb6d6
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-usermailedit.jpg differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-usermailedit.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-usermailedit.png
new file mode 100644
index 0000000000000..a1c906d595929
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial-usermailedit.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_addfromgallery.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_addfromgallery.png
new file mode 100644
index 0000000000000..3790aab9b797c
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_addfromgallery.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_addidentityprovider.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_addidentityprovider.png
new file mode 100644
index 0000000000000..e44b301e1e513
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_addidentityprovider.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_aliasname.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_aliasname.png
new file mode 100644
index 0000000000000..fad5c912935cd
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_aliasname.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_app.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_app.png
new file mode 100644
index 0000000000000..8c52be12600d2
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_app.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_artifactendpoint.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_artifactendpoint.png
new file mode 100644
index 0000000000000..c03f9ff7be21f
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_artifactendpoint.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_authentication.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_authentication.png
new file mode 100644
index 0000000000000..d6afba115301a
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_authentication.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_certificate.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_certificate.png
new file mode 100644
index 0000000000000..07774a28bad2f
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_certificate.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_generatesp.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_generatesp.png
new file mode 100644
index 0000000000000..57606c1fff32c
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_generatesp.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_httpredirect.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_httpredirect.png
new file mode 100644
index 0000000000000..693e132498f0b
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_httpredirect.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_httpredirect1.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_httpredirect1.png
new file mode 100644
index 0000000000000..015b5768de19c
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_httpredirect1.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_identityprovider.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_identityprovider.png
new file mode 100644
index 0000000000000..9ebd8bfc3e600
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_identityprovider.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_metadatafile.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_metadatafile.png
new file mode 100644
index 0000000000000..5aefeedc8cd81
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_metadatafile.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_nameid.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_nameid.png
new file mode 100644
index 0000000000000..54531e854d9ff
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_nameid.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_nameiddetails.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_nameiddetails.png
new file mode 100644
index 0000000000000..86db4c3b77602
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_nameiddetails.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_nameiddetails1.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_nameiddetails1.png
new file mode 100644
index 0000000000000..dda73abd8375a
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_nameiddetails1.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_profileparameter.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_profileparameter.png
new file mode 100644
index 0000000000000..55636f487bc55
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_profileparameter.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_providername.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_providername.png
new file mode 100644
index 0000000000000..b1a954c39a48f
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_providername.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_samlconfig.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_samlconfig.png
new file mode 100644
index 0000000000000..2eddf978ba248
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_samlconfig.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_sapbusinessclient.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_sapbusinessclient.png
new file mode 100644
index 0000000000000..48dfb4b1433f7
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_sapbusinessclient.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_trustedprovider.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_trustedprovider.png
new file mode 100644
index 0000000000000..a4cfbd702d455
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_trustedprovider.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_uploadmetadata.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_uploadmetadata.png
new file mode 100644
index 0000000000000..71ed6bc7b40d8
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_uploadmetadata.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_url.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_url.png
new file mode 100644
index 0000000000000..502adb29e718c
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_url.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_userpwd.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_userpwd.png
new file mode 100644
index 0000000000000..29f0b23fc8435
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_sapnetweaver_userpwd.png differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_usermailedit.jpg b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_usermailedit.jpg
new file mode 100644
index 0000000000000..a766b9d9fb6d6
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_usermailedit.jpg differ
diff --git a/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_usermailedit.png b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_usermailedit.png
new file mode 100644
index 0000000000000..a1c906d595929
Binary files /dev/null and b/articles/active-directory/saas-apps/media/sapfiori-tutorial/tutorial_usermailedit.png differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_04.png
deleted file mode 100644
index 781205fba8219..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 626684f2721e5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ccf27fd4cba3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_203.png
deleted file mode 100644
index 2f3911fc297e2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_addfromgallery.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_addfromgallery.png
deleted file mode 100644
index 97e157cbc071a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_app.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_app.png
deleted file mode 100644
index 4d11c9dc02104..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_certificate.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_certificate.png
deleted file mode 100644
index 180b0f7df1dfd..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_configure.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_configure.png
deleted file mode 100644
index 509603a0ff20c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_samlbase.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_search.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_search.png
deleted file mode 100644
index 9bdfd7ea30788..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_url.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_url.png
deleted file mode 100644
index 06737433b0ca5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_url1.png b/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_url1.png
deleted file mode 100644
index 4f5477c94944a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/scclifecycle-tutorial/tutorial_scclifecycle_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_addfromgallery.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_addfromgallery.png
deleted file mode 100644
index 22d64124447b4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_app.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_app.png
deleted file mode 100644
index 1695b7b40b29c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_appid.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_appid.png
deleted file mode 100644
index a26bd53fffc9c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_appid.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_appregistrations.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_appregistrations.png
deleted file mode 100644
index 812837b4098b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_appregistrations.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_attribute.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_attribute.png
deleted file mode 100644
index 19b13c5a93f91..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_attribute1.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_attribute1.png
deleted file mode 100644
index b65d64a031ec8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_attribute1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_certificate.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_certificate.png
deleted file mode 100644
index 56525b0bf6073..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_configure.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_configure.png
deleted file mode 100644
index 631a1a50b44af..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_endpoint.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_endpoint.png
deleted file mode 100644
index 3f3907c258931..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_endpoint.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_endpointicon.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_endpointicon.png
deleted file mode 100644
index 76fb18b8e649c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_endpointicon.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_intgpage.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_intgpage.png
deleted file mode 100644
index 130ae22d64567..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_intgpage.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_newintg.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_newintg.png
deleted file mode 100644
index 892b3dcc7c2c5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_newintg.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_samlbase.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_samlbase.png
deleted file mode 100644
index 0822d7e353fab..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_url.png b/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_url.png
deleted file mode 100644
index fe77d991fd9e8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/signalfx-tutorial/tutorial_signalfx_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_addfromgallery.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_addfromgallery.png
deleted file mode 100644
index aab7f8c496815..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_app.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_app.png
deleted file mode 100644
index cc681aef0e9d3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_certificate.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_certificate.png
deleted file mode 100644
index 872a6d09cf0cc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_configure.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_configure.png
deleted file mode 100644
index 71355a0a0df36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_samlbase.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_samlbase.png
deleted file mode 100644
index 0822d7e353fab..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_url.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_url.png
deleted file mode 100644
index 51e23de49b543..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_url1.png b/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_url1.png
deleted file mode 100644
index ab7053aa5b168..0000000000000
Binary files a/articles/active-directory/saas-apps/media/skytap-tutorial/tutorial_skytap_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/slack-provisioning-tutorial/slack1.png b/articles/active-directory/saas-apps/media/slack-provisioning-tutorial/slack1.png
index 840dfb76c0ccc..35381d59c73c9 100644
Binary files a/articles/active-directory/saas-apps/media/slack-provisioning-tutorial/slack1.png and b/articles/active-directory/saas-apps/media/slack-provisioning-tutorial/slack1.png differ
diff --git a/articles/active-directory/saas-apps/media/slack-provisioning-tutorial/slack3.png b/articles/active-directory/saas-apps/media/slack-provisioning-tutorial/slack3.png
index 13b0d3d264822..d3b18293bce6e 100644
Binary files a/articles/active-directory/saas-apps/media/slack-provisioning-tutorial/slack3.png and b/articles/active-directory/saas-apps/media/slack-provisioning-tutorial/slack3.png differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/logo.png b/articles/active-directory/saas-apps/media/soonr-tutorial/logo.png
deleted file mode 100644
index a95f42242414a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/logo.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1169c44b3f0da..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_06.png
deleted file mode 100644
index 2384e9f3e4830..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_203.png
deleted file mode 100644
index 0b25f47c92ad6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index fc4a3792022a5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_01.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_01.png
deleted file mode 100644
index c3abec493a478..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_02.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_02.png
deleted file mode 100644
index f21ab13e87714..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_03.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_03.png
deleted file mode 100644
index fd337c52411c1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_04.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_04.png
deleted file mode 100644
index 290a2ceb59b31..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_05.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_05.png
deleted file mode 100644
index 1fc8196804b70..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_50.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_50.png
deleted file mode 100644
index 0bab2385c96e4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_addfromgallery.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_addfromgallery.png
deleted file mode 100644
index 9d622006b0bea..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_app.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_app.png
deleted file mode 100644
index 20b849d6c8893..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_certificate.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_certificate.png
deleted file mode 100644
index 52cdbc9a17215..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_configure.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_configure.png
deleted file mode 100644
index 686cab6eb1ede..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_samlbase.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_search.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_search.png
deleted file mode 100644
index 713c054e06d30..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_url.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_url.png
deleted file mode 100644
index e5351f3a6e7ec..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_url1.png b/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_url1.png
deleted file mode 100644
index 98b26db7409e1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/soonr-tutorial/tutorial_soonr_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC700993.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC700993.png
deleted file mode 100644
index 3a303b64c0a0e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC700993.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC700994.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC700994.png
deleted file mode 100644
index a193ab9aa932e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC700994.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC749321.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC749321.png
deleted file mode 100644
index 9f523d7bf9342..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC749321.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC749322.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC749322.png
deleted file mode 100644
index a45b53803d99f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC749322.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC767830.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC767830.png
deleted file mode 100644
index 56a8200c0f604..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC767830.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797044.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797044.png
deleted file mode 100644
index 2a5152ba3c6fe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797044.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797045.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797045.png
deleted file mode 100644
index fd72f6f8d0c63..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797045.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797046.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797046.png
deleted file mode 100644
index 5ced3889c3c33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797046.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797047.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797047.png
deleted file mode 100644
index 78eee864986a7..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797047.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797048.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797048.png
deleted file mode 100644
index 64550e33229cc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797048.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797049.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797049.png
deleted file mode 100644
index bbd3817da08ae..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797049.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797050.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797050.png
deleted file mode 100644
index 4a2a487cc3119..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797050.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797053.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797053.png
deleted file mode 100644
index 9c47e15ace783..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797053.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797055.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797055.png
deleted file mode 100644
index f1c649a578e88..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/IC797055.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_addfromgallery.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_addfromgallery.png
deleted file mode 100644
index 856d903338db2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_app.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_app.png
deleted file mode 100644
index 702263ee0a2f5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_certificate.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_certificate.png
deleted file mode 100644
index 52da78eea83e1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_configure.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_configure.png
deleted file mode 100644
index 71bc54a9f5d4c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_samlbase.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_samlbase.png
deleted file mode 100644
index 693251f78c65d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_search.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_search.png
deleted file mode 100644
index 77d7802141340..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_url.png b/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_url.png
deleted file mode 100644
index cd68937a3c06a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/spring-cm-tutorial/tutorial_springcm_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_05.png
deleted file mode 100644
index 2823aabb51d5e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_09.png
deleted file mode 100644
index 00d737e82fa81..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/logo.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/logo.png
deleted file mode 100644
index fa65f003a1ef3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/logo.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1169c44b3f0da..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_06.png
deleted file mode 100644
index 6a2812dfc6d0e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_203.png
deleted file mode 100644
index 0b25f47c92ad6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index fc4a3792022a5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_01.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_01.png
deleted file mode 100644
index 4ae18354b8ad0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_02.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_02.png
deleted file mode 100644
index 87c1f07c2de9d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_03.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_03.png
deleted file mode 100644
index 1098079ad4036..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_04.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_04.png
deleted file mode 100644
index f8ab853ae4030..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_05.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_05.png
deleted file mode 100644
index 97a10d5e5c328..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_50.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_50.png
deleted file mode 100644
index d66ae31e06a0c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_addfromgallery.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_addfromgallery.png
deleted file mode 100644
index 36e16ba1f65b0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_app.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_app.png
deleted file mode 100644
index f208b98c2eac3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_certificate.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_certificate.png
deleted file mode 100644
index 849f5782c16c9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_configure.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_configure.png
deleted file mode 100644
index cc791d1ca16eb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_samlbase.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_search.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_search.png
deleted file mode 100644
index 0b7062338f0a7..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_url.png b/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_url.png
deleted file mode 100644
index 2c3740ec0f821..0000000000000
Binary files a/articles/active-directory/saas-apps/media/statuspage-tutorial/tutorial_statuspage_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC700993.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC700993.png
deleted file mode 100644
index 4804fd82c80f4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC700993.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC700994.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC700994.png
deleted file mode 100644
index ea35c2884d6f2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC700994.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC749321.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC749321.png
deleted file mode 100644
index 252a1f8e16ca4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC749321.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC749322.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC749322.png
deleted file mode 100644
index a45b53803d99f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC749322.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC767830.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC767830.png
deleted file mode 100644
index 56a8200c0f604..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC767830.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795881.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795881.png
deleted file mode 100644
index e818a2a16e296..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795881.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795882.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795882.png
deleted file mode 100644
index eb545836b1ef5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795882.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795883.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795883.png
deleted file mode 100644
index 1ba2dfb9ad71b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795883.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795884.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795884.png
deleted file mode 100644
index 92f5d6b5925fc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795884.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795885.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795885.png
deleted file mode 100644
index cd824990fd393..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795885.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795886.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795886.png
deleted file mode 100644
index ba973af92dc84..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795886.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795897.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795897.png
deleted file mode 100644
index 541c9a1c7d24b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC795897.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC796918.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC796918.png
deleted file mode 100644
index d76918375a623..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC796918.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC796919.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC796919.png
deleted file mode 100644
index 66b0f6fa80177..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/IC796919.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/logo.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/logo.png
deleted file mode 100644
index 9563cee27212b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/logo.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1169c44b3f0da..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_203.png
deleted file mode 100644
index 0b25f47c92ad6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index fc4a3792022a5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_addfromgallery.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_addfromgallery.png
deleted file mode 100644
index 294cf7d5daf45..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_app.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_app.png
deleted file mode 100644
index c8e2488cef60b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_certificate.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_certificate.png
deleted file mode 100644
index c9adc9bd57ec9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_configure.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_configure.png
deleted file mode 100644
index d25e07af419da..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_samlbase.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_search.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_search.png
deleted file mode 100644
index e800f5d12fe1d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_url.png b/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_url.png
deleted file mode 100644
index 47a64a0f06829..0000000000000
Binary files a/articles/active-directory/saas-apps/media/sugarcrm-tutorial/tutorial_sugarcrm_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/3.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/3.png
deleted file mode 100644
index da12c29486c8f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/3.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-001.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-001.png
deleted file mode 100644
index 81368b3eb5f1b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-add-attribute.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-add-attribute.png
deleted file mode 100644
index 7be8251b91b92..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-add-attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-addfromgallery.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-addfromgallery.png
deleted file mode 100644
index 3c29e78b6786b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-app.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-app.png
deleted file mode 100644
index 65ff7b1a4ce70..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-attribute.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-attribute.png
deleted file mode 100644
index 15b06b9c30ba9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-certificate.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-certificate.png
deleted file mode 100644
index d402ba86a9282..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-manage-attribute.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-manage-attribute.png
deleted file mode 100644
index 17236ea03b661..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-manage-attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-url.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-url.png
deleted file mode 100644
index d8f9c0f15c179..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial-tableauserver-url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_06.png
deleted file mode 100644
index 2384e9f3e4830..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_81.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_81.png
deleted file mode 100644
index b1ddf3b26bf16..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_81.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_82.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_82.png
deleted file mode 100644
index 646af82d3df09..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_82.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_83.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_83.png
deleted file mode 100644
index 23dc278784569..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_general_83.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_001.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_001.png
deleted file mode 100644
index 9dae59e0d612a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_01.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_01.png
deleted file mode 100644
index 07397e9dbee04..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_02.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_02.png
deleted file mode 100644
index 564cc65c96827..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_03.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_03.png
deleted file mode 100644
index d184c321eb7d8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_04.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_04.png
deleted file mode 100644
index 365cc3de7c3c8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_05.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_05.png
deleted file mode 100644
index 525e89ec77f79..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_50.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_50.png
deleted file mode 100644
index 98f82cf627144..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_51.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_51.png
deleted file mode 100644
index dff7b4d65d11f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_51.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_addfromgallery.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_addfromgallery.png
deleted file mode 100644
index 50437805e48a0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_app.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_app.png
deleted file mode 100644
index d3aeb88dd5822..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_certificate.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_certificate.png
deleted file mode 100644
index 138ffd52f05c8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_configure.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_configure.png
deleted file mode 100644
index 5818fc9814198..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_samlbase.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_search.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_search.png
deleted file mode 100644
index ba75422b31b4d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_url.png b/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_url.png
deleted file mode 100644
index 3b0f04a9a08ea..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tableauserver-tutorial/tutorial_tableauserver_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_300.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_300.png
deleted file mode 100644
index 5a9f929f06020..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_300.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_0001.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_0001.png
deleted file mode 100644
index 3f89d84fdb6c9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_0001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_001.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_001.png
deleted file mode 100644
index 3191dee28b694..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_01.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_01.png
deleted file mode 100644
index 38199b7fc07b3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_02.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_02.png
deleted file mode 100644
index 11225df9cf458..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_03.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_03.png
deleted file mode 100644
index 5ad82f093af33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_04.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_04.png
deleted file mode 100644
index 16f800d9c7cc0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_05.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_05.png
deleted file mode 100644
index 3cb87bb29f88f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_50.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_50.png
deleted file mode 100644
index 0d267b282770e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_addfromgallery.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_addfromgallery.png
deleted file mode 100644
index 43422263c1f7f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_app.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_app.png
deleted file mode 100644
index b2b7641d76410..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_certificate.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_certificate.png
deleted file mode 100644
index c6fc02697e86a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_configure.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_configure.png
deleted file mode 100644
index f2442d5971242..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_samlbase.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_samlbase.png
deleted file mode 100644
index 4a656fbdd0a34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_url.png b/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_url.png
deleted file mode 100644
index 99bd98e7a1ee1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/teamwork-tutorial/tutorial_teamwork_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC700993.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC700993.png
deleted file mode 100644
index eeaf5329b9f23..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC700993.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC700994.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC700994.png
deleted file mode 100644
index 573b1873b4ad0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC700994.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC749321.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC749321.png
deleted file mode 100644
index 63e61973930ce..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC749321.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC749322.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC749322.png
deleted file mode 100644
index a45b53803d99f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC749322.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC767830.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC767830.png
deleted file mode 100644
index 56a8200c0f604..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC767830.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805836.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805836.png
deleted file mode 100644
index 8e4cecc787a6f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805836.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805837.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805837.png
deleted file mode 100644
index b0069af0136a3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805837.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805838.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805838.png
deleted file mode 100644
index 140dcc0e5b33e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805838.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805839.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805839.png
deleted file mode 100644
index 52e93eb2d9f1b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805839.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805840.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805840.png
deleted file mode 100644
index bc65b2f74043b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805840.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805841.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805841.png
deleted file mode 100644
index 0c627225d7ef6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805841.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805842.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805842.png
deleted file mode 100644
index 0c500e192cf37..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805842.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805845.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805845.png
deleted file mode 100644
index edca6172dd0a8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805845.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805846.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805846.png
deleted file mode 100644
index 6101fbe1c5bbe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/IC805846.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_001.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_001.png
deleted file mode 100644
index 6ce33063b403b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_002.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_002.png
deleted file mode 100644
index d9f9eb8a13257..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_002.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_003.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_003.png
deleted file mode 100644
index 2ea4aab1800e0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_003.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_300.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_300.png
deleted file mode 100644
index 5a9f929f06020..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_300.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_addfromgallery.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_addfromgallery.png
deleted file mode 100644
index ca708f8def854..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_app.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_app.png
deleted file mode 100644
index 1b01342377f06..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_certificate.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_certificate.png
deleted file mode 100644
index ff7373a694054..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_configure.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_configure.png
deleted file mode 100644
index 354cf1abf575c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_samlbase.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_samlbase.png
deleted file mode 100644
index 56783ed76d246..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_search.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_search.png
deleted file mode 100644
index 71c8b23b677bb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_url.png b/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_url.png
deleted file mode 100644
index f18efb8f2f7f8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/thirdlight-tutorial/tutorial_thirdlight_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/thousandeyes-provisioning-tutorial/thousandeyes1.png b/articles/active-directory/saas-apps/media/thousandeyes-provisioning-tutorial/thousandeyes1.png
index 7d9f58db39492..fdd849304d38c 100644
Binary files a/articles/active-directory/saas-apps/media/thousandeyes-provisioning-tutorial/thousandeyes1.png and b/articles/active-directory/saas-apps/media/thousandeyes-provisioning-tutorial/thousandeyes1.png differ
diff --git a/articles/active-directory/saas-apps/media/thousandeyes-provisioning-tutorial/thousandeyes2.png b/articles/active-directory/saas-apps/media/thousandeyes-provisioning-tutorial/thousandeyes2.png
index 6e862c64af94a..d3262ea875ebc 100644
Binary files a/articles/active-directory/saas-apps/media/thousandeyes-provisioning-tutorial/thousandeyes2.png and b/articles/active-directory/saas-apps/media/thousandeyes-provisioning-tutorial/thousandeyes2.png differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_04.png
deleted file mode 100644
index 763d732635c97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_02.png
deleted file mode 100644
index 5b5c001a9496a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_06.png
deleted file mode 100644
index 2384e9f3e4830..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_203.png
deleted file mode 100644
index 7c1ca86c0fe11..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_01.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_01.png
deleted file mode 100644
index 07fe3d59bcc27..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_03.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_03.png
deleted file mode 100644
index ea1f6744b3ecd..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_04.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_04.png
deleted file mode 100644
index 79a849536d114..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_05.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_05.png
deleted file mode 100644
index 5f1b3ac49efdc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_50.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_50.png
deleted file mode 100644
index ef1291e4d6875..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_addfromgallery.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_addfromgallery.png
deleted file mode 100644
index 645c4ec725cbe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_app.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_app.png
deleted file mode 100644
index 41985fae7dfb5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_certificate.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_certificate.png
deleted file mode 100644
index 9625ceb1c439e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_configure.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_configure.png
deleted file mode 100644
index 5e17a29278163..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_samlbase.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_samlbase.png
deleted file mode 100644
index a90b33a5af4cb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_search.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_search.png
deleted file mode 100644
index 6d6d98f7d5d60..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_url.png b/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_url.png
deleted file mode 100644
index 05600a7cda06f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/tigertext-tutorial/tutorial_tigertext_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_06.png
deleted file mode 100644
index 2384e9f3e4830..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_01.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_01.png
deleted file mode 100644
index 4c452bd92fa84..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_02.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_02.png
deleted file mode 100644
index 4f4b721cddb44..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_03.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_03.png
deleted file mode 100644
index 116cd5c0fd23f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_04.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_04.png
deleted file mode 100644
index 8edf2bf3f8862..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_05.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_05.png
deleted file mode 100644
index ab14109303527..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_50.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_50.png
deleted file mode 100644
index bdd44c86396d9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_addfromgallery.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_addfromgallery.png
deleted file mode 100644
index bacf39328ba92..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_app.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_app.png
deleted file mode 100644
index 65f583b38a582..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_certificate.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_certificate.png
deleted file mode 100644
index 3f53e57694d33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_configure.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_configure.png
deleted file mode 100644
index 7a2ea075a531f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_samlbase.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_search.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_search.png
deleted file mode 100644
index cae1d5578c346..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_url.png b/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_url.png
deleted file mode 100644
index cf8fcb703ba65..0000000000000
Binary files a/articles/active-directory/saas-apps/media/trakstar-tutorial/tutorial_trakstar_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/logo.png b/articles/active-directory/saas-apps/media/turborater-tutorial/logo.png
deleted file mode 100644
index 2598980f67fbe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/logo.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_addfromgallery.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_addfromgallery.png
deleted file mode 100644
index 712d9b5af19ed..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_app.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_app.png
deleted file mode 100644
index 1b293d16fcdb8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_certificate.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_certificate.png
deleted file mode 100644
index 03d3916847d73..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_configure.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_configure.png
deleted file mode 100644
index f618fa00d7528..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_samlbase.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_url.png b/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_url.png
deleted file mode 100644
index 973867610e548..0000000000000
Binary files a/articles/active-directory/saas-apps/media/turborater-tutorial/tutorial_turborater_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_addfromgallery.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_addfromgallery.png
deleted file mode 100644
index 5a3b7335300b1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_app.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_app.png
deleted file mode 100644
index 16c674e1bffe9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_certificate.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_certificate.png
deleted file mode 100644
index c9c23e104f3be..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_configure.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_configure.png
deleted file mode 100644
index 3f0b8c8463747..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_samlbase.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_samlbase.png
deleted file mode 100644
index ddf4f895d5ff8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_url1.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_url1.png
deleted file mode 100644
index c6bea9a5f532a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_url2.png b/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_url2.png
deleted file mode 100644
index 3e78bbd9f408f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uberflip-tutorial/tutorial_uberflip_url2.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_01.png deleted file mode 100644 index 3cd3495767a28..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_01.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_02.png deleted file mode 100644 index b8696cbe66987..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_02.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_03.png deleted file mode 100644 index 21ce52515ad1e..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_04.png deleted file mode 100644 index f0f43fff2dcd1..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/create_aaduser_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/new_attribute_details.png b/articles/active-directory/saas-apps/media/useall-tutorial/new_attribute_details.png deleted file mode 100644 index e737926a52989..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/new_attribute_details.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/new_save_attribute.png b/articles/active-directory/saas-apps/media/useall-tutorial/new_save_attribute.png deleted file mode 100644 index 7be8251b91b92..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/new_save_attribute.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_attribute.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_attribute.png deleted file mode 100644 index 95cfb529cf744..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_attribute.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_attribute_05.png deleted file mode 100644 index 832f8580c4b6e..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_attribute_05.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_01.png deleted file mode 100644 index 210e0ec9e5e9b..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_01.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_02.png deleted file mode 100644 index ef5c35e21cbd0..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_02.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_03.png deleted file mode 100644 index 91b82d91754f9..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_04.png deleted file mode 100644 index 014502ab06379..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_100.png deleted file mode 100644 index 71803b1d712d2..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_100.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_200.png deleted file mode 100644 index 84a3a8cb56791..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_200.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_201.png deleted file mode 100644 index ef5c35e21cbd0..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_201.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_202.png deleted file mode 100644 index f873c028bcb36..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_202.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_203.png deleted file mode 100644 index 650ebfeea6d6a..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_203.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_300.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_300.png deleted file mode 100644 index 320d593226975..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_300.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_301.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_301.png deleted file mode 100644 index 27854b6850610..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_301.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_400.png deleted file mode 100644 index bf1f9ced09e43..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_general_400.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_officespace_03.png deleted file mode 100644 index 5ee2505b75f97..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_officespace_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_officespace_04.png deleted file mode 100644 index 368f89c787428..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_officespace_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_addfromgallery.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_addfromgallery.png deleted file mode 100644 index d9b91e182801c..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_addfromgallery.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_app.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_app.png deleted file mode 100644 index 9a2eaa6a375d8..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_app.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_certificate.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_certificate.png deleted file mode 100644 index 0b1d3faf84b32..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_certificate.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_configure.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_configure.png deleted file mode 100644 index 4eeab84910d3c..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_configure.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_editurl.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_editurl.png deleted file mode 100644 index 35c8462157eca..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_editurl.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_samlbase.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_samlbase.png deleted file mode 100644 index ddf4f895d5ff8..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_samlbase.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_url.png b/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_url.png deleted file mode 100644 index 4e5b1c986c4bb..0000000000000 Binary files a/articles/active-directory/saas-apps/media/useall-tutorial/tutorial_useall_url.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_01.png deleted file mode 100644 index 19cb268bb31b8..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_01.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_02.png deleted file mode 100644 index 5a52c44d9b21a..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_02.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_03.png deleted file mode 100644 index 21ce52515ad1e..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_04.png deleted file mode 100644 index fdea60786b792..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_05.png deleted file mode 100644 index 2823aabb51d5e..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_05.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_06.png deleted file mode 100644 index 1bd23ba3d1ecc..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_06.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_07.png deleted file mode 100644 index afd9773ef8abe..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_07.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_08.png deleted file mode 100644 index 5848bd737d9ef..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_08.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_09.png deleted file mode 100644 index 00d737e82fa81..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/create_aaduser_09.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_attribute_03.png deleted file mode 100644 index 5ee2505b75f97..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_attribute_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_attribute_04.png deleted file mode 100644 index 368f89c787428..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_attribute_04.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_attribute_05.png deleted file mode 100644 index 6df23a91aba59..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_attribute_05.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_01.png deleted file mode 100644 index 19cb268bb31b8..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_01.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_02.png deleted file mode 100644 index 1ff3f25482e34..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_02.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_03.png deleted file mode 100644 index 974ef922ee80b..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_04.png deleted file mode 100644 index 014502ab06379..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_04.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_05.png deleted file mode 100644 index 1c6123495dc33..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_05.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_06.png deleted file mode 100644 index 6a2812dfc6d0e..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_06.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_07.png deleted file mode 100644 index 45c1f3640a356..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_07.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_100.png deleted file mode 100644 index 4fe5408cdbfaf..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_100.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_200.png deleted file mode 100644 index 84a3a8cb56791..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_200.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_201.png deleted file mode 100644 index 39bc0e0407d5c..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_201.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_202.png deleted file mode 100644 index f873c028bcb36..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_202.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_203.png deleted file mode 100644 index 9a5e9e7eea18e..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_203.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_205.png deleted file mode 100644 index f2fd98d2920aa..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_205.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_400.png deleted file mode 100644 index bf1f9ced09e43..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_general_400.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_01.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_01.png deleted file mode 100644 index 3f816fc4569fa..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_01.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_02.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_02.png deleted file mode 100644 index a8b71250a427d..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_02.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_03.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_03.png deleted file mode 100644 index 72a5f82f83451..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_04.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_04.png deleted file mode 100644 index e0b28299bd302..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_05.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_05.png deleted file mode 100644 index 931a6a844397a..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_05.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_50.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_50.png deleted file mode 100644 index ddf1c5f19a681..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_50.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_addfromgallery.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_addfromgallery.png deleted file mode 100644 index 5fefc4b6f8ecd..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_addfromgallery.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_app.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_app.png deleted file mode 100644 index 5a34ebf23a658..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_app.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_certificate.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_certificate.png deleted file mode 100644 index 11b19999345f4..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_certificate.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_configure.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_configure.png deleted file mode 100644 index a378ed331e002..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_configure.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_samlbase.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_samlbase.png deleted file mode 100644 index 4a656fbdd0a34..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_samlbase.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_search.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_search.png deleted file mode 100644 index f06968401165d..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_search.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_url.png b/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_url.png deleted file mode 100644 index 3802f149a78d8..0000000000000 Binary files a/articles/active-directory/saas-apps/media/userecho-tutorial/tutorial_userecho_url.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_01.png deleted file mode 100644 index 210e0ec9e5e9b..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_01.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_02.png deleted file mode 100644 index 5a52c44d9b21a..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_02.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_03.png deleted file mode 100644 index 21ce52515ad1e..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_04.png deleted file mode 100644 index f0f43fff2dcd1..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/create_aaduser_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_attribute_03.png deleted file mode 100644 index 5ee2505b75f97..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_attribute_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_attribute_04.png deleted file mode 100644 index 368f89c787428..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_attribute_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_attribute_05.png deleted file mode 100644 index 832f8580c4b6e..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_attribute_05.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_01.png deleted file mode 100644 index 210e0ec9e5e9b..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_01.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_02.png deleted file mode 100644 index e61077146deac..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_02.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_03.png deleted file mode 100644 index 974ef922ee80b..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_03.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_04.png deleted file mode 100644 index 014502ab06379..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_04.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_100.png deleted file mode 100644 index 4fe5408cdbfaf..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_100.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_200.png deleted file mode 100644 index 84a3a8cb56791..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_200.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_201.png deleted file mode 100644 index 39bc0e0407d5c..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_201.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_202.png deleted file mode 100644 index f873c028bcb36..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_202.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_203.png deleted file mode 100644 index 45bebd18fce2f..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_203.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_400.png deleted file mode 100644 index bf1f9ced09e43..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_general_400.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_addfromgallery.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_addfromgallery.png deleted file mode 100644 index fa0e62ba99c15..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_addfromgallery.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_app.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_app.png deleted file mode 100644 index 28282d26eb759..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_app.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_certificate.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_certificate.png deleted file mode 100644 index ebb92ff97680a..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_certificate.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_configure.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_configure.png deleted file mode 100644 index e835329866285..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_configure.png and /dev/null differ diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_samlbase.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_samlbase.png deleted file mode 100644 index 2331d719e7838..0000000000000 Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_samlbase.png and /dev/null differ 
diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_search.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_search.png
deleted file mode 100644
index 539bbd4a42a1d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_url.png b/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_url.png
deleted file mode 100644
index ba34ba4323794..0000000000000
Binary files a/articles/active-directory/saas-apps/media/uservoice-tutorial/tutorial_uservoice_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpic-provisioning-tutorial/Velpic1.png b/articles/active-directory/saas-apps/media/velpic-provisioning-tutorial/Velpic1.png
index 10c72a5475bea..4bf7f81c71e21 100644
Binary files a/articles/active-directory/saas-apps/media/velpic-provisioning-tutorial/Velpic1.png and b/articles/active-directory/saas-apps/media/velpic-provisioning-tutorial/Velpic1.png differ
diff --git a/articles/active-directory/saas-apps/media/velpic-provisioning-tutorial/Velpic2.png b/articles/active-directory/saas-apps/media/velpic-provisioning-tutorial/Velpic2.png
index 1e2f76b60f74b..62c7793e7d289 100644
Binary files a/articles/active-directory/saas-apps/media/velpic-provisioning-tutorial/Velpic2.png and b/articles/active-directory/saas-apps/media/velpic-provisioning-tutorial/Velpic2.png differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_03.png
deleted file mode 100644
index 1f3d381fc718b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_addfromgallery.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_addfromgallery.png
deleted file mode 100644
index 066e83baa7cd0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_app.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_app.png
deleted file mode 100644
index 2156c3cca4c8e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_certificate.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_certificate.png
deleted file mode 100644
index 12f4ea29b12f3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_samlbase.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_search.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_search.png
deleted file mode 100644
index 693c235b8d5ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_url.png b/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_url.png
deleted file mode 100644
index ecbda2b5d5819..0000000000000
Binary files a/articles/active-directory/saas-apps/media/velpicsaml-tutorial/tutorial_velpicsaml_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_addfromgallery.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_addfromgallery.png
deleted file mode 100644
index 866034fdf7ea9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_app.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_app.png
deleted file mode 100644
index 79006661bcf42..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_certificate.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_certificate.png
deleted file mode 100644
index 5de32f5b9df81..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_configure.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_configure.png
deleted file mode 100644
index 653cca749c320..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_samlbase.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_samlbase.png
deleted file mode 100644
index 4a656fbdd0a34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_search.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_search.png
deleted file mode 100644
index a0a10408504bc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_url.png b/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_url.png
deleted file mode 100644
index 8fb89ba4493af..0000000000000
Binary files a/articles/active-directory/saas-apps/media/veritas-tutorial/tutorial_veritas_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_addfromgallery.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_addfromgallery.png
deleted file mode 100644
index d9b26763edb26..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_app.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_app.png
deleted file mode 100644
index 6ad0d4d862f9e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_attribute.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_attribute.png
deleted file mode 100644
index c427d65d94d8c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_certificate.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_certificate.png
deleted file mode 100644
index 947a5f9ffa958..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_configure.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_configure.png
deleted file mode 100644
index 30ad473032927..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_samlbase.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_samlbase.png
deleted file mode 100644
index 2331d719e7838..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_url.png b/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_url.png
deleted file mode 100644
index 122d799961344..0000000000000
Binary files a/articles/active-directory/saas-apps/media/versal-tutorial/tutorial_versal_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_addfromgallery.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_addfromgallery.png
deleted file mode 100644
index 2562e8fe21de2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_app.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_app.png
deleted file mode 100644
index aca430503efad..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_certificate.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_certificate.png
deleted file mode 100644
index decbed37f14da..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_configure.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_configure.png
deleted file mode 100644
index 8d71db4a66a45..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_samlbase.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_samlbase.png
deleted file mode 100644
index 0822d7e353fab..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_url.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_url.png
deleted file mode 100644
index 6426081e9139e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_url1.png b/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_url1.png
deleted file mode 100644
index c7955216af454..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vibehcm-tutorial/tutorial_vibehcm_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_addfromgallery.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_addfromgallery.png
deleted file mode 100644
index 90c0d24c59336..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_app.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_app.png
deleted file mode 100644
index 469667618cc60..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_certificate.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_certificate.png
deleted file mode 100644
index d1a9b789c70e6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_configure.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_configure.png
deleted file mode 100644
index e1b604dcdae2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_samlbase.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_samlbase.png
deleted file mode 100644
index bca43fa509d51..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_url1.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_url1.png
deleted file mode 100644
index 3a916bac0732c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_url2.png b/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_url2.png
deleted file mode 100644
index e8cf2a9b6743b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vidyard-tutorial/tutorial_vidyard_url2.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_04.png
deleted file mode 100644
index 781205fba8219..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 626684f2721e5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ccf27fd4cba3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_203.png
deleted file mode 100644
index 2f3911fc297e2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_addfromgallery.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_addfromgallery.png
deleted file mode 100644
index a9d5495ce7405..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_app.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_app.png
deleted file mode 100644
index 74b1be0d7ea7d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_certificate.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_certificate.png
deleted file mode 100644
index 6235482820f83..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_configure.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_configure.png
deleted file mode 100644
index e3d24af64c042..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_samlbase.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_samlbase.png
deleted file mode 100644
index 2331d719e7838..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_url.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_url.png
deleted file mode 100644
index b2fdb003fdd77..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_url1.png b/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_url1.png
deleted file mode 100644
index a3e2401baf498..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vodeclic-tutorial/tutorial_vodeclic_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_06.png
deleted file mode 100644
index 2384e9f3e4830..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_01.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_01.png
deleted file mode 100644
index bb4b228171774..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_03.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_03.png
deleted file mode 100644
index 8f6b86ab6391f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_04.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_04.png
deleted file mode 100644
index 122a43dfab11d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_05.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_05.png
deleted file mode 100644
index 7f27c520f5b89..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_50.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_50.png
deleted file mode 100644
index 9ea5fd2c1f080..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_addfromgallery.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_addfromgallery.png
deleted file mode 100644
index 65a80a2a37138..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_app.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_app.png
deleted file mode 100644
index 00c74bc4785c6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_certificate.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_certificate.png
deleted file mode 100644
index a89494c3ac3cb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_configure.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_configure.png
deleted file mode 100644
index 4ae38d951d571..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_samlbase.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_samlbase.png
deleted file mode 100644
index 2b1d8e020d8a1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_search.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_search.png
deleted file mode 100644
index cbfd2792a10e7..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_url.png b/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_url.png
deleted file mode 100644
index 461d1ea27aa08..0000000000000
Binary files a/articles/active-directory/saas-apps/media/vxmaintain-tutorial/tutorial_vxmaintain_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_addfromgallery.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_addfromgallery.png
deleted file mode 100644
index 91300fd578f2d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_app.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_app.png
deleted file mode 100644
index 767beb10bddcd..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_certificate.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_certificate.png
deleted file mode 100644
index f72adc6724b7d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_configure.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_configure.png
deleted file mode 100644
index 1d354567f3624..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_samlbase.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_samlbase.png
deleted file mode 100644
index 0822d7e353fab..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_url.png b/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_url.png
deleted file mode 100644
index 355f0dedfa393..0000000000000
Binary files a/articles/active-directory/saas-apps/media/waywedo-tutorial/tutorial_waywedo_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_001.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_001.png
deleted file mode 100644
index 6ce33063b403b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_002.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_002.png
deleted file mode 100644
index d9f9eb8a13257..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_002.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_003.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_003.png
deleted file mode 100644
index 2ea4aab1800e0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_003.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/ssoconfig1.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/ssoconfig1.png
deleted file mode 100644
index 8c506854b1c21..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/ssoconfig1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/ssoconfig2.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/ssoconfig2.png
deleted file mode 100644
index 4bbe88438287c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/ssoconfig2.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_300.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_300.png
deleted file mode 100644
index 5a9f929f06020..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_300.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_addfromgallery.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_addfromgallery.png
deleted file mode 100644
index a04512ff1d2c3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_app.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_app.png
deleted file mode 100644
index 2b2f0cc5db308..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_certificate.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_certificate.png
deleted file mode 100644
index c80ecdee4d808..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_configure.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_configure.png
deleted file mode 100644
index a5616717ea7af..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_samlbase.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_search.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_search.png
deleted file mode 100644
index 0279ca2bc612e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_ssoconfig6.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_ssoconfig6.png
deleted file mode 100644
index 4399034071f08..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_ssoconfig6.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_ssoconfig7.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_ssoconfig7.png
deleted file mode 100644
index 9f56dcdb5caa3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_ssoconfig7.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_url.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_url.png
deleted file mode 100644
index 25aed8acdc946..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_url1.png b/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_url1.png
deleted file mode 100644
index 18fde09adbcec..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wdesk-tutorial/tutorial_wdesk_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_06.png
deleted file mode 100644
index 2384e9f3e4830..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_01.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_01.png
deleted file mode 100644
index d68c61073733f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_02.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_02.png
deleted file mode 100644
index 650f1d08b0a51..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_03.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_03.png
deleted file mode 100644
index 935186f6cd924..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_04.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_04.png
deleted file mode 100644
index 5ba9dda0e476a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_05.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_05.png
deleted file mode 100644
index efee5c93f49b9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_06.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_06.png
deleted file mode 100644
index 8d47e801d15db..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_50.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_50.png
deleted file mode 100644
index 9f1d1df06744d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_addfromgallery.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_addfromgallery.png
deleted file mode 100644
index ee529446f7b8f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_app.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_app.png
deleted file mode 100644
index 9f150ceb182d4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_certificate.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_certificate.png
deleted file mode 100644
index 8d1c0ea208c91..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_configure.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_configure.png
deleted file mode 100644
index 7147011e266ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_samlbase.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_samlbase.png
deleted file mode 100644
index 2331d719e7838..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_search.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_search.png
deleted file mode 100644
index 8ee9124fd78af..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_url1.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_url1.png
deleted file mode 100644
index d61695b8a51f1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_url2.png b/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_url2.png
deleted file mode 100644
index 61b6ba03c695a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/weekdone-tutorial/tutorial_weekdone_url2.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC700993.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC700993.png
deleted file mode 100644
index eeaf5329b9f23..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC700993.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC700994.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC700994.png
deleted file mode 100644
index ea35c2884d6f2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC700994.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC749321.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC749321.png
deleted file mode 100644
index 63e61973930ce..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC749321.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC749322.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC749322.png
deleted file mode 100644
index a45b53803d99f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC749322.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC767830.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC767830.png
deleted file mode 100644
index 56a8200c0f604..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC767830.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787182.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787182.png
deleted file mode 100644
index bfb40aead8194..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787182.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787186.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787186.png
deleted file mode 100644
index 2101ca9263f1a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787186.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787187.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787187.png
deleted file mode 100644
index 3fc076cf2c8bf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787187.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787188.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787188.png
deleted file mode 100644
index 915eb474f9104..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787188.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787189.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787189.png
deleted file mode 100644
index 960b46ea33f38..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787189.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787190.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787190.png
deleted file mode 100644
index 777ff45218901..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787190.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787191.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787191.png
deleted file mode 100644
index d7e4bbe9db449..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787191.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787192.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787192.png
deleted file mode 100644
index adc95c664ca55..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787192.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787195.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787195.png
deleted file mode 100644
index d279d66d69449..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/IC787195.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_addfromgallery.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_addfromgallery.png
deleted file mode 100644
index 590fa6960f853..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_app.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_app.png
deleted file mode 100644
index 09eb52c18cce0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_certificate.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_certificate.png
deleted file mode 100644
index c56d886912efc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_configure.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_configure.png
deleted file mode 100644
index cf31589ca4b2e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_samlbase.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_samlbase.png
deleted file mode 100644
index ddaae1150b100..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_search.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_search.png
deleted file mode 100644
index dc948ffd58135..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_url.png b/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_url.png
deleted file mode 100644
index da94b4826f6ff..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wikispaces-tutorial/tutorial_wikispaces_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_001.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_001.png
deleted file mode 100644
index 6ce33063b403b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_002.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_002.png
deleted file mode 100644
index d9f9eb8a13257..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_002.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_003.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_003.png
deleted file mode 100644
index 2ea4aab1800e0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_003.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_300.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_300.png
deleted file mode 100644
index 5a9f929f06020..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_300.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_officespace_05.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_officespace_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_officespace_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_addfromgallery.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_addfromgallery.png
deleted file mode 100644
index 9233c15f8c383..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_app.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_app.png
deleted file mode 100644
index ca2cbcb6491d6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_certificate.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_certificate.png
deleted file mode 100644
index 5b02fe71b6400..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_samlbase.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_samlbase.png
deleted file mode 100644
index 014a10508ea99..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_search.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_search.png
deleted file mode 100644
index 4a00fc5be7714..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_url.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_url.png
deleted file mode 100644
index 28278feae3dc0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_url1.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_url1.png
deleted file mode 100644
index afaafff439585..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_url11.png b/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_url11.png
deleted file mode 100644
index 9c7263b7d8dbb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wingspanetmf-tutorial/tutorial_wingspanetmf_url11.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_06.png
deleted file mode 100644
index a19bca7802f19..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_001.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_001.png
deleted file mode 100644
index 201adf65bc123..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_001.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_01.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_01.png
deleted file mode 100644
index 84c91f72d1a53..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_03.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_03.png
deleted file mode 100644
index 903454433864c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_04.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_04.png
deleted file mode 100644
index 3308d6ecc2497..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_05.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_05.png
deleted file mode 100644
index 7650aea56d9e0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_50.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_50.png
deleted file mode 100644
index 4394e699549e6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_addfromgallery.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_addfromgallery.png
deleted file mode 100644
index 601d5f099b9b2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_app.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_app.png
deleted file mode 100644
index 3f2d9a7774722..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_certificate.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_certificate.png
deleted file mode 100644
index 4172d26038c58..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_configure.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_configure.png
deleted file mode 100644
index 331bb7c118bda..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_samlbase.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_samlbase.png
deleted file mode 100644
index 10fd8a7b36d8c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_url.png b/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_url.png
deleted file mode 100644
index d4e85b3f96c5b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC700993.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC700993.png
deleted file mode 100644
index c301e5f5b0d37..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC700993.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC700994.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC700994.png
deleted file mode 100644
index ea35c2884d6f2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC700994.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC749321.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC749321.png
deleted file mode 100644
index 63e61973930ce..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC749321.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC749322.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC749322.png
deleted file mode 100644
index a45b53803d99f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC749322.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC767830.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC767830.png
deleted file mode 100644
index 56a8200c0f604..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC767830.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794105.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC794105.png
deleted file mode 100644
index e1ade1b3771d3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794105.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794106.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC794106.png
deleted file mode 100644
index e191fd75f1935..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794106.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794107.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC794107.png
deleted file mode 100644
index 786a70ce30640..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794107.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794109.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC794109.png
deleted file mode 100644
index 4e19fe72732cc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794109.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794110.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC794110.png
deleted file mode 100644
index 8eebcc4fd0264..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794110.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794111.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC794111.png
deleted file mode 100644
index 3e760dc27cefb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794111.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794112.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC794112.png
deleted file mode 100644
index 0eec0d275dd53..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794112.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794119.png b/articles/active-directory/saas-apps/media/work-com-tutorial/IC794119.png
deleted file mode 100644
index 55fc916b0e07b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/IC794119.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_addfromgallery.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_addfromgallery.png
deleted file mode 100644
index 4f705670ce77b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_app.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_app.png
deleted file mode 100644
index 9676974018281..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_certificate.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_certificate.png
deleted file mode 100644
index 3bada9cf2c94f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_configure.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_configure.png
deleted file mode 100644
index 36dd5c7d50896..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_samlbase.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_samlbase.png
deleted file mode 100644
index 057aa48065e37..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_search.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_search.png
deleted file mode 100644
index 663430b65ad1b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_url.png b/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_url.png
deleted file mode 100644
index 1ec3a936442b3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/work-com-tutorial/tutorial_work-com_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_addfromgallery.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_addfromgallery.png
deleted file mode 100644
index 08f12e92eb45d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_app.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_app.png
deleted file mode 100644
index f1e4f8b25c6cf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_certificate.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_certificate.png
deleted file mode 100644
index 84c5146246b1a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_configure.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_configure.png
deleted file mode 100644
index 150292fb75fa4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_samlbase.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_samlbase.png
deleted file mode 100644
index 1e8b30611de20..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_search.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_search.png
deleted file mode 100644
index cb6b5af54b07f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_url.png b/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_url.png
deleted file mode 100644
index 30c2c01302a0e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/workfront-tutorial/tutorial_workfront_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_addfromgallery.png b/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_addfromgallery.png
deleted file mode 100644
index ef28a54cf7c93..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_app.png b/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_app.png
deleted file mode 100644
index e36a834014d43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_certificate.png b/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_certificate.png
deleted file mode 100644
index d402ba86a9282..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_url.png b/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_url.png
deleted file mode 100644
index 62df9febeea14..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_url1.png b/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_url1.png
deleted file mode 100644
index 2787eef8a6ecb..0000000000000
Binary files a/articles/active-directory/saas-apps/media/wrike-tutorial/tutorial_wrike_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_05.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_05.png
deleted file mode 100644
index 5f140fd4ace96..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_06.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_06.png
deleted file mode 100644
index 1bd23ba3d1ecc..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_07.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_07.png
deleted file mode 100644
index afd9773ef8abe..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_08.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_08.png
deleted file mode 100644
index 5848bd737d9ef..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_08.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_09.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_09.png
deleted file mode 100644
index 44711b75f9600..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/create_aaduser_09.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 6df23a91aba59..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_01.png
deleted file mode 100644
index 19cb268bb31b8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_02.png
deleted file mode 100644
index 1ff3f25482e34..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_05.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_05.png
deleted file mode 100644
index 1c6123495dc33..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_06.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_06.png
deleted file mode 100644
index 2384e9f3e4830..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_06.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_07.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_07.png
deleted file mode 100644
index 45c1f3640a356..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_07.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_203.png
deleted file mode 100644
index 9a5e9e7eea18e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_205.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_205.png
deleted file mode 100644
index f2fd98d2920aa..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_205.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_01.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_01.png
deleted file mode 100644
index 1d03566f63d23..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_02.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_02.png
deleted file mode 100644
index 922c47d5b17ee..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_03.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_03.png
deleted file mode 100644
index 99ae0ac4fcbe5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_04.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_04.png
deleted file mode 100644
index 28cfc77aa4c8f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_05.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_05.png
deleted file mode 100644
index d0acaab6e67de..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_50.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_50.png
deleted file mode 100644
index 9b406788ecd9a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_50.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_addfromgallery.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_addfromgallery.png
deleted file mode 100644
index a7cc766ae9769..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_app.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_app.png
deleted file mode 100644
index 2183b32e5bdd0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_certificate.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_certificate.png
deleted file mode 100644
index dcf05fc984cdf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_configure.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_configure.png
deleted file mode 100644
index 60eaa24e13294..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_samlbase.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_search.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_search.png
deleted file mode 100644
index a9d54c9297c3b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_url.png b/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_url.png
deleted file mode 100644
index efc35b9ad1d64..0000000000000
Binary files a/articles/active-directory/saas-apps/media/yardielearning-tutorial/tutorial_yardielearning_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_01.png
deleted file mode 100644
index 3cd3495767a28..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_02.png
deleted file mode 100644
index b8696cbe66987..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_04.png
deleted file mode 100644
index fdea60786b792..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic700993.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic700993.png
deleted file mode 100644
index 3f5f326881fd3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic700993.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic700994.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic700994.png
deleted file mode 100644
index a0ebd34608586..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic700994.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic749321.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic749321.png
deleted file mode 100644
index ff400197962cd..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic749321.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic749322.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic749322.png
deleted file mode 100644
index 5b1b025378c4f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic749322.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic767830.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic767830.png
deleted file mode 100644
index 0ae42448c8b8c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic767830.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781035.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781035.png
deleted file mode 100644
index 3b84821f867f3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781035.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781036.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781036.png
deleted file mode 100644
index b6777e412f7f8..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781036.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781037.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781037.png
deleted file mode 100644
index a26cd2e7f9743..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781037.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781038.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781038.png
deleted file mode 100644
index a8afbe83db4db..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic781038.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800209.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800209.png
deleted file mode 100644
index ebb6f0c57e96f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800209.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800210.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800210.png
deleted file mode 100644
index 5153b67fa2e5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800210.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800214.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800214.png
deleted file mode 100644
index d2b0790e59f09..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800214.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800215.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800215.png
deleted file mode 100644
index 0e3dc5c6e5b32..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800215.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800216.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800216.png
deleted file mode 100644
index aa854845545f4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800216.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800217.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800217.png
deleted file mode 100644
index aa2f9f57d9043..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800217.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800218.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800218.png
deleted file mode 100644
index 6000ff0d22f3e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800218.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800219.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800219.png
deleted file mode 100644
index 09541a803731c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800219.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800220.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800220.png
deleted file mode 100644
index 852e50155c132..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800220.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800221.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800221.png
deleted file mode 100644
index 02664b0112b77..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800221.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800222.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800222.png
deleted file mode 100644
index 0f908cc9e7be4..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/ic800222.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_attribute_03.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_attribute_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_attribute_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_attribute_04.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_attribute_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_attribute_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index e8b4a3bd51636..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_02.png
deleted file mode 100644
index ef5c35e21cbd0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_03.png
deleted file mode 100644
index 91b82d91754f9..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_04.png
deleted file mode 100644
index f3b1e9e9b1833..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_100.png
deleted file mode 100644
index 71803b1d712d2..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_201.png
deleted file mode 100644
index ef5c35e21cbd0..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_203.png
deleted file mode 100644
index 650ebfeea6d6a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_300.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_300.png
deleted file mode 100644
index 320d593226975..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_300.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_301.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_301.png
deleted file mode 100644
index 464552aece75e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_301.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_302.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_302.png
deleted file mode 100644
index 25aa94876ccc6..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_302.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_addfromgallery.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_addfromgallery.png
deleted file mode 100644
index 3c29e78b6786b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_app.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_app.png
deleted file mode 100644
index 65ff7b1a4ce70..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_attribute.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_attribute.png
deleted file mode 100644
index cd125990c7329..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_attribute.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_certificate.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_certificate.png
deleted file mode 100644
index 861686d413350..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_configure.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_configure.png
deleted file mode 100644
index cd74c107ab856..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_samlbase.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_samlbase.png
deleted file mode 100644
index 132144e668d1b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_search.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_search.png
deleted file mode 100644
index 734ba2965afb5..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_search.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_url.png b/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_url.png
deleted file mode 100644
index fa83f5bf4469d..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscaler-three-tutorial/tutorial_zscalerthree_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_01.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_02.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_02.png
deleted file mode 100644
index 5a52c44d9b21a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_03.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_03.png
deleted file mode 100644
index 21ce52515ad1e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_04.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_04.png
deleted file mode 100644
index f0f43fff2dcd1..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/create_aaduser_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_attribute_05.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_attribute_05.png
deleted file mode 100644
index 832f8580c4b6e..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_attribute_05.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_01.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_01.png
deleted file mode 100644
index 210e0ec9e5e9b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_01.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_02.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_02.png
deleted file mode 100644
index e61077146deac..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_02.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_03.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_03.png
deleted file mode 100644
index 974ef922ee80b..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_04.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_04.png
deleted file mode 100644
index 014502ab06379..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_100.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_100.png
deleted file mode 100644
index 4fe5408cdbfaf..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_100.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_200.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_200.png
deleted file mode 100644
index 84a3a8cb56791..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_200.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_201.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_201.png
deleted file mode 100644
index 39bc0e0407d5c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_201.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_202.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_202.png
deleted file mode 100644
index f873c028bcb36..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_202.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_203.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_203.png
deleted file mode 100644
index 45bebd18fce2f..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_203.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_400.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_400.png
deleted file mode 100644
index bf1f9ced09e43..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_general_400.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_officespace_03.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_officespace_03.png
deleted file mode 100644
index 5ee2505b75f97..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_officespace_03.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_officespace_04.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_officespace_04.png
deleted file mode 100644
index 368f89c787428..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_officespace_04.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_addfromgallery.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_addfromgallery.png
deleted file mode 100644
index f12550b9ee681..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_addfromgallery.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_app.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_app.png
deleted file mode 100644
index 6b2ecfaad0b0a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_app.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_certificate.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_certificate.png
deleted file mode 100644
index 5891e0c193a38..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_certificate.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_configure.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_configure.png
deleted file mode 100644
index 777907b494f88..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_configure.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_samlbase.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_samlbase.png
deleted file mode 100644
index ec9a394b6c54c..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_samlbase.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_url.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_url.png
deleted file mode 100644
index 1ae7cd84dd6a3..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_url.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_url1.png b/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_url1.png
deleted file mode 100644
index b9b79b06ca32a..0000000000000
Binary files a/articles/active-directory/saas-apps/media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_url1.png and /dev/null differ
diff --git a/articles/active-directory/saas-apps/mercell-tutorial.md b/articles/active-directory/saas-apps/mercell-tutorial.md
index ba7a4e9a3953e..56442c4d2166c 100644
--- a/articles/active-directory/saas-apps/mercell-tutorial.md
+++ b/articles/active-directory/saas-apps/mercell-tutorial.md
@@ -179,9 +179,9 @@ When you click the Mercell tile in the Access Panel, you should be automatically ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/mercerhrs-tutorial.md b/articles/active-directory/saas-apps/mercerhrs-tutorial.md index 5357ed270eec0..150633ff3b825 100644 --- a/articles/active-directory/saas-apps/mercerhrs-tutorial.md +++ b/articles/active-directory/saas-apps/mercerhrs-tutorial.md 
@@ -190,9 +190,9 @@ When you click the Mercer BenefitsCentral (MBC) tile in the Access Panel, you sh ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/merchlogix-provisioning-tutorial.md b/articles/active-directory/saas-apps/merchlogix-provisioning-tutorial.md index 8228ec8a449fc..c026298520a81 100644 --- a/articles/active-directory/saas-apps/merchlogix-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/merchlogix-provisioning-tutorial.md 
@@ -7,21 +7,21 @@ author: zhchia writer: zhchia manager: beatrizd-msft -ms.assetid: na +ms.assetid: 9df4c7c5-9a58-478e-93b7-2f77aae12807 ms.service: active-directory ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/01/2019 +ms.date: 03/27/2019 ms.author: zhchia ms.collection: M365-identity-device-management --- # Tutorial: Configure MerchLogix for automatic user provisioning -The objective of this tutorial is to demonstrate the steps to be performed in MerchLogix and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to MerchLogix. +The objective of this tutorial is to demonstrate the steps to be performed in MerchLogix and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to MerchLogix. > [!NOTE] > This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md). 
@@ -30,11 +30,12 @@ The objective of this tutorial is to demonstrate the steps to be performed in Me The scenario outlined in this tutorial assumes that you already have the following prerequisites: -* An Azure AD tenant -* A MerchLogix tenant -* A technical contact at MerchLogix who can provide the SCIM endpoint URL and secret token required for user provisioning +* An Azure AD tenant +* A MerchLogix tenant +* A technical contact at MerchLogix who can provide the SCIM endpoint URL and secret token required for user provisioning ## Adding MerchLogix from the gallery + Before configuring MerchLogix for automatic user provisioning with Azure AD, you need to add MerchLogix from the Azure AD application gallery to your list of managed SaaS applications. **To add MerchLogix from the Azure AD application gallery, perform the following steps:** @@ -46,7 +47,7 @@ Before configuring MerchLogix for automatic user provisioning with Azure AD, you 2. Navigate to **Enterprise applications** > **All applications**. ![The Enterprise applications Section][2] - + 3. To add MerchLogix, click the **New application** button on the top of the dialog. ![The New application button][3] 
@@ -63,13 +64,13 @@ Azure Active Directory uses a concept called "assignments" to determine which us Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to MerchLogix. Once decided, you can assign these users and/or groups to MerchLogix by following the instructions here: -* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) +* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) ### Important tips for assigning users to MerchLogix -* It is recommended that a single Azure AD user is assigned to MerchLogix to test your initial automatic user provisioning configuration. Additional users and/or groups may be assigned later once the tests are successful. +* It is recommended that a single Azure AD user is assigned to MerchLogix to test your initial automatic user provisioning configuration. Additional users and/or groups may be assigned later once the tests are successful. -* When assigning a user to MerchLogix, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When assigning a user to MerchLogix, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. ## Configuring automatic user provisioning to MerchLogix 
@@ -92,13 +93,12 @@ This section guides you through the steps to configure the Azure AD provisioning 5. Under the **Admin Credentials** section: - * In the **Tenant URL** field, enter the SCIM endpoint URL provided by your MerchLogix technical contact. + * In the **Tenant URL** field, enter the SCIM endpoint URL provided by your MerchLogix technical contact. - * In the **Secret Token** field, enter secret token provided by your MerchLogix technical contact. + * In the **Secret Token** field, enter secret token provided by your MerchLogix technical contact. 6. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to MerchLogix. If the connection fails, ensure your MerchLogix account has Admin permissions and try again. - 7. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**. 8. Click **Save**. @@ -115,7 +115,6 @@ This section guides you through the steps to configure the Azure AD provisioning 14. When you are ready to provision, click **Save**. - This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on MerchLogix. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). 
diff --git a/articles/active-directory/saas-apps/merchlogix-tutorial.md b/articles/active-directory/saas-apps/merchlogix-tutorial.md index 3489a9e9209a6..2ba759c374f0e 100644 --- a/articles/active-directory/saas-apps/merchlogix-tutorial.md +++ b/articles/active-directory/saas-apps/merchlogix-tutorial.md @@ -190,9 +190,9 @@ When you click the Merchlogix tile in the Access Panel, you should be automatica ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/metanetworksconnector-tutorial.md b/articles/active-directory/saas-apps/metanetworksconnector-tutorial.md index 82da871d09330..6d31180d127f3 100644 --- a/articles/active-directory/saas-apps/metanetworksconnector-tutorial.md +++ b/articles/active-directory/saas-apps/metanetworksconnector-tutorial.md 
@@ -275,9 +275,9 @@ When you click the Meta Networks Connector tile in the Access Panel, you should ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/mindflash-tutorial.md b/articles/active-directory/saas-apps/mindflash-tutorial.md index 38de2dbeda40f..fffafafd78aca 100644 --- a/articles/active-directory/saas-apps/mindflash-tutorial.md +++ b/articles/active-directory/saas-apps/mindflash-tutorial.md 
@@ -216,9 +216,9 @@ When you click the Mindflash tile in the Access Panel, you should be automatical ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/mindwireless-tutorial.md b/articles/active-directory/saas-apps/mindwireless-tutorial.md index b03b0bb1b0cd4..93a1623af9b3f 100644 --- a/articles/active-directory/saas-apps/mindwireless-tutorial.md +++ b/articles/active-directory/saas-apps/mindwireless-tutorial.md 
@@ -218,9 +218,9 @@ When you click the mindWireless tile in the Access Panel, you should be automati ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/mitel-connect-tutorial.md b/articles/active-directory/saas-apps/mitel-connect-tutorial.md new file mode 100644 index 0000000000000..159a32aff5669 --- /dev/null +++ b/articles/active-directory/saas-apps/mitel-connect-tutorial.md 
@@ -0,0 +1,197 @@
+---
+title: 'Tutorial: Azure Active Directory integration with Mitel Connect | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Mitel Connect.
+services: active-directory
+documentationCenter: na
+author: jeevansd
+manager: mtillman
+ms.reviewer: barbkess
+
+ms.assetid: 204f540b-09f1-452b-a52f-78143710ef76
+ms.service: Azure-Active-Directory
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: tutorial
+ms.date: 04/02/2019
+ms.author: jeedes
+
+---
+# Tutorial: Azure Active Directory integration with Mitel Connect
+
+In this tutorial, you learn how to integrate Mitel Connect with Azure Active Directory (Azure AD).
+Integrating Mitel Connect with Azure AD provides you with the following benefits:
+
+* You can control in Azure AD who has access to Mitel Connect.
+* You can enable your users to be automatically signed-in to Mitel Connect (Single Sign-On) with their Azure AD accounts.
+* You can manage your accounts in one central location - the Azure portal.
+
+If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
+If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+
+## Prerequisites
+
+To configure Azure AD integration with Mitel Connect, you need the following items:
+
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
+* Mitel Connect single sign-on enabled subscription
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD single sign-on in a test environment.
+
+* Mitel Connect supports **SP** initiated SSO
+
+## Adding Mitel Connect from the gallery
+
+To configure the integration of Mitel Connect into Azure AD, you need to add Mitel Connect from the gallery to your list of managed SaaS apps.
+
+**To add Mitel Connect from the gallery, perform the following steps:**
+
+1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
+
+ ![The Azure Active Directory button](common/select-azuread.png)
+
+2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
+
+ ![The Enterprise applications blade](common/enterprise-applications.png)
+
+3. To add new application, click **New application** button on the top of dialog.
+
+ ![The New application button](common/add-new-app.png)
+
+4. In the search box, type **Mitel Connect**, select **Mitel Connect** from result panel then click **Add** button to add the application.
+
+ ![Mitel Connect in the results list](common/search-new-app.png)
+
+## Configure and test Azure AD single sign-on
+
+In this section, you configure and test Azure AD single sign-on with Mitel Connect based on a test user called **Britta Simon**.
+For single sign-on to work, a link relationship between an Azure AD user and the related user in Mitel Connect needs to be established.
+
+To configure and test Azure AD single sign-on with Mitel Connect, you need to complete the following building blocks:
+
+1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
+2. **[Configure Mitel Connect Single Sign-On](#configure-mitel-connect-single-sign-on)** - to configure the Single Sign-On settings on application side.
+3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+4.
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+5. **[Create Mitel Connect test user](#create-mitel-connect-test-user)** - to have a counterpart of Britta Simon in Mitel Connect that is linked to the Azure AD representation of user.
+6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+
+### Configure Azure AD single sign-on
+
+In this section, you enable Azure AD single sign-on in the Azure portal.
+
+To configure Azure AD single sign-on with Mitel Connect, perform the following steps:
+
+1. In the [Azure portal](https://portal.azure.com/), on the **Mitel Connect** application integration page, select **Single sign-on**.
+
+ ![Configure single sign-on link](common/select-sso.png)
+
+2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+
+ ![Single sign-on select mode](common/select-saml-option.png)
+
+3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+4. On the **Basic SAML Configuration** section, perform the following steps:
+
+ ![Mitel Connect Domain and URLs single sign-on information](common/sp-identifier.png)
+
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://auth.mitel.io/authorize?client_id=`
+
+ b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://authentication.api.mitel.io/2017-09-01/saml2/`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Mitel Connect Client support team](https://www.mitel.com/support/mitel-technical-support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+5.
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+6. On the **Set up Mitel Connect** section, copy the appropriate URL(s) as per your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+ a. Login URL
+
+ b. Azure AD Identifier
+
+ c. Logout URL
+
+### Configure Mitel Connect Single Sign-On
+
+To configure single sign-on on **Mitel Connect** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Mitel Connect support team](https://www.mitel.com/support/mitel-technical-support). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create an Azure AD test user
+
+The objective of this section is to create a test user in the Azure portal called Britta Simon.
+
+1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
+
+ ![The "Users and groups" and "All users" links](common/users.png)
+
+2. Select **New user** at the top of the screen.
+
+ ![New user Button](common/new-user.png)
+
+3. In the User properties, perform the following steps.
+
+ ![The User dialog box](common/user-properties.png)
+
+ a. In the **Name** field, enter **BrittaSimon**.
+
+ b. In the **User name** field, type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
+
+ c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+
+ d. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you enable Britta Simon to use Azure single sign-on by granting access to Mitel Connect.
+
+1.
In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Mitel Connect**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Mitel Connect**.
+
+ ![The Mitel Connect link in the Applications list](common/all-applications.png)
+
+3. In the menu on the left, select **Users and groups**.
+
+ ![The "Users and groups" link](common/users-groups-blade.png)
+
+4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+
+ ![The Add Assignment pane](common/add-assign-user.png)
+
+5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+
+6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+
+7. In the **Add Assignment** dialog, click the **Assign** button.
+
+### Create Mitel Connect test user
+
+In this section, you create a user called Britta Simon in Mitel Connect. Work with [Mitel Connect support team](https://www.mitel.com/support/mitel-technical-support) to add the users in the Mitel Connect platform. Users must be created and activated before you use single sign-on.
+
+### Test single sign-on
+
+In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+
+When you click the Mitel Connect tile in the Access Panel, you should be automatically signed in to the Mitel Connect for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+
+## Additional Resources
+
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+
diff --git a/articles/active-directory/saas-apps/mixpanel-tutorial.md b/articles/active-directory/saas-apps/mixpanel-tutorial.md
index 1bc09cddc48ee..4624a2f868e3d 100644
--- a/articles/active-directory/saas-apps/mixpanel-tutorial.md
+++ b/articles/active-directory/saas-apps/mixpanel-tutorial.md
@@ -220,9 +220,9 @@ When you click the Mixpanel tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/mobi-tutorial.md b/articles/active-directory/saas-apps/mobi-tutorial.md
index 29abbf8a901d4..857c7fd060e52 100644
--- a/articles/active-directory/saas-apps/mobi-tutorial.md
+++ b/articles/active-directory/saas-apps/mobi-tutorial.md
@@ -197,9 +197,9 @@ When you click the MOBI tile in the Access Panel, you should be automatically si
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/mobicontrol-tutorial.md b/articles/active-directory/saas-apps/mobicontrol-tutorial.md
index 409cf0cdc45bb..0cd84d31d4bba 100644
--- a/articles/active-directory/saas-apps/mobicontrol-tutorial.md
+++ b/articles/active-directory/saas-apps/mobicontrol-tutorial.md
@@ -180,9 +180,9 @@ When you click the MobiControl tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/mobileiron-tutorial.md b/articles/active-directory/saas-apps/mobileiron-tutorial.md
index 7db9f0f17c445..1b10e5da2a1bf 100644
--- a/articles/active-directory/saas-apps/mobileiron-tutorial.md
+++ b/articles/active-directory/saas-apps/mobileiron-tutorial.md
@@ -97,7 +97,7 @@ To configure Azure AD single sign-on with MobileIron, perform the following step
 ![Edit Basic SAML Configuration](common/edit-urls.png)
-4. On the **Basic SAML Configuration** section, perform the following steps if you wish to configure the application in **IDP** initiated mode:
+4. On the **Basic SAML Configuration** section, perform the following steps if you wish to configure the application in **IDP** initiated mode:
 ![MobileIron Domain and URLs single sign-on information](common/idp-intiated.png)
diff --git a/articles/active-directory/saas-apps/mobilexpense-tutorial.md b/articles/active-directory/saas-apps/mobilexpense-tutorial.md
index 4f75900f59ef4..53bb5458cfc66 100644
--- a/articles/active-directory/saas-apps/mobilexpense-tutorial.md
+++ b/articles/active-directory/saas-apps/mobilexpense-tutorial.md
@@ -197,9 +197,9 @@ When you click the Mobile Xpense tile in the Access Panel, you should be automat
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/moconavi-tutorial.md b/articles/active-directory/saas-apps/moconavi-tutorial.md
index ee7116c66819b..cd815a4630780 100644
--- a/articles/active-directory/saas-apps/moconavi-tutorial.md
+++ b/articles/active-directory/saas-apps/moconavi-tutorial.md
@@ -219,9 +219,9 @@ In this section, you create a user called Britta Simon in moconavi. Work with [
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/montageonline-tutorial.md b/articles/active-directory/saas-apps/montageonline-tutorial.md
index 87cadc493012d..6e50cf764a142 100644
--- a/articles/active-directory/saas-apps/montageonline-tutorial.md
+++ b/articles/active-directory/saas-apps/montageonline-tutorial.md
@@ -196,9 +196,9 @@ When you click the Montage Online tile in the Access Panel, you should be automa
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/moveittransfer-tutorial.md b/articles/active-directory/saas-apps/moveittransfer-tutorial.md
index 91f88a74e7b12..e5d817b90eb98 100644
--- a/articles/active-directory/saas-apps/moveittransfer-tutorial.md
+++ b/articles/active-directory/saas-apps/moveittransfer-tutorial.md
@@ -243,9 +243,9 @@ When you click the MOVEit Transfer - Azure AD integration tile in the Access Pan
 ## Additional resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/moxiengage-tutorial.md b/articles/active-directory/saas-apps/moxiengage-tutorial.md
index e6e056a7a6a0f..687c06f280260 100644
--- a/articles/active-directory/saas-apps/moxiengage-tutorial.md
+++ b/articles/active-directory/saas-apps/moxiengage-tutorial.md
@@ -187,9 +187,9 @@ When you click the Moxi Engage tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/moxtra-tutorial.md b/articles/active-directory/saas-apps/moxtra-tutorial.md
index 5d28a3d4ba0c3..db17bf4467345 100644
--- a/articles/active-directory/saas-apps/moxtra-tutorial.md
+++ b/articles/active-directory/saas-apps/moxtra-tutorial.md
@@ -268,9 +268,9 @@ When you click the Moxtra tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/mozy-enterprise-tutorial.md b/articles/active-directory/saas-apps/mozy-enterprise-tutorial.md
index f66afdc93af31..8f2597ff371f1 100644
--- a/articles/active-directory/saas-apps/mozy-enterprise-tutorial.md
+++ b/articles/active-directory/saas-apps/mozy-enterprise-tutorial.md
@@ -244,9 +244,9 @@ When you click the Mozy Enterprise tile in the Access Panel, you should be autom
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/myawardpoints-tutorial.md b/articles/active-directory/saas-apps/myawardpoints-tutorial.md
index ab4e229d4a171..38861bd9c59f7 100644
--- a/articles/active-directory/saas-apps/myawardpoints-tutorial.md
+++ b/articles/active-directory/saas-apps/myawardpoints-tutorial.md
@@ -190,8 +190,8 @@ When you click the My Award Points Top Sub/Top Team tile in the Access Panel, yo
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/mypolicies-tutorial.md b/articles/active-directory/saas-apps/mypolicies-tutorial.md
index 26c5f27a89ccf..d1c90bbeebe4d 100644
--- a/articles/active-directory/saas-apps/mypolicies-tutorial.md
+++ b/articles/active-directory/saas-apps/mypolicies-tutorial.md
@@ -190,9 +190,9 @@ When you click the myPolicies tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/myworkdrive-tutorial.md b/articles/active-directory/saas-apps/myworkdrive-tutorial.md
index 653397246c077..ae98da36de174 100644
--- a/articles/active-directory/saas-apps/myworkdrive-tutorial.md
+++ b/articles/active-directory/saas-apps/myworkdrive-tutorial.md
@@ -205,9 +205,9 @@ When you click the MyWorkDrive tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/n2f-expensereports-tutorial.md b/articles/active-directory/saas-apps/n2f-expensereports-tutorial.md
index 68cf461d04944..14bef61189787 100644
--- a/articles/active-directory/saas-apps/n2f-expensereports-tutorial.md
+++ b/articles/active-directory/saas-apps/n2f-expensereports-tutorial.md
@@ -247,9 +247,9 @@ When you click the N2F - Expense reports tile in the Access Panel, you should be
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/namely-tutorial.md b/articles/active-directory/saas-apps/namely-tutorial.md
index 85d349048a62b..9b8e46f809e87 100644
--- a/articles/active-directory/saas-apps/namely-tutorial.md
+++ b/articles/active-directory/saas-apps/namely-tutorial.md
@@ -240,9 +240,9 @@ When you click the Namely tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/neotalogicstudio-tutorial.md b/articles/active-directory/saas-apps/neotalogicstudio-tutorial.md
index 9184b47cc61fe..c52b696b924ec 100644
--- a/articles/active-directory/saas-apps/neotalogicstudio-tutorial.md
+++ b/articles/active-directory/saas-apps/neotalogicstudio-tutorial.md
@@ -190,9 +190,9 @@ When you click the Neota Logic Studio tile in the Access Panel, you should be au
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/netdocuments-tutorial.md b/articles/active-directory/saas-apps/netdocuments-tutorial.md
index 67392e20127a0..2881f8b981a8e 100644
--- a/articles/active-directory/saas-apps/netdocuments-tutorial.md
+++ b/articles/active-directory/saas-apps/netdocuments-tutorial.md
@@ -231,9 +231,9 @@ When you click the NetDocuments tile in the Access Panel, you should be automati
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/netop-portal-tutorial.md b/articles/active-directory/saas-apps/netop-portal-tutorial.md
index 6e8316a502227..724d925ddf2f0 100644
--- a/articles/active-directory/saas-apps/netop-portal-tutorial.md
+++ b/articles/active-directory/saas-apps/netop-portal-tutorial.md
@@ -215,8 +215,8 @@ When you click the Netop Portal tile in the Access Panel, you should be automati
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/netsuite-tutorial.md b/articles/active-directory/saas-apps/netsuite-tutorial.md
index 13a7816f26772..45752a9b7edb2 100644
--- a/articles/active-directory/saas-apps/netsuite-tutorial.md
+++ b/articles/active-directory/saas-apps/netsuite-tutorial.md
@@ -169,19 +169,19 @@ To configure Azure AD single sign-on with NetSuite, perform the following steps:
 1. Open a new tab in your browser, and sign into your NetSuite company site as an administrator.
-2. In the toolbar at the top of the page, click **Setup**, then navigate to **Company** and click **Enable Features**.
+2. In the toolbar at the top of the page, click **Setup**, then navigate to **Company** and click **Enable Features**.
 ![Configure Single Sign-On](./media/NetSuite-tutorial/ns-setupsaml.png)
-3. In the toolbar at the middle of the page, click **SuiteCloud**.
+3. In the toolbar at the middle of the page, click **SuiteCloud**.
 ![Configure Single Sign-On](./media/NetSuite-tutorial/ns-suitecloud.png)
-4. Under **Manage Authentication** section, select **SAML SINGLE SIGN-ON** to enable the SAML SINGLE SIGN-ON option in NetSuite.
+4. Under **Manage Authentication** section, select **SAML SINGLE SIGN-ON** to enable the SAML SINGLE SIGN-ON option in NetSuite.
 ![Configure Single Sign-On](./media/NetSuite-tutorial/ns-ticksaml.png)
-5. In the toolbar at the top of the page, click **Setup**.
+5. In the toolbar at the top of the page, click **Setup**.
 ![Configure Single Sign-On](./media/NetSuite-tutorial/ns-setup.png)
diff --git a/articles/active-directory/saas-apps/new-relic-tutorial.md b/articles/active-directory/saas-apps/new-relic-tutorial.md
index 8a457ec14ceb7..e03e3f2d86b99 100644
--- a/articles/active-directory/saas-apps/new-relic-tutorial.md
+++ b/articles/active-directory/saas-apps/new-relic-tutorial.md
@@ -233,9 +233,9 @@ When you click the New Relic tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/nexonia-tutorial.md b/articles/active-directory/saas-apps/nexonia-tutorial.md
index 5116ab78fc0f0..808ac4a29e501 100644
--- a/articles/active-directory/saas-apps/nexonia-tutorial.md
+++ b/articles/active-directory/saas-apps/nexonia-tutorial.md
@@ -190,9 +190,9 @@ When you click the Nexonia tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/nimblex-tutorial.md b/articles/active-directory/saas-apps/nimblex-tutorial.md
index c82403d1ffe8a..38694608d1445 100644
--- a/articles/active-directory/saas-apps/nimblex-tutorial.md
+++ b/articles/active-directory/saas-apps/nimblex-tutorial.md
@@ -223,9 +223,9 @@ When you click the Nimblex tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/nomadesk-tutorial.md b/articles/active-directory/saas-apps/nomadesk-tutorial.md
index 0cf296db88a4f..07c6d75679a66 100644
--- a/articles/active-directory/saas-apps/nomadesk-tutorial.md
+++ b/articles/active-directory/saas-apps/nomadesk-tutorial.md
@@ -195,9 +195,9 @@ When you click the Nomadesk tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/nomadic-tutorial.md b/articles/active-directory/saas-apps/nomadic-tutorial.md
index 6d6ad4062a03d..02c913c99a7c8 100644
--- a/articles/active-directory/saas-apps/nomadic-tutorial.md
+++ b/articles/active-directory/saas-apps/nomadic-tutorial.md
@@ -194,9 +194,9 @@ When you click the Nomadic tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/novatus-tutorial.md b/articles/active-directory/saas-apps/novatus-tutorial.md
index c94d5e0d1cbaa..fb136ed498c89 100644
--- a/articles/active-directory/saas-apps/novatus-tutorial.md
+++ b/articles/active-directory/saas-apps/novatus-tutorial.md
@@ -193,9 +193,9 @@ When you click the Novatus tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/nuclino-tutorial.md b/articles/active-directory/saas-apps/nuclino-tutorial.md
index 65f8c32fada5e..159ff177ec299 100644
--- a/articles/active-directory/saas-apps/nuclino-tutorial.md
+++ b/articles/active-directory/saas-apps/nuclino-tutorial.md
@@ -264,9 +264,9 @@ When you click the Nuclino tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/oc-tanner-tutorial.md b/articles/active-directory/saas-apps/oc-tanner-tutorial.md
index 8dfe2d8353dc4..8cfa150bfdb2a 100644
--- a/articles/active-directory/saas-apps/oc-tanner-tutorial.md
+++ b/articles/active-directory/saas-apps/oc-tanner-tutorial.md
@@ -201,8 +201,8 @@ When you click the O.C. Tanner - AppreciateHub tile in the Access Panel, you sho
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/officespace-tutorial.md b/articles/active-directory/saas-apps/officespace-tutorial.md
index c4bf29f9dea59..bca762983ca2b 100644
--- a/articles/active-directory/saas-apps/officespace-tutorial.md
+++ b/articles/active-directory/saas-apps/officespace-tutorial.md
@@ -251,9 +251,9 @@ When you click the OfficeSpace Software tile in the Access Panel, you should be
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/on24-tutorial.md b/articles/active-directory/saas-apps/on24-tutorial.md
index 021ab624a4cb9..f49e2aee79e49 100644
--- a/articles/active-directory/saas-apps/on24-tutorial.md
+++ b/articles/active-directory/saas-apps/on24-tutorial.md
@@ -236,9 +236,9 @@ When you click the ON24 Virtual Environment SAML Connection tile in the Access P
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/oneteam-tutorial.md b/articles/active-directory/saas-apps/oneteam-tutorial.md
index 7ca3a9e1b515c..76c5deae3524f 100644
--- a/articles/active-directory/saas-apps/oneteam-tutorial.md
+++ b/articles/active-directory/saas-apps/oneteam-tutorial.md
@@ -203,9 +203,9 @@ When you click the Oneteam tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/onetrust-tutorial.md b/articles/active-directory/saas-apps/onetrust-tutorial.md
index cf787985a6c4f..32c1daa2ac95b 100644
--- a/articles/active-directory/saas-apps/onetrust-tutorial.md
+++ b/articles/active-directory/saas-apps/onetrust-tutorial.md
@@ -203,9 +203,9 @@ When you click the OneTrust Privacy Management Software tile in the Access Panel
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/onit-tutorial.md b/articles/active-directory/saas-apps/onit-tutorial.md
index 0580af6117d0d..c819cbe72c2b5 100644
--- a/articles/active-directory/saas-apps/onit-tutorial.md
+++ b/articles/active-directory/saas-apps/onit-tutorial.md
@@ -266,9 +266,9 @@ When you click the Onit tile in the Access Panel, you should be automatically si
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/ontrack-tutorial.md b/articles/active-directory/saas-apps/ontrack-tutorial.md
index c23fccb3e892b..33774ac0132c3 100644
--- a/articles/active-directory/saas-apps/ontrack-tutorial.md
+++ b/articles/active-directory/saas-apps/ontrack-tutorial.md
@@ -229,9 +229,9 @@ When you click the OnTrack tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/opal-tutorial.md b/articles/active-directory/saas-apps/opal-tutorial.md
index 65a8d6454f7f0..b356b6b0d286f 100644
--- a/articles/active-directory/saas-apps/opal-tutorial.md
+++ b/articles/active-directory/saas-apps/opal-tutorial.md
@@ -220,9 +220,9 @@ When you click the Opal tile in the Access Panel, you should be automatically si
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/opsgenie-tutorial.md b/articles/active-directory/saas-apps/opsgenie-tutorial.md
index 33d396a400413..2ffe0fdfa3e1d 100644
--- a/articles/active-directory/saas-apps/opsgenie-tutorial.md
+++ b/articles/active-directory/saas-apps/opsgenie-tutorial.md
@@ -228,9 +228,9 @@ When you click the OpsGenie tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/optimizely-tutorial.md b/articles/active-directory/saas-apps/optimizely-tutorial.md
index 46f30d7290684..6e043daca59f7 100644
--- a/articles/active-directory/saas-apps/optimizely-tutorial.md
+++ b/articles/active-directory/saas-apps/optimizely-tutorial.md
@@ -249,9 +249,9 @@ When you click the Optimizely tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/orgchartnow-tutorial.md b/articles/active-directory/saas-apps/orgchartnow-tutorial.md
index 936433eaca0fa..4bd4468c42490 100644
--- a/articles/active-directory/saas-apps/orgchartnow-tutorial.md
+++ b/articles/active-directory/saas-apps/orgchartnow-tutorial.md
@@ -231,9 +231,9 @@ When you click the OrgChart Now tile in the Access Panel, you should be automati
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/origami-tutorial.md b/articles/active-directory/saas-apps/origami-tutorial.md
index 8f4f0d1dc819e..a51845b988c6a 100644
--- a/articles/active-directory/saas-apps/origami-tutorial.md
+++ b/articles/active-directory/saas-apps/origami-tutorial.md
@@ -242,9 +242,9 @@ When you click the Origami tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/overdrive-books-tutorial.md b/articles/active-directory/saas-apps/overdrive-books-tutorial.md
index 1a5fe2f8b20b2..230627770b58a 100644
--- a/articles/active-directory/saas-apps/overdrive-books-tutorial.md
+++ b/articles/active-directory/saas-apps/overdrive-books-tutorial.md
@@ -194,9 +194,9 @@ When you click the Overdrive tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/pacific-timesheet-tutorial.md b/articles/active-directory/saas-apps/pacific-timesheet-tutorial.md
index 6db409aa32a04..b679b7530ad82 100644
--- a/articles/active-directory/saas-apps/pacific-timesheet-tutorial.md
+++ b/articles/active-directory/saas-apps/pacific-timesheet-tutorial.md
@@ -191,9 +191,9 @@ When you click the Pacific Timesheet tile in the Access Panel, you should be aut
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/pagedna-tutorial.md b/articles/active-directory/saas-apps/pagedna-tutorial.md
new file mode 100644
index 0000000000000..4014572d0d5f9
--- /dev/null
+++ b/articles/active-directory/saas-apps/pagedna-tutorial.md
@@ -0,0 +1,213 @@
+---
+title: 'Tutorial: Azure Active Directory integration with PageDNA | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and PageDNA.
+services: active-directory
+documentationCenter: na
+author: jeevansd
+manager: mtillman
+ms.reviewer: barbkess
+
+ms.assetid: c8765864-45f4-48c2-9d86-986a4aa431e4
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: tutorial
+ms.date: 04/03/2019
+ms.author: jeedes
+
+ms.collection: M365-identity-device-management
+---
+# Tutorial: Azure Active Directory integration with PageDNA
+
+In this tutorial, you learn how to integrate PageDNA with Azure Active Directory (Azure AD).
+Integrating PageDNA with Azure AD provides you with the following benefits:
+
+* You can control in Azure AD who has access to PageDNA.
+* You can enable your users to be automatically signed-in to PageDNA (Single Sign-On) with their Azure AD accounts.
+* You can manage your accounts in one central location - the Azure portal.
+
+If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
+If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+
+## Prerequisites
+
+To configure Azure AD integration with PageDNA, you need the following items:
+
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
+* PageDNA single sign-on enabled subscription
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD single sign-on in a test environment.
+
+* PageDNA supports **SP** initiated SSO
+
+* PageDNA supports **Just In Time** user provisioning
+
+## Adding PageDNA from the gallery
+
+To configure the integration of PageDNA into Azure AD, you need to add PageDNA from the gallery to your list of managed SaaS apps.
+
+**To add PageDNA from the gallery, perform the following steps:**
+
+1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
+
+ ![The Azure Active Directory button](common/select-azuread.png)
+
+2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
+
+ ![The Enterprise applications blade](common/enterprise-applications.png)
+
+3. To add new application, click **New application** button on the top of dialog.
+
+ ![The New application button](common/add-new-app.png)
+
+4. In the search box, type **PageDNA**, select **PageDNA** from result panel then click **Add** button to add the application.
+
+ ![PageDNA in the results list](common/search-new-app.png)
+
+## Configure and test Azure AD single sign-on
+
+In this section, you configure and test Azure AD single sign-on with PageDNA based on a test user called **Britta Simon**.
+For single sign-on to work, a link relationship between an Azure AD user and the related user in PageDNA needs to be established.
+
+To configure and test Azure AD single sign-on with PageDNA, you need to complete the following building blocks:
+
+1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
+2. **[Configure PageDNA Single Sign-On](#configure-pagedna-single-sign-on)** - to configure the Single Sign-On settings on application side.
+3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+5.
**[Create PageDNA test user](#create-pagedna-test-user)** - to have a counterpart of Britta Simon in PageDNA that is linked to the Azure AD representation of user.
+6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+
+### Configure Azure AD single sign-on
+
+In this section, you enable Azure AD single sign-on in the Azure portal.
+
+To configure Azure AD single sign-on with PageDNA, perform the following steps:
+
+1. In the [Azure portal](https://portal.azure.com/), on the **PageDNA** application integration page, select **Single sign-on**.
+
+ ![Configure single sign-on link](common/select-sso.png)
+
+2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+
+ ![Single sign-on select mode](common/select-saml-option.png)
+
+3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+4. On the **Basic SAML Configuration** section, perform the following steps:
+
+ ![PageDNA Domain and URLs single sign-on information](common/sp-identifier.png)
+
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+
+ ||
+ |--|
+ | `https://stores.pagedna.com/` |
+ | `https://` |
+ | `https:///` |
+ | `https://www.nationsprint.com/` |
+ | |
+
+ b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+
+ ||
+ |--|
+ | `https://stores.pagedna.com//saml2ep.cgi` |
+ | `https://www.nationsprint.com//saml2ep.cgi` |
+ | |
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [PageDNA Client support team](mailto:success@pagedna.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+5.
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer.
+
+ ![The Certificate download link](common/certificateraw.png)
+
+6. On the **Set up PageDNA** section, copy the appropriate URL(s) as per your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+ a. Login URL
+
+ b. Azure AD Identifier
+
+ c. Logout URL
+
+### Configure PageDNA Single Sign-On
+
+To configure single sign-on on **PageDNA** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [PageDNA support team](mailto:success@pagedna.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create an Azure AD test user
+
+The objective of this section is to create a test user in the Azure portal called Britta Simon.
+
+1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
+
+ ![The "Users and groups" and "All users" links](common/users.png)
+
+2. Select **New user** at the top of the screen.
+
+ ![New user Button](common/new-user.png)
+
+3. In the User properties, perform the following steps.
+
+ ![The User dialog box](common/user-properties.png)
+
+ a. In the **Name** field enter **BrittaSimon**.
+
+ b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
+
+ c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+
+ d. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you enable Britta Simon to use Azure single sign-on by granting access to PageDNA.
+
+1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **PageDNA**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **PageDNA**.
+
+ ![The PageDNA link in the Applications list](common/all-applications.png)
+
+3. In the menu on the left, select **Users and groups**.
+
+ ![The "Users and groups" link](common/users-groups-blade.png)
+
+4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+
+ ![The Add Assignment pane](common/add-assign-user.png)
+
+5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+
+6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+
+7. In the **Add Assignment** dialog click the **Assign** button.
+
+### Create PageDNA test user
+
+In this section, a user called Britta Simon is created in PageDNA. PageDNA supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in PageDNA, a new one is created after authentication.
+
+### Test single sign-on
+
+In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+
+When you click the PageDNA tile in the Access Panel, you should be automatically signed in to the PageDNA for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+
+## Additional Resources
+
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+
diff --git a/articles/active-directory/saas-apps/pagerduty-tutorial.md b/articles/active-directory/saas-apps/pagerduty-tutorial.md
index 648e4e867c071..50368af25494e 100644
--- a/articles/active-directory/saas-apps/pagerduty-tutorial.md
+++ b/articles/active-directory/saas-apps/pagerduty-tutorial.md
@@ -242,9 +242,9 @@ When you click the PagerDuty tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/paloaltonetworks-aperture-tutorial.md b/articles/active-directory/saas-apps/paloaltonetworks-aperture-tutorial.md
index 8242bc8b5573b..5f4c6e60cb857 100644
--- a/articles/active-directory/saas-apps/paloaltonetworks-aperture-tutorial.md
+++ b/articles/active-directory/saas-apps/paloaltonetworks-aperture-tutorial.md
@@ -222,9 +222,9 @@ When you click the Palo Alto Networks - Aperture tile in the Access Panel, you s
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/panopto-tutorial.md b/articles/active-directory/saas-apps/panopto-tutorial.md
index 03edf860e3309..23884e18ede64 100644
--- a/articles/active-directory/saas-apps/panopto-tutorial.md
+++ b/articles/active-directory/saas-apps/panopto-tutorial.md
@@ -220,9 +220,9 @@ When you click the Panopto tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/panorama9-tutorial.md b/articles/active-directory/saas-apps/panorama9-tutorial.md
index 77012368ce56d..82df5c80cd517 100644
--- a/articles/active-directory/saas-apps/panorama9-tutorial.md
+++ b/articles/active-directory/saas-apps/panorama9-tutorial.md
@@ -233,9 +233,9 @@ When you click the Panorama9 tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/pantheon-tutorial.md b/articles/active-directory/saas-apps/pantheon-tutorial.md
index e51d8ae249116..1577bfbc478a5 100644
--- a/articles/active-directory/saas-apps/pantheon-tutorial.md
+++ b/articles/active-directory/saas-apps/pantheon-tutorial.md
@@ -215,9 +215,9 @@ When you click the Pantheon tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/patentsquare-tutorial.md b/articles/active-directory/saas-apps/patentsquare-tutorial.md
index 364fbb746ce78..953cb0de8dd9c 100644
--- a/articles/active-directory/saas-apps/patentsquare-tutorial.md
+++ b/articles/active-directory/saas-apps/patentsquare-tutorial.md
@@ -191,9 +191,9 @@ When you click the PatentSQUARE tile in the Access Panel, you should be automati
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/peakon-tutorial.md b/articles/active-directory/saas-apps/peakon-tutorial.md
index a8c233a4f3514..9d7e001b96fce 100644
--- a/articles/active-directory/saas-apps/peakon-tutorial.md
+++ b/articles/active-directory/saas-apps/peakon-tutorial.md
@@ -249,9 +249,9 @@ When you click the Peakon tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/pegasystems-tutorial.md b/articles/active-directory/saas-apps/pegasystems-tutorial.md
index 6672b4b6c723d..3f9ffc44bd7d2 100644
--- a/articles/active-directory/saas-apps/pegasystems-tutorial.md
+++ b/articles/active-directory/saas-apps/pegasystems-tutorial.md
@@ -274,8 +274,8 @@ When you click the Pega Systems tile in the Access Panel, you should be automati
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/people-tutorial.md b/articles/active-directory/saas-apps/people-tutorial.md
index a21e8aa8cd0c6..d02728494a528 100644
--- a/articles/active-directory/saas-apps/people-tutorial.md
+++ b/articles/active-directory/saas-apps/people-tutorial.md
@@ -206,9 +206,9 @@ When you click the People tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/peoplecart-tutorial.md b/articles/active-directory/saas-apps/peoplecart-tutorial.md
index a73f092ec601e..0d9015ba3aaaf 100644
--- a/articles/active-directory/saas-apps/peoplecart-tutorial.md
+++ b/articles/active-directory/saas-apps/peoplecart-tutorial.md
@@ -191,9 +191,9 @@ When you click the Peoplecart tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/perceptionunitedstates-tutorial.md b/articles/active-directory/saas-apps/perceptionunitedstates-tutorial.md
index c7003ce697f83..3d42547081fc5 100644
--- a/articles/active-directory/saas-apps/perceptionunitedstates-tutorial.md
+++ b/articles/active-directory/saas-apps/perceptionunitedstates-tutorial.md
@@ -227,9 +227,9 @@ When you click the Perception United States (Non-UltiPro) tile in the Access Pan
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/percolate-tutorial.md b/articles/active-directory/saas-apps/percolate-tutorial.md
index 90d6e436816a7..10eaeba798528 100644
--- a/articles/active-directory/saas-apps/percolate-tutorial.md
+++ b/articles/active-directory/saas-apps/percolate-tutorial.md
@@ -230,9 +230,9 @@ When you click the Percolate tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/performancecentre-tutorial.md b/articles/active-directory/saas-apps/performancecentre-tutorial.md
index a8fe648b07740..44f4c3708ebac 100644
--- a/articles/active-directory/saas-apps/performancecentre-tutorial.md
+++ b/articles/active-directory/saas-apps/performancecentre-tutorial.md
@@ -232,9 +232,9 @@ When you click the PerformanceCentre tile in the Access Panel, you should be aut
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/periscope-data-tutorial.md b/articles/active-directory/saas-apps/periscope-data-tutorial.md
index 298db843b717d..07cf7df0a34c0 100644
--- a/articles/active-directory/saas-apps/periscope-data-tutorial.md
+++ b/articles/active-directory/saas-apps/periscope-data-tutorial.md
@@ -228,9 +228,9 @@ When you click the Periscope Data tile in the Access Panel, you should be automa
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/phraseanet-tutorial.md b/articles/active-directory/saas-apps/phraseanet-tutorial.md
index ebd6a9a70fe24..4f9e052d38552 100644
--- a/articles/active-directory/saas-apps/phraseanet-tutorial.md
+++ b/articles/active-directory/saas-apps/phraseanet-tutorial.md
@@ -188,9 +188,9 @@ When you click the Phraseanet tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/pingboard-provisioning-tutorial.md b/articles/active-directory/saas-apps/pingboard-provisioning-tutorial.md
index 97715ecd552a1..d91f23a12f70a 100644
--- a/articles/active-directory/saas-apps/pingboard-provisioning-tutorial.md
+++ b/articles/active-directory/saas-apps/pingboard-provisioning-tutorial.md
@@ -15,7 +15,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 10/19/2017
+ms.date: 03/27/2019
 ms.author: asmalser
 ms.reviewer: asmalser
@@ -30,11 +30,11 @@ The purpose of this tutorial is to show you the steps you need to follow to enab The scenario outlined in this tutorial assumes that you already have the following items: -* An Azure AD tenant -* A Pingboard tenant [Pro account](https://pingboard.com/pricing) -* A user account in Pingboard with admin permissions +* An Azure AD tenant +* A Pingboard tenant [Pro account](https://pingboard.com/pricing) +* A user account in Pingboard with admin permissions -> [!NOTE] +> [!NOTE] > Azure AD provisioning integration relies on the [Pingboard API](https://pingboard.docs.apiary.io/#), which is available to your account. ## Assign users to Pingboard @@ -67,7 +67,7 @@ This section guides you through connecting your Azure AD to the Pingboard user a 1. Set **Provisioning Mode** to **Automatic**. ![Pingboard Provisioning](./media/pingboard-provisioning-tutorial/pingboardazureprovisioning.png) - + 1. Under the **Admin Credentials** section, use the following steps: a. In **Tenant URL**, enter `https://your_domain.pingboard.com/scim/v2`, and replace "your_domain" with your real domain. @@ -84,7 +84,7 @@ This section guides you through connecting your Azure AD to the Pingboard user a 1. Enter the email address of a person or group that you want to receive provisioning error notifications in **Notification Email**. Select the check box underneath. -1. Select **Save**. +1. Select **Save**. 1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Pingboard**. diff --git a/articles/active-directory/saas-apps/pingboard-tutorial.md b/articles/active-directory/saas-apps/pingboard-tutorial.md index ef0baa3fd5059..0ee6b53b3facd 100644 --- a/articles/active-directory/saas-apps/pingboard-tutorial.md +++ b/articles/active-directory/saas-apps/pingboard-tutorial.md 
@@ -246,9 +246,9 @@ When you click the Pingboard tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/plangrid-tutorial.md b/articles/active-directory/saas-apps/plangrid-tutorial.md
index 1fe8f322c0dff..0e78740577596 100644
--- a/articles/active-directory/saas-apps/plangrid-tutorial.md
+++ b/articles/active-directory/saas-apps/plangrid-tutorial.md
@@ -192,9 +192,9 @@ When you click the PlanGrid tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/planmyleave-tutorial.md b/articles/active-directory/saas-apps/planmyleave-tutorial.md
index 69933770661ce..a33a0ce011b22 100644
--- a/articles/active-directory/saas-apps/planmyleave-tutorial.md
+++ b/articles/active-directory/saas-apps/planmyleave-tutorial.md
@@ -216,9 +216,9 @@ When you click the PlanMyLeave tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/pluralsight-tutorial.md b/articles/active-directory/saas-apps/pluralsight-tutorial.md
index c941063e0454f..f6c2865e4ac2f 100644
--- a/articles/active-directory/saas-apps/pluralsight-tutorial.md
+++ b/articles/active-directory/saas-apps/pluralsight-tutorial.md
@@ -217,7 +217,7 @@ When you click the Pluralsight tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 - [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
diff --git a/articles/active-directory/saas-apps/policystat-tutorial.md b/articles/active-directory/saas-apps/policystat-tutorial.md
index de4521a123d89..1110039b16410 100644
--- a/articles/active-directory/saas-apps/policystat-tutorial.md
+++ b/articles/active-directory/saas-apps/policystat-tutorial.md
@@ -253,9 +253,9 @@ When you click the PolicyStat tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/postbeyond-tutorial.md b/articles/active-directory/saas-apps/postbeyond-tutorial.md
index f39bc5998d14f..ec13394957f82 100644
--- a/articles/active-directory/saas-apps/postbeyond-tutorial.md
+++ b/articles/active-directory/saas-apps/postbeyond-tutorial.md
@@ -190,9 +190,9 @@ When you click the PostBeyond tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/powerschool-performance-matters-tutorial.md b/articles/active-directory/saas-apps/powerschool-performance-matters-tutorial.md
index 996206811c382..12697d3cdb453 100644
--- a/articles/active-directory/saas-apps/powerschool-performance-matters-tutorial.md
+++ b/articles/active-directory/saas-apps/powerschool-performance-matters-tutorial.md
@@ -193,8 +193,8 @@ When you click the Powerschool Performance Matters tile in the Access Panel, you
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/predictix-assortment-planning-tutorial.md b/articles/active-directory/saas-apps/predictix-assortment-planning-tutorial.md
index 4a4091fdcd788..19088faf4e10f 100644
--- a/articles/active-directory/saas-apps/predictix-assortment-planning-tutorial.md
+++ b/articles/active-directory/saas-apps/predictix-assortment-planning-tutorial.md
@@ -203,9 +203,9 @@ When you click the Predictix Assortment Planning tile in the Access Panel, you s
 ## Additional resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/predictixordering-tutorial.md b/articles/active-directory/saas-apps/predictixordering-tutorial.md
index 33d7e92e47611..b85785aaabcd2 100644
--- a/articles/active-directory/saas-apps/predictixordering-tutorial.md
+++ b/articles/active-directory/saas-apps/predictixordering-tutorial.md
@@ -195,9 +195,9 @@ When you click the Predictix Ordering tile in the Access Panel, you should be au
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/predictixpricereporting-tutorial.md b/articles/active-directory/saas-apps/predictixpricereporting-tutorial.md
index 563571beb769e..55b4c889becfb 100644
--- a/articles/active-directory/saas-apps/predictixpricereporting-tutorial.md
+++ b/articles/active-directory/saas-apps/predictixpricereporting-tutorial.md
@@ -195,9 +195,9 @@ When you click the Predictix Price Reporting tile in the Access Panel, you shoul
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/procoresso-tutorial.md b/articles/active-directory/saas-apps/procoresso-tutorial.md
index b476bfb1ee23e..9dfb856244e76 100644
--- a/articles/active-directory/saas-apps/procoresso-tutorial.md
+++ b/articles/active-directory/saas-apps/procoresso-tutorial.md
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: femila
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: 9818edd3-48c0-411d-b05a-3ec805eafb2e
 ms.service: active-directory
@@ -13,8 +13,8 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 11/13/2018
+ms.topic: tutorial
+ms.date: 04/03/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -22,37 +22,27 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Procore SSO In this tutorial, you learn how to integrate Procore SSO with Azure Active Directory (Azure AD). - Integrating Procore SSO with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Procore SSO. -- You can enable your users to automatically get signed-on to Procore SSO (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Procore SSO. +* You can enable your users to be automatically signed-in to Procore SSO (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md) +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Procore SSO, you need the following items: -- An Azure AD subscription -- A Procore SSO single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Procore SSO single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -1. Adding Procore SSO from the gallery -2. Configuring and testing Azure AD single sign-on +* Procore SSO supports **IDP** initiated SSO ## Adding Procore SSO from the gallery 
@@ -60,63 +50,65 @@ To configure the integration of Procore SSO into Azure AD, you need to add Proco **To add Procore SSO from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] + ![The Enterprise applications blade](common/enterprise-applications.png) 3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) 4. In the search box, type **Procore SSO**, select **Procore SSO** from result panel then click **Add** button to add the application. - ![Procore SSO in the results list](./media/procoresso-tutorial/tutorial_procoresso_addfromgallery.png) + ![Procore SSO in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Procore SSO based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Procore SSO is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Procore SSO needs to be established. +In this section, you configure and test Azure AD single sign-on with Procore SSO based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Procore SSO needs to be established. 
To configure and test Azure AD single sign-on with Procore SSO, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Creating a Procore SSO test user](#creating-a-procore-sso-test-user)** - to have a counterpart of Britta Simon in Procore SSO that is linked to the Azure AD representation of user. -4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Procore SSO Single Sign-On](#configure-procore-sso-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Procore SSO test user](#create-procore-sso-test-user)** - to have a counterpart of Britta Simon in Procore SSO that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Procore SSO application. +In this section, you enable Azure AD single sign-on in the Azure portal. 
-**To configure Azure AD single sign-on with Procore SSO, perform the following steps:** +To configure Azure AD single sign-on with Procore SSO, perform the following steps: -1. In the Azure portal, on the **Procore SSO** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Procore SSO** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -2. On the **Select a Single sign-on method** dialog, Click **Select** for **SAML** mode to enable single sign-on. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On](common/tutorial_general_301.png) + ![Single sign-on select mode](common/select-saml-option.png) 3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Configure Single Sign-On](common/editconfigure.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) + +4. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure. -4. On the **Basic SAML Configuration** section, the user does not have to perform any steps as the app is already pre-integrated with Azure. + ![Procore SSO Domain and URLs single sign-on information](common/preintegrated.png) - ![Procore SSO Domain and URLs single sign-on information](./media/procoresso-tutorial/tutorial_procoresso_url.png) +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -5. 
On the **SAML Signing Certificate** page, in the **SAML Signing Certificate** section, click **Download** to download **Federation Metadata XML** and then save Metadata file on your computer. + ![The Certificate download link](common/metadataxml.png) - ![The Certificate download link](./media/procoresso-tutorial/tutorial_procoresso_certificate.png) +6. On the **Set up Procore SSO** section, copy the appropriate URL(s) as per your requirement. -6. On the **Set up Procore SSO** section, copy the appropriate URL as per your requirement. + ![Copy configuration URLs](common/copy-configuration-urls.png) a. Login URL @@ -124,15 +116,15 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf c. Logout URL - ![Procore SSO Configuration](common/configuresection.png) +### Configure Procore SSO Single Sign-On -7. To configure single sign-on on **Procore SSO** side, login to your procore company site as an administrator. +1. To configure single sign-on on **Procore SSO** side, sign in to your procore company site as an administrator. -8. From the toolbox drop down, click on **Admin** to open the SSO settings page. +2. From the toolbox drop down, click on **Admin** to open the SSO settings page. ![Configure Single Sign-On](./media/procoresso-tutorial/procore_tool_admin.png) -9. Paste the values in the boxes as described below- +3. Paste the values in the boxes as described below- ![Configure Single Sign-On](./media/procoresso-tutorial/procore_setting_admin.png) 
@@ -142,52 +134,65 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf c. Now open the **Federation Metadata XML** downloaded above from the Azure portal and copy the certificate in the tag named **X509Certificate**. Paste the copied value into the **Single Sign On x509 Certificate** box. -10. Click on **Save Changes**. +4. Click on **Save Changes**. -11. After these settings, you needs to send the **domain name** (e.g **contoso.com**) through which you are logging into Procore to the [Procore Support team](https://support.procore.com/) and they will activate federated SSO for that domain. +5. After these settings, you needs to send the **domain name** (e.g **contoso.com**) through which you are logging into Procore to the [Procore Support team](https://support.procore.com/) and they will activate federated SSO for that domain. - - -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. 1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Create Azure AD User][100] + ![The "Users and groups" and "All users" links](common/users.png) 2. Select **New user** at the top of the screen. - ![Creating an Azure AD test user](common/create_aaduser_01.png) + ![New user Button](common/new-user.png) 3. In the User properties, perform the following steps. - ![Creating an Azure AD test user](common/create_aaduser_02.png) + ![The User dialog box](common/user-properties.png) - a. In the **Name** field, enter **BrittaSimon**. + a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - c. 
Select **Properties**, select the **Show password** check box, and then write down the value that's displayed in the Password box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. - d. Select **Create**. + d. Click **Create**. -### Creating a Procore SSO test user +### Assign the Azure AD test user + +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Procore SSO. -Please follow the below steps to create a Procore test user on Procore SSOc side. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Procore SSO**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **Procore SSO**. + + ![The Procore SSO link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) + +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. Login to your procore company site as an administrator. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create Procore SSO test user + +Please follow the below steps to create a Procore test user on Procore SSO side. + +1. Sign in to your procore company site as an administrator. 2. From the toolbox drop down, click on **Directory** to open the company directory page. 
@@ -201,7 +206,7 @@ Please follow the below steps to create a Procore test user on Procore SSOc side b. In the **Last name** textbox, type user's last name like **Simon**. - c. In the **Email Address** textbox, type user's email address like **BrittaSimon\@contoso.com**. + c. In the **Email Address** textbox, type user's email address like BrittaSimon@contoso.com. d. Select **Permission Template** as **Apply Permission Template Later**. 
@@ -215,51 +220,17 @@ Please follow the below steps to create a Procore test user on Procore SSOc side ![Configure Single Sign-On](./media/procoresso-tutorial/Procore_user_save.png) -### Assigning the Azure AD test user - -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Procore SSO. - -1. In the Azure portal, select **Enterprise Applications**, select **All applications**. - - ![Assign User][201] - -2. In the applications list, select **Procore SSO**. - - ![Configure Single Sign-On](./media/procoresso-tutorial/tutorial_procoresso_app.png) - -3. In the menu on the left, click **Users and groups**. - - ![Assign User][202] - -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. - - ![Assign User][203] - -5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - -6. In the **Add Assignment** dialog select the **Assign** button. - -### Testing single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the Procore SSO tile in the Access Panel, you should get automatically signed-on to your Procore SSO application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). - -## Additional resources +When you click the Procore SSO tile in the Access Panel, you should be automatically signed in to the Procore SSO for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: common/tutorial_general_01.png -[2]: common/tutorial_general_02.png -[3]: common/tutorial_general_03.png -[4]: common/tutorial_general_04.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[100]: common/tutorial_general_100.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[201]: common/tutorial_general_201.png -[202]: common/tutorial_general_202.png -[203]: common/tutorial_general_203.png diff --git a/articles/active-directory/saas-apps/projectplace-tutorial.md b/articles/active-directory/saas-apps/projectplace-tutorial.md index 5699dbb6bda44..29714b0125fc2 100644 --- a/articles/active-directory/saas-apps/projectplace-tutorial.md +++ b/articles/active-directory/saas-apps/projectplace-tutorial.md 
@@ -215,9 +215,9 @@ When you click the Projectplace tile in the Access Panel, you should be automati
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/promapp-tutorial.md b/articles/active-directory/saas-apps/promapp-tutorial.md
index da02c93ddf84b..ac87195661e15 100644
--- a/articles/active-directory/saas-apps/promapp-tutorial.md
+++ b/articles/active-directory/saas-apps/promapp-tutorial.md
@@ -231,9 +231,9 @@ When you click the Promapp tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/promaster-tutorial.md b/articles/active-directory/saas-apps/promaster-tutorial.md
index 667e27a1d2194..5bdf977f11138 100644
--- a/articles/active-directory/saas-apps/promaster-tutorial.md
+++ b/articles/active-directory/saas-apps/promaster-tutorial.md
@@ -202,9 +202,9 @@ When you click the ProMaster (by Inlogik) tile in the Access Panel, you should b
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/proxyclick-tutorial.md b/articles/active-directory/saas-apps/proxyclick-tutorial.md
index 35b144cb6d734..55ce350777004 100644
--- a/articles/active-directory/saas-apps/proxyclick-tutorial.md
+++ b/articles/active-directory/saas-apps/proxyclick-tutorial.md
@@ -247,9 +247,9 @@ When you click the Proxyclick tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/purecloud-by-genesys-tutorial.md b/articles/active-directory/saas-apps/purecloud-by-genesys-tutorial.md
index b289e1a083eab..9a9dc018c1cf7 100644
--- a/articles/active-directory/saas-apps/purecloud-by-genesys-tutorial.md
+++ b/articles/active-directory/saas-apps/purecloud-by-genesys-tutorial.md
@@ -286,9 +286,9 @@ When you click the PureCloud by Genesys tile in the Access Panel, you should be
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/purelyhr-tutorial.md b/articles/active-directory/saas-apps/purelyhr-tutorial.md
index 9366a055516e9..12454ac6523b1 100644
--- a/articles/active-directory/saas-apps/purelyhr-tutorial.md
+++ b/articles/active-directory/saas-apps/purelyhr-tutorial.md
@@ -212,9 +212,9 @@ When you click the PurelyHR tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/qprism-tutorial.md b/articles/active-directory/saas-apps/qprism-tutorial.md
index cfc5f38d7fc72..3622b81abafb1 100644
--- a/articles/active-directory/saas-apps/qprism-tutorial.md
+++ b/articles/active-directory/saas-apps/qprism-tutorial.md
@@ -180,9 +180,9 @@ When you click the QPrism tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/qualtrics-tutorial.md b/articles/active-directory/saas-apps/qualtrics-tutorial.md
index 2928a123b2a5a..92e0bd29b042d 100644
--- a/articles/active-directory/saas-apps/qualtrics-tutorial.md
+++ b/articles/active-directory/saas-apps/qualtrics-tutorial.md
@@ -197,9 +197,9 @@ When you click the Qualtrics tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/questetra-bpm-suite-tutorial.md b/articles/active-directory/saas-apps/questetra-bpm-suite-tutorial.md
index bcd81225294ce..6709221862213 100644
--- a/articles/active-directory/saas-apps/questetra-bpm-suite-tutorial.md
+++ b/articles/active-directory/saas-apps/questetra-bpm-suite-tutorial.md
@@ -240,9 +240,9 @@ When you click the Questetra BPM Suite tile in the Access Panel, you should be a
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/quickhelp-tutorial.md b/articles/active-directory/saas-apps/quickhelp-tutorial.md
index 8980ae90fde1b..ff47305bc4abf 100644
--- a/articles/active-directory/saas-apps/quickhelp-tutorial.md
+++ b/articles/active-directory/saas-apps/quickhelp-tutorial.md
@@ -218,9 +218,9 @@ When you click the QuickHelp tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/qumucloud-tutorial.md b/articles/active-directory/saas-apps/qumucloud-tutorial.md
index 434af252780f8..0dcc0e2ee2027 100644
--- a/articles/active-directory/saas-apps/qumucloud-tutorial.md
+++ b/articles/active-directory/saas-apps/qumucloud-tutorial.md
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: femila
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: d8c4a97b-4de6-49d4-b64e-42222c2ec6c9
 ms.service: active-directory
@@ -13,8 +13,8 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 03/13/2018
+ms.topic: tutorial
+ms.date: 04/03/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -22,234 +22,219 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Qumu Cloud In this tutorial, you learn how to integrate Qumu Cloud with Azure Active Directory (Azure AD). - Integrating Qumu Cloud with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Qumu Cloud. -- You can enable your users to automatically get signed-on to Qumu Cloud (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Qumu Cloud. +* You can enable your users to be automatically signed-in to Qumu Cloud (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Qumu Cloud, you need the following items: -- An Azure AD subscription -- A Qumu Cloud single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Qumu Cloud single sign-on enabled subscription -To test the steps in this tutorial, you should follow these recommendations: +## Scenario description -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +* Qumu Cloud supports **SP** and **IDP** initiated SSO -1. Adding Qumu Cloud from the gallery -1. Configuring and testing Azure AD single sign-on +* Qumu Cloud supports **Just In Time** user provisioning ## Adding Qumu Cloud from the gallery + To configure the integration of Qumu Cloud into Azure AD, you need to add Qumu Cloud from the gallery to your list of managed SaaS apps. **To add Qumu Cloud from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. 
To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Qumu Cloud**, select **Qumu Cloud** from result panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Qumu Cloud in the results list](./media/qumucloud-tutorial/tutorial_qumucloud_addfromgallery.png) +4. In the search box, type **Qumu Cloud**, select **Qumu Cloud** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on + ![Qumu Cloud in the results list](common/search-new-app.png) -In this section, you configure and test Azure AD single sign-on with Qumu Cloud based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on -For single sign-on to work, Azure AD needs to know what the counterpart user in Qumu Cloud is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Qumu Cloud needs to be established. +In this section, you configure and test Azure AD single sign-on with Qumu Cloud based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Qumu Cloud needs to be established. To configure and test Azure AD single sign-on with Qumu Cloud, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a Qumu Cloud test user](#create-a-qumu-cloud-test-user)** - to have a counterpart of Britta Simon in Qumu Cloud that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. 
**[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure Qumu Cloud Single Sign-On](#configure-qumu-cloud-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Qumu Cloud test user](#create-qumu-cloud-test-user)** - to have a counterpart of Britta Simon in Qumu Cloud that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Qumu Cloud application. +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with Qumu Cloud, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **Qumu Cloud** application integration page, select **Single sign-on**. + + ![Configure single sign-on link](common/select-sso.png) + +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -**To configure Azure AD single sign-on with Qumu Cloud, perform the following steps:** + ![Single sign-on select mode](common/select-saml-option.png) -1. In the Azure portal, on the **Qumu Cloud** application integration page, click **Single sign-on**. +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Configure single sign-on link][4] + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. 
- - ![Single sign-on dialog box](./media/qumucloud-tutorial/tutorial_qumucloud_samlbase.png) +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: -1. On the **Qumu Cloud Domain and URLs** section, perform the following steps if you wish to configure the application in **IDP** initiated mode: + ![Qumu Cloud Domain and URLs single sign-on information](common/idp-intiated.png) - ![Qumu Cloud Domain and URLs single sign-on information](./media/qumucloud-tutorial/tutorial_qumucloud_url.png) + a. In the **Identifier** text box, type a URL using the following pattern: + `https://.qumucloud.com/saml/SSO` - a. In the **Identifier** textbox, type a URL using the following pattern: `https://.qumucloud.com/saml/SSO` + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://.qumucloud.com/saml/SSO` - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://.qumucloud.com/saml/SSO` +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: -1. Check **Show advanced URL settings** and perform the following step if you wish to configure the application in **SP** initiated mode: + ![Qumu Cloud Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) - ![Qumu Cloud Domain and URLs single sign-on information](./media/qumucloud-tutorial/tutorial_qumucloud_url1.png) + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://.qumucloud.com` - In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.qumucloud.com` - - > [!NOTE] - > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. Contact [Qumu Cloud Client support team](mailto:support@qumu.com) to get these values. + > [!NOTE] + > These values are not real. 
Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Qumu Cloud Client support team](mailto:support@qumu.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. Qumu Cloud application expects the SAML assertions in a specific format. Please configure the following claims for this application. You can manage the values of these attributes from the "**User Attributes**" section on application integration page. The following screenshot shows an example for this. - - ![Configure Single Sign-On](./media/qumucloud-tutorial/attribute.png) - -1. Click **View and edit all other user attributes** checkbox in the **User Attributes** section to expand the attributes. Perform the following steps on each of the displayed attributes- +6. Qumu Cloud application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog. - | Attribute Name | Attribute Value | + ![image](common/edit-attribute.png) + +7. In addition to above, Qumu Cloud application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table: + + | Name | Source Attribute| | ---------------| --------------- | | urn:oid:2.5.4.42 | user.givenname | | urn:oid:2.5.4.4 | user.surname | | urn:oid:0.9.2342.19200300.100.1.3 | user.mail | | urn:oid:0.9.2342.19200300.100.1.1 | user.userprincipalname | - a. Click the attribute to open the **Edit Attribute** window. + a. Click **Add new claim** to open the **Manage user claims** dialog. 
+ + ![image](common/new-save-attribute.png) - ![Configure Single Sign-On](./media/qumucloud-tutorial/tutorial_attribute_04.png) + ![image](common/new-attribute-details.png) b. In the **Name** textbox, type the attribute name shown for that row. - ![Configure Single Sign-On](./media/qumucloud-tutorial/tutorial_attribute_05.png) + c. Leave the **Namespace** blank. - c. From the **Value** list, type the attribute value shown for that row. + d. Select Source as **Attribute**. - d. Keep the **Namespace** textbox blank. - - e. Click **Ok**. + e. From the **Source attribute** list, type the attribute value shown for that row. -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + f. Click **Save**. - ![The Certificate download link](./media/qumucloud-tutorial/tutorial_qumucloud_certificate.png) +8. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -1. Click **Save** button. + ![The Certificate download link](common/metadataxml.png) - ![Configure Single Sign-On Save button](./media/qumucloud-tutorial/tutorial_general_400.png) - -1. To configure single sign-on on **Qumu Cloud** side, you need to send the downloaded **Metadata XML** to [Qumu Cloud support team](mailto:support@qumu.com). They set this setting to have the SAML SSO connection set properly on both sides. +9. On the **Set up Qumu Cloud** section, copy the appropriate URL(s) as per your requirement. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! 
After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) + ![Copy configuration URLs](common/copy-configuration-urls.png) -### Create an Azure AD test user + a. Login URL -The objective of this section is to create a test user in the Azure portal called Britta Simon. + b. Azure AD Identifier - ![Create an Azure AD test user][100] + c. Logout URL -**To create a test user in Azure AD, perform the following steps:** +### Configure Qumu Cloud Single Sign-On -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +To configure single sign-on on **Qumu Cloud** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Qumu Cloud support team](mailto:support@qumu.com). They set this setting to have the SAML SSO connection set properly on both sides. - ![The Azure Active Directory button](./media/qumucloud-tutorial/create_aaduser_01.png) +### Create an Azure AD test user -1. To display the list of users, go to **Users and groups**, and then click **All users**. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![The "Users and groups" and "All users" links](./media/qumucloud-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Add button](./media/qumucloud-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -1. 
In the **User** dialog box, perform the following steps: + ![New user Button](common/new-user.png) - ![The User dialog box](./media/qumucloud-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** box, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** box, type the email address of user Britta Simon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Create a Qumu Cloud test user - -The objective of this section is to create a user called Britta Simon in Qumu Cloud. Qumu Cloud supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access Qumu Cloud if it doesn't exist yet. ->[!Note] ->If you need to create a user manually, contact [Qumu Cloud Client support team](mailto:support@qumu.com). ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Qumu Cloud. -![Assign the user role][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Qumu Cloud**. -**To assign Britta Simon to Qumu Cloud, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **Qumu Cloud**. 
- ![Assign User][201] + ![The Qumu Cloud link in the Applications list](common/all-applications.png) -1. In the applications list, select **Qumu Cloud**. +3. In the menu on the left, select **Users and groups**. - ![The Qumu Cloud link in the Applications list](./media/qumucloud-tutorial/tutorial_qumucloud_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The "Users and groups" link][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create Qumu Cloud test user -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +In this section, a user called Britta Simon is created in Qumu Cloud. Qumu Cloud supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Qumu Cloud, a new one is created after authentication. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +>[!Note] +>If you need to create a user manually, contact [Qumu Cloud Client support team](mailto:support@qumu.com). 
-When you click the Qumu Cloud tile in the Access Panel, you should get automatically signed-on to your Qumu Cloud application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +### Test single sign-on -## Additional resources +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +When you click the Qumu Cloud tile in the Access Panel, you should be automatically signed in to the Qumu Cloud for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/qumucloud-tutorial/tutorial_general_01.png -[2]: ./media/qumucloud-tutorial/tutorial_general_02.png -[3]: ./media/qumucloud-tutorial/tutorial_general_03.png -[4]: ./media/qumucloud-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/qumucloud-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/qumucloud-tutorial/tutorial_general_200.png -[201]: ./media/qumucloud-tutorial/tutorial_general_201.png -[202]: ./media/qumucloud-tutorial/tutorial_general_202.png -[203]: ./media/qumucloud-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 
diff --git a/articles/active-directory/saas-apps/rackspacesso-tutorial.md b/articles/active-directory/saas-apps/rackspacesso-tutorial.md
index 6a3c24b913e66..c53ebf09f066c 100644
--- a/articles/active-directory/saas-apps/rackspacesso-tutorial.md
+++ b/articles/active-directory/saas-apps/rackspacesso-tutorial.md
@@ -184,9 +184,9 @@ When you click the Rackspace SSO tile in the Access Panel, you should be automat
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/rally-software-tutorial.md b/articles/active-directory/saas-apps/rally-software-tutorial.md
index 251d889ad6635..9f5f6c5739fa1 100644
--- a/articles/active-directory/saas-apps/rally-software-tutorial.md
+++ b/articles/active-directory/saas-apps/rally-software-tutorial.md
@@ -233,9 +233,9 @@ When you click the Rally Software tile in the Access Panel, you should be automa
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/realtimeboard-tutorial.md b/articles/active-directory/saas-apps/realtimeboard-tutorial.md
index 36227f24abfcd..c8979925a112f 100644
--- a/articles/active-directory/saas-apps/realtimeboard-tutorial.md
+++ b/articles/active-directory/saas-apps/realtimeboard-tutorial.md
@@ -193,9 +193,9 @@ When you click the RealtimeBoard tile in the Access Panel, you should be automat
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/recognize-tutorial.md b/articles/active-directory/saas-apps/recognize-tutorial.md
index 86c4c34cfba07..471281027dab4 100644
--- a/articles/active-directory/saas-apps/recognize-tutorial.md
+++ b/articles/active-directory/saas-apps/recognize-tutorial.md
@@ -252,9 +252,9 @@ When you click the Recognize tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/redvector-tutorial.md b/articles/active-directory/saas-apps/redvector-tutorial.md
index 62b5f96ac6510..a8e4f2cb13e50 100644
--- a/articles/active-directory/saas-apps/redvector-tutorial.md
+++ b/articles/active-directory/saas-apps/redvector-tutorial.md
@@ -190,9 +190,9 @@ When you click the RedVector tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/reflektive-tutorial.md b/articles/active-directory/saas-apps/reflektive-tutorial.md
index 3886c37e5d284..fe03552394f3d 100644
--- a/articles/active-directory/saas-apps/reflektive-tutorial.md
+++ b/articles/active-directory/saas-apps/reflektive-tutorial.md
@@ -199,9 +199,9 @@ When you click the Reflektive tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/reward-gateway-tutorial.md b/articles/active-directory/saas-apps/reward-gateway-tutorial.md
index 361277ef0e8ed..306b15baea218 100644
--- a/articles/active-directory/saas-apps/reward-gateway-tutorial.md
+++ b/articles/active-directory/saas-apps/reward-gateway-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: 34336386-998a-4d47-ab55-721d97708e5e
 ms.service: active-directory
@@ -12,228 +13,198 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/30/2017 +ms.topic: tutorial +ms.date: 03/26/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Reward Gateway In this tutorial, you learn how to integrate Reward Gateway with Azure Active Directory (Azure AD). - Integrating Reward Gateway with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Reward Gateway -- You can enable your users to automatically get signed-on to Reward Gateway (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Reward Gateway. +* You can enable your users to be automatically signed-in to Reward Gateway (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Reward Gateway, you need the following items: -- An Azure AD subscription -- A Reward Gateway single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Reward Gateway single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Reward Gateway from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Reward Gateway supports **IDP** initiated SSO ## Adding Reward Gateway from the gallery + To configure the integration of Reward Gateway into Azure AD, you need to add Reward Gateway from the gallery to your list of managed SaaS apps. **To add Reward Gateway from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Reward Gateway**. 
+ ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/reward-gateway-tutorial/tutorial_rewardgateway_search.png) +4. In the search box, type **Reward Gateway**, select **Reward Gateway** from result panel then click **Add** button to add the application. -1. In the results panel, select **Reward Gateway**, and then click **Add** button to add the application. + ![Reward Gateway in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/reward-gateway-tutorial/tutorial_rewardgateway_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Reward Gateway based on a test user called "Britta Simon". +In this section, you configure and test Azure AD single sign-on with Reward Gateway based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Reward Gateway needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Reward Gateway is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Reward Gateway needs to be established. +To configure and test Azure AD single sign-on with Reward Gateway, you need to complete the following building blocks: -In Reward Gateway, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Reward Gateway Single Sign-On](#configure-reward-gateway-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Reward Gateway test user](#create-reward-gateway-test-user)** - to have a counterpart of Britta Simon in Reward Gateway that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with Reward Gateway, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a Reward Gateway test user](#creating-a-reward-gateway-test-user)** - to have a counterpart of Britta Simon in Reward Gateway that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with Reward Gateway, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Reward Gateway application. +1. In the [Azure portal](https://portal.azure.com/), on the **Reward Gateway** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Reward Gateway, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Reward Gateway** application integration page, click **Single sign-on**. +2. 
On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/reward-gateway-tutorial/tutorial_rewardgateway_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Reward Gateway Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/reward-gateway-tutorial/tutorial_rewardgateway_url.png) +4. On the **Set up Single Sign-On with SAML** page, perform the following steps: - a. In the **Identifier** textbox, type a URL using the following pattern: + ![Reward Gateway Domain and URLs single sign-on information](common/idp-intiated.png) + a. In the **Identifier** text box, type a URL using the following pattern: + | | |--| - | `https://.rewardgateway.com` | - | `https://.rewardgateway.co.uk/` | - | `https://.rewardgateway.co.nz/` | - | `https://.rewardgateway.com.au/` | + | `https://.rewardgateway.com`| + | `https://.rewardgateway.co.uk/`| + | `https://.rewardgateway.co.nz/`| + | `https://.rewardgateway.com.au/`| - b. In the **Reply URL** textbox, type a URL using the following pattern: + b. 
In the **Reply URL** text box, type a URL using the following pattern: | | |--| - | `https://.rewardgateway.com/Authentication/EndLogin?idp=` | - | `https://.rewardgateway.co.uk/Authentication/EndLogin?idp=` | - | `https://.rewardgateway.co.nz/Authentication/EndLogin?idp=` | - | `https://.rewardgateway.com.au/Authentication/EndLogin?idp=` | + | `https://.rewardgateway.com/Authentication/EndLogin?idp=`| + | `https://.rewardgateway.co.uk/Authentication/EndLogin?idp=`| + | `https://.rewardgateway.co.nz/Authentication/EndLogin?idp=`| + | `https://.rewardgateway.com.au/Authentication/EndLogin?idp=`| - > [!NOTE] + > [!NOTE] > These values are not real. Update these values with the actual Identifier and Reply URL. To get these values start setting up an Integration on the Reward Manager Portal. Details can be found on https://success.rewardgateway.com/authentication-integrations/microsoft-azure-for-authentication - -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. - - ![Configure Single Sign-On](./media/reward-gateway-tutorial/tutorial_rewardgateway_certificate.png) -1. Click **Save** button. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On](./media/reward-gateway-tutorial/tutorial_general_400.png) + ![The Certificate download link](common/metadataxml.png) -1. To configure single sign-on on **Reward Gateway** side, start setting up an Integration on the Reward Manager Portal. Use the downloaded metadata to obtain your Signing Certificate and upload that during the configuration. Details can be found on https://success.rewardgateway.com/authentication-integrations/microsoft-azure-for-authentication +6. 
On the **Set up Reward Gateway** section, copy the appropriate URL(s) as per your requirement. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> + ![Copy configuration URLs](common/copy-configuration-urls.png) -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. - -![Create Azure AD User][100] + a. Login URL -**To create a test user in Azure AD, perform the following steps:** + b. Azure Ad Identifier -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. + c. Logout URL - ![Creating an Azure AD test user](./media/reward-gateway-tutorial/create_aaduser_01.png) +### Configure Reward Gateway Single Sign-On -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/reward-gateway-tutorial/create_aaduser_02.png) +To configure single sign-on on **Reward Gateway** side, start setting up an Integration on the Reward Manager Portal. Use the downloaded metadata to obtain your Signing Certificate and upload that during the configuration. Details can be found on https://success.rewardgateway.com/authentication-integrations/microsoft-azure-for-authentication -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/reward-gateway-tutorial/create_aaduser_03.png) +### Create an Azure AD test user -1. 
On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/reward-gateway-tutorial/create_aaduser_04.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. - a. In the **Name** textbox, type **BrittaSimon**. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - b. In the **User name** textbox, type the **email address** of BrittaSimon. + ![The "Users and groups" and "All users" links](common/users.png) - c. Select **Show Password** and write down the value of the **Password**. +2. Select **New user** at the top of the screen. - d. Click **Create**. - -### Creating a Reward Gateway test user + ![New user Button](common/new-user.png) -In this section, you create a user called Britta Simon in Reward Gateway. Work with Reward Gateway [support team](mailto:clientsupport@rewardgateway.com) to add the users in the Reward Gateway platform. +3. In the User properties, perform the following steps. -### Assigning the Azure AD test user + ![The User dialog box](common/user-properties.png) -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Reward Gateway. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension` + For example, BrittaSimon@contoso.com -![Assign User][200] + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -**To assign Britta Simon to Reward Gateway, perform the following steps:** + d. Click **Create**. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +### Assign the Azure AD test user - ![Assign User][201] +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Reward Gateway. -1. 
In the applications list, select **Reward Gateway**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Reward Gateway**. - ![Configure Single Sign-On](./media/reward-gateway-tutorial/tutorial_rewardgateway_app.png) + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the menu on the left, click **Users and groups**. +2. In the applications list, select **Reward Gateway**. - ![Assign User][202] + ![The Reward Gateway link in the Applications list](common/all-applications.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +3. In the menu on the left, select **Users and groups**. - ![Assign User][203] + ![The "Users and groups" link](common/users-groups-blade.png) -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. Click **Select** button on **Users and groups** dialog. + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -When you click the Reward Gateway tile in the Access Panel, you should get automatically signed-on to your Reward Gateway application. +7. In the **Add Assignment** dialog click the **Assign** button. 
-## Additional resources +### Create Reward Gateway test user -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +In this section, you create a user called Britta Simon in Reward Gateway. Work with [Reward Gateway support team](mailto:clientsupport@rewardgateway.com) to add the users in the Reward Gateway platform. Users must be created and activated before you use single sign-on. +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. - +When you click the Reward Gateway tile in the Access Panel, you should be automatically signed in to the Reward Gateway for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-[1]: ./media/reward-gateway-tutorial/tutorial_general_01.png -[2]: ./media/reward-gateway-tutorial/tutorial_general_02.png -[3]: ./media/reward-gateway-tutorial/tutorial_general_03.png -[4]: ./media/reward-gateway-tutorial/tutorial_general_04.png +## Additional Resources -[100]: ./media/reward-gateway-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/reward-gateway-tutorial/tutorial_general_200.png -[201]: ./media/reward-gateway-tutorial/tutorial_general_201.png -[202]: ./media/reward-gateway-tutorial/tutorial_general_202.png -[203]: ./media/reward-gateway-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/rightscale-tutorial.md b/articles/active-directory/saas-apps/rightscale-tutorial.md index 2a2a32ac310cc..916604693e2da 100644 --- a/articles/active-directory/saas-apps/rightscale-tutorial.md +++ b/articles/active-directory/saas-apps/rightscale-tutorial.md @@ -129,7 +129,7 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf 1. On the **Rightscale Configuration** section, click **Configure Rightscale** to open **Configure sign-on** window. Copy the **SAML Entity ID, and SAML Single Sign-On Service URL** from the **Quick Reference section.** ![Configure Single Sign-On](./media/rightscale-tutorial/tutorial_rightscale_configure.png) - + 1. To get SSO configured for your application, you need to sign-on to your RightScale tenant as an administrator. a. In the menu on the top, click the **Settings** tab and select **Single Sign-On**. 
@@ -161,7 +161,7 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf ![Configure Single Sign-On](./media/rightscale-tutorial/tutorial_rightscale_009.png) h. Click **Save**. - + > [!TIP] > You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) > diff --git a/articles/active-directory/saas-apps/rolepoint-tutorial.md b/articles/active-directory/saas-apps/rolepoint-tutorial.md index 0708be67a317e..f9e45821ce054 100644 --- a/articles/active-directory/saas-apps/rolepoint-tutorial.md +++ b/articles/active-directory/saas-apps/rolepoint-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 68d37f40-15da-45f5-a9e1-d53f78e786d1 ms.service: active-directory 
@@ -12,216 +13,185 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 04/27/2017 +ms.topic: tutorial +ms.date: 03/15/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with RolePoint In this tutorial, you learn how to integrate RolePoint with Azure Active Directory (Azure AD). - Integrating RolePoint with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to RolePoint -- You can enable your users to automatically get signed-on to RolePoint (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to RolePoint. +* You can enable your users to be automatically signed-in to RolePoint (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with RolePoint, you need the following items: -- An Azure AD subscription -- A RolePoint single-sign on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* RolePoint single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding RolePoint from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* RolePoint supports **SP** initiated SSO ## Adding RolePoint from the gallery + To configure the integration of RolePoint into Azure AD, you need to add RolePoint from the gallery to your list of managed SaaS apps. **To add RolePoint from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - - ![Active Directory][1] +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. -1. Navigate to **Enterprise applications**. Then go to **All applications**. + ![The Azure Active Directory button](common/select-azuread.png) - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][3] + ![The Enterprise applications blade](common/enterprise-applications.png) -1. In the search box, type **RolePoint**. +3. To add new application, click **New application** button on the top of dialog. - ![Creating an Azure AD test user](./media/rolepoint-tutorial/tutorial_rolepoint_search.png) + ![The New application button](common/add-new-app.png) -1. 
In the results panel, select **RolePoint**, and then click **Add** button to add the application. +4. In the search box, type **RolePoint**, select **RolePoint** from result panel then click **Add** button to add the application. - ![Creating an Azure AD test user](./media/rolepoint-tutorial/tutorial_rolepoint_addfromgallery.png) + ![RolePoint in the results list](common/search-new-app.png) -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with RolePoint based on a test user called "Britta Simon." +## Configure and test Azure AD single sign-on -For single sign-on to work, Azure AD needs to know what the counterpart user in RolePoint is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in RolePoint needs to be established. - -This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in RolePoint. +In this section, you configure and test Azure AD single sign-on with RolePoint based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in RolePoint needs to be established. To configure and test Azure AD single sign-on with RolePoint, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a RolePoint test user](#creating-a-rolepoint-test-user)** - to have a counterpart of Britta Simon in RolePoint that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. 
**[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure RolePoint Single Sign-On](#configure-rolepoint-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create RolePoint test user](#create-rolepoint-test-user)** - to have a counterpart of Britta Simon in RolePoint that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your RolePoint application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with RolePoint, perform the following steps:** +To configure Azure AD single sign-on with RolePoint, perform the following steps: -1. In the Azure portal, on the **RolePoint** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **RolePoint** application integration page, select **Single sign-on**. - ![Configure Single Sign-On][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/rolepoint-tutorial/tutorial_rolepoint_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. 
On the **RolePoint Domain and URLs** section, perform the following steps: + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On](./media/rolepoint-tutorial/tutorial_rolepoint_url.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.rolepoint.com/login` - - b. In the **Identifier** textbox, type a URL using the following pattern: - `https://app.rolepoint.com/` + ![Edit Basic SAML Configuration](common/edit-urls.png) - > [!NOTE] - > These values are not the real. Update these values with the actual Sign-on URL and Identifier. Here we suggest you to use the unique value of string in the Identifier.Contact [RolePoint support team](mailto:info@rolepoint.com) to get the value. - -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. +4. On the **Basic SAML Configuration** section, perform the following steps: - ![Configure Single Sign-On](./media/rolepoint-tutorial/tutorial_rolepoint_certificate.png) + ![RolePoint Domain and URLs single sign-on information](common/sp-identifier.png) -1. Click **Save** button. + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.rolepoint.com/login` - ![Configure Single Sign-On](./media/rolepoint-tutorial/tutorial_general_400.png) + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://app.rolepoint.com/` + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Here we suggest you to use the unique value of string in the Identifier. Contact [RolePoint Client support team](mailto:info@rolepoint.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. 
To configure single sign-on on **RolePoint** side, you need to send the downloaded **Metadata XML** to [RolePoint support team](mailto:info@rolepoint.com). +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> + ![The Certificate download link](common/metadataxml.png) -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. +6. On the **Set up RolePoint** section, copy the appropriate URL(s) as per your requirement. -![Create Azure AD User][100] + ![Copy configuration URLs](common/copy-configuration-urls.png) -**To create a test user in Azure AD, perform the following steps:** + a. Login URL -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. + b. Azure AD Identifier - ![Creating an Azure AD test user](./media/rolepoint-tutorial/create_aaduser_01.png) + c. Logout URL -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/rolepoint-tutorial/create_aaduser_02.png) +### Configure RolePoint Single Sign-On -1. To open the **User** dialog, click **Add** on the top of the dialog. 
- - ![Creating an Azure AD test user](./media/rolepoint-tutorial/create_aaduser_03.png) +To configure single sign-on on **RolePoint** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [RolePoint support team](mailto:info@rolepoint.com). They set this setting to have the SAML SSO connection set properly on both sides. -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/rolepoint-tutorial/create_aaduser_04.png) +### Create an Azure AD test user - a. In the **Name** textbox, type **BrittaSimon**. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - b. In the **User name** textbox, type the **email address** of BrittaSimon. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - c. Select **Show Password** and write down the value of the **Password**. + ![The "Users and groups" and "All users" links](common/users.png) - d. Click **Create**. - -### Creating a RolePoint test user +2. Select **New user** at the top of the screen. -In this section, you create a user called Britta Simon in RolePoint. Work with [RolePoint support team](mailto:info@rolepoint.com) to add the users in the RolePoint platform. + ![New user Button](common/new-user.png) -### Assigning the Azure AD test user +3. In the User properties, perform the following steps. -In this section, you enable Britta Simon to use Azure single sign-on by granting access to RolePoint. + ![The User dialog box](common/user-properties.png) + + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com. -![Assign User][200] + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. 
-**To assign Britta Simon to RolePoint, perform the following steps:** + d. Click **Create**. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +### Assign the Azure AD test user - ![Assign User][201] +In this section, you enable Britta Simon to use Azure single sign-on by granting access to RolePoint. -1. In the applications list, select **RolePoint**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **RolePoint**. - ![Configure Single Sign-On](./media/rolepoint-tutorial/tutorial_rolepoint_app.png) + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the menu on the left, click **Users and groups**. +2. In the applications list, select **RolePoint**. - ![Assign User][202] + ![The RolePoint link in the Applications list](common/all-applications.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +3. In the menu on the left, select **Users and groups**. - ![Assign User][203] + ![The "Users and groups" link](common/users-groups-blade.png) -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. Click **Select** button on **Users and groups** dialog. + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +6. 
If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -When you click the RolePoint tile in the Access Panel, you should get automatically signed-on to your RolePoint application. +7. In the **Add Assignment** dialog click the **Assign** button. -## Additional resources +### Create RolePoint test user -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +In this section, you create a user called Britta Simon in RolePoint. Work with [RolePoint support team](mailto:info@rolepoint.com) to add the users in the RolePoint platform. Users must be created and activated before you use single sign-on. +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. - +When you click the RolePoint tile in the Access Panel, you should be automatically signed in to the RolePoint for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-[1]: ./media/rolepoint-tutorial/tutorial_general_01.png -[2]: ./media/rolepoint-tutorial/tutorial_general_02.png -[3]: ./media/rolepoint-tutorial/tutorial_general_03.png -[4]: ./media/rolepoint-tutorial/tutorial_general_04.png +## Additional Resources -[100]: ./media/rolepoint-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/rolepoint-tutorial/tutorial_general_200.png -[201]: ./media/rolepoint-tutorial/tutorial_general_201.png -[202]: ./media/rolepoint-tutorial/tutorial_general_202.png -[203]: ./media/rolepoint-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/rstudio-connect-tutorial.md b/articles/active-directory/saas-apps/rstudio-connect-tutorial.md new file mode 100644 index 0000000000000..b118e6d11af93 --- /dev/null +++ b/articles/active-directory/saas-apps/rstudio-connect-tutorial.md 
@@ -0,0 +1,202 @@ +--- +title: 'Tutorial: Azure Active Directory integration with RStudio Connect | Microsoft Docs' +description: Learn how to configure single sign-on between Azure Active Directory and RStudio Connect. +services: active-directory +documentationCenter: na +author: jeevansd +manager: mtillman +ms.reviewer: barbkess + +ms.assetid: 9bc78022-6d38-4476-8f03-e3ca2551e72e +ms.service: active-directory +ms.subservice: saas-app-tutorial +ms.workload: identity +ms.tgt_pltfrm: na +ms.devlang: na +ms.topic: tutorial +ms.date: 04/04/2019 +ms.author: jeedes + +ms.collection: M365-identity-device-management +--- +# Tutorial: Azure Active Directory integration with RStudio Connect + +In this tutorial, you learn how to integrate RStudio Connect with Azure Active Directory (Azure AD). +Integrating RStudio Connect with Azure AD provides you with the following benefits: + +* You can control in Azure AD who has access to RStudio Connect. +* You can enable your users to be automatically signed-in to RStudio Connect (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. + +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. + +## Prerequisites + +To configure Azure AD integration with RStudio Connect, you need the following items: + +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* RStudio Connect single sign-on enabled subscription + +## Scenario description + +In this tutorial, you configure and test Azure AD single sign-on in a test environment. 
+ +* RStudio Connect supports **SP and IDP** initiated SSO + +* RStudio Connect supports **Just In Time** user provisioning + +## Adding RStudio Connect from the gallery + +To configure the integration of RStudio Connect into Azure AD, you need to add RStudio Connect from the gallery to your list of managed SaaS apps. + +**To add RStudio Connect from the gallery, perform the following steps:** + +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. + + ![The Azure Active Directory button](common/select-azuread.png) + +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. + + ![The Enterprise applications blade](common/enterprise-applications.png) + +3. To add new application, click **New application** button on the top of dialog. + + ![The New application button](common/add-new-app.png) + +4. In the search box, type **RStudio Connect**, select **RStudio Connect** from result panel then click **Add** button to add the application. + + ![RStudio Connect in the results list](common/search-new-app.png) + +## Configure and test Azure AD single sign-on + +In this section, you configure and test Azure AD single sign-on with RStudio Connect based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in RStudio Connect needs to be established. + +To configure and test Azure AD single sign-on with RStudio Connect, you need to complete the following building blocks: + +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure RStudio Connect Single Sign-On](#configure-rstudio-connect-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create RStudio Connect test user](#create-rstudio-connect-test-user)** - to have a counterpart of Britta Simon in RStudio Connect that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. + +### Configure Azure AD single sign-on + +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with RStudio Connect, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **RStudio Connect** application integration page, select **Single sign-on**. + + ![Configure single sign-on link](common/select-sso.png) + +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. + + ![Single sign-on select mode](common/select-saml-option.png) + +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. + + ![Edit Basic SAML Configuration](common/edit-urls.png) + +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: + + ![RStudio Connect Domain and URLs single sign-on information](common/idp-intiated.png) + + a. In the **Identifier** text box, type a URL using the following pattern: + `https://connect..com/__login__/saml` + + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://connect..com/__login__/saml/acs` + +5. 
Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: + + ![RStudio Connect Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) + + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://connect..com/` + + > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [RStudio Connect Client support team](mailto:support@rstudio.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + +6. Your RStudio Connect application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. RStudio Connect application expects **nameidentifier** to be mapped with **user.mail**, so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping. + + ![image](common/edit-attribute.png) + +7. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. + + ![The Certificate download link](common/copy-metadataurl.png) + +### Configure RStudio Connect Single Sign-On + +To configure single sign-on on **RStudio Connect** side, you need to send the **App Federation Metadata Url** to [RStudio Connect support team](mailto:support@rstudio.com). They set this setting to have the SAML SSO connection set properly on both sides. + +### Create an Azure AD test user + +The objective of this section is to create a test user in the Azure portal called Britta Simon. + +1. 
In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. + + ![The "Users and groups" and "All users" links](common/users.png) + +2. Select **New user** at the top of the screen. + + ![New user Button](common/new-user.png) + +3. In the User properties, perform the following steps. + + ![The User dialog box](common/user-properties.png) + + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com + + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. + +### Assign the Azure AD test user + +In this section, you enable Britta Simon to use Azure single sign-on by granting access to RStudio Connect. + +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **RStudio Connect**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **RStudio Connect**. + + ![The RStudio Connect link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) + +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. + +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. 
+ +### Create RStudio Connect test user + +In this section, a user called Britta Simon is created in RStudio Connect. RStudio Connect supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in RStudio Connect, a new one is created when you attempt to access RStudio Connect. + +### Test single sign-on + +In this section, you test your Azure AD single sign-on configuration using the Access Panel. + +When you click the RStudio Connect tile in the Access Panel, you should be automatically signed in to the RStudio Connect for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). + +## Additional Resources + +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) + +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) + +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) + diff --git a/articles/active-directory/saas-apps/salesforce-tutorial.md b/articles/active-directory/saas-apps/salesforce-tutorial.md index 35466f5a26b88..70edaa4a61aa8 100644 --- a/articles/active-directory/saas-apps/salesforce-tutorial.md +++ b/articles/active-directory/saas-apps/salesforce-tutorial.md @@ -9,11 +9,12 @@ ms.reviewer: barbkess ms.assetid: d2d7d420-dc91-41b8-a6b3-59579e043b35 ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: tutorial -ms.date: 01/17/2019 +ms.date: 04/10/2019 ms.author: jeedes ms.collection: M365-identity-device-management 
@@ -53,7 +54,7 @@ To configure the integration of Salesforce into Azure AD, you need to add Salesf **To add Salesforce from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon. ![The Azure Active Directory button](common/select-azuread.png) @@ -61,13 +62,13 @@ To configure the integration of Salesforce into Azure AD, you need to add Salesf ![The Enterprise applications blade](common/enterprise-applications.png) -3. To add new application, click **New application** button on the top of dialog. +3. To add a new application, click the **New application** button at the top of the dialog. ![The New application button](common/add-new-app.png) -4. In the search box, type **Salesforce**, select **Salesforce** from result panel then click **Add** button to add the application. +4. In the search box, type **Salesforce**, select **Salesforce** from the result panel then click the **Add** button to add the application. - ![Salesforce in the results list](common/search-new-app.png) + ![Salesforce in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on @@ -97,7 +98,7 @@ To configure Azure AD single sign-on with Salesforce, perform the following step ![Single sign-on select mode](common/select-saml-option.png) -3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. +3. On the **Set up Single Sign-On with SAML** page, click the **Edit** icon to open the **Basic SAML Configuration** dialog. ![Edit Basic SAML Configuration](common/edit-urls.png) 
@@ -130,13 +131,13 @@ To configure Azure AD single sign-on with Salesforce, perform the following step a. Login URL - b. Azure Ad Identifier + b. Azure AD Identifier c. Logout URL ### Configure Salesforce Single Sign-On -1. Open a new tab in your browser and log in to your Salesforce administrator account. +1. Open a new tab in your browser and sign in to your Salesforce administrator account. 2. Click on the **Setup** under **settings icon** on the top right corner of the page. @@ -202,8 +203,7 @@ The objective of this section is to create a test user in the Azure portal calle a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com + b. In the **User name** field type `brittasimon\@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com. c. Select **Show password** check box, and then write down the value that's displayed in the Password box. @@ -245,7 +245,7 @@ In this section, you test your Azure AD single sign-on configuration using the A When you click the Salesforce tile in the Access Panel, you should be automatically signed in to the Salesforce for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -## Additional Resources +## Additional resources - [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) diff --git a/articles/active-directory/saas-apps/samanage-provisioning-tutorial.md b/articles/active-directory/saas-apps/samanage-provisioning-tutorial.md index 8438de8e90df4..671ff7f5cbac7 100644 --- a/articles/active-directory/saas-apps/samanage-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/samanage-provisioning-tutorial.md 
@@ -7,13 +7,14 @@ author: zchia writer: zchia manager: beatrizd-msft -ms.assetid: na +ms.assetid: 62d0392f-37d4-436e-9aff-22f4e5b83623 ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 07/28/2018 +ms.date: 03/28/2019 ms.author: v-wingf-msft ms.collection: M365-identity-device-management --- 
@@ -29,39 +30,34 @@ The objective of this tutorial is to demonstrate the steps to be performed in Sa The scenario outlined in this tutorial assumes that you already have the following: -* An Azure AD tenant -* A [Samanage tenant](https://www.samanage.com/pricing/) with the Professional package -* A user account in Samanage with Admin permissions +* An Azure AD tenant +* A [Samanage tenant](https://www.samanage.com/pricing/) with the Professional package +* A user account in Samanage with Admin permissions > [!NOTE] > The Azure AD provisioning integration relies on the [Samanage Rest API](https://www.samanage.com/api/), which is available to Samanage developers for accounts with the Professional package. ## Adding Samanage from the gallery + Before configuring Samanage for automatic user provisioning with Azure AD, you need to add Samanage from the Azure AD application gallery to your list of managed SaaS applications. **To add Samanage from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. - - ![The Azure Active Directory button][1] - -2. Navigate to **Enterprise applications** > **All applications**. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Enterprise applications Section][2] + ![The Azure Active Directory button](common/select-azuread.png) -3. To add Samanage, click the **New application** button on the top of the dialog. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The New application button][3] + ![The Enterprise applications blade](common/enterprise-applications.png) -4. In the search box, type **Samanage**. +3. To add new application, click **New application** button on the top of dialog. 
- ![Samanage Provisioning](./media/samanage-provisioning-tutorial/AppSearch.png) + ![The New application button](common/add-new-app.png) -5. In the results panel, select **Samanage**, and then click the **Add** button to add Samanage to your list of SaaS applications. +4. In the search box, type **Samanage**, select **Samanage** from result panel then click **Add** button to add the application. - ![Samanage Provisioning](./media/samanage-provisioning-tutorial/AppSearchResults.png) - - ![Samanage Provisioning](./media/samanage-provisioning-tutorial/AppCreation.png) + ![Samanage in the results list](common/search-new-app.png) ## Assigning users to Samanage @@ -88,11 +84,13 @@ This section guides you through the steps to configure the Azure AD provisioning ### To configure automatic user provisioning for Samanage in Azure AD: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **Samanage**. + + ![Enterprise applications blade](common/enterprise-applications.png) -2. Select Samanage from your list of SaaS applications. +2. In the applications list, select **Samanage**. - ![Samanage Provisioning](./media/samanage-provisioning-tutorial/AppInstanceSearch.png) + ![The Samanage link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. diff --git a/articles/active-directory/saas-apps/sansan-tutorial.md b/articles/active-directory/saas-apps/sansan-tutorial.md index 28ec7363224df..e77237a7585bc 100644 --- a/articles/active-directory/saas-apps/sansan-tutorial.md +++ b/articles/active-directory/saas-apps/sansan-tutorial.md 
@@ -254,8 +254,8 @@ When you click the Sansan tile in the Access Panel, you should be automatically ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) \ No newline at end of file diff --git a/articles/active-directory/saas-apps/sap-fiori-tutorial.md b/articles/active-directory/saas-apps/sap-fiori-tutorial.md new file mode 100644 index 0000000000000..05a5b4d4737be --- /dev/null +++ b/articles/active-directory/saas-apps/sap-fiori-tutorial.md 
@@ -0,0 +1,379 @@ +--- +title: 'Tutorial: Azure Active Directory integration with SAP Fiori | Microsoft Docs' +description: Learn how to configure single sign-on between Azure Active Directory and SAP Fiori. +services: active-directory +documentationCenter: na +author: jeevansd +manager: daveba +ms.reviewer: barbkess + +ms.assetid: 77ad13bf-e56b-4063-97d0-c82a19da9d56 +ms.service: active-directory +ms.subservice: saas-app-tutorial +ms.workload: identity +ms.tgt_pltfrm: na +ms.devlang: na +ms.topic: tutorial +ms.date: 03/11/2019 +ms.author: jeedes + +--- +# Tutorial: Azure Active Directory integration with SAP Fiori + +In this tutorial, you learn how to integrate SAP Fiori with Azure Active Directory (Azure AD). +Integrating SAP Fiori with Azure AD provides you with the following benefits: + +* You can control in Azure AD who has access to SAP Fiori. +* You can enable your users to be automatically signed-in to SAP Fiori (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. + +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. + +## Prerequisites + +To configure Azure AD integration with SAP Fiori, you need the following items: + +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* SAP Fiori single sign-on enabled subscription +* SAP Fiori V7.20 required atleast + +## Scenario description + +In this tutorial, you configure and test Azure AD single sign-on in a test environment. 
+ +* SAP Fiori supports **SP** initiated SSO + +## Adding SAP Fiori from the gallery + +To configure the integration of SAP Fiori into Azure AD, you need to add SAP Fiori from the gallery to your list of managed SaaS apps. + +**To add SAP Fiori from the gallery, perform the following steps:** + +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. + + ![The Azure Active Directory button](common/select-azuread.png) + +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. + + ![The Enterprise applications blade](common/enterprise-applications.png) + +3. To add new application, click **New application** button on the top of dialog. + + ![The New application button](common/add-new-app.png) + +4. In the search box, type **SAP Fiori**, select **SAP Fiori** from result panel then click **Add** button to add the application. + + ![SAP Fiori in the results list](common/search-new-app.png) + +## Configure and test Azure AD single sign-on + +In this section, you configure and test Azure AD single sign-on with SAP Fiori based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in SAP Fiori needs to be established. + +To configure and test Azure AD single sign-on with SAP Fiori, you need to complete the following building blocks: + +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure SAP Fiori Single Sign-On](#configure-sap-fiori-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. 
**[Create SAP Fiori test user](#create-sap-fiori-test-user)** - to have a counterpart of Britta Simon in SAP Fiori that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. + +### Configure Azure AD single sign-on + +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with SAP Fiori, perform the following steps: + +1. Open a new web browser window and sign in to your SAP Fiori company site as an administrator + +2. Make sure that **http** and **https** services are active and appropriate ports are assigned in **SMICM** T-Code. + +3. Sign in to business client of SAP System (T01), where SSO is required and activate HTTP Security session Management. + + a. Go to Transaction code **SICF_SESSIONS**. It displays all relevant profile parameters with current values. They look like below:- + ``` + login/create_sso2_ticket = 2 + login/accept_sso2_ticket = 1 + login/ticketcache_entries_max = 1000 + login/ticketcache_off = 0 login/ticket_only_by_https = 0 + icf/set_HTTPonly_flag_on_cookies = 3 + icf/user_recheck = 0 http/security_session_timeout = 1800 + http/security_context_cache_size = 2500 + rdisp/plugin_auto_logout = 1800 + rdisp/autothtime = 60 + ``` + >[!NOTE] + > Adjust above parameters as per your organization requirements, Above parameters are given here as indication only. + + b. If required adjust parameters, in the instance/default profile of SAP system and restart SAP system. + + c. Double click on relevant client to enable HTTP security session. + + ![The Certificate download link](./media/sapfiori-tutorial/tutorial-sapnetweaver-profileparameter.png) + + d. Activate below SICF services: + ``` + /sap/public/bc/sec/saml2 + /sap/public/bc/sec/cdc_ext_service + /sap/bc/webdynpro/sap/saml2 + /sap/bc/webdynpro/sap/sec_diag_tool (This is only to enable / disable trace) + ``` +4. 
Go to Transaction code **SAML2** in business client of SAP system [T01/122]. It will open a user interface in a browser. In this example, we assumed 122 as SAP business client. + + ![The Certificate download link](./media/sapfiori-tutorial/tutorial-sapnetweaver-sapbusinessclient.png) + +5. Provide your username and password to enter in user interface and click **Edit**. + + ![The Certificate download link](./media/sapfiori-tutorial/tutorial-sapnetweaver-userpwd.png) + +6. Replace **Provider Name** from T01122 to `http://T01122` and click on **Save**. + + > [!NOTE] + > By default provider name come as format but Azure AD expects name in the format of ://, recommending to maintain provider name as https:// to allow multiple SAP Fiori ABAP engines to configure in Azure AD. + + ![The Certificate download link](./media/sapfiori-tutorial/tutorial-sapnetweaver-providername.png) + +7. **Generating Service Provider Metadata**:- Once we are done with configuring the **Local Provider** and **Trusted Providers** settings on SAML 2.0 User Interface, the next step would be to generate the service provider’s metadata file (which would contain all the settings, authentication contexts and other configurations in SAP). Once this file is generated we need to upload this in Azure AD. + + ![The Certificate download link](./media/sapfiori-tutorial/tutorial-sapnetweaver-generatesp.png) + + a. Go to **Local Provider tab**. + + b. Click on **Metadata**. + + c. Save the generated **Metadata XML file** on your computer and upload it in **Basic SAML Configuration** section to auto populate the **Identifier** and **Reply URL** values in Azure portal. + +8. In the [Azure portal](https://portal.azure.com/), on the **SAP Fiori** application integration page, select **Single sign-on**. + + ![Configure single sign-on link](common/select-sso.png) + +9. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. 
+ + ![Single sign-on select mode](common/select-saml-option.png) + +10. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. + + ![Edit Basic SAML Configuration](common/edit-urls.png) + +11. On the **Basic SAML Configuration** section, perform the following steps: + + a. Click **Upload metadata file** to upload the **Service Provider metadata file** which you have obtained earlier. + + ![Upload metadata file](common/upload-metadata.png) + + b. Click on **folder logo** to select the metadata file and click **Upload**. + + ![choose metadata file](common/browse-upload-metadata.png) + + c. After the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in **Basic SAML Configuration** section textbox as shown below: + + ![SAP Fiori Domain and URLs single sign-on information](common/sp-identifier-reply.png) + + d. In the **Sign-on URL** text box, type a URL using the following pattern: + `https://` + + > [!NOTE] + > We have seen few customers reporting an error of incorrect Reply URL configured for their instance. If you receive any such error, you can use following PowerShell script as a work around to set the correct Reply URL for your instance.: + ``` + Set-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId -ReplyUrls "" + ``` + > ServicePrincipal Object ID is to be set by yourself first or you can pass that also here. + +12. SAP Fiori application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog. + + ![image](common/edit-attribute.png) + +13. 
In the **User Claims** section on the **User Attributes** dialog, configure SAML token attribute as shown in the image above and perform the following steps: + + a. Click **Edit icon** to open the **Manage user claims** dialog. + + ![image](./media/sapfiori-tutorial/nameidattribute.png) + + ![image](./media/sapfiori-tutorial/nameidattribute1.png) + + b. From the **Transformation** list, select **ExtractMailPrefix()**. + + c. From the **Parameter 1** list, select **user.userprinicipalname**. + + d. Click **Save**. + +14. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/metadataxml.png) + +15. On the **Set up SAP Fiori** section, copy the appropriate URL(s) as per your requirement. + + ![Copy configuration URLs](common/copy-configuration-urls.png) + + a. Login URL + + b. Azure AD Identifier + + c. Logout URL + +### Configure SAP Fiori Single Sign-On + +1. Sign in to SAP system and go to transaction code SAML2. It opens new browser window with SAML configuration screen. + +2. For configuring End points for trusted Identity provider (Azure AD) go to **Trusted Providers** tab. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-samlconfig.png) + +3. Press **Add** and select **Upload Metadata File** from the context menu. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-uploadmetadata.png) + +4. Upload metadata file, which you have downloaded from the Azure portal. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-metadatafile.png) + +5. In the next screen type the Alias name. For example aadsts and press **Next** to continue. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-aliasname.png) + +6. 
Make sure that your **Digest Algorithm** should be **SHA-256** and don’t require any changes and press **Next**. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-identityprovider.png) + +7. On **Single Sign-On Endpoints**, use **HTTP POST** and click **Next** to continue. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-httpredirect.png) + +8. On **Single Logout Endpoints** select **HTTPRedirect** and click **Next** to continue. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-httpredirect1.png) + +9. On **Artifact Endpoints**, press **Next** to continue. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-artifactendpoint.png) + +10. On **Authentication Requirements**, click **Finish**. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-authentication.png) + +11. Go to tab **Trusted Provider** > **Identity Federation** (from bottom of the screen). Click **Edit**. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-trustedprovider.png) + +12. Click **Add** under the **Identity Federation** tab (bottom window). + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-addidentityprovider.png) + +13. From the pop-up window select **Unspecified** from the **Supported NameID formats** and click OK. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-nameid.png) + +14. Note that **user ID Source** and **user ID mapping mode** values determine the link between SAP user and Azure AD claim. + + #### Scenario: SAP User to Azure AD user mapping. + + a. NameID details screenshot from SAP. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/nameiddetails.png) + + b. Screenshot mentioning Required claims from Azure AD. 
+ + ![Configure Single Sign-On](./media/sapfiori-tutorial/claimsaad1.png) + + #### Scenario: Select SAP user ID based on configured email address in SU01. In this case email ID should be configured in su01 for each user who requires SSO. + + a. NameID details screenshot from SAP. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/tutorial-sapnetweaver-nameiddetails1.png) + + b. screenshot mentioning Required claims from Azure AD. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/claimsaad2.png) + +15. Click **Save** and then click **Enable** to enable identity provider. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/configuration1.png) + +16. Click **OK** once prompted. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/configuration2.png) + +### Create an Azure AD test user + +The objective of this section is to create a test user in the Azure portal called Britta Simon. + +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. + + ![The "Users and groups" and "All users" links](common/users.png) + +2. Select **New user** at the top of the screen. + + ![New user Button](common/new-user.png) + +3. In the User properties, perform the following steps. + + ![The User dialog box](common/user-properties.png) + + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com. + + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. + +### Assign the Azure AD test user + +In this section, you enable Britta Simon to use Azure single sign-on by granting access to SAP Fiori. + +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SAP Fiori**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. 
In the applications list, select **SAP Fiori**. + + ![The SAP Fiori link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) + +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. + +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create SAP Fiori test user + +In this section, you create a user called Britta Simon in SAP Fiori. Please work your in house SAP expert team or work with your organization SAP partner to add the users in the SAP Fiori platform. + +### Test single sign-on + +1. Once the identity provider Azure AD was activated, try accessing below URL to check SSO (there will no prompt for username & password) + + `https:///sap/bc/bsp/sap/it00/default.htm` + + (or) use the URL below + + `https:///sap/bc/bsp/sap/it00/default.htm` + + > [!NOTE] + > Replace sapurl with actual SAP hostname. + +2. The above URL should take you to below mentioned screen. If you are able to reach up to the below page, Azure AD SSO setup is successfully done. + + ![Configure Single Sign-On](./media/sapfiori-tutorial/testingsso.png) + +3. 
If username & password prompt occurs, please diagnose the issue by enable the trace using below URL + + `https:///sap/bc/webdynpro/sap/sec_diag_tool?sap-client=122&sap-language=EN#` + +## Additional Resources + +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) + +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) + +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) \ No newline at end of file diff --git a/articles/active-directory/saas-apps/sap-netweaver-tutorial.md b/articles/active-directory/saas-apps/sap-netweaver-tutorial.md index 45a9fe26a7bcc..045ee1e464901 100644 --- a/articles/active-directory/saas-apps/sap-netweaver-tutorial.md +++ b/articles/active-directory/saas-apps/sap-netweaver-tutorial.md @@ -131,7 +131,7 @@ To configure Azure AD single sign-on with SAP NetWeaver, perform the following s 6. Replace **Provider Name** from T01122 to `http://T01122` and click on **Save**. > [!NOTE] - > By default provider name come as format but Azure AD expects name in the format of ://, recommending to maintain provider name as https:// to allow multiple SAP NetWeaver ABAP engines to configure in Azure AD. + > By default provider name come as `` format but Azure AD expects name in the format of `://`, recommending to maintain provider name as `https://` to allow multiple SAP NetWeaver ABAP engines to configure in Azure AD. ![The Certificate download link](./media/sapnetweaver-tutorial/tutorial_sapnetweaver_providername.png) diff --git a/articles/active-directory/saas-apps/scclifecycle-tutorial.md b/articles/active-directory/saas-apps/scclifecycle-tutorial.md index bd132ff061214..2ce203658e273 100644 
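Review bot: The sample profile parameters in step 3a of "Configure Azure AD single sign-on" in the new sap-fiori-tutorial.md include `login/ticket_only_by_https = 0`, which allows the SAP logon ticket cookie to be sent over plain HTTP. The note beneath them only says the values are indicative. Since step 2 already asks for the https service to be active, the note could add: `Where HTTPS is enabled, set login/ticket_only_by_https = 1 so the logon ticket is never sent over an unencrypted connection.` Step 3d also activates `/sap/bc/webdynpro/sap/sec_diag_tool` solely for tracing, and the last step of "Test single sign-on" points readers to it. A sentence telling readers to deactivate that service once troubleshooting is finished would keep the diagnostic endpoint from staying reachable.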
--- a/articles/active-directory/saas-apps/scclifecycle-tutorial.md +++ b/articles/active-directory/saas-apps/scclifecycle-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 9748bf38-ffc3-4d51-a1ae-207ce57104fa ms.service: active-directory 
@@ -12,228 +13,198 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 07/14/2017 +ms.topic: tutorial +ms.date: 03/22/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with SCC LifeCycle In this tutorial, you learn how to integrate SCC LifeCycle with Azure Active Directory (Azure AD). - Integrating SCC LifeCycle with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to SCC LifeCycle -- You can enable your users to automatically get signed-on to SCC LifeCycle (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to SCC LifeCycle. +* You can enable your users to be automatically signed-in to SCC LifeCycle (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with SCC LifeCycle, you need the following items: -- An Azure AD subscription -- An SCC LifeCycle single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial here: [Trial offer](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* SCC LifeCycle single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding SCC LifeCycle from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* SCC LifeCycle supports **SP** initiated SSO ## Adding SCC LifeCycle from the gallery + To configure the integration of SCC LifeCycle into Azure AD, you need to add SCC LifeCycle from the gallery to your list of managed SaaS apps. **To add SCC LifeCycle from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. 
In the search box, type **SCC LifeCycle**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/scclifecycle-tutorial/tutorial_scclifecycle_search.png) +4. In the search box, type **SCC LifeCycle**, select **SCC LifeCycle** from result panel then click **Add** button to add the application. -1. In the results panel, select **SCC LifeCycle**, and then click **Add** button to add the application. + ![SCC LifeCycle in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/scclifecycle-tutorial/tutorial_scclifecycle_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on +In this section, you configure and test Azure AD single sign-on with SCC LifeCycle based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in SCC LifeCycle needs to be established. -In this section, you configure and test Azure AD single sign-on with SCC LifeCycle based on a test user called "Britta Simon." +To configure and test Azure AD single sign-on with SCC LifeCycle, you need to complete the following building blocks: -For single sign-on to work, Azure AD needs to know what the counterpart user in SCC LifeCycle is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in SCC LifeCycle needs to be established. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure SCC LifeCycle Single Sign-On](#configure-scc-lifecycle-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create SCC LifeCycle test user](#create-scc-lifecycle-test-user)** - to have a counterpart of Britta Simon in SCC LifeCycle that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -In SCC LifeCycle, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +### Configure Azure AD single sign-on -To configure and test Azure AD single sign-on with SCC LifeCycle, you need to complete the following building blocks: +In this section, you enable Azure AD single sign-on in the Azure portal. -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating an SCC LifeCycle test user](#creating-an-scc-lifecycle-test-user)** - to have a counterpart of Britta Simon in SCC LifeCycle that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +To configure Azure AD single sign-on with SCC LifeCycle, perform the following steps: -### Configuring Azure AD single sign-on +1. In the [Azure portal](https://portal.azure.com/), on the **SCC LifeCycle** application integration page, select **Single sign-on**. -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your SCC LifeCycle application. 
+ ![Configure single sign-on link](common/select-sso.png) -**To configure Azure AD single sign-on with SCC LifeCycle, perform the following steps:** +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. In the Azure portal, on the **SCC LifeCycle** application integration page, click **Single sign-on**. + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On][4] +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/scclifecycle-tutorial/tutorial_scclifecycle_samlbase.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. On the **SCC LifeCycle Domain and URLs** section, perform the following steps: +4. On the **Basic SAML Configuration** section, perform the following steps: - ![Configure Single Sign-On](./media/scclifecycle-tutorial/tutorial_scclifecycle_url.png) + ![SCC LifeCycle Domain and URLs single sign-on information](common/sp-identifier.png) - a. In the **Sign-on URL** textbox, type a URL using the following pattern: - `https://.scc.com/ic7/welcome/customer/PICTtest.aspx` + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.scc.com/ic7/welcome/customer/PICTtest.aspx` - b. In the **Identifier** textbox, type a URL using the following pattern: + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: | | - |--|--| + |--| | `https://bs1.scc.com/`| | `https://lifecycle.scc.com/`| - - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact [SCC LifeCycle Client support team](mailto:lifecycle.support@scc.com) to get these values. - -1. 
On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. - ![Configure Single Sign-On](./media/scclifecycle-tutorial/tutorial_scclifecycle_certificate.png) + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [SCC LifeCycle Client support team](mailto:lifecycle.support@scc.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. Click **Save** button. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On](./media/scclifecycle-tutorial/tutorial_general_400.png) + ![The Certificate download link](common/metadataxml.png) -1. To configure single sign-on on **SCC LifeCycle** side, you need to send the downloaded **Metadata XML** to [SCC LifeCycle support team](mailto:lifecycle.support@scc.com). They set this setting to have the SAML SSO connection set properly on both sides. +6. On the **Set up SCC LifeCycle** section, copy the appropriate URL(s) as per your requirement. - >[!NOTE] - >Single sign-on has to be enabled by the SCC LifeCycle support team. + ![Copy configuration URLs](common/copy-configuration-urls.png) -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> + a. 
Login URL -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + b. Azure AD Identifier -![Create Azure AD User][100] + c. Logout URL -**To create a test user in Azure AD, perform the following steps:** +### Configure SCC LifeCycle Single Sign-On -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +To configure single sign-on on **SCC LifeCycle** side, you need to send the downloaded **Metadata XML** and appropriate copied URLs from Azure portal to [SCC LifeCycle support team](mailto:lifecycle.support@scc.com). They set this setting to have the SAML SSO connection set properly on both sides. - ![Creating an Azure AD test user](./media/scclifecycle-tutorial/create_aaduser_01.png) + > [!NOTE] + > Single sign-on has to be enabled by the [SCC LifeCycle support team](mailto:lifecycle.support@scc.com). -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/scclifecycle-tutorial/create_aaduser_02.png) +### Create an Azure AD test user + +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/scclifecycle-tutorial/create_aaduser_03.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/scclifecycle-tutorial/create_aaduser_04.png) + ![The "Users and groups" and "All users" links](common/users.png) - a. In the **Name** textbox, type **BrittaSimon**. +2. Select **New user** at the top of the screen. - b. In the **User name** textbox, type the **email address** of BrittaSimon. + ![New user Button](common/new-user.png) - c. 
Select **Show Password** and write down the value of the **Password**. +3. In the User properties, perform the following steps. - d. Click **Create**. - -### Creating an SCC LifeCycle test user + ![The User dialog box](common/user-properties.png) -In order to enable Azure AD users to log into SCC LifeCycle, they must be provisioned into SCC LifeCycle. There is no action item for you to configure user provisioning to SCC LifeCycle. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension` + For example, BrittaSimon@contoso.com -When an assigned user tries to log into SCC LifeCycle, an SCC LifeCycle account is automatically created if necessary. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -> [!NOTE] -> The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes active. + d. Click **Create**. -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to SCC LifeCycle. -![Assign User][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SCC LifeCycle**. -**To assign Britta Simon to SCC LifeCycle, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications.** +2. In the applications list, select **SCC LifeCycle**. - ![Assign User][201] + ![The SCC LifeCycle link in the Applications list](common/all-applications.png) -1. In the applications list, select **SCC LifeCycle**. +3. In the menu on the left, select **Users and groups**. 
- ![Configure Single Sign-On](./media/scclifecycle-tutorial/tutorial_scclifecycle_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![Assign User][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create SCC LifeCycle test user -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +In order to enable Azure AD users to log into SCC LifeCycle, they must be provisioned into SCC LifeCycle. There is no action item for you to configure user provisioning to SCC LifeCycle. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When an assigned user tries to log into SCC LifeCycle, an SCC LifeCycle account is automatically created if necessary. -When you click the SCC LifeCycle tile in the Access Panel, you should get automatically signed-on to SCC LifeCycle application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). 
+> [!NOTE] +> The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes active. -## Additional resources +### Test single sign-on -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +In this section, you test your Azure AD single sign-on configuration using the Access Panel. - +When you click the SCC LifeCycle tile in the Access Panel, you should be automatically signed in to the SCC LifeCycle for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -[1]: ./media/scclifecycle-tutorial/tutorial_general_01.png -[2]: ./media/scclifecycle-tutorial/tutorial_general_02.png -[3]: ./media/scclifecycle-tutorial/tutorial_general_03.png -[4]: ./media/scclifecycle-tutorial/tutorial_general_04.png +## Additional Resources -[100]: ./media/scclifecycle-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/scclifecycle-tutorial/tutorial_general_200.png -[201]: ./media/scclifecycle-tutorial/tutorial_general_201.png -[202]: ./media/scclifecycle-tutorial/tutorial_general_202.png -[203]: ./media/scclifecycle-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 
diff --git a/articles/active-directory/saas-apps/sciforma-tutorial.md b/articles/active-directory/saas-apps/sciforma-tutorial.md
index 26667f89a62f8..d9ea6b9e17962 100644
--- a/articles/active-directory/saas-apps/sciforma-tutorial.md
+++ b/articles/active-directory/saas-apps/sciforma-tutorial.md
@@ -192,9 +192,9 @@ When you click the Sciforma tile in the Access Panel, you should be automaticall
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/sciquest-spend-director-tutorial.md b/articles/active-directory/saas-apps/sciquest-spend-director-tutorial.md
index acce52964b449..4695e51c18619 100644
--- a/articles/active-directory/saas-apps/sciquest-spend-director-tutorial.md
+++ b/articles/active-directory/saas-apps/sciquest-spend-director-tutorial.md
@@ -202,8 +202,8 @@ When you click the SciQuest Spend Director tile in the Access Panel, you should
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/screensteps-tutorial.md b/articles/active-directory/saas-apps/screensteps-tutorial.md
index 10767727fa337..8bf84438f0f69 100644
--- a/articles/active-directory/saas-apps/screensteps-tutorial.md
+++ b/articles/active-directory/saas-apps/screensteps-tutorial.md
@@ -234,8 +234,8 @@ When you click the ScreenSteps tile in the Access Panel, you should be automatic
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/sd-elements-tutorial.md b/articles/active-directory/saas-apps/sd-elements-tutorial.md
index ed233c86ec780..1715e00bde017 100644
--- a/articles/active-directory/saas-apps/sd-elements-tutorial.md
+++ b/articles/active-directory/saas-apps/sd-elements-tutorial.md
@@ -265,8 +265,8 @@ When you click the SD Elements tile in the Access Panel, you should be automatic
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/shibumi-tutorial.md b/articles/active-directory/saas-apps/shibumi-tutorial.md
index 772d18b7f1fbf..d32c20c2fdf10 100644
--- a/articles/active-directory/saas-apps/shibumi-tutorial.md
+++ b/articles/active-directory/saas-apps/shibumi-tutorial.md
@@ -199,9 +199,9 @@ When you click the Shibumi tile in the Access Panel, you should be automatically
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/shucchonavi-tutorial.md b/articles/active-directory/saas-apps/shucchonavi-tutorial.md
index 0ea8524744505..91de71fecb462 100644
--- a/articles/active-directory/saas-apps/shucchonavi-tutorial.md
+++ b/articles/active-directory/saas-apps/shucchonavi-tutorial.md
@@ -188,8 +188,8 @@ When you click the Shuccho Navi tile in the Access Panel, you should be automati
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/signagelive-tutorial.md b/articles/active-directory/saas-apps/signagelive-tutorial.md
index d9441b8daa827..37edfa2e3b78f 100644
--- a/articles/active-directory/saas-apps/signagelive-tutorial.md
+++ b/articles/active-directory/saas-apps/signagelive-tutorial.md
@@ -24,106 +24,107 @@ In this tutorial, you learn how to integrate Signagelive with Azure Active Direc Integrating Signagelive with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to Signagelive. -* You can enable your users to be automatically signed-in to Signagelive (Single Sign-On) with their Azure AD accounts. -* You can manage your accounts in one central location - the Azure portal. +* You can enable your users to be automatically signed in to Signagelive (single sign-on) with their Azure AD accounts. +* You can manage your accounts in one central location: the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). -If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. +For more information about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Signagelive, you need the following items: -* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/) -* Signagelive single sign-on enabled subscription +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* A Signagelive single-sign-on-enabled subscription. ## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment. 
-* Signagelive supports **SP** initiated SSO +* Signagelive supports SP-initiated SSO. -## Adding Signagelive from the gallery +## Add Signagelive from the gallery -To configure the integration of Signagelive into Azure AD, you need to add Signagelive from the gallery to your list of managed SaaS apps. +To configure the integration of Signagelive into Azure AD, first add Signagelive from the gallery to your list of managed SaaS apps. -**To add Signagelive from the gallery, perform the following steps:** +To add Signagelive from the gallery, take the following steps: -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the [Azure portal](https://portal.azure.com), in the left pane, select the **Azure Active Directory** icon. ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise Applications** and then select the **All Applications** option. +2. Go to **Enterprise Applications**, and then select the **All Applications** option. ![The Enterprise applications blade](common/enterprise-applications.png) -3. To add new application, click **New application** button on the top of dialog. +3. To add a new application, select the **New application** button at the top of the dialog box. ![The New application button](common/add-new-app.png) -4. In the search box, type **Signagelive**, select **Signagelive** from result panel then click **Add** button to add the application. +4. In the search box, enter **Signagelive**. ![Signagelive in the results list](common/search-new-app.png) +5. Select **Signagelive** from the results pane, and then select the **Add** button to add the application. + ## Configure and test Azure AD single sign-on In this section, you configure and test Azure AD single sign-on with Signagelive based on a test user called **Britta Simon**. 
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Signagelive needs to be established. +For single sign-on to work, you must establish a link between an Azure AD user and the related user in Signagelive. -To configure and test Azure AD single sign-on with Signagelive, you need to complete the following building blocks: +To configure and test Azure AD single sign-on with Signagelive, first complete the following building blocks: -1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Configure Signagelive Single Sign-On](#configure-signagelive-single-sign-on)** - to configure the Single Sign-On settings on application side. -3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Create Signagelive test user](#create-signagelive-test-user)** - to have a counterpart of Britta Simon in Signagelive that is linked to the Azure AD representation of user. -6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +1. [Configure Azure AD single sign-on](#configure-azure-ad-single-sign-on) to enable your users to use this feature. +2. [Configure Signagelive single sign-on](#configure-signagelive-single-sign-on) to configure the single sign-on settings on the application side. +3. [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on with Britta Simon. +4. [Assign the Azure AD test user](#assign-the-azure-ad-test-user) to enable Britta Simon to use Azure AD single sign-on. +5. [Create a Signagelive test user](#create-a-signagelive-test-user) to have a counterpart of Britta Simon in Signagelive that is linked to the Azure AD representation of the user. +6. 
[Test single sign-on](#test-single-sign-on) to verify that the configuration works. ### Configure Azure AD single sign-on In this section, you enable Azure AD single sign-on in the Azure portal. -To configure Azure AD single sign-on with Signagelive, perform the following steps: +To configure Azure AD single sign-on with Signagelive, take the following steps: 1. In the [Azure portal](https://portal.azure.com/), on the **Signagelive** application integration page, select **Single sign-on**. ![Configure single sign-on link](common/select-sso.png) -2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. +2. In the **Select a single sign-on method** dialog box, select **SAML** to enable single sign-on. ![Single sign-on select mode](common/select-saml-option.png) -3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. +3. On the **Set up single sign-on with SAML** page, select **Edit** to open the **Basic SAML Configuration** dialog box. ![Edit Basic SAML Configuration](common/edit-urls.png) -4. On the **Basic SAML Configuration** section, perform the following steps: +4. In the **Basic SAML Configuration** section, take the following steps: ![Signagelive Domain and URLs single sign-on information](common/sp-signonurl.png) - In the **Sign-on URL** text box, type a URL using the following pattern: + In the **Sign-on URL** box, enter a URL that uses the following pattern: `https://login.signagelive.com/sso/` > [!NOTE] - > The value is not real. Update the value with the actual Sign-On URL. Contact [Signagelive Client support team](mailto:support@signagelive.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + > The value is not real. Update the value with the actual sign-on URL. To get the value, contact the [Signagelive Client support team](mailto:support@signagelive.com) . 
You can also refer to the patterns that are shown in the **Basic SAML Configuration** section in the Azure portal. -5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, select **Download** to download the **Certificate (Raw)** from the given options per your requirement. Then save it on your computer. ![The Certificate download link](common/certificateraw.png) -6. On the **Set up Signagelive** section, copy the appropriate URL(s) as per your requirement. +6. In the **Set up Signagelive** section, copy the URL(s) that you need. ![Copy configuration URLs](common/copy-configuration-urls.png) a. Login URL - b. Azure Ad Identifier + b. Azure AD Identifier c. Logout URL -### Configure Signagelive Single Sign-On +### Configure Signagelive Single sign-on -To configure single sign-on on **Signagelive** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Signagelive support team](mailto:support@signagelive.com). They set this setting to have the SAML SSO connection set properly on both sides. +To configure single sign-on on the Signagelive side, send the downloaded **Certificate (Raw)** and copied URLs from the Azure portal to the [Signagelive support team](mailto:support@signagelive.com). They ensure that the SAML SSO connection is set properly on both sides. ### Create an Azure AD test user 
@@ -135,26 +136,25 @@ The objective of this section is to create a test user in the Azure portal calle 2. Select **New user** at the top of the screen. - ![New user Button](common/new-user.png) + ![New user button](common/new-user.png) -3. In the User properties, perform the following steps. +3. In the **User** dialog box, take the following steps. ![The User dialog box](common/user-properties.png) a. In the **Name** field, enter **BrittaSimon**. - b. In the **User name** field type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com + b. In the **User name** field, enter "brittasimon@yourcompanydomain.extension". For example, in this case, you might enter "BrittaSimon@contoso.com". - c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + c. Select the **Show password** check box, and then note the value that's displayed in the Password box. - d. Click **Create**. + d. Select **Create**. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Signagelive. -1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Signagelive**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, and then select **Signagelive**. ![Enterprise applications blade](common/enterprise-applications.png) 
@@ -166,29 +166,29 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![The "Users and groups" link](common/users-groups-blade.png) -4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. +4. Select the **Add user** button. Then, in the **Add Assignment** dialog box, select **Users and groups**. ![The Add Assignment pane](common/add-assign-user.png) -5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. +5. In the **Users and groups** dialog box, in the **Users** list, select **Britta Simon**. Then click the **Select** button at the bottom of the screen. -6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. +6. If you are expecting a role value in the SAML assertion, then, in the **Select Role** dialog box, select the appropriate role for the user from the list. Next, click the **Select** button at the bottom of the screen. -7. In the **Add Assignment** dialog, click the **Assign** button. +7. In the **Add Assignment** dialog box, select the **Assign** button. -### Create Signagelive test user +### Create a Signagelive test user -In this section, you create a user called Britta Simon in Signagelive. Work with [Signagelive support team](mailto:support@signagelive.com) to add the users in the Signagelive platform. Users must be created and activated before you use single sign-on. +In this section, you create a user called Britta Simon in Signagelive. Work with the [Signagelive support team](mailto:support@signagelive.com) to add the users in the Signagelive platform. You must create and activate users before you use single sign-on. 
### Test single sign-on -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +In this section, you test your Azure AD single sign-on configuration by using the MyApps portal. -When you click the Signagelive tile in the Access Panel, you should be automatically signed in to the Signagelive for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). +When you select the **Signagelive** tile in the MyApps portal, you should be automatically signed in. For more information about the MyApps portal, see [What is the MyApps portal?](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -## Additional Resources +## Additional resources -- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [ List of tutorials on how to integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) - [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) diff --git a/articles/active-directory/saas-apps/signalfx-tutorial.md b/articles/active-directory/saas-apps/signalfx-tutorial.md index 1b9f616462cf2..9b1fdf2f2f3d1 100644 --- a/articles/active-directory/saas-apps/signalfx-tutorial.md +++ b/articles/active-directory/saas-apps/signalfx-tutorial.md @@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 6d5ab4b0-29bc-4b20-8536-d64db7530f32 ms.service: active-directory 
@@ -13,172 +13,174 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 04/16/2018 +ms.topic: tutorial +ms.date: 03/25/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with SignalFx In this tutorial, you learn how to integrate SignalFx with Azure Active Directory (Azure AD). - Integrating SignalFx with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to SignalFx. -- You can enable your users to automatically get signed-on to SignalFx (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to SignalFx. +* You can enable your users to be automatically signed-in to SignalFx (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with SignalFx, you need the following items: -- An Azure AD subscription -- A SignalFx single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* SignalFx single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding SignalFx from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* SignalFx supports **IDP** initiated SSO +* SignalFx supports **Just In Time** user provisioning ## Adding SignalFx from the gallery + To configure the integration of SignalFx into Azure AD, you need to add SignalFx from the gallery to your list of managed SaaS apps. **To add SignalFx from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **SignalFx**, select **SignalFx** from result panel then click **Add** button to add the application. 
+ ![The New application button](common/add-new-app.png) - ![SignalFx in the results list](./media/signalfx-tutorial/tutorial_signalfx_addfromgallery.png) +4. In the search box, type **SignalFx**, select **SignalFx** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on + ![SignalFx in the results list](common/search-new-app.png) -In this section, you configure and test Azure AD single sign-on with SignalFx based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on -For single sign-on to work, Azure AD needs to know what the counterpart user in SignalFx is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in SignalFx needs to be established. +In this section, you configure and test Azure AD single sign-on with SignalFx based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in SignalFx needs to be established. To configure and test Azure AD single sign-on with SignalFx, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a SignalFx test user](#create-a-signalfx-test-user)** - to have a counterpart of Britta Simon in SignalFx that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure SignalFx Single Sign-On](#configure-signalfx-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. 
**[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create SignalFx test user](#create-signalfx-test-user)** - to have a counterpart of Britta Simon in SignalFx that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your SignalFx application. +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with SignalFx, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **SignalFx** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with SignalFx, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **SignalFx** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure single sign-on link][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/signalfx-tutorial/tutorial_signalfx_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **SignalFx Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![SignalFx Domain and URLs single sign-on information](./media/signalfx-tutorial/tutorial_signalfx_url.png) +4. 
On the **Set up Single Sign-On with SAML** page, perform the following steps: - a. In the **Identifier** textbox, type a URL: `https://api.signalfx.com/v1/saml/metadata` + ![SignalFx Domain and URLs single sign-on information](common/idp-intiated.png) - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://api.signalfx.com/v1/saml/acs/` + a. In the **Identifier** text box, type a URL: + `https://api.signalfx.com/v1/saml/metadata` - > [!NOTE] + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://api.signalfx.com/v1/saml/acs/` + + > [!NOTE] > The preceding value is not real value. You update the value with the actual Reply URL, which is explained later in the tutorial. -1. SignalFx application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. The following screenshot shows an example for this. +5. SignalFx application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog. + + ![image](common/edit-attribute.png) - ![Configure Single Sign-On](./media/signalfx-tutorial/tutorial_signalfx_attribute.png) +6. In the **User Claims** section on the **User Attributes** dialog, edit the claims by using **Edit icon** or add the claims by using **Add new claim** to configure SAML token attribute as shown in the image above and perform the following steps: -1. 
In the **User Attributes** section on the **Single sign-on** dialog, configure SAML token attribute as shown in the image and perform the following steps: - - | Attribute Name | Attribute Value | - | ------------------- | -------------------- | - | User.FirstName | user.givenname | + | Name | Source Attribute| + | ------------------- | -------------------- | + | User.FirstName | user.givenname | | User.email | user.mail | | PersonImmutableID | user.userprincipalname | | User.LastName | user.surname | - a. Click **Add attribute** to open the **Add Attribute** dialog. + a. Click **Add new claim** to open the **Manage user claims** dialog. - ![Configure Single Sign-On Add](./media/signalfx-tutorial/tutorial_attribute_04.png) + ![image](common/new-save-attribute.png) - ![Configure Single Sign-On Addattb](./media/signalfx-tutorial/tutorial_attribute_05.png) + ![image](common/new-attribute-details.png) b. In the **Name** textbox, type the attribute name shown for that row. - c. From the **Value** list, type the attribute value shown for that row. + c. Leave the **Namespace** blank. + + d. Select Source as **Attribute**. + + e. From the **Source attribute** list, type the attribute value shown for that row. + + f. Click **Ok** - d. Leave the **Namespace** blank. - - e. Click **Ok**. - -1. On the **SAML Signing Certificate** section, perform the following steps: + g. Click **Save**. - ![The Certificate download link](./media/signalfx-tutorial/tutorial_signalfx_certificate.png) +7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. - a. Click the copy button to copy **App Federation Metadata Url** and paste it into notepad. + ![The Certificate download link](common/certificatebase64.png) - b. Click **Certificate(Base64)** and then save the certificate file on your computer. +8. 
On the **Set up SignalFx** section, copy the appropriate URL(s) as per your requirement. -1. Click **Save** button. + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![Configure Single Sign-On Save button](./media/signalfx-tutorial/tutorial_general_400.png) + a. Login URL -1. On the **SignalFx Configuration** section, click **Configure SignalFx** to open **Configure sign-on** window. Copy the **SAML Entity ID** from the **Quick Reference section.** + b. Azure AD Identifier - ![SignalFx Configuration](./media/signalfx-tutorial/tutorial_signalfx_configure.png) + c. Logout URL -1. Sign-on to your SignalFx company site as administrator. +### Configure SignalFx Single Sign-On + +1. Sign in to your SignalFx company site as administrator. 1. In SignalFx, on the top click **Integrations** to open the Integrations page. ![SignalFx Integration](./media/signalfx-tutorial/tutorial_signalfx_intg.png) 1. Click on **Azure Active Directory** tile under **Login Services** section. - + ![SignalFx saml](./media/signalfx-tutorial/tutorial_signalfx_saml.png) 1. Click on **NEW INTEGRATION** and under the **INSTALL** tab perform the following steps: - + ![SignalFx samlintgpage](./media/signalfx-tutorial/tutorial_signalfx_azure.png) a. In the **Name** textbox type, a new integration name, like **OurOrgName SAML SSO**. - b. Copy the **Integration ID** value and append with the **Reply URL** like `https://api.signalfx.com/v1/saml/acs/` in the **Reply URL** textbox of **SignalFx Domain and URLs** section in Azure portal. + b. Copy the **Integration ID** value and append to the **Reply URL** in the place of `` in the **Reply URL** textbox of **Basic SAML Configuration** section in Azure portal. c. Click on **Upload File** to upload the **Base64 encoded certificate** downloaded from Azure portal in the **Certificate** textbox. - d. In the **Issuer URL** textbox, paste the value of **SAML Entity ID**, which you have copied from the Azure portal. + d. 
In the **Issuer URL** textbox, paste the value of **Azure AD Identifier**, which you have copied from the Azure portal. - e. In the **Metadata URL** textbox, paste the **App Federation Metadata Url** which you have copied from the Azure portal. + e. In the **Metadata URL** textbox, paste the **Login URL** which you have copied from the Azure portal. f. Click **Save**. 
@@ -186,98 +188,73 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![Create an Azure AD test user][100] - -**To create a test user in Azure AD, perform the following steps:** +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Azure Active Directory button](./media/signalfx-tutorial/create_aaduser_01.png) +2. Select **New user** at the top of the screen. -1. To display the list of users, go to **Users and groups**, and then click **All users**. + ![New user Button](common/new-user.png) - ![The "Users and groups" and "All users" links](./media/signalfx-tutorial/create_aaduser_02.png) +3. In the User properties, perform the following steps. -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The User dialog box](common/user-properties.png) - ![The Add button](./media/signalfx-tutorial/create_aaduser_03.png) - -1. In the **User** dialog box, perform the following steps: - - ![The User dialog box](./media/signalfx-tutorial/create_aaduser_04.png) - - a. In the **Name** box, type **BrittaSimon**. - - b. In the **User name** box, type the email address of user Britta Simon. - - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. - - d. Click **Create**. + a. In the **Name** field enter **BrittaSimon**. -### Create a SignalFx test user - -The objective of this section is to create a user called Britta Simon in SignalFx. SignalFx supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. 
A new user is created during an attempt to access SignalFx if it doesn't exist yet. + b. In the **User name** field type `brittasimon@yourcompanydomain.extension` + For example, BrittaSimon@contoso.com -When a user signs in to SignalFx from the SAML SSO for the first time, [SignalFx support team](mailto:kmazzola@signalfx.com) sends them an email containing a link that they must click through to authenticate. This will only happen the first time the user signs in; subsequent login attempts will not require email validation. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. ->[!Note] ->If you need to create a user manually, contact [SignalFx support team](mailto:kmazzola@signalfx.com) + d. Click **Create**. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to SignalFx. -![Assign the user role][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SignalFx**. -**To assign Britta Simon to SignalFx, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **SignalFx**. - ![Assign User][201] + ![The SignalFx link in the Applications list](common/all-applications.png) -1. In the applications list, select **SignalFx**. +3. In the menu on the left, select **Users and groups**. - ![The SignalFx link in the Applications list](./media/signalfx-tutorial/tutorial_signalfx_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. 
- ![The "Users and groups" link][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create SignalFx test user -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on - -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +The objective of this section is to create a user called Britta Simon in SignalFx. SignalFx supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access SignalFx if it doesn't exist yet. -When you click the SignalFx tile in the Access Panel, you should get automatically signed-on to your SignalFx application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +When a user signs in to SignalFx from the SAML SSO for the first time, [SignalFx support team](mailto:kmazzola@signalfx.com) sends them an email containing a link that they must click through to authenticate. This will only happen the first time the user signs in; subsequent login attempts will not require email validation. 
-## Additional resources +> [!Note] +> If you need to create a user manually, contact [SignalFx support team](mailto:kmazzola@signalfx.com) -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the SignalFx tile in the Access Panel, you should be automatically signed in to the SignalFx for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/signalfx-tutorial/tutorial_general_01.png -[2]: ./media/signalfx-tutorial/tutorial_general_02.png -[3]: ./media/signalfx-tutorial/tutorial_general_03.png -[4]: ./media/signalfx-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/signalfx-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/signalfx-tutorial/tutorial_general_200.png -[201]: ./media/signalfx-tutorial/tutorial_general_201.png -[202]: ./media/signalfx-tutorial/tutorial_general_202.png -[203]: ./media/signalfx-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/silverback-tutorial.md b/articles/active-directory/saas-apps/silverback-tutorial.md index 1666440b27081..cf7672994503b 100644 
--- a/articles/active-directory/saas-apps/silverback-tutorial.md
+++ b/articles/active-directory/saas-apps/silverback-tutorial.md
@@ -235,9 +235,9 @@ When you click the Silverback tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/simplenexus-tutorial.md b/articles/active-directory/saas-apps/simplenexus-tutorial.md
index 213f034bc0209..191d7d70e255c 100644
--- a/articles/active-directory/saas-apps/simplenexus-tutorial.md
+++ b/articles/active-directory/saas-apps/simplenexus-tutorial.md
@@ -194,8 +194,8 @@ When you click the SimpleNexus tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/skilljar-tutorial.md b/articles/active-directory/saas-apps/skilljar-tutorial.md
index 44f36f39fd6b7..db6280e414e1b 100644
--- a/articles/active-directory/saas-apps/skilljar-tutorial.md
+++ b/articles/active-directory/saas-apps/skilljar-tutorial.md
@@ -195,9 +195,9 @@ When you click the Skilljar tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/skillsbase-tutorial.md b/articles/active-directory/saas-apps/skillsbase-tutorial.md
index beb219c05ece0..8573196db034c 100644
--- a/articles/active-directory/saas-apps/skillsbase-tutorial.md
+++ b/articles/active-directory/saas-apps/skillsbase-tutorial.md
@@ -211,8 +211,8 @@ When you click the Skills Base tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/skillsmanager-tutorial.md b/articles/active-directory/saas-apps/skillsmanager-tutorial.md
index 353df69621697..23c056137faa8 100644
--- a/articles/active-directory/saas-apps/skillsmanager-tutorial.md
+++ b/articles/active-directory/saas-apps/skillsmanager-tutorial.md
@@ -191,8 +191,8 @@ When you click the Skills Manager tile in the Access Panel, you should be automa
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/skydeskemail-tutorial.md b/articles/active-directory/saas-apps/skydeskemail-tutorial.md
index 0be63e5e59782..c83696b085eb4 100644
--- a/articles/active-directory/saas-apps/skydeskemail-tutorial.md
+++ b/articles/active-directory/saas-apps/skydeskemail-tutorial.md
@@ -236,9 +236,9 @@ When you click the SkyDesk Email tile in the Access Panel, you should be automat
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/skyhighnetworks-tutorial.md b/articles/active-directory/saas-apps/skyhighnetworks-tutorial.md
index bc7e2c182ed67..671c7275abb7e 100644
--- a/articles/active-directory/saas-apps/skyhighnetworks-tutorial.md
+++ b/articles/active-directory/saas-apps/skyhighnetworks-tutorial.md
@@ -198,8 +198,8 @@ When you click the Skyhigh Networks tile in the Access Panel, you should be auto
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/skytap-tutorial.md b/articles/active-directory/saas-apps/skytap-tutorial.md
index 487247e7f8dc6..bcc1447a2888f 100644
--- a/articles/active-directory/saas-apps/skytap-tutorial.md
+++ b/articles/active-directory/saas-apps/skytap-tutorial.md
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: femila
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: d6cb7ab2-da1a-4015-8e6f-c0c47bb6210f
 ms.service: active-directory
@@ -13,8 +13,8 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 06/07/2018
+ms.topic: tutorial
+ms.date: 04-08-2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -22,206 +22,188 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Skytap In this tutorial, you learn how to integrate Skytap with Azure Active Directory (Azure AD). - Integrating Skytap with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Skytap. -- You can enable your users to automatically get signed-on to Skytap (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Skytap. +* You can enable your users to be automatically signed-in to Skytap (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Skytap, you need the following items: -- An Azure AD subscription -- A Skytap single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Skytap single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Skytap from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Skytap supports **SP and IDP** initiated SSO ## Adding Skytap from the gallery + To configure the integration of Skytap into Azure AD, you need to add Skytap from the gallery to your list of managed SaaS apps. **To add Skytap from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. To add a new application, click the **New application** button at the top of the dialog. -1. In the search box, type **Skytap**, select **Skytap** from result panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Skytap in the results list](./media/skytap-tutorial/tutorial_skytap_addfromgallery.png) +4. 
In the search box, type **Skytap**, select **Skytap** from the result panel then click the **Add** button to add the application. -## Configure and test Azure AD single sign-on + ![Skytap in the results list](common/search-new-app.png) -In this section, you configure and test Azure AD single sign-on with Skytap based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on -For single sign-on to work, Azure AD needs to know what the counterpart user in Skytap is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Skytap needs to be established. +In this section, you configure and test Azure AD single sign-on with Skytap based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Skytap needs to be established. To configure and test Azure AD single sign-on with Skytap, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a Skytap test user](#create-a-skytap-test-user)** - to have a counterpart of Britta Simon in Skytap that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure Skytap Single Sign-On](#configure-skytap-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Skytap test user](#create-skytap-test-user)** - to have a counterpart of Britta Simon in Skytap that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Skytap application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Skytap, perform the following steps:** +To configure Azure AD single sign-on with Skytap, perform the following steps: -1. In the Azure portal, on the **Skytap** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Skytap** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/skytap-tutorial/tutorial_skytap_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. On the **Skytap Domain and URLs** section, perform the following steps if you wish to configure the application in **IDP** initiated mode: + ![Single sign-on select mode](common/select-saml-option.png) - ![Skytap Domain and URLs single sign-on information](./media/skytap-tutorial/tutorial_skytap_url.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - a. 
In the **Identifier** textbox, type a URL using the following pattern: `http://pingone.com/` + ![Edit Basic SAML Configuration](common/edit-urls.png) - b. In the **Reply URL** textbox, type a URL: `https://sso.connect.pingidentity.com/sso/sp/ACS.saml2` +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: -1. Check **Show advanced URL settings** and perform the following step if you wish to configure the application in **SP** initiated mode: + ![Skytap Domain and URLs single sign-on information](common/idp-intiated.png) - ![Skytap Domain and URLs single sign-on information](./media/skytap-tutorial/tutorial_skytap_url1.png) + a. In the **Identifier** text box, type a URL using the following pattern: + `http://pingone.com/` - c. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=&idpid=` - - d. In the **Relay State** textbox, type a URL using the following pattern: `https://pingone.com/1.0/` + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://sso.connect.pingidentity.com/sso/sp/ACS.saml2` - > [!NOTE] - > These values are not real. Update these values with the actual Identifier, Sign-On URL and Relay State. Contact [Skytap Client support team](mailto:support@skytap.com) to get these values. +5. Click **Set additional URLs** and perform the following steps if you wish to configure the application in **SP** initiated mode: -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + ![Skytap Domain and URLs single sign-on information](common/both-advanced-urls.png) - ![The Certificate download link](./media/skytap-tutorial/tutorial_skytap_certificate.png) + d. 
In the **Sign-on URL** text box, type a URL using the following pattern: + `https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=&idpid=` -1. Click **Save** button. + e. In the **Relay State** text box, type a URL using the following pattern: + `https://pingone.com/1.0/` - ![Configure Single Sign-On Save button](./media/skytap-tutorial/tutorial_general_400.png) - -1. To configure single sign-on on **Skytap** side, you need to send the downloaded **Metadata XML** to [Skytap support team](mailto:support@skytap.com). They set this setting to have the SAML SSO connection set properly on both sides. + > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL, Sign-on URL and Relay State. Contact [Skytap Client support team](mailto:support@skytap.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -### Create an Azure AD test user +6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -The objective of this section is to create a test user in the Azure portal called Britta Simon. + ![The Certificate download link](common/metadataxml.png) + +7. On the **Set up Skytap** section, copy the appropriate URL(s) as per your requirement. - ![Create an Azure AD test user][100] + ![Copy configuration URLs](common/copy-configuration-urls.png) -**To create a test user in Azure AD, perform the following steps:** + a. Login URL -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. + b. Azure AD Identifier - ![The Azure Active Directory button](./media/skytap-tutorial/create_aaduser_01.png) + c. Logout URL -1. To display the list of users, go to **Users and groups**, and then click **All users**. 
+### Configure Skytap Single Sign-On - ![The "Users and groups" and "All users" links](./media/skytap-tutorial/create_aaduser_02.png) +To configure single sign-on on **Skytap** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Skytap support team](mailto:support@skytap.com). They set this setting to have the SAML SSO connection set properly on both sides. -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. +### Create an Azure AD test user - ![The Add button](./media/skytap-tutorial/create_aaduser_03.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. In the **User** dialog box, perform the following steps: +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![The User dialog box](./media/skytap-tutorial/create_aaduser_04.png) + ![The "Users and groups" and "All users" links](common/users.png) - a. In the **Name** box, type **BrittaSimon**. +2. Select **New user** at the top of the screen. - b. In the **User name** box, type the email address of user Britta Simon. + ![New user Button](common/new-user.png) - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. +3. In the User properties, perform the following steps. - d. Click **Create**. - -### Create a Skytap test user + ![The User dialog box](common/user-properties.png) + + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com -In this section, you create a user called Britta Simon in Skytap. Work with [Skytap support team](mailto:support@skytap.com) to add the users in the Skytap platform. Users must be created and activated before you use single sign-on + c. 
Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Skytap. -![Assign the user role][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Skytap**. -**To assign Britta Simon to Skytap, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **Skytap**. - ![Assign User][201] + ![The Skytap link in the Applications list](common/all-applications.png) -1. In the applications list, select **Skytap**. +3. In the menu on the left, select **Users and groups**. - ![The Skytap link in the Applications list](./media/skytap-tutorial/tutorial_skytap_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The "Users and groups" link][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. 
In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create Skytap test user -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +In this section, you create a user called Britta Simon in Skytap. Work with [Skytap support team](mailto:support@skytap.com) to add the users in the Skytap platform. Users must be created and activated before you use single sign-on. + +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the Skytap tile in the Access Panel, you should get automatically signed-on to your Skytap application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +When you click the Skytap tile in the Access Panel, you should be automatically signed in to the Skytap for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
## Additional resources -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - - - - - -[1]: ./media/skytap-tutorial/tutorial_general_01.png -[2]: ./media/skytap-tutorial/tutorial_general_02.png -[3]: ./media/skytap-tutorial/tutorial_general_03.png -[4]: ./media/skytap-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/skytap-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/skytap-tutorial/tutorial_general_200.png -[201]: ./media/skytap-tutorial/tutorial_general_201.png -[202]: ./media/skytap-tutorial/tutorial_general_202.png -[203]: ./media/skytap-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/slack-provisioning-tutorial.md b/articles/active-directory/saas-apps/slack-provisioning-tutorial.md index c054cd257908c..b2d7e2a779778 100644 --- a/articles/active-directory/saas-apps/slack-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/slack-provisioning-tutorial.md @@ -14,7 +14,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/26/2018 +ms.date: 03/27/2019 ms.author: asmalser-msft ms.reviewer: asmalser 
@@ -23,22 +23,21 @@ ms.collection: M365-identity-device-management # Tutorial: Configure Slack for automatic user provisioning - -The objective of this tutorial is to show you the steps you need to perform in Slack and Azure AD to automatically provision and de-provision user accounts from Azure AD to Slack. +The objective of this tutorial is to show you the steps you need to perform in Slack and Azure AD to automatically provision and de-provision user accounts from Azure AD to Slack. ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following items: -* An Azure Active Directory tenant -* A Slack tenant with the [Plus plan](https://aadsyncfabric.slack.com/pricing) or better enabled -* A user account in Slack with Team Admin permissions +* An Azure Active Directory tenant +* A Slack tenant with the [Plus plan](https://aadsyncfabric.slack.com/pricing) or better enabled +* A user account in Slack with Team Admin permissions Note: The Azure AD provisioning integration relies on the [Slack SCIM API](https://api.slack.com/scim), which is available to Slack teams on the Plus plan or better. ## Assigning users to Slack -Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD will be synchronized. +Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD will be synchronized. Before configuring and enabling the provisioning service, you will need to decide what users and/or groups in Azure AD represent the users who need access to your Slack app. 
Once decided, you can assign these users to your Slack app by following the instructions here: @@ -46,10 +45,9 @@ Before configuring and enabling the provisioning service, you will need to decid ### Important tips for assigning users to Slack -* It is recommended that a single Azure AD user is assigned to Slack to test the provisioning configuration. Additional users and/or groups may be assigned later. - -* When assigning a user to Slack, you must select the **User** or "Group" role in the assignment dialog. The "Default Access" role does not work for provisioning. +* It is recommended that a single Azure AD user is assigned to Slack to test the provisioning configuration. Additional users and/or groups may be assigned later. +* When assigning a user to Slack, you must select the **User** or "Group" role in the assignment dialog. The "Default Access" role does not work for provisioning. ## Configuring user provisioning to Slack @@ -57,10 +55,8 @@ This section guides you through connecting your Azure AD to Slack's user account **Tip:** You may also choose to enabled SAML-based Single Sign-On for Slack, following the instructions provided in [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other. - ### To configure automatic user account provisioning to Slack in Azure AD: - 1. In the [Azure portal](https://portal.azure.com), browse to the **Azure Active Directory > Enterprise Apps > All applications** section. 2. If you have already configured Slack for single sign-on, search for your instance of Slack using the search field. Otherwise, select **Add** and search for **Slack** in the application gallery. Select Slack from the search results, and add it to your list of applications. 
@@ -71,17 +67,17 @@ This section guides you through connecting your Azure AD to Slack's user account ![Slack Provisioning](./media/slack-provisioning-tutorial/Slack1.PNG) -5. Under the **Admin Credentials** section, click **Authorize**. This opens a Slack authorization dialog in a new browser window. +5. Under the **Admin Credentials** section, click **Authorize**. This opens a Slack authorization dialog in a new browser window. 6. In the new window, sign into Slack using your Team Admin account. in the resulting authorization dialog, select the Slack team that you want to enable provisioning for, and then select **Authorize**. Once completed, return to the Azure portal to complete the provisioning configuration. - ![Authorization Dialog](./media/slack-provisioning-tutorial/Slack3.PNG) + ![Authorization Dialog](./media/slack-provisioning-tutorial/Slack3.PNG) 7. In the Azure portal, click **Test Connection** to ensure Azure AD can connect to your Slack app. If the connection fails, ensure your Slack account has Team Admin permissions and try the "Authorize" step again. 8. Enter the email address of a person or group who should receive provisioning error notifications in the **Notification Email** field, and check the checkbox below. -9. Click **Save**. +9. Click **Save**. 10. Under the Mappings section, select **Synchronize Azure Active Directory Users to Slack**. 
@@ -89,11 +85,11 @@ This section guides you through connecting your Azure AD to Slack's user account 12. To enable the Azure AD provisioning service for Slack, change the **Provisioning Status** to **On** in the **Settings** section -13. Click **Save**. +13. Click **Save**. This will start the initial synchronization of any users and/or groups assigned to Slack in the Users and Groups section. Note that the initial sync will take longer to perform than subsequent syncs, which occur approximately every 10 minutes as long as the service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity reports, which describe all actions performed by the provisioning service on your Slack app. -## [Optional] Configuring group object provisioning to Slack +## [Optional] Configuring group object provisioning to Slack Optionally, you can enable the provisioning of group objects from Azure AD to Slack. This is different from "assigning groups of users", in that the actual group object in addition to its members will be replicated from Azure AD to Slack. For example, if you have a group named "My Group" in Azure AD, an identical group named "My Group" will be created inside Slack. 
@@ -113,12 +109,17 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti ## Connector limitations - * When configuring Slack's **displayName** attribute, be aware of the following behaviors: +* When configuring Slack's **displayName** attribute, be aware of the following behaviors: + * Values are not entirely unique (e.g. 2 users can have the same display name) + * Supports non-English characters, spaces, capitalization. + * Allowed punctuation includes periods, underscores, hyphens, apostrophes, brackets (e.g. **( [ { } ] )**), and separators (e.g. **, / ;**). + * Only updates if these two settings are configured in Slack's workplace/organization - **Profile syncing is enabled** and **Users cannot change their display name**. - * Slack's **userName** attribute has to be under 21 characters and have a unique value. + + * Slack's **userName** attribute has to be under 21 characters and have a unique value. ## Additional Resources diff --git a/articles/active-directory/saas-apps/smallimprovements-tutorial.md b/articles/active-directory/saas-apps/smallimprovements-tutorial.md index 1de961fa6c278..613e7ba1ec6a0 100644 --- a/articles/active-directory/saas-apps/smallimprovements-tutorial.md +++ b/articles/active-directory/saas-apps/smallimprovements-tutorial.md 
@@ -241,8 +241,8 @@ When you click the Small Improvements tile in the Access Panel, you should be au
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/smartdraw-tutorial.md b/articles/active-directory/saas-apps/smartdraw-tutorial.md
index 50be6235f41ec..ec9e72a7ca73e 100644
--- a/articles/active-directory/saas-apps/smartdraw-tutorial.md
+++ b/articles/active-directory/saas-apps/smartdraw-tutorial.md
@@ -245,9 +245,9 @@ When you click the SmartDraw tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/smarteru-tutorial.md b/articles/active-directory/saas-apps/smarteru-tutorial.md
index 28ff451df4924..fca776077ae35 100644
--- a/articles/active-directory/saas-apps/smarteru-tutorial.md
+++ b/articles/active-directory/saas-apps/smarteru-tutorial.md
@@ -228,8 +228,8 @@ When you click the SmarterU tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/smartlpa-tutorial.md b/articles/active-directory/saas-apps/smartlpa-tutorial.md
index 63802cc0efbf4..9d2f0da9cddb4 100644
--- a/articles/active-directory/saas-apps/smartlpa-tutorial.md
+++ b/articles/active-directory/saas-apps/smartlpa-tutorial.md
@@ -191,8 +191,8 @@ When you click the SmartLPA tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/smartrecruiters-tutorial.md b/articles/active-directory/saas-apps/smartrecruiters-tutorial.md
index aee5d45437976..ba013aa16889c 100644
--- a/articles/active-directory/saas-apps/smartrecruiters-tutorial.md
+++ b/articles/active-directory/saas-apps/smartrecruiters-tutorial.md
@@ -220,9 +220,9 @@ When you click the SmartRecruiters tile in the Access Panel, you should be autom
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/smartvid.io-tutorial.md b/articles/active-directory/saas-apps/smartvid.io-tutorial.md
index ed68a7a0a77b6..43cb908943cb8 100644
--- a/articles/active-directory/saas-apps/smartvid.io-tutorial.md
+++ b/articles/active-directory/saas-apps/smartvid.io-tutorial.md
@@ -181,8 +181,8 @@ When you click the smartvid.io tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/soonr-tutorial.md b/articles/active-directory/saas-apps/soonr-tutorial.md
index b002a9dc2a1b6..a24f73ec6e5a7 100644
--- a/articles/active-directory/saas-apps/soonr-tutorial.md
+++ b/articles/active-directory/saas-apps/soonr-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: b75f5f00-ea8b-4850-ae2e-134e5d678d97
 ms.service: active-directory
@@ -12,8 +13,8 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 08/11/2017
+ms.topic: tutorial
+ms.date: 08-04-2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -21,220 +22,188 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Soonr Workplace In this tutorial, you learn how to integrate Soonr Workplace with Azure Active Directory (Azure AD). - Integrating Soonr Workplace with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Soonr Workplace -- You can enable your users to automatically get signed-on to Soonr Workplace (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Soonr Workplace. +* You can enable your users to be automatically signed-in to Soonr Workplace (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Soonr Workplace, you need the following items: -- An Azure AD subscription -- A Soonr Workplace single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). 
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Soonr Workplace single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Soonr Workplace from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Soonr Workplace supports **SP and IDP** initiated SSO ## Adding Soonr Workplace from the gallery + To configure the integration of Soonr Workplace into Azure AD, you need to add Soonr Workplace from the gallery to your list of managed SaaS apps. **To add Soonr Workplace from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - - ![Active Directory][1] - -1. Navigate to **Enterprise applications**. Then go to **All applications**. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Azure Active Directory button](common/select-azuread.png) - ![Applications][3] +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -1. In the search box, type **Soonr Workplace**. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Creating an Azure AD test user](./media/soonr-tutorial/tutorial_soonr_search.png) +3. To add a new application, click the **New application** button at the top of the dialog. -1. In the results panel, select **Soonr Workplace**, and then click **Add** button to add the application. 
+ ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/soonr-tutorial/tutorial_soonr_addfromgallery.png) +4. In the search box, type **Soonr Workplace**, select **Soonr Workplace** from the result panel then click the **Add** button to add the application. -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Soonr Workplace based on a test user called "Britta Simon". + ![Soonr Workplace in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know what the counterpart user in Soonr Workplace is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Soonr Workplace needs to be established. +## Configure and test Azure AD single sign-on -In Soonr Workplace, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with Soonr Workplace based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Soonr Workplace needs to be established. To configure and test Azure AD single sign-on with Soonr Workplace, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a Soonr Workplace test user](#creating-a-soonr-workplace-test-user)** - to have a counterpart of Britta Simon in Soonr Workplace that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. 
**[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Soonr Workplace Single Sign-On](#configure-soonr-workplace-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Soonr Workplace test user](#create-soonr-workplace-test-user)** - to have a counterpart of Britta Simon in Soonr Workplace that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Soonr Workplace application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Soonr Workplace, perform the following steps:** +To configure Azure AD single sign-on with Soonr Workplace, perform the following steps: -1. In the Azure portal, on the **Soonr Workplace** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Soonr Workplace** application integration page, select **Single sign-on**. - ![Configure Single Sign-On][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/soonr-tutorial/tutorial_soonr_samlbase.png) +2. 
On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. On the **Soonr Workplace Domain and URLs** section, perform the following steps: + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On](./media/soonr-tutorial/tutorial_soonr_url.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - a. In the **Identifier** textbox, type a URL using the following pattern: `https://.soonr.com/singlesignon/saml/metadata` + ![Edit Basic SAML Configuration](common/edit-urls.png) - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://.soonr.com/singlesignon/saml/SSO` +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: -1. On the **Soonr Workplace Domain and URLs** section, If you wish to configure the application in **SP initiated mode**, perform the following steps: - - ![Configure Single Sign-On](./media/soonr-tutorial/tutorial_soonr_url1.png) + ![Soonr Workplace Domain and URLs single sign-on information](common/idp-intiated.png) - a. Click on the **Show advanced URL settings**. + a. In the **Identifier** text box, type a URL using the following pattern: + `https://.soonr.com/singlesignon/saml/metadata` - b. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.soonr.com/singlesignon/saml/SSO` + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://.soonr.com/singlesignon/saml/SSO` - > [!NOTE] - > These values are not real. Update these values with the actual Identifier, Sign on URL and Reply URL. Contact [Soonr Workplace support team](https://awp.autotask.net/help/) to get these values. - -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. +5. 
Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: - ![Configure Single Sign-On](./media/soonr-tutorial/tutorial_soonr_certificate.png) + ![Soonr Workplace Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) -1. Click **Save** button. + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://.soonr.com/singlesignon/saml/SSO` - ![Configure Single Sign-On](./media/soonr-tutorial/tutorial_general_400.png) + > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Soonr Workplace Client support team](https://awp.autotask.net/help/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. On the **Soonr Workplace Configuration** section, click **Configure Soonr Workplace** to open **Configure sign-on** window. Copy the **Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** from the **Quick Reference section.** +6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On](./media/soonr-tutorial/tutorial_soonr_configure.png) + ![The Certificate download link](common/metadataxml.png) -1. To configure single sign-on on **Soonr Workplace** side, you need to send the downloaded **Metadata XML**, **Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** to [Soonr Workplace support team](https://awp.autotask.net/help/). They set this setting to have the SAML SSO connection set properly on both sides. +7. On the **Set up Soonr Workplace** section, copy the appropriate URL(s) as per your requirement. 
- >[!Note] - >If you require assistance with configuring Autotask Workplace, please see [this page](https://awp.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm) to get assistance with your Workplace account. + ![Copy configuration URLs](common/copy-configuration-urls.png) -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> + a. Login URL -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + b. Azure AD Identifier -![Create Azure AD User][100] + c. Logout URL -**To create a test user in Azure AD, perform the following steps:** +### Configure Soonr Workplace Single Sign-On -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +To configure single sign-on on **Soonr Workplace** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Soonr Workplace support team](https://awp.autotask.net/help/). They set this setting to have the SAML SSO connection set properly on both sides. - ![Creating an Azure AD test user](./media/soonr-tutorial/create_aaduser_01.png) +> [!Note] +> If you require assistance with configuring Autotask Workplace, please see [this page](https://awp.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm) to get assistance with your Workplace account. -1. To display the list of users, go to **Users and groups** and click **All users**. 
- - ![Creating an Azure AD test user](./media/soonr-tutorial/create_aaduser_02.png) +### Create an Azure AD test user -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/soonr-tutorial/create_aaduser_03.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/soonr-tutorial/create_aaduser_04.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - a. In the **Name** textbox, type **BrittaSimon**. + ![The "Users and groups" and "All users" links](common/users.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. +2. Select **New user** at the top of the screen. - c. Select **Show Password** and write down the value of the **Password**. + ![New user Button](common/new-user.png) - d. Click **Create**. - -### Creating a Soonr Workplace test user +3. In the User properties, perform the following steps. -The objective of this section is to create a user called Britta Simon in Soonr Workplace. Work with [Soonr Workplace support team](https://awp.autotask.net/help/) to create a user in the platform. You can raise the support ticket with Soonr from here. + ![The User dialog box](common/user-properties.png) -### Assigning the Azure AD test user + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Soonr Workplace. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -![Assign User][200] + d. Click **Create**. 
-**To assign Britta Simon to Soonr Workplace, perform the following steps:** +### Assign the Azure AD test user -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Soonr Workplace. - ![Assign User][201] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Soonr Workplace**. -1. In the applications list, select **Soonr Workplace**. + ![Enterprise applications blade](common/enterprise-applications.png) - ![Configure Single Sign-On](./media/soonr-tutorial/tutorial_soonr_app.png) +2. In the applications list, select **Soonr Workplace**. -1. In the menu on the left, click **Users and groups**. + ![The Soonr Workplace link in the Applications list](common/all-applications.png) - ![Assign User][202] +3. In the menu on the left, select **Users and groups**. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. + ![The "Users and groups" link](common/users-groups-blade.png) - ![Assign User][203] +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Select** button on **Users and groups** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. 
-The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. +7. In the **Add Assignment** dialog click the **Assign** button. -When you click the Soonr Workplace tile in the Access Panel, you should get automatically signed-on to your Soonr Workplace application. +### Create Soonr Workplace test user -## Additional resources +In this section, you create a user called Britta Simon in Soonr Workplace. Work with [Soonr Workplace support team](https://awp.autotask.net/help/) to add the users in the Soonr Workplace platform. Users must be created and activated before you use single sign-on. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the Soonr Workplace tile in the Access Panel, you should be automatically signed in to the Soonr Workplace for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
- +## Additional resources -[1]: ./media/soonr-tutorial/tutorial_general_01.png -[2]: ./media/soonr-tutorial/tutorial_general_02.png -[3]: ./media/soonr-tutorial/tutorial_general_03.png -[4]: ./media/soonr-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/soonr-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/soonr-tutorial/tutorial_general_200.png -[201]: ./media/soonr-tutorial/tutorial_general_201.png -[202]: ./media/soonr-tutorial/tutorial_general_202.png -[203]: ./media/soonr-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/spacio-tutorial.md b/articles/active-directory/saas-apps/spacio-tutorial.md index c7b0cec48eb24..910ddbe54a660 100644 --- a/articles/active-directory/saas-apps/spacio-tutorial.md +++ b/articles/active-directory/saas-apps/spacio-tutorial.md 
@@ -181,8 +181,8 @@ When you click the Spacio tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/spring-cm-tutorial.md b/articles/active-directory/saas-apps/spring-cm-tutorial.md
index 5190889477fa3..08a7cb5bec76c 100644
--- a/articles/active-directory/saas-apps/spring-cm-tutorial.md
+++ b/articles/active-directory/saas-apps/spring-cm-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: 4a42f797-ac58-4aca-a8e6-53bfe5529083
 ms.service: active-directory
@@ -12,8 +13,8 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 06/26/2017
+ms.topic: tutorial
+ms.date: 04-08-2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -21,111 +22,107 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with SpringCM In this tutorial, you learn how to integrate SpringCM with Azure Active Directory (Azure AD). - Integrating SpringCM with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to SpringCM -- You can enable your users to automatically get signed-on to SpringCM (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to SpringCM. +* You can enable your users to be automatically signed-in to SpringCM (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with SpringCM, you need the following items: -- An Azure AD subscription -- A SpringCM single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* SpringCM single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding SpringCM from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* SpringCM supports **SP** initiated SSO ## Adding SpringCM from the gallery + To configure the integration of SpringCM into Azure AD, you need to add SpringCM from the gallery to your list of managed SaaS apps. **To add SpringCM from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add a new application, click the **New application** button at the top of the dialog. -1. In the search box, type **SpringCM**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/spring-cm-tutorial/tutorial_springcm_search.png) +4. In the search box, type **SpringCM**, select **SpringCM** from the result panel then click the **Add** button to add the application. -1. 
In the results panel, select **SpringCM**, and then click **Add** button to add the application. + ![SpringCM in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/spring-cm-tutorial/tutorial_springcm_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with SpringCM based on a test user called "Britta Simon." +In this section, you configure and test Azure AD single sign-on with SpringCM based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in SpringCM needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in SpringCM is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in SpringCM needs to be established. +To configure and test Azure AD single sign-on with SpringCM, you need to complete the following building blocks: -In SpringCM, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure SpringCM Single Sign-On](#configure-springcm-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create SpringCM test user](#create-springcm-test-user)** - to have a counterpart of Britta Simon in SpringCM that is linked to the Azure AD representation of user. +6. 
**[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with SpringCM, you need to complete the following building blocks: +### Configure Azure AD single sign-on + +In this section, you enable Azure AD single sign-on in the Azure portal. -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a SpringCM test user](#creating-a-springcm-test-user)** - to have a counterpart of Britta Simon in SpringCM that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +To configure Azure AD single sign-on with SpringCM, perform the following steps: -### Configuring Azure AD single sign-on +1. In the [Azure portal](https://portal.azure.com/), on the **SpringCM** application integration page, select **Single sign-on**. -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your SpringCM application. + ![Configure single sign-on link](common/select-sso.png) -**To configure Azure AD single sign-on with SpringCM, perform the following steps:** +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. In the Azure portal, on the **SpringCM** application integration page, click **Single sign-on**. + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On][4] +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. 
On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/spring-cm-tutorial/tutorial_springcm_samlbase.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. On the **SpringCM Domain and URLs** section, perform the following steps: +4. On the **Basic SAML Configuration** section, perform the following steps: - ![Configure Single Sign-On](./media/spring-cm-tutorial/tutorial_springcm_url.png) + ![SpringCM Domain and URLs single sign-on information](common/sp-signonurl.png) - In the **Sign-on URL** textbox, type a URL using the following pattern: `https://na11.springcm.com/atlas/SSO/SSOEndpoint.ashx?aid=` + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://na11.springcm.com/atlas/SSO/SSOEndpoint.ashx?aid=` - > [!NOTE] - > This value is not real. Update this value with the actual Sign-On URL. Contact [SpringCM Client support team](https://knowledge.springcm.com/support) to get this value. - -1. On the **SAML Signing Certificate** section, click **Certificate(Raw)** and then save the certificate file on your computer. + > [!NOTE] + > The value is not real. Update the value with the actual Sign-On URL. Contact [SpringCM Client support team](https://knowledge.springcm.com/support) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - ![Configure Single Sign-On](./media/spring-cm-tutorial/tutorial_springcm_certificate.png) +4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer. -1. Click **Save** button. + ![The Certificate download link](common/certificateraw.png) - ![Configure Single Sign-On](./media/spring-cm-tutorial/tutorial_general_400.png) +6. 
On the **Set up SpringCM** section, copy the appropriate URL(s) as per your requirement. -1. On the **SpringCM Configuration** section, click **Configure SpringCM** to open **Configure sign-on** window. Copy the **SAML Entity ID, and SAML Single Sign-On Service URL** from the **Quick Reference section.** + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![Configure Single Sign-On](./media/spring-cm-tutorial/tutorial_springcm_configure.png) + a. Login URL + + b. Azure AD Identifier + + c. Logout URL + +### Configure SpringCM Single Sign-On 1. In a different web browser window, sign on to your **SpringCM** company site as administrator. 
@@ -139,134 +136,105 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf a. To upload your downloaded Azure Active Directory certificate, click **Select Issuer Certificate** or **Change Issuer Certificate**. - b. Paste **SAML Entity ID** value, which you have copied from Azure portal into the **Issuer** textbox. + b. In the **Issuer** textbox, paste **Azure AD Identifier** value, which you have copied from Azure portal. - c. Paste **SAML Single Sign-On Service URL** value, which you have copied from the Azure portal into the **Service Provider (SP) Initiated Endpoint** textbox. + c. In the **Service Provider (SP) Initiated Endpoint** textbox, paste **Login URL** value, which you have copied from the Azure portal. d. Select **SAML Enabled** as **Enable**. e. Click **Save**. - -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. +### Create an Azure AD test user -![Create Azure AD User][100] +The objective of this section is to create a test user in the Azure portal called Britta Simon. -**To create a test user in Azure AD, perform the following steps:** +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. 
+ ![The "Users and groups" and "All users" links](common/users.png) - ![Creating an Azure AD test user](./media/spring-cm-tutorial/create_aaduser_01.png) +2. Select **New user** at the top of the screen. -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/spring-cm-tutorial/create_aaduser_02.png) + ![New user Button](common/new-user.png) -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/spring-cm-tutorial/create_aaduser_03.png) +3. In the User properties, perform the following steps. -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/spring-cm-tutorial/create_aaduser_04.png) + ![The User dialog box](common/user-properties.png) - a. In the **Name** textbox, type **BrittaSimon**. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - b. In the **User name** textbox, type the **email address** of BrittaSimon. - - c. Select **Show Password** and write down the value of the **Password**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Creating a SpringCM test user -To enable Azure Active Directory users to log in to SpringCM, they must be provisioned into SpringCM. In the case of SpringCM, provisioning is a manual task. +### Assign the Azure AD test user ->[!NOTE] ->For more information, see [Create and Edit a SpringCM User](https://knowledge.springcm.com/create-and-edit-a-springcm-user). +In this section, you enable Britta Simon to use Azure single sign-on by granting access to SpringCM. -**To provision a user account to SpringCM, perform the following steps:** +1. 
In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SpringCM**. -1. Log in to your **SpringCM** company site as administrator. + ![Enterprise applications blade](common/enterprise-applications.png) -1. Click **GOTO**, and then click **ADDRESS BOOK**. - - ![Create User](./media/spring-cm-tutorial/ic797054.png "Create User") +2. In the applications list, select **SpringCM**. -1. Click **Create User**. + ![The SpringCM link in the Applications list](common/all-applications.png) -1. Select a **User Role**. +3. In the menu on the left, select **Users and groups**. -1. Select **Send Activation Email**. + ![The "Users and groups" link](common/users-groups-blade.png) -1. Type the first name, last name, and email address of a valid Azure Active Directory user account you want to provision into the related textboxes. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. Add the user to a **Security group**. + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Save**. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - >[!NOTE] - >You can use any other SpringCM user account creation tools or APIs provided by SpringCM to provision AAD user accounts. - > +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -### Assigning the Azure AD test user +7. In the **Add Assignment** dialog click the **Assign** button. -In this section, you enable Britta Simon to use Azure single sign-on by granting access to SpringCM. +### Create SpringCM test user -![Assign User][200] +To enable Azure Active Directory users to sign in to SpringCM, they must be provisioned into SpringCM. 
In the case of SpringCM, provisioning is a manual task. -**To assign Britta Simon to SpringCM, perform the following steps:** +> [!NOTE] +> For more information, see [Create and Edit a SpringCM User](https://knowledge.springcm.com/create-and-edit-a-springcm-user). -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +**To provision a user account to SpringCM, perform the following steps:** - ![Assign User][201] +1. Sign in to your **SpringCM** company site as administrator. -1. In the applications list, select **SpringCM**. +1. Click **GOTO**, and then click **ADDRESS BOOK**. + + ![Create User](./media/spring-cm-tutorial/ic797054.png "Create User") - ![Configure Single Sign-On](./media/spring-cm-tutorial/tutorial_springcm_app.png) +1. Click **Create User**. -1. In the menu on the left, click **Users and groups**. +1. Select a **User Role**. - ![Assign User][202] +1. Select **Send Activation Email**. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +1. Type the first name, last name, and email address of a valid Azure Active Directory user account you want to provision into the related textboxes. - ![Assign User][203] +1. Add the user to a **Security group**. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +1. Click **Save**. -1. Click **Select** button on **Users and groups** dialog. + > [!NOTE] + > You can use any other SpringCM user account creation tools or APIs provided by SpringCM to provision AAD user accounts. -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. - -When you click the SpringCM tile in the Access Panel, you should get automatically signed-on to your SpringCM application. 
-For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +When you click the SpringCM tile in the Access Panel, you should be automatically signed in to the SpringCM for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). ## Additional resources -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - - - -[1]: ./media/spring-cm-tutorial/tutorial_general_01.png -[2]: ./media/spring-cm-tutorial/tutorial_general_02.png -[3]: ./media/spring-cm-tutorial/tutorial_general_03.png -[4]: ./media/spring-cm-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/spring-cm-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/spring-cm-tutorial/tutorial_general_200.png -[201]: ./media/spring-cm-tutorial/tutorial_general_201.png -[202]: ./media/spring-cm-tutorial/tutorial_general_202.png -[203]: ./media/spring-cm-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/springerlink-tutorial.md b/articles/active-directory/saas-apps/springerlink-tutorial.md index ab46f47302c99..62d85008d0d23 100644 --- a/articles/active-directory/saas-apps/springerlink-tutorial.md 
+++ b/articles/active-directory/saas-apps/springerlink-tutorial.md
@@ -203,9 +203,9 @@ When you click the Springer Link tile in the Access Panel, you should be automat
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/sprinklr-tutorial.md b/articles/active-directory/saas-apps/sprinklr-tutorial.md
index 333a25b82e12b..ad522282c7344 100644
--- a/articles/active-directory/saas-apps/sprinklr-tutorial.md
+++ b/articles/active-directory/saas-apps/sprinklr-tutorial.md
@@ -269,8 +269,8 @@ When you click the Sprinklr tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/statuspage-tutorial.md b/articles/active-directory/saas-apps/statuspage-tutorial.md
index 22e8f878ade29..ebfea05f49e9d 100644
--- a/articles/active-directory/saas-apps/statuspage-tutorial.md
+++ b/articles/active-directory/saas-apps/statuspage-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: f6ee8bb3-df43-4c0d-bf84-89f18deac4b9
 ms.service: active-directory
@@ -12,278 +13,244 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 07/11/2017 +ms.topic: tutorial +ms.date: 03/22/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with StatusPage In this tutorial, you learn how to integrate StatusPage with Azure Active Directory (Azure AD). - Integrating StatusPage with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to StatusPage -- You can enable your users to automatically get signed-on to StatusPage (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to StatusPage. +* You can enable your users to be automatically signed-in to StatusPage (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with StatusPage, you need the following items: -- An Azure AD subscription -- A StatusPage single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* StatusPage single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding StatusPage from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* StatusPage supports **IDP** initiated SSO ## Adding StatusPage from the gallery + To configure the integration of StatusPage into Azure AD, you need to add StatusPage from the gallery to your list of managed SaaS apps. **To add StatusPage from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **StatusPage**. 
+ ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/statuspage-tutorial/tutorial_statuspage_search.png) +4. In the search box, type **StatusPage**, select **StatusPage** from result panel then click **Add** button to add the application. -1. In the results panel, select **StatusPage**, and then click **Add** button to add the application. + ![StatusPage in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/statuspage-tutorial/tutorial_statuspage_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with StatusPage based on a test user called "Britta Simon". +In this section, you configure and test Azure AD single sign-on with StatusPage based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in StatusPage needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in StatusPage is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in StatusPage needs to be established. +To configure and test Azure AD single sign-on with StatusPage, you need to complete the following building blocks: -In StatusPage, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure StatusPage Single Sign-On](#configure-statuspage-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create StatusPage test user](#create-statuspage-test-user)** - to have a counterpart of Britta Simon in StatusPage that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with StatusPage, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a StatusPage test user](#creating-a-statuspage-test-user)** - to have a counterpart of Britta Simon in StatusPage that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with StatusPage, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your StatusPage application. +1. In the [Azure portal](https://portal.azure.com/), on the **StatusPage** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with StatusPage, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **StatusPage** application integration page, click **Single sign-on**. +2. 
On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **StatusPage Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_url.png) +4. On the **Set up Single Sign-On with SAML** page, perform the following steps: - a. In the **Identifier** textbox, type a URL using the following pattern: + ![StatusPage Domain and URLs single sign-on information](common/idp-intiated.png) + a. In the **Identifier** text box, type a URL using the following pattern: + | | |--| - | `https://.statuspagestaging.com/` | - | `https://.statuspage.io/` | + | `https://.statuspagestaging.com/`| + | `https://.statuspage.io/`| - b. In the **Reply URL** textbox, type a URL using the following pattern: + b. In the **Reply URL** text box, type a URL using the following pattern: | | |--| - | `https://.statuspagestaging.com/sso/saml/consume` | - | `https://.statuspage.io/sso/saml/consume` | + | `https://.statuspagestaging.com/sso/saml/consume`| + | `https://.statuspage.io/sso/saml/consume`| - > [!NOTE] - > Contact the StatusPage support team at [SupportTeam@statuspage.io](mailto:SupportTeam@statuspage.io)to request metadata necessary to configure single sign-on. - > - > a. From the metadata, copy the Issuer value, and then paste it into the **Identifier** textbox. - > - > b. From the metadata, copy the Reply URL, and then paste it into the **Reply URL** textbox. 
+ > [!NOTE] + > Contact the StatusPage support team at [SupportTeam@statuspage.io](mailto:SupportTeam@statuspage.io)to request metadata necessary to configure single sign-on. + > + > a. From the metadata, copy the Issuer value, and then paste it into the **Identifier** textbox. + > + > b. From the metadata, copy the Reply URL, and then paste it into the **Reply URL** textbox. -1. On the **SAML Signing Certificate** section, click **Certificate (Base64)** and then save the certificate file on your computer. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_certificate.png) + ![The Certificate download link](common/certificatebase64.png) -1. Click **Save** button. +6. On the **Set up StatusPage** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_general_400.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. On the **StatusPage Configuration** section, click **Configure StatusPage** to open **Configure sign-on** window. Copy the **SAML Single Sign-On Service URL** from the **Quick Reference section.** + a. Login URL - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_configure.png) + b. Azure AD Identifier -1. In another browser window, sign on to your StatusPage company site as an administrator. + c. Logout URL -1. In the main toolbar, click **Manage Account**. - - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_06.png) +### Configure StatusPage Single Sign-On -1. Click the **Single Sign-on** tab. - - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_07.png) +1. 
In another browser window, sign in to your StatusPage company site as an administrator. -1. On the SSO Setup page, perform the following steps: - - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_08.png) +1. In the main toolbar, click **Manage Account**. - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_09.png) - - a. In the **SSO Target URL** textbox, paste the value of **SAML Single Sign-On Service URL**, which you have copied from Azure portal. + ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_06.png) - b. Open your downloaded certificate in Notepad, copy the content, and then paste it into the **Certificate** textbox. +1. Click the **Single Sign-on** tab. - c. Click **SAVE CONFIGURATION**. + ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_07.png) -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> +1. On the SSO Setup page, perform the following steps: -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_08.png) -![Create Azure AD User][100] + ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_09.png) -**To create a test user in Azure AD, perform the following steps:** + a. In the **SSO Target URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal. -1. 
In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. + b. Open your downloaded certificate in Notepad, copy the content, and then paste it into the **Certificate** textbox. - ![Creating an Azure AD test user](./media/statuspage-tutorial/create_aaduser_01.png) + c. Click **SAVE CONFIGURATION**. -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/statuspage-tutorial/create_aaduser_02.png) +### Create an Azure AD test user -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/statuspage-tutorial/create_aaduser_03.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/statuspage-tutorial/create_aaduser_04.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - a. In the **Name** textbox, type **BrittaSimon**. + ![The "Users and groups" and "All users" links](common/users.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. +2. Select **New user** at the top of the screen. - c. Select **Show Password** and write down the value of the **Password**. + ![New user Button](common/new-user.png) - d. Click **Create**. - -### Creating a StatusPage test user +3. In the User properties, perform the following steps. -The objective of this section is to create a user called Britta Simon in StatusPage. + ![The User dialog box](common/user-properties.png) -StatusPage supports just-in-time provisioning. You have already enabled it in [Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on). + a. In the **Name** field enter **BrittaSimon**. + + b. 
In the **User name** field type `brittasimon@yourcompanydomain.extension` + For example, BrittaSimon@contoso.com -**To create a user called Britta Simon in StatusPage, perform the following steps:** + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -1. Sign-on to your StatusPage company site as an administrator. + d. Click **Create**. -1. In the menu on the top, click **Manage Account**. +### Assign the Azure AD test user - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_06.png) +In this section, you enable Britta Simon to use Azure single sign-on by granting access to StatusPage. -1. Click the **Team Members** tab. - - ![Creating an Azure AD test user](./media/statuspage-tutorial/tutorial_statuspage_10.png) +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **StatusPage**. -1. Click **ADD TEAM MEMBER**. - - ![Creating an Azure AD test user](./media/statuspage-tutorial/tutorial_statuspage_11.png) + ![Enterprise applications blade](common/enterprise-applications.png) -1. Type the **Email Address**, **First Name**, and **Surname** of a valid user you want to provision into the related textboxes. - - ![Creating an Azure AD test user](./media/statuspage-tutorial/tutorial_statuspage_12.png) +2. In the applications list, select **StatusPage**. -1. As **Role**, choose **Client Administrator**. + ![The StatusPage link in the Applications list](common/all-applications.png) -1. Click **CREATE ACCOUNT**. +3. In the menu on the left, select **Users and groups**. -### Assigning the Azure AD test user + ![The "Users and groups" link](common/users-groups-blade.png) -In this section, you enable Britta Simon to use Azure single sign-on by granting access to StatusPage. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. 
-![Assign User][200] + ![The Add Assignment pane](common/add-assign-user.png) -**To assign Britta Simon to StatusPage, perform the following steps:** +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. - ![Assign User][201] +7. In the **Add Assignment** dialog click the **Assign** button. -1. In the applications list, select **StatusPage**. +### Create StatusPage test user - ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_app.png) +The objective of this section is to create a user called Britta Simon in StatusPage. -1. In the menu on the left, click **Users and groups**. +StatusPage supports just-in-time provisioning. You have already enabled it in [Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on). - ![Assign User][202] +**To create a user called Britta Simon in StatusPage, perform the following steps:** -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +1. Sign-on to your StatusPage company site as an administrator. - ![Assign User][203] +1. In the menu on the top, click **Manage Account**. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. + ![Configure Single Sign-On](./media/statuspage-tutorial/tutorial_statuspage_06.png) -1. Click **Select** button on **Users and groups** dialog. +1. Click the **Team Members** tab. + + ![Creating an Azure AD test user](./media/statuspage-tutorial/tutorial_statuspage_10.png) -1. Click **Assign** button on **Add Assignment** dialog. 
- -### Testing single sign-on +1. Click **ADD TEAM MEMBER**. + + ![Creating an Azure AD test user](./media/statuspage-tutorial/tutorial_statuspage_11.png) -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. +1. Type the **Email Address**, **First Name**, and **Surname** of a valid user you want to provision into the related textboxes. -When you click the StatusPage tile in the Access Panel, you should get automatically signed-on to your StatusPage application. + ![Creating an Azure AD test user](./media/statuspage-tutorial/tutorial_statuspage_12.png) -## Additional resources +1. As **Role**, choose **Client Administrator**. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +1. Click **CREATE ACCOUNT**. +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. - +When you click the StatusPage tile in the Access Panel, you should be automatically signed in to the StatusPage for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-[1]: ./media/statuspage-tutorial/tutorial_general_01.png -[2]: ./media/statuspage-tutorial/tutorial_general_02.png -[3]: ./media/statuspage-tutorial/tutorial_general_03.png -[4]: ./media/statuspage-tutorial/tutorial_general_04.png +## Additional Resources -[100]: ./media/statuspage-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/statuspage-tutorial/tutorial_general_200.png -[201]: ./media/statuspage-tutorial/tutorial_general_201.png -[202]: ./media/statuspage-tutorial/tutorial_general_202.png -[203]: ./media/statuspage-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/sugarcrm-tutorial.md b/articles/active-directory/saas-apps/sugarcrm-tutorial.md index 214732a64cda1..e42ed996c3b87 100644 --- a/articles/active-directory/saas-apps/sugarcrm-tutorial.md +++ b/articles/active-directory/saas-apps/sugarcrm-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 3331b9fc-ebc0-4a3a-9f7b-bf20ee35d180 ms.service: active-directory 
@@ -12,283 +13,247 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 07/13/2017 +ms.topic: tutorial +ms.date: 03/22/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Sugar CRM In this tutorial, you learn how to integrate Sugar CRM with Azure Active Directory (Azure AD). - Integrating Sugar CRM with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Sugar CRM -- You can enable your users to automatically get signed-on to Sugar CRM (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Sugar CRM. +* You can enable your users to be automatically signed-in to Sugar CRM (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Sugar CRM, you need the following items: -- An Azure AD subscription -- A Sugar CRM single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Sugar CRM single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Sugar CRM from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Sugar CRM supports **SP** initiated SSO ## Adding Sugar CRM from the gallery + To configure the integration of Sugar CRM into Azure AD, you need to add Sugar CRM from the gallery to your list of managed SaaS apps. **To add Sugar CRM from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Sugar CRM**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/sugarcrm-tutorial/tutorial_sugarcrm_search.png) +4. 
In the search box, type **Sugar CRM**, select **Sugar CRM** from result panel then click **Add** button to add the application. -1. In the results panel, select **Sugar CRM**, and then click **Add** button to add the application. + ![Sugar CRM in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/sugarcrm-tutorial/tutorial_sugarcrm_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Sugar CRM based on a test user called "Britta Simon". +In this section, you configure and test Azure AD single sign-on with Sugar CRM based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Sugar CRM needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Sugar CRM is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Sugar CRM needs to be established. +To configure and test Azure AD single sign-on with Sugar CRM, you need to complete the following building blocks: -In Sugar CRM, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Sugar CRM Single Sign-On](#configure-sugar-crm-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. 
**[Create Sugar CRM test user](#create-sugar-crm-test-user)** - to have a counterpart of Britta Simon in Sugar CRM that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with Sugar CRM, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a Sugar CRM test user](#creating-a-sugar-crm-test-user)** - to have a counterpart of Britta Simon in Sugar CRM that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with Sugar CRM, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Sugar CRM application. +1. In the [Azure portal](https://portal.azure.com/), on the **Sugar CRM** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Sugar CRM, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Sugar CRM** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. 
- ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/sugarcrm-tutorial/tutorial_sugarcrm_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Sugar CRM Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/sugarcrm-tutorial/tutorial_sugarcrm_url.png) +4. On the **Basic SAML Configuration** section, perform the following steps: - In the **Sign-on URL** textbox, type a URL using the following pattern: + ![Sugar CRM Domain and URLs single sign-on information](common/sp-signonurl.png) + + In the **Sign-on URL** text box, type a URL using the following pattern: | | |--| - | `https://.sugarondemand.com` | - | `https://.trial.sugarcrm` | + | `https://.sugarondemand.com`| + | `https://.trial.sugarcrm`| + + > [!NOTE] + > The value is not real. Update the value with the actual Sign-On URL. Contact [Sugar CRM Client support team](https://support.sugarcrm.com/) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - > [!NOTE] - > The value is not real. Update the value with the actual Sign-On URL. Contact [Sugar CRM Client support team](https://support.sugarcrm.com/) to get the value. - -1. On the **SAML Signing Certificate** section, click **Certificate (Base64)** and then save the certificate file on your computer. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. 
- ![Configure Single Sign-On](./media/sugarcrm-tutorial/tutorial_sugarcrm_certificate.png) + ![The Certificate download link](common/certificatebase64.png) -1. Click **Save** button. +6. On the **Set up Sugar CRM** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On](./media/sugarcrm-tutorial/tutorial_general_400.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. On the **Sugar CRM Configuration** section, click **Configure Sugar CRM** to open **Configure sign-on** window. Copy the **Sign-Out URL, and SAML Single Sign-On Service URL** from the **Quick Reference section.** + a. Login URL - ![Configure Single Sign-On](./media/sugarcrm-tutorial/tutorial_sugarcrm_configure.png) + b. Azure AD Identifier -1. In a different web browser window, log in to your Sugar CRM company site as an administrator. + c. Logout URL + +### Configure Sugar CRM Single Sign-On + +1. In a different web browser window, sign in to your Sugar CRM company site as an administrator. 1. Go to **Admin**. - + ![Admin](./media/sugarcrm-tutorial/ic795888.png "Admin") 1. In the **Administration** section, click **Password Management**. - + ![Administration](./media/sugarcrm-tutorial/ic795889.png "Administration") 1. Select **Enable SAML Authentication**. - + ![Administration](./media/sugarcrm-tutorial/ic795890.png "Administration") 1. In the **SAML Authentication** section, perform the following steps: - + ![SAML Authentication](./media/sugarcrm-tutorial/ic795891.png "SAML Authentication") - - a. In the **Login URL** textbox, paste the value of **SAML Single Sign-On Service URL**, which you have copied from Azure portal. + + a. In the **Login URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal. - b. In the **SLO URL** textbox, paste the value of **Sign-Out URL**, which you have copied from Azure portal. + b. 
In the **SLO URL** textbox, paste the value of **Logout URL**, which you have copied from Azure portal. c. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste the entire Certificate into **X.509 Certificate** textbox. d. Click **Save**. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> +### Create an Azure AD test user -### Creating an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. -![Create Azure AD User][100] +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -**To create a test user in Azure AD, perform the following steps:** + ![The "Users and groups" and "All users" links](common/users.png) -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. - - ![Creating an Azure AD test user](./media/sugarcrm-tutorial/create_aaduser_01.png) - -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/sugarcrm-tutorial/create_aaduser_02.png) +2. Select **New user** at the top of the screen. -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/sugarcrm-tutorial/create_aaduser_03.png) + ![New user Button](common/new-user.png) -1. 
On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/sugarcrm-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** textbox, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension` + For example, BrittaSimon@contoso.com - c. Select **Show Password** and write down the value of the **Password**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Creating a Sugar CRM test user -In order to enable Azure AD users to log in to Sugar CRM, they must be provisioned to Sugar CRM. +### Assign the Azure AD test user -In the case of Sugar CRM, provisioning is a manual task. +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Sugar CRM. -**To provision a user account, perform the following steps:** +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Sugar CRM**. -1. Log in to your **Sugar CRM** company site as administrator. + ![Enterprise applications blade](common/enterprise-applications.png) -1. Go to **Admin**. - - ![Admin](./media/sugarcrm-tutorial/ic795888.png "Admin") +2. In the applications list, select **Sugar CRM**. -1. In the **Administration** section, click **User Management**. - - ![Administration](./media/sugarcrm-tutorial/ic795893.png "Administration") + ![The Sugar CRM link in the Applications list](common/all-applications.png) -1. Go to **Users \> Create New User**. - - ![Create New User](./media/sugarcrm-tutorial/ic795894.png "Create New User") +3. In the menu on the left, select **Users and groups**. -1. 
On the **User Profile** tab, perform the following steps: - - ![New User](./media/sugarcrm-tutorial/ic795895.png "New User") + ![The "Users and groups" link](common/users-groups-blade.png) - a. Type the **user name**, **last name**, and **email address** of a valid Azure Active Directory user into the related textboxes. - -1. As **Status**, select **Active**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. On the Password tab, perform the following steps: - - ![New User](./media/sugarcrm-tutorial/ic795896.png "New User") + ![The Add Assignment pane](common/add-assign-user.png) - a. Type the password into the related textbox. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - b. Click **Save**. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. ->[!NOTE] ->You can use any other Sugar CRM user account creation tools or APIs provided by Sugar CRM to provision AAD user accounts. -> +7. In the **Add Assignment** dialog click the **Assign** button. -### Assigning the Azure AD test user +### Create Sugar CRM test user -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Sugar CRM. +In order to enable Azure AD users to sign in to Sugar CRM, they must be provisioned to Sugar CRM. In the case of Sugar CRM, provisioning is a manual task. -![Assign User][200] +**To provision a user account, perform the following steps:** -**To assign Britta Simon to Sugar CRM, perform the following steps:** +1. Sign in to your **Sugar CRM** company site as administrator. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +1. 
Go to **Admin**. - ![Assign User][201] + ![Admin](./media/sugarcrm-tutorial/ic795888.png "Admin") -1. In the applications list, select **Sugar CRM**. +1. In the **Administration** section, click **User Management**. - ![Configure Single Sign-On](./media/sugarcrm-tutorial/tutorial_sugarcrm_app.png) + ![Administration](./media/sugarcrm-tutorial/ic795893.png "Administration") -1. In the menu on the left, click **Users and groups**. +1. Go to **Users \> Create New User**. - ![Assign User][202] + ![Create New User](./media/sugarcrm-tutorial/ic795894.png "Create New User") -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +1. On the **User Profile** tab, perform the following steps: - ![Assign User][203] + ![New User](./media/sugarcrm-tutorial/ic795895.png "New User") -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. + * Type the **user name**, **last name**, and **email address** of a valid Azure Active Directory user into the related textboxes. + +1. As **Status**, select **Active**. -1. Click **Select** button on **Users and groups** dialog. +1. On the Password tab, perform the following steps: -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on + ![New User](./media/sugarcrm-tutorial/ic795896.png "New User") -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. + a. Type the password into the related textbox. -When you click the Sugar CRM tile in the Access Panel, you should get automatically signed-on to your Sugar CRM application. + b. Click **Save**. -## Additional resources +> [!NOTE] +> You can use any other Sugar CRM user account creation tools or APIs provided by Sugar CRM to provision AAD user accounts. 
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the Sugar CRM tile in the Access Panel, you should be automatically signed in to the Sugar CRM for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/sugarcrm-tutorial/tutorial_general_01.png -[2]: ./media/sugarcrm-tutorial/tutorial_general_02.png -[3]: ./media/sugarcrm-tutorial/tutorial_general_03.png -[4]: ./media/sugarcrm-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/sugarcrm-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/sugarcrm-tutorial/tutorial_general_200.png -[201]: ./media/sugarcrm-tutorial/tutorial_general_201.png -[202]: ./media/sugarcrm-tutorial/tutorial_general_202.png -[203]: ./media/sugarcrm-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/sumologic-tutorial.md b/articles/active-directory/saas-apps/sumologic-tutorial.md index f035a1801de2e..3e522f71b044d 100644 --- a/articles/active-directory/saas-apps/sumologic-tutorial.md +++ b/articles/active-directory/saas-apps/sumologic-tutorial.md 
@@ -257,9 +257,9 @@ When you click the SumoLogic tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/sumtotalcentral-tutorial.md b/articles/active-directory/saas-apps/sumtotalcentral-tutorial.md
index c93f18e03d583..c4ffbc24544be 100644
--- a/articles/active-directory/saas-apps/sumtotalcentral-tutorial.md
+++ b/articles/active-directory/saas-apps/sumtotalcentral-tutorial.md
@@ -191,8 +191,8 @@ When you click the SumTotalCentral tile in the Access Panel, you should be autom
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/syncplicity-tutorial.md b/articles/active-directory/saas-apps/syncplicity-tutorial.md
index aa2fb9981f3b8..f2d40591abc09 100644
--- a/articles/active-directory/saas-apps/syncplicity-tutorial.md
+++ b/articles/active-directory/saas-apps/syncplicity-tutorial.md
@@ -241,8 +241,8 @@ When you click the Syncplicity tile in the Access Panel, you should be automatic
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/synergi-tutorial.md b/articles/active-directory/saas-apps/synergi-tutorial.md
index abedbd2bbdc12..731a24767d87c 100644
--- a/articles/active-directory/saas-apps/synergi-tutorial.md
+++ b/articles/active-directory/saas-apps/synergi-tutorial.md
@@ -191,9 +191,9 @@ When you click the Synergi tile in the Access Panel, you should be automatically
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/tableau-online-provisioning-tutorial.md b/articles/active-directory/saas-apps/tableau-online-provisioning-tutorial.md
index c3f52567dc040..7c680986101e7 100644
--- a/articles/active-directory/saas-apps/tableau-online-provisioning-tutorial.md
+++ b/articles/active-directory/saas-apps/tableau-online-provisioning-tutorial.md
@@ -7,13 +7,14 @@ author: zchia
 writer: zchia
 manager: beatrizd-msft
-ms.assetid: na
+ms.assetid: 0be9c435-f9a1-484d-8059-e578d5797d8e
 ms.service: active-directory
+ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 07/30/2018
+ms.date: 03/27/2019
 ms.author: v-wingf-msft
 ms.collection: M365-identity-device-management
 ---
@@ -41,27 +42,21 @@ Before configuring Tableau Online for automatic user provisioning with Azure AD, **To add Tableau Online from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications** > **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications Section][2] + ![The Enterprise applications blade](common/enterprise-applications.png) -3. To add Tableau Online, click the **New application** button on the top of the dialog. +3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) -4. In the search box, type **Tableau Online**. +4. In the search box, type **Tableau Online**, select **Tableau Online** from result panel then click **Add** button to add the application. - ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/AppSearch.png) - -5. In the results panel, select **Tableau Online**, and then click the **Add** button to add Tableau Online to your list of SaaS applications. - - ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/AppSearchResults.png) - - ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/AppCreation.png) + ![Tableau Online in the results list](common/search-new-app.png) ## Assigning users to Tableau Online 
@@ -86,11 +81,13 @@ This section guides you through the steps to configure the Azure AD provisioning ### To configure automatic user provisioning for Tableau Online in Azure AD: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **Tableau Online**. + + ![Enterprise applications blade](common/enterprise-applications.png) -2. Select Tableau Online from your list of SaaS applications. +2. In the applications list, select **Tableau Online**. - ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/AppInstanceSearch.png) + ![The Tableau Online link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. 
@@ -112,15 +109,16 @@ This section guides you through the steps to configure the Azure AD provisioning 6. After logging in to your administrative account for Tableau Online, the values for **Domain** and **Content URL** can be extracted from the URL of the Admin page. - * The **Domain** for your Tableau Online account can be copied from this part of the URL: - ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/DomainUrlPart.png) + * The **Domain** for your Tableau Online account can be copied from this part of the URL: - * The **Content URL** for your Tableau Online account can be copied from this section, and is a value defined during account set-up. In this example, the value is "contoso": - ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/ContentUrlPart.png) + ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/DomainUrlPart.png) - > [!NOTE] - > Your **Domain** may be different from the one shown here. + * The **Content URL** for your Tableau Online account can be copied from this section, and is a value defined during account set-up. In this example, the value is "contoso": + + ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/ContentUrlPart.png) + > [!NOTE] + > Your **Domain** may be different from the one shown here. 7. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Tableau Online. If the connection fails, ensure your Tableau Online account has Admin permissions and try again. 
@@ -130,35 +128,35 @@ This section guides you through the steps to configure the Azure AD provisioning ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/EmailNotification.png) -10. Click **Save**. +9. Click **Save**. -11. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Tableau**. +10. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Tableau**. ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/UserMappings.png) -12. Review the user attributes that are synchronized from Azure AD to Tableau Online in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Tableau Online for update operations. Select the **Save** button to commit any changes. +11. Review the user attributes that are synchronized from Azure AD to Tableau Online in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Tableau Online for update operations. Select the **Save** button to commit any changes. ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/UserAttributeMapping.png) -13. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Tableau**. +12. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Tableau**. ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/GroupMappings.png) -14. Review the group attributes that are synchronized from Azure AD to Tableau Online in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Tableau Online for update operations. Select the **Save** button to commit any changes. +13. Review the group attributes that are synchronized from Azure AD to Tableau Online in the **Attribute Mapping** section. 
The attributes selected as **Matching** properties are used to match the user accounts in Tableau Online for update operations. Select the **Save** button to commit any changes. ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/GroupAttributeMapping.png) -15. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md). +14. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md). -16. To enable the Azure AD provisioning service for Tableau Online, change the **Provisioning Status** to **On** in the **Settings** section. +15. To enable the Azure AD provisioning service for Tableau Online, change the **Provisioning Status** to **On** in the **Settings** section. ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/ProvisioningStatus.png) -17. Define the users and/or groups that you would like to provision to Tableau Online by choosing the desired values in **Scope** in the **Settings** section. +16. Define the users and/or groups that you would like to provision to Tableau Online by choosing the desired values in **Scope** in the **Settings** section. ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/ScopeSync.png) -18. When you are ready to provision, click **Save**. +17. When you are ready to provision, click **Save**. ![Tableau Online Provisioning](./media/tableau-online-provisioning-tutorial/SaveProvisioning.png) 
@@ -171,7 +169,6 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti * [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) * [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - ## Next steps * [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md) diff --git a/articles/active-directory/saas-apps/tableauonline-tutorial.md b/articles/active-directory/saas-apps/tableauonline-tutorial.md index b810d0cc229fe..b9c3622e2a567 100644 --- a/articles/active-directory/saas-apps/tableauonline-tutorial.md +++ b/articles/active-directory/saas-apps/tableauonline-tutorial.md @@ -241,8 +241,8 @@ When you click the Tableau Online tile in the Access Panel, you should be automa ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/tableauserver-tutorial.md b/articles/active-directory/saas-apps/tableauserver-tutorial.md index f859d29c8409e..110c2dc62288a 100644 --- a/articles/active-directory/saas-apps/tableauserver-tutorial.md 
+++ b/articles/active-directory/saas-apps/tableauserver-tutorial.md
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: femila
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: c1917375-08aa-445c-a444-e22e23fa19e0
 ms.service: active-directory
@@ -13,46 +13,35 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 12/12/2018 +ms.topic: tutorial +ms.date: 03/22/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Tableau Server In this tutorial, you learn how to integrate Tableau Server with Azure Active Directory (Azure AD). - Integrating Tableau Server with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Tableau Server. -- You can enable your users to automatically get signed-on to Tableau Server (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Tableau Server. +* You can enable your users to be automatically signed-in to Tableau Server (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md) +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Tableau Server, you need the following items: -- An Azure AD subscription -- A Tableau Server single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Tableau Server single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -1. Adding Tableau Server from the gallery -2. Configuring and testing Azure AD single sign-on +* Tableau Server supports **SP** initiated SSO ## Adding Tableau Server from the gallery 
@@ -60,66 +49,86 @@ To configure the integration of Tableau Server into Azure AD, you need to add Ta **To add Tableau Server from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. + + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The Enterprise applications blade][2] - 3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) 4. In the search box, type **Tableau Server**, select **Tableau Server** from result panel then click **Add** button to add the application. - ![Tableau Server in the results list](./media/tableauserver-tutorial/tutorial-tableauserver-addfromgallery.png) + ![Tableau Server in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Tableau Server based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Tableau Server is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Tableau Server needs to be established. +In this section, you configure and test Azure AD single sign-on with Tableau Server based on a test user called **Britta Simon**. 
+For single sign-on to work, a link relationship between an Azure AD user and the related user in Tableau Server needs to be established. To configure and test Azure AD single sign-on with Tableau Server, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Configure Tableau Server Single Sign-On](#configure-tableau-server-single-sign-on)** - to configure the Single Sign-On settings on application side. 3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -4. **[Create Tableau Server test user](#create-tableau-server-test-user)** - to have a counterpart of Britta Simon in Cisco Umbrella that is linked to the Azure AD representation of user. -5. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Tableau Server test user](#create-tableau-server-test-user)** - to have a counterpart of Britta Simon in Tableau Server that is linked to the Azure AD representation of user. 6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Tableau Server application. +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with Tableau Server, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **Tableau Server** application integration page, select **Single sign-on**. 
-**To configure Azure AD single sign-on with Tableau Server, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Tableau Server** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure single sign-on link][4] + ![Single sign-on select mode](common/select-saml-option.png) -2. On the **Select a Single sign-on method** dialog, Click **Select** for **SAML** mode to enable single sign-on. +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. + + ![Edit Basic SAML Configuration](common/edit-urls.png) + +4. On the **Basic SAML Configuration** section, perform the following steps: + + ![Tableau Server Domain and URLs single sign-on information](common/sp-identifier-reply.png) + + a. In the **Sign-on URL** text box, type a URL using the following pattern: + `https://azure..link` + + b. In the **Identifier** box, type a URL using the following pattern: + `https://azure..link` + + c. In the **Reply URL** text box, type a URL using the following pattern: + `https://azure..link/wg/saml/SSO/index.html` + + > [!NOTE] + > The preceding values are not real values. Update the values with the actual URL and identifier from the Tableau Server configuration page which is explained later in the tutorial. - ![Configure Single Sign-On](common/tutorial-general-301.png) +5. Tableau Server application expects a custom claim **username** which needs to be defined as below. This is being used as user identifier instead of Unique user identifier claim. You can manage the values of these attributes from the **User Attributes & Claims** section on application integration page. Click **Edit** button to open **User Attributes & Claims** dialog. -3. Tableau Server application expects a custom claim **username** which needs to be defined as below. 
This is being used as user identifier instead of Unique user identifier claim. You can manage the values of these attributes from the **User Attributes & Claims** section on application integration page. Click **Edit** button to open **User Attributes & Claims** dialog. + ![image](common/edit-attribute.png) - ![image](./media/tableauserver-tutorial/tutorial-tableauserver-attribute.png) +6. In the **User Claims** section on the **User Attributes & Claims** dialog, configure SAML token attribute as shown in the image above and perform the following steps: -4. In the **User Claims** section on the **User Attributes & Claims** dialog, configure SAML token attribute as shown in the image above and perform the following steps: - - | Attribute Name | Attribute Value | Namespace | - | ---------------| --------------- | ----------- | + | Name | Source Attribute | Namespace | + | ---------------| --------------- | ----------- | | username | user.userprincipalname | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | + | | | a. Click **Add new claim** to open the **Manage user claims** dialog. - ![image](./media/tableauserver-tutorial/tutorial-tableauserver-add-attribute.png) + ![image](common/new-save-attribute.png) - ![image](./media/tableauserver-tutorial/tutorial-tableauserver-manage-attribute.png) + ![image](common/new-attribute-details.png) b. In the **Name** textbox, type the attribute name shown for that row. 
@@ -129,32 +138,27 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf e. From the **Source attribute** list, type the attribute value shown for that row. - f. Click **Save**. + f. Click **Ok** -5. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. + g. Click **Save**. - ![Configure Single Sign-On](common/editconfigure.png) +7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -6. On the **Basic SAML Configuration** section, perform the following steps: + ![The Certificate download link](common/metadataxml.png) - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://azure..link` - - b. In the **Identifier** textbox, type a URL using the following pattern: `https://azure..link` +8. On the **Set up Tableau Server** section, copy the appropriate URL(s) as per your requirement. - c. In the **Reply URL** textbox, type a URL using the following pattern: `https://azure..link/wg/saml/SSO/index.html` + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![image](./media/tableauserver-tutorial/tutorial-tableauserver-url.png) - - > [!NOTE] - > The preceding values are not real values. Update the values with the actual URL and identifier from the Tableau Server configuration page which is explained later in the tutorial. + a. Login URL -7. On the **SAML Signing Certificate** page, in the **SAML Signing Certificate** section, click **Download** to download **Federation Metadata XML** and then save certificate file on your computer. + b. Azure AD Identifier - ![The Certificate download link](./media/tableauserver-tutorial/tutorial-tableauserver-certificate.png) + c. 
Logout URL -### Configure Tableau Server Single Sign-On +### Configure Tableau Server Single Sign-On -1. To get SSO configured for your application, you need to sign-on to your Tableau Server tenant as an administrator. +1. To get SSO configured for your application, you need to sign in to your Tableau Server tenant as an administrator. 2. On the **CONFIGURATION** tab, select **User Identity & Access**, and then select the **Authentication** Method tab. 
@@ -165,14 +169,14 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf ![Configure Single Sign-On](./media/tableauserver-tutorial/tutorial-tableauserver-config.png) a. For **Authentication Method**, select SAML. - + b. Select the checkbox of **Enable SAML Authentication for the server**. - c. Tableau Server return URL—The URL that Tableau Server users will be accessing, such as . Using `http://localhost` is not recommended. Using a URL with a trailing slash (for example, `http://tableau_server/`) is not supported. Copy **Tableau Server return URL** and paste it to Azure AD **Sign On URL** textbox in **Tableau Server Domain and URLs** section. + c. Tableau Server return URL—The URL that Tableau Server users will be accessing, such as . Using `http://localhost` is not recommended. Using a URL with a trailing slash (for example, `http://tableau_server/`) is not supported. Copy **Tableau Server return URL** and paste it in to **Sign On URL** textbox in **Basic SAML Configuration** section in the Azure portal - d. SAML entity ID—The entity ID uniquely identifies your Tableau Server installation to the IdP. You can enter your Tableau Server URL again here, if you like, but it does not have to be your Tableau Server URL. Copy **SAML entity ID** and paste it to Azure AD **Identifier** textbox in **Tableau Server Domain and URLs** section. + d. SAML entity ID—The entity ID uniquely identifies your Tableau Server installation to the IdP. You can enter your Tableau Server URL again here, if you like, but it does not have to be your Tableau Server URL. Copy **SAML entity ID** and paste it in to **Identifier** textbox in **Basic SAML Configuration** section in the Azure portal - e. Click the **Download XML Metadata File** and open it in the text editor application. Locate Assertion Consumer Service URL with Http Post and Index 0 and copy the URL. Now paste it to Azure AD **Reply URL** textbox in **Tableau Server Domain and URLs** section. + e. 
Click the **Download XML Metadata File** and open it in the text editor application. Locate Assertion Consumer Service URL with Http Post and Index 0 and copy the URL. Now paste it in to **Reply URL** textbox in **Basic SAML Configuration** section in the Azure portal f. Locate your Federation Metadata file downloaded from Azure portal, and then upload it in the **SAML Idp metadata file**. @@ -180,9 +184,8 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf h. Click **Save** - >[!NOTE] - >Customer have to upload any certificate in the Tableau Server SAML SSO configuration and it will get ignored in the SSO flow. - >If you need help configuring SAML on Tableau Server then please refer to this article [Configure SAML](https://onlinehelp.tableau.com/v2018.2/server/en-us/saml_config_steps_tsm_ui.htm). + > [!NOTE] + > Customer have to upload any certificate in the Tableau Server SAML SSO configuration and it will get ignored in the SSO flow. If you need help configuring SAML on Tableau Server then please refer to this article [Configure SAML](https://onlinehelp.tableau.com/v2018.2/server/en-us/saml_config_steps_tsm_ui.htm). ### Create an Azure AD test user 
@@ -190,79 +193,71 @@ The objective of this section is to create a test user in the Azure portal calle 1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Create Azure AD User][100] + ![The "Users and groups" and "All users" links](common/users.png) 2. Select **New user** at the top of the screen. - ![Creating an Azure AD test user](common/create-aaduser-01.png) + ![New user Button](common/new-user.png) 3. In the User properties, perform the following steps. - ![Creating an Azure AD test user](common/create-aaduser-02.png) + ![The User dialog box](common/user-properties.png) - a. In the **Name** field, enter **BrittaSimon**. + a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension** + b. In the **User name** field type `brittasimon@yourcompanydomain.extension` For example, BrittaSimon@contoso.com - c. Select **Properties**, select the **Show password** check box, and then write down the value that's displayed in the Password box. - - d. Select **Create**. - -### Create Tableau Server test user + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -The objective of this section is to create a user called Britta Simon in Tableau Server. You need to provision all the users in the Tableau server. - -That username of the user should match the value which you have configured in the Azure AD custom attribute of **username**. With the correct mapping the integration should work Configuring Azure AD Single Sign-On. - ->[!NOTE] ->If you need to create a user manually, you need to contact the Tableau Server administrator in your organization. + d. Click **Create**. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Tableau Server. -1. 
In the Azure portal, select **Enterprise Applications**, select **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Tableau Server**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) 2. In the applications list, select **Tableau Server**. - ![Configure Single Sign-On](./media/tableauserver-tutorial/tutorial-tableauserver-app.png) + ![The Tableau Server link in the Applications list](common/all-applications.png) -3. In the menu on the left, click **Users and groups**. +3. In the menu on the left, select **Users and groups**. - ![Assign User][202] + ![The "Users and groups" link](common/users-groups-blade.png) -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][203] + ![The Add Assignment pane](common/add-assign-user.png) 5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -6. In the **Add Assignment** dialog, select the **Assign** button. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create Tableau Server test user + +The objective of this section is to create a user called Britta Simon in Tableau Server. You need to provision all the users in the Tableau server. + +That username of the user should match the value which you have configured in the Azure AD custom attribute of **username**. With the correct mapping the integration should work Configuring Azure AD Single Sign-On. 
+ +> [!NOTE] +> If you need to create a user manually, you need to contact the Tableau Server administrator in your organization. ### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the Tableau Server tile in the Access Panel, you should get automatically signed-on to your Tableau Server application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). - -## Additional resources +When you click the Tableau Server tile in the Access Panel, you should be automatically signed in to the Tableau Server for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: common/tutorial-general-01.png -[2]: common/tutorial-general-02.png -[3]: common/tutorial-general-03.png -[4]: common/tutorial-general-04.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[100]: common/tutorial-general-100.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[201]: common/tutorial-general-201.png -[202]: common/tutorial-general-202.png -[203]: common/tutorial-general-203.png 
diff --git a/articles/active-directory/saas-apps/tangoanalytics-tutorial.md b/articles/active-directory/saas-apps/tangoanalytics-tutorial.md
index 6d803a118c3c8..aceccd3e29ca1 100644
--- a/articles/active-directory/saas-apps/tangoanalytics-tutorial.md
+++ b/articles/active-directory/saas-apps/tangoanalytics-tutorial.md
@@ -191,8 +191,8 @@ When you click the Tango Analytics tile in the Access Panel, you should be autom
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/target-process-tutorial.md b/articles/active-directory/saas-apps/target-process-tutorial.md
index 8052736ed1d9b..770902fb23940 100644
--- a/articles/active-directory/saas-apps/target-process-tutorial.md
+++ b/articles/active-directory/saas-apps/target-process-tutorial.md
@@ -229,8 +229,8 @@ When you click the TargetProcess tile in the Access Panel, you should be automat
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/tas-tutorial.md b/articles/active-directory/saas-apps/tas-tutorial.md
index 79dabfb4b1a95..93ae649cd26d4 100644
--- a/articles/active-directory/saas-apps/tas-tutorial.md
+++ b/articles/active-directory/saas-apps/tas-tutorial.md
@@ -225,9 +225,9 @@ When you click the TAS tile in the Access Panel, you should be automatically sig
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/teamphoria-tutorial.md b/articles/active-directory/saas-apps/teamphoria-tutorial.md
index 577e47efc384c..20ddd009fbdbd 100644
--- a/articles/active-directory/saas-apps/teamphoria-tutorial.md
+++ b/articles/active-directory/saas-apps/teamphoria-tutorial.md
@@ -234,9 +234,9 @@ When you click the Teamphoria tile in the Access Panel, you should be automatica
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/teamseer-tutorial.md b/articles/active-directory/saas-apps/teamseer-tutorial.md
index 6fc190dbfb71c..91ba7cf6b06cf 100644
--- a/articles/active-directory/saas-apps/teamseer-tutorial.md
+++ b/articles/active-directory/saas-apps/teamseer-tutorial.md
@@ -239,8 +239,8 @@ When you click the TeamSeer tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/teamwork-tutorial.md b/articles/active-directory/saas-apps/teamwork-tutorial.md
index 7dc6747782775..37ee28e92fa1f 100644
--- a/articles/active-directory/saas-apps/teamwork-tutorial.md
+++ b/articles/active-directory/saas-apps/teamwork-tutorial.md
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: femila
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: bd4413c2-0d7c-41a7-aba4-b7a7a28c9448
 ms.service: active-directory
@@ -13,8 +13,8 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 04/04/2017
+ms.topic: tutorial
+ms.date: 08-04-2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -22,203 +22,181 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Teamwork.com In this tutorial, you learn how to integrate Teamwork.com with Azure Active Directory (Azure AD). - Integrating Teamwork.com with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Teamwork.com. -- You can enable your users to automatically get signed-on to Teamwork.com (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Teamwork.com. +* You can enable your users to be automatically signed-in to Teamwork.com (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Teamwork.com, you need the following items: -- An Azure AD subscription -- A Teamwork.com single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Teamwork.com single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Teamwork.com from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Teamwork.com supports **SP** initiated SSO ## Adding Teamwork.com from the gallery + To configure the integration of Teamwork.com into Azure AD, you need to add Teamwork.com from the gallery to your list of managed SaaS apps. **To add Teamwork.com from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - - ![The Azure Active Directory button][1] +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon. -1. Navigate to **Enterprise applications**. Then go to **All applications**. + ![The Azure Active Directory button](common/select-azuread.png) - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The New application button][3] + ![The Enterprise applications blade](common/enterprise-applications.png) -1. In the search box, type **Teamwork.com**, select **Teamwork.com** from result panel then click **Add** button to add the application. +3. To add a new application, click the **New application** button at the top of the dialog. 
- ![Teamwork.com in the results list](./media/teamwork-tutorial/tutorial_teamwork_addfromgallery.png) + ![The New application button](common/add-new-app.png) -## Configure and test Azure AD single sign-on +4. In the search box, type **Teamwork.com**, select **Teamwork.com** from the result panel then click the **Add** button to add the application. -In this section, you configure and test Azure AD single sign-on with Teamwork.com based on a test user called "Britta Simon". + ![Teamwork.com in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know what the counterpart user in Teamwork.com is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Teamwork.com needs to be established. +## Configure and test Azure AD single sign-on -In Teamwork.com, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with Teamwork.com based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Teamwork.com needs to be established. To configure and test Azure AD single sign-on with Teamwork.com, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a Teamwork.com test user](#create-a-teamworkcom-test-user)** - to have a counterpart of Britta Simon in Teamwork.com that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. 
**[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure Teamwork.com Single Sign-On](#configure-teamworkcom-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Teamwork.com test user](#create-teamworkcom-test-user)** - to have a counterpart of Britta Simon in Teamwork.com that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Teamwork.com application. +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with Teamwork.com, perform the following steps: -**To configure Azure AD single sign-on with Teamwork.com, perform the following steps:** +1. In the [Azure portal](https://portal.azure.com/), on the **Teamwork.com** application integration page, select **Single sign-on**. -1. In the Azure portal, on the **Teamwork.com** application integration page, click **Single sign-on**. + ![Configure single sign-on link](common/select-sso.png) - ![Configure single sign-on link][4] +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/teamwork-tutorial/tutorial_teamwork_samlbase.png) + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Teamwork.com Domain and URLs** section, perform the following steps: +3. 
On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Teamwork.com Domain and URLs single sign-on information](./media/teamwork-tutorial/tutorial_teamwork_url.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.teamwork.com` +4. On the **Basic SAML Configuration** section, perform the following steps: - b. In the **Identifier** textbox, type the URL: + ![Teamwork.com Domain and URLs single sign-on information](common/sp-identifier.png) - ||| + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.teamwork.com` + + b. In the **Identifier (Entity ID)** text box, type the URL: + + | | | |-|-| | `https://teamwork.com/saml`| | `https://eu.teamwork.com/saml`| - > [!NOTE] - > This Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact [Teamwork.com support team](mailto:support@teamwork.com) to get this value. + > [!NOTE] + > This Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact [Teamwork.com support team](mailto:support@teamwork.com) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. +4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. - ![The Certificate download link](./media/teamwork-tutorial/tutorial_teamwork_certificate.png) + ![The Certificate download link](common/metadataxml.png) -1. Click **Save** button. +6. On the **Set up Teamwork.com** section, copy the appropriate URL(s) as per your requirement. 
- ![Configure Single Sign-On Save button](./media/teamwork-tutorial/tutorial_general_400.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. To configure single sign-on on **Teamwork.com** side, you need to send the downloaded **Metadata XML** to [Teamwork.com support team](mailto:support@teamwork.com). They set this setting to have the SAML SSO connection set properly on both sides. + a. Login URL -### Create an Azure AD test user + b. Azure AD Identifier -The objective of this section is to create a test user in the Azure portal called Britta Simon. + c. Logout URL - ![Create an Azure AD test user][100] +### Configure Teamwork.com Single Sign-On -**To create a test user in Azure AD, perform the following steps:** +To configure single sign-on on **Teamwork.com** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Teamwork.com support team](mailto:support@teamwork.com). They set this setting to have the SAML SSO connection set properly on both sides. -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +### Create an Azure AD test user - ![The Azure Active Directory button](./media/teamwork-tutorial/create_aaduser_01.png) - -1. To display the list of users, go to **Users and groups**, and then click **All users**. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![The "Users and groups" and "All users" links](./media/teamwork-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Add button](./media/teamwork-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -1. 
In the **User** dialog box, perform the following steps: + ![New user Button](common/new-user.png) - ![The User dialog box](./media/teamwork-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** box, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** box, type the email address of user Britta Simon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Create a Teamwork.com test user - -In this section, you create a user called Britta Simon in Teamwork.com. Work with [Teamwork.com support team](mailto:support@teamwork.com) to add the users in the Teamwork.com platform. Users must be created and activated before you use single sign-on. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Teamwork.com. -![Assign the user role][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Teamwork.com**. + + ![Enterprise applications blade](common/enterprise-applications.png) -**To assign Britta Simon to Teamwork.com, perform the following steps:** +2. In the applications list, select **Teamwork.com**. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. + ![The Teamwork.com link in the Applications list](common/all-applications.png) - ![Assign User][201] +3. In the menu on the left, select **Users and groups**. -1. In the applications list, select **Teamwork.com**. 
+ ![The "Users and groups" link](common/users-groups-blade.png) - ![The Teamwork.com link in the Applications list](./media/teamwork-tutorial/tutorial_teamwork_app.png) +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. In the menu on the left, click **Users and groups**. + ![The Add Assignment pane](common/add-assign-user.png) - ![The "Users and groups" link][202] +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +7. In the **Add Assignment** dialog click the **Assign** button. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +### Create Teamwork.com test user -1. Click **Select** button on **Users and groups** dialog. +In this section, you create a user called Britta Simon in Teamwork.com. Work with [Teamwork.com support team](mailto:support@teamwork.com) to add the users in the Teamwork.com platform. Users must be created and activated before you use single sign-on. -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the Teamwork.com tile in the Access Panel, you should get automatically signed-on to your Teamwork.com application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). 
+When you click the Teamwork.com tile in the Access Panel, you should be automatically signed in to the Teamwork.com for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). ## Additional resources -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - - - -[1]: ./media/teamwork-tutorial/tutorial_general_01.png -[2]: ./media/teamwork-tutorial/tutorial_general_02.png -[3]: ./media/teamwork-tutorial/tutorial_general_03.png -[4]: ./media/teamwork-tutorial/tutorial_general_04.png - -[100]: ./media/teamwork-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/teamwork-tutorial/tutorial_general_200.png -[201]: ./media/teamwork-tutorial/tutorial_general_201.png -[202]: ./media/teamwork-tutorial/tutorial_general_202.png -[203]: ./media/teamwork-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/textmagic-tutorial.md b/articles/active-directory/saas-apps/textmagic-tutorial.md index 6ad39514a0186..0283ac15c9204 100644 --- a/articles/active-directory/saas-apps/textmagic-tutorial.md +++ b/articles/active-directory/saas-apps/textmagic-tutorial.md 
@@ -236,8 +236,8 @@ When you click the TextMagic tile in the Access Panel, you should be automatical
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/thefundingportal-tutorial.md b/articles/active-directory/saas-apps/thefundingportal-tutorial.md
index 98605412748f5..ae91c2edaec2b 100644
--- a/articles/active-directory/saas-apps/thefundingportal-tutorial.md
+++ b/articles/active-directory/saas-apps/thefundingportal-tutorial.md
@@ -220,8 +220,8 @@ When you click The Funding Portal tile in the Access Panel, you should be automa
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\ No newline at end of file
diff --git a/articles/active-directory/saas-apps/thirdlight-tutorial.md b/articles/active-directory/saas-apps/thirdlight-tutorial.md
index d84d7befa7761..e5fff9a254e67 100644
--- a/articles/active-directory/saas-apps/thirdlight-tutorial.md
+++ b/articles/active-directory/saas-apps/thirdlight-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: 168aae9a-54ee-4c2b-ab12-650a2c62b901
 ms.service: active-directory
@@ -12,247 +13,219 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/16/2017 +ms.topic: tutorial +ms.date: 03/25/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with ThirdLight In this tutorial, you learn how to integrate ThirdLight with Azure Active Directory (Azure AD). - Integrating ThirdLight with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to ThirdLight -- You can enable your users to automatically get signed-on to ThirdLight (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to ThirdLight. +* You can enable your users to be automatically signed-in to ThirdLight (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with ThirdLight, you need the following items: -- An Azure AD subscription -- A ThirdLight single-sign on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* ThirdLight single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding ThirdLight from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* ThirdLight supports **SP** initiated SSO ## Adding ThirdLight from the gallery + To configure the integration of ThirdLight into Azure AD, you need to add ThirdLight from the gallery to your list of managed SaaS apps. **To add ThirdLight from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **ThirdLight**. 
+ ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/thirdlight-tutorial/tutorial_thirdlight_search.png) +4. In the search box, type **ThirdLight**, select **ThirdLight** from result panel then click **Add** button to add the application. -1. In the results panel, select **ThirdLight**, and then click **Add** button to add the application. + ![ThirdLight in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/thirdlight-tutorial/tutorial_thirdlight_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with ThirdLight based on a test user called "Britta Simon." +In this section, you configure and test Azure AD single sign-on with ThirdLight based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in ThirdLight needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in ThirdLight is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in ThirdLight needs to be established. +To configure and test Azure AD single sign-on with ThirdLight, you need to complete the following building blocks: -This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in ThirdLight. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure ThirdLight Single Sign-On](#configure-thirdlight-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create ThirdLight test user](#create-thirdlight-test-user)** - to have a counterpart of Britta Simon in ThirdLight that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with ThirdLight, you need to complete the following building blocks: +### Configure Azure AD single sign-on + +In this section, you enable Azure AD single sign-on in the Azure portal. -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a ThirdLight test user](#creating-a-thirdlight-test-user)** - to have a counterpart of Britta Simon in ThirdLight that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +To configure Azure AD single sign-on with ThirdLight, perform the following steps: -### Configuring Azure AD single sign-on +1. In the [Azure portal](https://portal.azure.com/), on the **ThirdLight** application integration page, select **Single sign-on**. -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your ThirdLight application. + ![Configure single sign-on link](common/select-sso.png) -**To configure Azure AD single sign-on with ThirdLight, perform the following steps:** +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. 
In the Azure portal, on the **ThirdLight** application integration page, click **Single sign-on**. + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On][4] +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/thirdlight-tutorial/tutorial_thirdlight_samlbase.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. On the **ThirdLight Domain and URLs** section, perform the following steps: +4. On the **Basic SAML Configuration** section, perform the following steps: - ![Configure Single Sign-On](./media/thirdlight-tutorial/tutorial_thirdlight_url.png) + ![ThirdLight Domain and URLs single sign-on information](common/sp-identifier.png) - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.thirdlight.com/` + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.thirdlight.com/` - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.thirdlight.com/saml/sp` + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://.thirdlight.com/saml/sp` - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identiifer. Contact [ThirdLight Client support team](https://www.thirdlight.com/support) to get these values. - -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the XML file on your computer. + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [ThirdLight Client support team](https://www.thirdlight.com/support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. 
- ![Configure Single Sign-On](./media/thirdlight-tutorial/tutorial_thirdlight_certificate.png) +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -1. Click **Save** button. + ![The Certificate download link](common/metadataxml.png) - ![Configure Single Sign-On](./media/thirdlight-tutorial/tutorial_general_400.png) +6. On the **Set up ThirdLight** section, copy the appropriate URL(s) as per your requirement. -1. In a different web browser window, log in to your ThirdLight company site as an administrator. + ![Copy configuration URLs](common/copy-configuration-urls.png) + + a. Login URL + + b. Azure AD Identifier + + c. Logout URL + +### Configure ThirdLight Single Sign-On + +1. In a different web browser window, sign in to your ThirdLight company site as an administrator. 1. Go to **Configuration \> System Administration**, and then click **SAML2**. - + ![System Administration](./media/thirdlight-tutorial/ic805843.png "System Administration") 1. In the SAML2 configuration section, perform the following steps: - - ![SAML Single Sign-On](./media/thirdlight-tutorial/ic805844.png "SAML Single Sign-On") - - a. Select **Enable SAML2 Single Sign-On**. - - b. As **Source for IdP Metadata**, select **Load IdP Metadata from XML**. - - c. Open the downloaded metadata file, copy the content, and then paste it - into the **IdP Metadata XML** textbox. - - d. Click **Save SAML2 settings**. - -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. 
You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) - -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + + ![SAML Single Sign-On](./media/thirdlight-tutorial/ic805844.png "SAML Single Sign-On") -![Create Azure AD User][100] + a. Select **Enable SAML2 Single Sign-On**. -**To create a test user in Azure AD, perform the following steps:** + b. As **Source for IdP Metadata**, select **Load IdP Metadata from XML**. -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. + c. Open the downloaded metadata file from the Azure portal, copy the content, and then paste it into the **IdP Metadata XML** textbox. - ![Creating an Azure AD test user](./media/thirdlight-tutorial/create_aaduser_01.png) + d. Click **Save SAML2 settings**. -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/thirdlight-tutorial/create_aaduser_02.png) +### Create an Azure AD test user -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/thirdlight-tutorial/create_aaduser_03.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/thirdlight-tutorial/create_aaduser_04.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - a. In the **Name** textbox, type **BrittaSimon**. + ![The "Users and groups" and "All users" links](common/users.png) - b. In the **User name** textbox, type the **email address** of Britta Simon. +2. Select **New user** at the top of the screen. - c. 
Select **Show Password** and write down the value of the **Password**. + ![New user Button](common/new-user.png) - d. Click **Create**. - -### Creating a ThirdLight test user +3. In the User properties, perform the following steps. -To enable Azure AD users to log in to ThirdLight, they must be provisioned into ThirdLight. -In the case of ThirdLight, provisioning is a manual task. + ![The User dialog box](common/user-properties.png) -**To provision a user account, perform the following steps:** + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com. -1. Log in to your **ThirdLight** company site as an administrator. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -1. Go to **Users** tab. + d. Click **Create**. -1. Select **Users and Groups**. +### Assign the Azure AD test user -1. Click **Add new User** button. +In this section, you enable Britta Simon to use Azure single sign-on by granting access to ThirdLight. -1. Enter **the Username, Name or Description, Email, Choose a Preset or Group of New Members** of a valid AAD account you want to provision. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **ThirdLight**. -1. Click **Create**. + ![Enterprise applications blade](common/enterprise-applications.png) ->[!NOTE] ->You can use any other Thirdlight user account creation tools or APIs provided by Thirdlight to provision AAD user accounts. +2. In the applications list, select **ThirdLight**. -### Assigning the Azure AD test user + ![The ThirdLight link in the Applications list](common/all-applications.png) -In this section, you enable Britta Simon to use Azure single sign-on by granting access to ThirdLight. +3. In the menu on the left, select **Users and groups**. 
+ + ![The "Users and groups" link](common/users-groups-blade.png) -![Assign User][200] +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -**To assign Britta Simon to ThirdLight, perform the following steps:** + ![The Add Assignment pane](common/add-assign-user.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![Assign User][201] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. In the applications list, select **ThirdLight**. +7. In the **Add Assignment** dialog click the **Assign** button. - ![Configure Single Sign-On](./media/thirdlight-tutorial/tutorial_thirdlight_app.png) +### Create ThirdLight test user -1. In the menu on the left, click **Users and groups**. +To enable Azure AD users to sign in to ThirdLight, they must be provisioned into ThirdLight. +In the case of ThirdLight, provisioning is a manual task. - ![Assign User][202] +**To provision a user account, perform the following steps:** -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +1. Sign in to your **ThirdLight** company site as an administrator. - ![Assign User][203] +1. Go to **Users** tab. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +1. Select **Users and Groups**. -1. Click **Select** button on **Users and groups** dialog. +1. Click **Add new User** button. -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +1. 
Enter **the Username, Name or Description, Email, Choose a Preset or Group of New Members** of a valid AAD account you want to provision. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +1. Click **Create**. -When you click the ThirdLight tile in the Access Panel, you should get automatically signed-on to your ThirdLight application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +> [!NOTE] +> You can use any other Thirdlight user account creation tools or APIs provided by Thirdlight to provision AAD user accounts. -## Additional resources +### Test single sign-on -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +In this section, you test your Azure AD single sign-on configuration using the Access Panel. - +When you click the ThirdLight tile in the Access Panel, you should be automatically signed in to the ThirdLight for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-[1]: ./media/thirdlight-tutorial/tutorial_general_01.png -[2]: ./media/thirdlight-tutorial/tutorial_general_02.png -[3]: ./media/thirdlight-tutorial/tutorial_general_03.png -[4]: ./media/thirdlight-tutorial/tutorial_general_04.png +## Additional Resources -[100]: ./media/thirdlight-tutorial/tutorial_general_100.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[200]: ./media/thirdlight-tutorial/tutorial_general_200.png -[201]: ./media/thirdlight-tutorial/tutorial_general_201.png -[202]: ./media/thirdlight-tutorial/tutorial_general_202.png -[203]: ./media/thirdlight-tutorial/tutorial_general_203.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/thirdpartytrust-tutorial.md b/articles/active-directory/saas-apps/thirdpartytrust-tutorial.md index ef976d67df50b..a6f90e5ce5b0f 100644 --- a/articles/active-directory/saas-apps/thirdpartytrust-tutorial.md +++ b/articles/active-directory/saas-apps/thirdpartytrust-tutorial.md 
@@ -191,9 +191,9 @@ When you click the ThirdPartyTrust tile in the Access Panel, you should be autom
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/thoughtworks-mingle-tutorial.md b/articles/active-directory/saas-apps/thoughtworks-mingle-tutorial.md
index 753911765f08e..1e3d1aff37559 100644
--- a/articles/active-directory/saas-apps/thoughtworks-mingle-tutorial.md
+++ b/articles/active-directory/saas-apps/thoughtworks-mingle-tutorial.md
@@ -229,9 +229,9 @@ When you click the Thoughtworks Mingle tile in the Access Panel, you should be a
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/thousandeyes-provisioning-tutorial.md b/articles/active-directory/saas-apps/thousandeyes-provisioning-tutorial.md
index a0d3b61b712d6..4933267ad4bc0 100644
--- a/articles/active-directory/saas-apps/thousandeyes-provisioning-tutorial.md
+++ b/articles/active-directory/saas-apps/thousandeyes-provisioning-tutorial.md
@@ -14,7 +14,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 01/26/2018
+ms.date: 03/28/2019
 ms.author: asmalser-msft
 ms.collection: M365-identity-device-management
@@ -22,22 +22,18 @@ ms.collection: M365-identity-device-management # Tutorial: Configure ThousandEyes for automatic user provisioning - The objective of this tutorial is to show you the steps you need to perform in ThousandEyes and Azure AD to automatically provision and de-provision user accounts from Azure AD to ThousandEyes. ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following items: -* An Azure Active directory tenant -* An active [ThousandEyes account](https://www.thousandeyes.com/pricing) -* A ThousandEyes user account that has been assigned a Role which includes the following 3 permissions: - * view all users - * edit user - * API access permissions +* An Azure Active directory tenant +* A ThousandEyes tenant with the [Standard plan](https://www.thousandeyes.com/pricing) or better enabled +* A user account in ThousandEyes with Admin permissions > [!NOTE] -> The Azure AD provisioning integration relies on the [ThousandEyes SCIM API](https://success.thousandeyes.com/PublicArticlePage?articleIdParam=kA044000000CnWrCAK_ThousandEyes-support-for-SCIM). +> The Azure AD provisioning integration relies on the [ThousandEyes SCIM API](https://success.thousandeyes.com/PublicArticlePage?articleIdParam=kA044000000CnWrCAK), which is available to ThousandEyes teams on the Standard plan or better. ## Assigning users to ThousandEyes 
@@ -49,34 +45,19 @@ Before configuring and enabling the provisioning service, you need to decide wha ### Important tips for assigning users to ThousandEyes -* It is recommended that a single Azure AD user is assigned to ThousandEyes to test the provisioning configuration. Additional users and/or groups may be assigned later. - -* When assigning a user to ThousandEyes, you must select either the **User** role or another valid application-specific role (if available) in the assignment dialogue. The **Default Access** role does not work for provisioning, and these users are skipped. - -## Configure auto-provisioned user roles in ThousandEyes - -For each account group, you are auto-provisioning users into you can configure a set of roles to be applied when the new user account is created. By default, auto-provisioning users are assigned the _Regular User_ role for all account groups unless configured otherwise. - -1. To specify a new set of roles for auto-provisioned users log-into ThousandEyes and navigate to the SCIM Settings section **> your user icon in the top right corner > Account Settings > Organization > Security & Authentication.** - - ![Navigate to SCIM API Settings](https://monosnap.com/file/kqY8Il7eysGFAiCLCQWFizzM27PiBG) - -2. Add an entry for each account group, assign a set of roles then *save* your changes. - - ![Set default roles and account groups for users created via SCIM API](https://monosnap.com/file/16siam6U8xDQH1RTnaxnmIxvsZuNZG) +* It is recommended that a single Azure AD user is assigned to ThousandEyes to test the provisioning configuration. Additional users and/or groups may be assigned later. +* When assigning a user to ThousandEyes, you must select either the **User** role, or another valid application-specific role (if available) in the assignment dialog. The **Default Access** role does not work for provisioning, and these users are skipped. 
## Configuring user provisioning to ThousandEyes This section guides you through connecting your Azure AD to ThousandEyes's user account provisioning API, and configuring the provisioning service to create, update, and disable assigned user accounts in ThousandEyes based on user and group assignment in Azure AD. > [!TIP] -> You may also choose to enabled SAML-based Single Sign-On (SSO) for ThousandEyes, following the [instructions provided in Azure knowledge base](https://docs.microsoft.com/azure/active-directory/saas-apps/thousandeyes-tutorial) to complete SSO. SSO can be configured independently of automatic provisioning, though these two features complement each other. - +> You may also choose to enabled SAML-based Single Sign-On for ThousandEyes, following the instructions provided in [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other. ### Configure automatic user account provisioning to ThousandEyes in Azure AD - 1. In the [Azure portal](https://portal.azure.com), browse to the **Azure Active Directory > Enterprise Apps > All applications** section. 2. If you have already configured ThousandEyes for single sign-on, search for your instance of ThousandEyes using the search field. Otherwise, select **Add** and search for **ThousandEyes** in the application gallery. Select ThousandEyes from the search results, and add it to your list of applications. 
@@ -88,7 +69,7 @@ This section guides you through connecting your Azure AD to ThousandEyes's user
 ![ThousandEyes Provisioning](./media/thousandeyes-provisioning-tutorial/ThousandEyes1.png)
 5. Under the **Admin Credentials** section, input the **OAuth Bearer Token**
-generated by your ThousandEyes' account (you can find and or generate a token under your ThousandEyes account **Profile** section).
+generated by your ThousandEyes's account (you can find and or generate a token under your ThousandEyes account **Profile** section).
 ![ThousandEyes Provisioning](./media/thousandeyes-provisioning-tutorial/ThousandEyes2.png)
@@ -96,7 +77,7 @@ generated by your ThousandEyes' account (you can find and or generate a token un
 7. Enter the email address of a person or group who should receive provisioning error notifications in the **Notification Email** field, and check the checkbox "Send an email notification when a failure occurs."
-8. Click **Save**.
+8. Click **Save**.
 9. Under the Mappings section, select **Synchronize Azure Active Directory Users to ThousandEyes**.
@@ -104,13 +85,12 @@ generated by your ThousandEyes' account (you can find and or generate a token un 11. To enable the Azure AD provisioning service for ThousandEyes, change the **Provisioning Status** to **On** in the **Settings** section -12. Click **Save**. +12. Click **Save**. This operation starts the initial synchronization of any users and/or groups assigned to ThousandEyes in the Users and Groups section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). - ## Additional resources * [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) diff --git a/articles/active-directory/saas-apps/thousandeyes-tutorial.md b/articles/active-directory/saas-apps/thousandeyes-tutorial.md index ca70b79f7f8eb..fd0c175f1004a 100644 --- a/articles/active-directory/saas-apps/thousandeyes-tutorial.md +++ b/articles/active-directory/saas-apps/thousandeyes-tutorial.md 
@@ -246,9 +246,9 @@ When you click the ThousandEyes tile in the Access Panel, you should be automati
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/tidemark-tutorial.md b/articles/active-directory/saas-apps/tidemark-tutorial.md
index bba431dd45de8..e470fd3f04d6e 100644
--- a/articles/active-directory/saas-apps/tidemark-tutorial.md
+++ b/articles/active-directory/saas-apps/tidemark-tutorial.md
@@ -200,9 +200,9 @@ When you click the Tidemark tile in the Access Panel, you should be automaticall
 ## Additional Resources
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/tigertext-tutorial.md b/articles/active-directory/saas-apps/tigertext-tutorial.md
index e25978b6260f1..2bc8fb44126f5 100644
--- a/articles/active-directory/saas-apps/tigertext-tutorial.md
+++ b/articles/active-directory/saas-apps/tigertext-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: 03f1e128-5bcb-4e49-b6a3-fe22eedc6d5e
 ms.service: active-directory
@@ -12,210 +13,186 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 07/21/2017 +ms.topic: tutorial +ms.date: 03/29/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with TigerText Secure Messenger In this tutorial, you learn how to integrate TigerText Secure Messenger with Azure Active Directory (Azure AD). - Integrating TigerText Secure Messenger with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to TigerText Secure Messenger -- You can enable your users to automatically get signed-on to TigerText Secure Messenger (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to TigerText Secure Messenger. +* You can enable your users to be automatically signed-in to TigerText Secure Messenger (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with TigerText Secure Messenger, you need the following items: -- An Azure AD subscription -- A TigerText Secure Messenger single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/) +* TigerText Secure Messenger single sign-on enabled subscription -To test the steps in this tutorial, you should follow these recommendations: +## Scenario description -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +* TigerText Secure Messenger supports **SP** initiated SSO -1. Add TigerText Secure Messenger from the gallery -1. Configure and test Azure AD single sign-on +## Adding TigerText Secure Messenger from the gallery -## Add TigerText Secure Messenger from the gallery To configure the integration of TigerText Secure Messenger into Azure AD, you need to add TigerText Secure Messenger from the gallery to your list of managed SaaS apps. **To add TigerText Secure Messenger from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. 
Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **TigerText Secure Messenger**, select **TigerText Secure Messenger** from result panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Add from gallery](./media/tigertext-tutorial/tutorial_tigertext_addfromgallery.png) +4. In the search box, type **TigerText Secure Messenger**, select **TigerText Secure Messenger** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with TigerText Secure Messenger based on a test user called "Britta Simon". + ![TigerText Secure Messenger in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know what the counterpart user in TigerText Secure Messenger is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in TigerText Secure Messenger needs to be established. +## Configure and test Azure AD single sign-on -In TigerText Secure Messenger, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with TigerText Secure Messenger based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in TigerText Secure Messenger needs to be established. 
To configure and test Azure AD single sign-on with TigerText Secure Messenger, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a TigerText Secure Messenger test user](#create-a-tigertext-secure-messenger-test-user)** - to have a counterpart of Britta Simon in TigerText Secure Messenger that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test Single Sign-On](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure TigerText Secure Messenger Single Sign-On](#configure-tigertext-secure-messenger-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create TigerText Secure Messenger test user](#create-tigertext-secure-messenger-test-user)** - to have a counterpart of Britta Simon in TigerText Secure Messenger that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your TigerText Secure Messenger application. +In this section, you enable Azure AD single sign-on in the Azure portal. 
-**To configure Azure AD single sign-on with TigerText Secure Messenger, perform the following steps:** +To configure Azure AD single sign-on with TigerText Secure Messenger, perform the following steps: -1. In the Azure portal, on the **TigerText Secure Messenger** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **TigerText Secure Messenger** application integration page, select **Single sign-on**. - ![Configure Single Sign-On][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![SAML-based Sign-on](./media/tigertext-tutorial/tutorial_tigertext_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. On the **TigerText Secure Messenger Domain and URLs** section, perform the following steps: + ![Single sign-on select mode](common/select-saml-option.png) - ![TigerText Secure Messenger Domain and URLs section](./media/tigertext-tutorial/tutorial_tigertext_url.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - a. In the **Sign-on URL** textbox, type URL as: `https://home.tigertext.com` + ![Edit Basic SAML Configuration](common/edit-urls.png) - b. In the **Identifier** textbox, type a URL using the following pattern: `https://saml-lb.tigertext.me/v1/organization/` +4. On the **Basic SAML Configuration** section, perform the following steps: - > [!NOTE] - > This value is not real. Update this value with the actual Identifier. Contact [TigerText Secure Messenger Client support team](mailTo:prosupport@tigertext.com) to get this value. - -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. 
+ ![TigerText Secure Messenger Domain and URLs single sign-on information](common/sp-identifier.png) - ![SAML Signing Certificate section](./media/tigertext-tutorial/tutorial_tigertext_certificate.png) + a. In the **Sign on URL** text box, type a URL: + `https://home.tigertext.com` -1. Click **Save** button. + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://saml-lb.tigertext.me/v1/organization/` - ![Save Button](./media/tigertext-tutorial/tutorial_general_400.png) + > [!NOTE] + > The Identifier value is not real. Update this value with the actual Identifier. Contact [TigerText Secure Messenger Client support team](mailto:prosupport@tigertext.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. To get single sign-on configured for your application, contact [TigerText Secure Messenger support team](mailTo:prosupport@tigertext.com) and provide them the **Downloaded metadata**. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> + ![The Certificate download link](common/metadataxml.png) -### Create an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. +6. 
On the **Set up TigerText Secure Messenger** section, copy the appropriate URL(s) as per your requirement. -![Create Azure AD User][100] + ![Copy configuration URLs](common/copy-configuration-urls.png) -**To create a test user in Azure AD, perform the following steps:** + a. Login URL -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. + b. Azure AD Identifier - ![Creating an Azure AD test user](./media/tigertext-tutorial/create_aaduser_01.png) + c. Logout URL -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Users and groups->All users](./media/tigertext-tutorial/create_aaduser_02.png) +### Configure TigerText Secure Messenger Single Sign-On -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Add Button](./media/tigertext-tutorial/create_aaduser_03.png) +To configure single sign-on on **TigerText Secure Messenger** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [TigerText Secure Messenger support team](mailto:prosupport@tigertext.com). They set this setting to have the SAML SSO connection set properly on both sides. -1. On the **User** dialog page, perform the following steps: - - ![User dialog](./media/tigertext-tutorial/create_aaduser_04.png) +### Create an Azure AD test user - a. In the **Name** textbox, type **BrittaSimon**. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - b. In the **User name** textbox, type the **email address** of BrittaSimon. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - c. Select **Show Password** and write down the value of the **Password**. + ![The "Users and groups" and "All users" links](common/users.png) - d. Click **Create**. - -### Create a TigerText Secure Messenger test user +2. 
Select **New user** at the top of the screen. -In this section, you create a user called Britta Simon in TigerText. Please reach out to [TigerText Secure Messenger Client support team](mailTo:prosupport@tigertext.com) to add the users in the TigerText platform. + ![New user Button](common/new-user.png) -### Assign the Azure AD test user +3. In the User properties, perform the following steps. -In this section, you enable Britta Simon to use Azure single sign-on by granting access to TigerText Secure Messenger. + ![The User dialog box](common/user-properties.png) + + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com -![Assign User][200] + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. -**To assign Britta Simon to TigerText Secure Messenger, perform the following steps:** +### Assign the Azure AD test user -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +In this section, you enable Britta Simon to use Azure single sign-on by granting access to TigerText Secure Messenger. - ![Assign User][201] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **TigerText Secure Messenger**. -1. In the applications list, select **TigerText Secure Messenger**. + ![Enterprise applications blade](common/enterprise-applications.png) - ![TigerText Secure Messenger in app list](./media/tigertext-tutorial/tutorial_tigertext_app.png) +2. In the applications list, select **TigerText Secure Messenger**. -1. In the menu on the left, click **Users and groups**. + ![The TigerText Secure Messenger link in the Applications list](common/all-applications.png) - ![Assign User][202] +3. In the menu on the left, select **Users and groups**. -1. 
Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. + ![The "Users and groups" link](common/users-groups-blade.png) - ![Assign User][203] +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Select** button on **Users and groups** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +7. In the **Add Assignment** dialog click the **Assign** button. -When you click the TigerText tile in the Access Panel, you should get automatically signed-on to your TigerText application. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +### Create TigerText Secure Messenger test user -## Additional resources +In this section, you create a user called Britta Simon in TigerText Secure Messenger. Work with [TigerText Secure Messenger support team](mailto:prosupport@tigertext.com) to add the users in the TigerText Secure Messenger platform. Users must be created and activated before you use single sign-on. 
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the TigerText Secure Messenger tile in the Access Panel, you should be automatically signed in to the TigerText Secure Messenger for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/tigertext-tutorial/tutorial_general_01.png -[2]: ./media/tigertext-tutorial/tutorial_general_02.png -[3]: ./media/tigertext-tutorial/tutorial_general_03.png -[4]: ./media/tigertext-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/tigertext-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/tigertext-tutorial/tutorial_general_200.png -[201]: ./media/tigertext-tutorial/tutorial_general_201.png -[202]: ./media/tigertext-tutorial/tutorial_general_202.png -[203]: ./media/tigertext-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/timelive-tutorial.md b/articles/active-directory/saas-apps/timelive-tutorial.md index 2e489d7afd2b5..3a6ba034ebd0a 100644 --- a/articles/active-directory/saas-apps/timelive-tutorial.md 
+++ b/articles/active-directory/saas-apps/timelive-tutorial.md
@@ -214,9 +214,9 @@ When you click the TimeLive tile in the Access Panel, you should be automaticall
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/timeoffmanager-tutorial.md b/articles/active-directory/saas-apps/timeoffmanager-tutorial.md
index e71be91d56972..3e677e2e82eed 100644
--- a/articles/active-directory/saas-apps/timeoffmanager-tutorial.md
+++ b/articles/active-directory/saas-apps/timeoffmanager-tutorial.md
@@ -249,9 +249,9 @@ When you click the TimeOffManager tile in the Access Panel, you should be automa
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/tinfoil-security-tutorial.md b/articles/active-directory/saas-apps/tinfoil-security-tutorial.md
index 57a4a3892f884..d0c529df2840f 100644
--- a/articles/active-directory/saas-apps/tinfoil-security-tutorial.md
+++ b/articles/active-directory/saas-apps/tinfoil-security-tutorial.md
@@ -247,9 +247,9 @@ When you click the TINFOIL SECURITY tile in the Access Panel, you should be auto
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/tivitz-tutorial.md b/articles/active-directory/saas-apps/tivitz-tutorial.md
index 51e305271fd77..35a125c58b0ef 100644
--- a/articles/active-directory/saas-apps/tivitz-tutorial.md
+++ b/articles/active-directory/saas-apps/tivitz-tutorial.md
@@ -195,9 +195,9 @@ When you click the TiViTz tile in the Access Panel, you should be automatically
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/toc.yml b/articles/active-directory/saas-apps/toc.yml
index 79cd00f5f87ee..16df4b6fce1dd 100644
--- a/articles/active-directory/saas-apps/toc.yml
+++ b/articles/active-directory/saas-apps/toc.yml
@@ -135,6 +135,8 @@
 href: bcinthecloud-tutorial.md
 - name: BeeLine
 href: beeline-tutorial.md
+ - name: Benchling
+ href: benchling-tutorial.md
 - name: BenefitHub
 href: benefithub-tutorial.md
 - name: Benefitsolver
@@ -229,6 +231,8 @@
 href: cisco-umbrella-tutorial.md
 - name: Cisco Webex Meetings
 href: cisco-webex-tutorial.md
+ - name: Citrix Netscaler
+ href: citrix-netscaler-tutorial.md
 - name: Citrix ShareFile
 href: sharefile-tutorial.md
 - name: Clarizen
@@ -265,6 +269,8 @@
 href: concur-tutorial.md
 - name: Condeco
 href: condeco-tutorial.md
+ - name: Confirmit Horizons
+ href: confirmit-horizons-tutorial.md
 - name: Confluence SAML SSO by Microsoft
 href: confluencemicrosoft-tutorial.md
 - name: Consent2Go
@@ -349,6 +355,8 @@
 href: elium-tutorial.md
 - name: eLuminate
 href: eluminate-tutorial.md
+ - name: Empactis
+ href: empactis-tutorial.md
 - name: EmpCenter
 href: empcenter-tutorial.md
 - name: Encompass
@@ -425,6 +433,8 @@
 href: freshservice-tutorial.md
 - name: Front
 href: front-tutorial.md
+ - name: Fulcrum
+ href: fulcrum-tutorial.md
 - name: Fuse
 href: fuse-tutorial.md
 - name: Fuze
@@ -485,6 +495,8 @@
 href: hpesaas-tutorial.md
 - name: HR2day by Merces
 href: hr2day-tutorial.md
+ - name: HRworks Single Sign-On
+ href: hrworks-single-sign-on-tutorial.md
 - name: HubSpot SAML
 href: hubspot-tutorial.md
 - name: Huddle
@@ -557,6 +569,8 @@
 href: iqnavigatorvms-tutorial.md
 - name: iQualify LMS
 href: iqualify-tutorial.md
+ - name: Iris Intranet
+ href: iris-intranet-tutorial.md
 - name: IriusRisk
 href: iriusrisk-tutorial.md
 - name: ITRP
@@ -709,6 +723,8 @@
 href: mixpanel-tutorial.md
 - name: MOBI
 href: mobi-tutorial.md
+ - name: MobiControl
+ href: mobicontrol-tutorial.md
 - name: Mobile Xpense
 href: mobilexpense-tutorial.md
 - name: MobileIron
@@ -823,6 +839,8 @@
 href: peoplecart-tutorial.md
 - name: Perception United States (Non-UltiPro)
 href: perceptionunitedstates-tutorial.md
+ - name: Percolate
+ href: percolate-tutorial.md
 - name: PerformanceCentre
 href: performancecentre-tutorial.md
 - name: Periscope Data
@@ -843,6 +861,8 @@
 href: policystat-tutorial.md
 - name: PostBeyond
 href: postbeyond-tutorial.md
+ - name: Powerschool Performance Matters
+ href: powerschool-performance-matters-tutorial.md
 - name: Predictix Assortment Planning
 href: predictix-assortment-planning-tutorial.md
 - name: Predictix Ordering
@@ -995,6 +1015,8 @@
 href: settlingmusic-tutorial.md
 - name: SharePoint on-premises
 href: sharepoint-on-premises-tutorial.md
+ - name: Shibumi
+ href: shibumi-tutorial.md
 - name: Shmoop For Schools
 href: shmoopforschools-tutorial.md
 - name: Showpad
@@ -1031,6 +1053,8 @@
 href: slack-tutorial.md
 - name: Small Improvements
 href: smallimprovements-tutorial.md
+ - name: SmartDraw
+ href: smartdraw-tutorial.md
 - name: SmarterU
 href: smarteru-tutorial.md
 - name: SmartFile
@@ -1101,6 +1125,8 @@
 href: tangoe-tutorial.md
 - name: TargetProcess
 href: target-process-tutorial.md
+ - name: TAS
+ href: tas-tutorial.md
 - name: Teamphoria
 href: teamphoria-tutorial.md
 - name: TeamSeer
@@ -1356,4 +1382,4 @@
 href: zscaler-three-provisioning-tutorial.md
 - name: Zscaler ZSCloud
 href: zscaler-zscloud-provisioning-tutorial.md
-
+
diff --git a/articles/active-directory/saas-apps/tonicdm-tutorial.md b/articles/active-directory/saas-apps/tonicdm-tutorial.md
index c92fe6fe8d877..f96f7e5ab3038 100644
--- a/articles/active-directory/saas-apps/tonicdm-tutorial.md
+++ b/articles/active-directory/saas-apps/tonicdm-tutorial.md
@@ -189,9 +189,9 @@ When you click the TonicDM tile in the Access Panel, you should be automatically
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/trackvia-tutorial.md b/articles/active-directory/saas-apps/trackvia-tutorial.md
index 4005bd3ee7502..4ee5383cc2e75 100644
--- a/articles/active-directory/saas-apps/trackvia-tutorial.md
+++ b/articles/active-directory/saas-apps/trackvia-tutorial.md
@@ -208,9 +208,9 @@ When you click the TrackVia tile in the Access Panel, you should be automaticall
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/trakopolis-tutorial.md b/articles/active-directory/saas-apps/trakopolis-tutorial.md
index f58aad10050a5..8603bbdbe1efb 100644
--- a/articles/active-directory/saas-apps/trakopolis-tutorial.md
+++ b/articles/active-directory/saas-apps/trakopolis-tutorial.md
@@ -190,9 +190,9 @@ When you click the Trakopolis tile in the Access Panel, you should be automatica
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/trakstar-tutorial.md b/articles/active-directory/saas-apps/trakstar-tutorial.md
index fe71623b08a55..2e9bd5d6e7872 100644
--- a/articles/active-directory/saas-apps/trakstar-tutorial.md
+++ b/articles/active-directory/saas-apps/trakstar-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 
 ms.assetid: 411cb8c3-95c6-4138-acf2-ffc7f663e89a
 ms.service: active-directory
@@ -12,220 +13,188 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 06/09/2017 +ms.topic: tutorial +ms.date: 04/02/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Trakstar In this tutorial, you learn how to integrate Trakstar with Azure Active Directory (Azure AD). - Integrating Trakstar with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Trakstar -- You can enable your users to automatically get signed-on to Trakstar (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Trakstar. +* You can enable your users to be automatically signed-in to Trakstar (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Trakstar, you need the following items: -- An Azure AD subscription -- A Trakstar single-sign on enabled subscription - - SSO is a paid feature in Trakstar. To enable it for your organization, reach out to [Trakstar Client support team](mailto:support@trakstar.com). - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Trakstar single sign-on enabled subscription +* SSO is a paid feature in Trakstar. To enable it for your organization, reach out to [Trakstar Client support team](mailto:support@trakstar.com). -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Trakstar from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Trakstar supports **SP** initiated SSO ## Adding Trakstar from the gallery + To configure the integration of Trakstar into Azure AD, you need to add Trakstar from the gallery to your list of managed SaaS apps. **To add Trakstar from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - - ![Active Directory][1] - -1. Navigate to **Enterprise applications**. Then go to **All applications**. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Azure Active Directory button](common/select-azuread.png) - ![Applications][3] +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -1. In the search box, type **Trakstar**. 
+ ![The Enterprise applications blade](common/enterprise-applications.png) - ![Creating an Azure AD test user](./media/trakstar-tutorial/tutorial_trakstar_search.png) +3. To add new application, click **New application** button on the top of dialog. -1. In the results panel, select **Trakstar**, and then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/trakstar-tutorial/tutorial_trakstar_addfromgallery.png) +4. In the search box, type **Trakstar**, select **Trakstar** from result panel then click **Add** button to add the application. -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Trakstar based on a test user called "Britta Simon." + ![Trakstar in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know what the counterpart user in Trakstar is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Trakstar needs to be established. +## Configure and test Azure AD single sign-on -In Trakstar, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with Trakstar based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Trakstar needs to be established. To configure and test Azure AD single sign-on with Trakstar, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. 
**[Creating a Trakstar test user](#creating-a-trakstar-test-user)** - to have a counterpart of Britta Simon in Trakstar that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Trakstar Single Sign-On](#configure-trakstar-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Trakstar test user](#create-trakstar-test-user)** - to have a counterpart of Britta Simon in Trakstar that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Trakstar application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Trakstar, perform the following steps:** +To configure Azure AD single sign-on with Trakstar, perform the following steps: -1. In the Azure portal, on the **Trakstar** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Trakstar** application integration page, select **Single sign-on**. - ![Configure Single Sign-On][4] + ![Configure single sign-on link](common/select-sso.png) -1. 
On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/trakstar-tutorial/tutorial_trakstar_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. On the **Trakstar Domain and URLs** section, perform the following steps: + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On](./media/trakstar-tutorial/tutorial_trakstar_url.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - a. In the **Sign-on URL** textbox, copy the value found in the **ACS (Consumer) URL** within Trakstar (Settings > Authentication & SSO) in the format: `https://app.trakstar.com/auth/saml/callback?namespace=` + ![Edit Basic SAML Configuration](common/edit-urls.png) - b. In the **Identifier** textbox, leave the default: `https://app.trakstar.com` +4. On the **Basic SAML Configuration** section, perform the following steps: - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identifier. Log into Trakstar as an Administrator to get these values. - > If you don't see the "Authentication & SSO" tab within Settings, you might not have the feature - -1. On the **SAML Signing Certificate** section, click **Certificate (Base64)** and then save the certificate file on your computer. + ![Trakstar Domain and URLs single sign-on information](common/sp-identifier.png) - ![Configure Single Sign-On](./media/trakstar-tutorial/tutorial_trakstar_certificate.png) + a. In the **Sign-on URL** textbox, copy the value found in the **ACS (Consumer) URL** within Trakstar (Settings > Authentication & SSO) in the format: `https://app.trakstar.com/auth/saml/callback?namespace=` -1. Click **Save** button. + b. 
In the **Identifier (Entity ID)** text box, leave the default: + `https://app.trakstar.com` - ![Configure Single Sign-On](./media/trakstar-tutorial/tutorial_general_400.png) + > [!NOTE] + > These values are not real. Update these values with the actual Sign-On URL and Identifier. Sign into Trakstar as an Administrator to get these values. + > If you don't see the "Authentication & SSO" tab within Settings, you might not have the feature. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. On the **Trakstar Configuration** section, click **Configure Trakstar** to open **Configure sign-on** window. Copy the **Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** from the **Quick Reference section.** +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On](./media/trakstar-tutorial/tutorial_trakstar_configure.png) + ![The Certificate download link](common/certificatebase64.png) -1. To configure single sign-on on **Trakstar** side, you need to log in as an Administrator and enter the **Certificate (Base64)**, **Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL**. +6. On the **Set up Trakstar** section, copy the appropriate URL(s) as per your requirement. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. 
You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> + ![Copy configuration URLs](common/copy-configuration-urls.png) -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + a. Login URL -![Create Azure AD User][100] + b. Azure AD Identifier -**To create a test user in Azure AD, perform the following steps:** + c. Logout URL -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +### Configure Trakstar Single Sign-On - ![Creating an Azure AD test user](./media/trakstar-tutorial/create_aaduser_01.png) +To configure single sign-on on **Trakstar** side, you need to sign in as an Administrator and enter the content of downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal. They set this setting to have the SAML SSO connection set properly on both sides. -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/trakstar-tutorial/create_aaduser_02.png) +### Create an Azure AD test user -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/trakstar-tutorial/create_aaduser_03.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/trakstar-tutorial/create_aaduser_04.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - a. In the **Name** textbox, type **BrittaSimon**. + ![The "Users and groups" and "All users" links](common/users.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. +2. Select **New user** at the top of the screen. - c. 
Select **Show Password** and write down the value of the **Password**. + ![New user Button](common/new-user.png) - d. Click **Create**. - -### Creating a Trakstar test user +3. In the User properties, perform the following steps. -The objective of this section is to create a user called Britta Simon in Trakstar. + ![The User dialog box](common/user-properties.png) + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com -### Assigning the Azure AD test user + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Trakstar. + d. Click **Create**. -![Assign User][200] +### Assign the Azure AD test user -**To assign Britta Simon to Trakstar, perform the following steps:** +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Trakstar. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Trakstar**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the applications list, select **Trakstar**. +2. In the applications list, select **Trakstar**. - ![Configure Single Sign-On](./media/trakstar-tutorial/tutorial_trakstar_app.png) + ![The Trakstar link in the Applications list](common/all-applications.png) -1. In the menu on the left, click **Users and groups**. +3. In the menu on the left, select **Users and groups**. - ![Assign User][202] + ![The "Users and groups" link](common/users-groups-blade.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. 
Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][203] + ![The Add Assignment pane](common/add-assign-user.png) -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. Click **Select** button on **Users and groups** dialog. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +7. In the **Add Assignment** dialog click the **Assign** button. -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. -When you click the Trakstar tile in the Access Panel, you should get automatically signed-on to your Trakstar application. +### Create Trakstar test user -## Additional resources +In this section, you create a user called Britta Simon in Trakstar. Work with Trakstar Administrator to add the users in the Trakstar platform. Users must be created and activated before you use single sign-on. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the Trakstar tile in the Access Panel, you should be automatically signed in to the Trakstar for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
- +## Additional Resources -[1]: ./media/trakstar-tutorial/tutorial_general_01.png -[2]: ./media/trakstar-tutorial/tutorial_general_02.png -[3]: ./media/trakstar-tutorial/tutorial_general_03.png -[4]: ./media/trakstar-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/trakstar-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/trakstar-tutorial/tutorial_general_200.png -[201]: ./media/trakstar-tutorial/tutorial_general_201.png -[202]: ./media/trakstar-tutorial/tutorial_general_202.png -[203]: ./media/trakstar-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/trello-tutorial.md b/articles/active-directory/saas-apps/trello-tutorial.md index 1fa1e577794ad..1851578c18d78 100644 --- a/articles/active-directory/saas-apps/trello-tutorial.md +++ b/articles/active-directory/saas-apps/trello-tutorial.md 
@@ -24,109 +24,112 @@ In this tutorial, you learn how to integrate Trello with Azure Active Directory Integrating Trello with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to Trello. -* You can enable your users to be automatically signed-in to Trello (Single Sign-On) with their Azure AD accounts. -* You can manage your accounts in one central location - the Azure portal. +* You can enable your users to be automatically signed-in to Trello (single sign-on) with their Azure AD accounts. +* You can manage your accounts in one central location: the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +For more information about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Trello, you need the following items: -* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/) -* Trello single sign-on enabled subscription +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* A Trello single-sign-on-enabled subscription. ## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment. 
-* Trello supports **SP and IDP** initiated SSO +* Trello supports SP- and IDP-initiated SSO -* Trello supports **Just In Time** user provisioning +* Trello supports Just In Time user provisioning -## Adding Trello from the gallery +## Add Trello from the gallery -To configure the integration of Trello into Azure AD, you need to add Trello from the gallery to your list of managed SaaS apps. +To configure the integration of Trello into Azure AD, first add Trello from the gallery to your list of managed SaaS apps. -**To add Trello from the gallery, perform the following steps:** +To add Trello from the gallery, take the following steps: -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the [Azure portal](https://portal.azure.com), in the left pane, select the **Azure Active Directory** icon. ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise Applications** and then select the **All Applications** option. +2. Select **Enterprise Applications**, and then select **All Applications**. ![The Enterprise applications blade](common/enterprise-applications.png) -3. To add new application, click **New application** button on the top of dialog. +3. To add a new application, select the **New application** button at the top of the dialog box. ![The New application button](common/add-new-app.png) -4. In the search box, type **Trello**, select **Trello** from result panel then click **Add** button to add the application. +4. In the search box, enter **Trello**, and then select **Trello** from the results pane. + +5. Select the **Add** button to add the application. ![Trello in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with [Application name] based on a test user called **Britta Simon**. 
-For single sign-on to work, a link relationship between an Azure AD user and the related user in [Application name] needs to be established. +In this section, you configure and test Azure AD single sign-on with Trello based on a test user called **Britta Simon**. + +For single sign-on to work, you need to establish a link between an Azure AD user and the related user in Trello. -To configure and test Azure AD single sign-on with [Application name], you need to complete the following building blocks: +To configure and test Azure AD single sign-on with Trello, you need to complete the following building blocks: -1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Configure Trello Single Sign-On](#configure-trello-single-sign-on)** - to configure the Single Sign-On settings on application side. -3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Create Trello test user](#create-trello-test-user)** - to have a counterpart of Britta Simon in Trello that is linked to the Azure AD representation of user. -6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +1. [Configure Azure AD single sign-on](#configure-azure-ad-single-sign-on) to enable your users to use this feature. +2. [Configure Trello single sign-on](#configure-trello-single-sign-on) to configure the single sign-on settings on the application side. +3. [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on with Britta Simon. +4. [Assign the Azure AD test user](#assign-the-azure-ad-test-user) to enable Britta Simon to use Azure AD single sign-on. +5. 
[Create a Trello test user](#create-a-trello-test-user) to have a counterpart of Britta Simon in Trello that is linked to the Azure AD representation of the user. +6. [Test single sign-on](#test-single-sign-on) to verify that the configuration works. ### Configure Azure AD single sign-on In this section, you enable Azure AD single sign-on in the Azure portal. > [!NOTE] -> You should get the **\** slug from Trello. If you don't have the slug value, contact [Trello support team](mailto:support@trello.com) to get the slug for you enterprise. +> You should get the **\** slug from Trello. If you don't have the slug value, contact the [Trello support team](mailto:support@trello.com) to get the slug for your enterprise. -To configure Azure AD single sign-on with [Application name], perform the following steps: +To configure Azure AD single sign-on with Trello, take the following steps: 1. In the [Azure portal](https://portal.azure.com/), on the **Trello** application integration page, select **Single sign-on**. ![Configure single sign-on link](common/select-sso.png) -2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. +2. In the **Select a Single sign-on method** dialog box, select **SAML** to enable single sign-on. ![Single sign-on select mode](common/select-saml-option.png) -3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. +3. On the **Set up Single Sign-on with SAML** page, select the **Edit** icon to open the **Basic SAML Configuration** dialog box. ![Edit Basic SAML Configuration](common/edit-urls.png) -4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps: +4. 
In the **Basic SAML Configuration** section, if you want to configure the application in IDP-initiated mode, take the following steps: - ![Trello Domain and URLs single sign-on information](common/idp-intiated.png) + ![Trello domain and URLs single sign-on information](common/idp-intiated.png) - a. In the **Identifier** text box, type a URL using the following pattern: + a. In the **Identifier** box, enter a URL by using the following pattern: `https://trello.com/auth/saml/metadata` - b. In the **Reply URL** text box, type a URL using the following pattern: + b. In the **Reply URL** box, enter a URL by using the following pattern: `https://trello.com/auth/saml/consume/` -5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: +5. Select **Set additional URLs**, and then take the following steps if you want to configure the application in SP-initiated mode: - ![Trello Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) + ![Trello domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) - In the **Sign-on URL** text box, type a URL using the following pattern: + In the **Sign-on URL** box, enter a URL by using the following pattern: `https://trello.com/auth/saml/login/` > [!NOTE] - > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Trello Client support team](mailto:support@trello.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + > These values are not real. Update these values with the actual identifier, reply URL, and sign-on URL. Contact the [Trello Client support team](mailto:support@trello.com) to get these values. You can also refer to the patterns in the **Basic SAML Configuration** section in the Azure portal. -6. 
Trello application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog. +6. The Trello application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on the application integration page. On the **Set up Single Sign-On with SAML** page, select the **Edit** button to open the **User Attributes** dialog box. - ![image](common/edit-attribute.png) + ![User Attributes dialog box](common/edit-attribute.png) -7. In the **User Claims** section on the **User Attributes** dialog, configure SAML token attribute as shown in the image above and perform the following steps: +7. In the **User Claims** section in the **User Attributes** dialog box, configure the SAML token attribute as shown in the previous image. Then take the following steps: | Name | Source Attribute| | --- | --- | 
@@ -134,41 +137,41 @@ To configure Azure AD single sign-on with [Application name], perform the follow | User.FirstName | user.givenname | | User.LastName | user.surname | - a. Click **Add new claim** to open the **Manage user claims** dialog. + a. Select **Add new claim** to open the **Manage user claims** dialog box. - ![image](common/new-save-attribute.png) + ![User claims dialog box](common/new-save-attribute.png) - ![image](common/new-attribute-details.png) + ![Manage user claims](common/new-attribute-details.png) - b. In the **Name** textbox, type the attribute name shown for that row. + b. In the **Name** box, enter the attribute name that's shown for that row. - c. Leave the **Namespace** blank. + c. Leave **Namespace** blank. - d. Select Source as **Attribute**. + d. For **Source**, select **Attribute**. - e. From the **Source attribute** list, type the attribute value shown for that row. + e. In the **Source attribute** list, enter the attribute value that's shown for that row. - f. Click **Ok** + f. Select **Ok**. - g. Click **Save**. + g. Select **Save**. -8. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. +8. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, select **Download** to download the **Certificate (Base64)** from the given options as per your requirements. Then save it on your computer. ![The Certificate download link](common/certificatebase64.png) -9. On the **Set up Trello** section, copy the appropriate URL(s) as per your requirement. +9. On the **Set up Trello** section, copy the appropriate URL(s) according to your requirements. ![Copy configuration URLs](common/copy-configuration-urls.png) a. Login URL - b. Azure Ad Identifier + b. Azure AD identifier c. 
Logout URL -### Configure Trello Single Sign-On +### Configure Trello single sign-on -To configure single sign-on on **Trello** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Trello support team](mailto:support@trello.com). They set this setting to have the SAML SSO connection set properly on both sides. +To configure single sign-on on the Trello side, first send the downloaded **Certificate (Base64)** and copied URLs from the Azure portal to the [Trello support team](mailto:support@trello.com). They ensure that the SAML SSO connection is set properly on both sides. ### Create an Azure AD test user 
@@ -180,63 +183,62 @@ The objective of this section is to create a test user in the Azure portal calle 2. Select **New user** at the top of the screen. - ![New user Button](common/new-user.png) + ![New user button](common/new-user.png) -3. In the User properties, perform the following steps. +3. In the **User** dialog box, take the following steps. ![The User dialog box](common/user-properties.png) - a. In the **Name** field enter **BrittaSimon**. + a. In the **Name** field, enter **BrittaSimon**. - b. In the **User name** field type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com + b. In the **User name** field, enter "brittasimon@yourcompanydomain.extension". For example, in this case, you might enter "BrittaSimon@contoso.com". - c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + c. Select the **Show password** check box, and then note the value that's displayed in the **Password** box. - d. Click **Create**. + d. Select **Create**. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Trello. -1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Trello**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, and then select **Trello**. - ![Enterprise applications blade](common/enterprise-applications.png) + ![Enterprise Applications blade](common/enterprise-applications.png) 2. In the applications list, select **Trello**. - ![The Trello link in the Applications list](common/all-applications.png) + ![The Trello link in the applications list](common/all-applications.png) 3. In the menu on the left, select **Users and groups**. ![The "Users and groups" link](common/users-groups-blade.png) -4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. +4. 
Select the **Add user** button. Then, in the **Add Assignment** dialog box, select **Users and groups**. ![The Add Assignment pane](common/add-assign-user.png) -5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. +5. In the **Users and groups** dialog box, select **Britta Simon** in the users list. Then click the **Select** button at the bottom of the screen. -6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. +6. If you are expecting any role value in the SAML assertion, then, in the **Select Role** dialog box, select the appropriate role for the user from the list. Then click the **Select** button at the bottom of the screen. -7. In the **Add Assignment** dialog click the **Assign** button. +7. In the **Add Assignment** dialog box, select the **Assign** button. -### Create Trello test user +### Create a Trello test user -In this section, a user called Britta Simon is created in Trello. Trello supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Trello, a new one is created after authentication. +In this section, you create a user called Britta Simon in Trello. Trello supports Just in Time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Trello, a new one is created after authentication. -> [!Note] -> If you need to create a user manually, Contact [Trello support team](mailto:support@trello.com). +> [!NOTE] +> If you need to create a user manually, contact the [Trello support team](mailto:support@trello.com). ### Test single sign-on -In this section, you test your Azure AD single sign-on configuration using the Access Panel. 
+In this section, you test your Azure AD single sign-on configuration by using the MyApps portal. -When you click the Trello tile in the Access Panel, you should be automatically signed in to the Trello for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). +When you select the Trello tile in the MyApps portal, you should be automatically signed in to Trello. For more information about the My Apps portal, see [What is the MyApps portal?](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -## Additional Resources +## Additional resources -- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of tutorials on how to integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) - [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) diff --git a/articles/active-directory/saas-apps/trisotechdigitalenterpriseserver-tutorial.md b/articles/active-directory/saas-apps/trisotechdigitalenterpriseserver-tutorial.md index cf78cd69a5aee..48f446d4e3436 100644 --- a/articles/active-directory/saas-apps/trisotechdigitalenterpriseserver-tutorial.md +++ b/articles/active-directory/saas-apps/trisotechdigitalenterpriseserver-tutorial.md 
@@ -209,9 +209,9 @@ When you click the Trisotech Digital Enterprise Server tile in the Access Panel,
 
 ## Additional Resources
 
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
diff --git a/articles/active-directory/saas-apps/turborater-tutorial.md b/articles/active-directory/saas-apps/turborater-tutorial.md
index 4da2bbc8df7f6..e246c20fb2414 100644
--- a/articles/active-directory/saas-apps/turborater-tutorial.md
+++ b/articles/active-directory/saas-apps/turborater-tutorial.md
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 
 ms.assetid: abb116b8-8024-4cc6-bc81-f32ef490ea17
 ms.service: active-directory
@@ -13,216 +13,190 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 10/03/2017 +ms.topic: tutorial +ms.date: 3/8/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with TurboRater In this tutorial, you learn how to integrate TurboRater with Azure Active Directory (Azure AD). - Integrating TurboRater with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to TurboRater. -- You can enable your users to automatically get signed-on to TurboRater (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to TurboRater. +* You can enable your users to be automatically signed-in to TurboRater (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with TurboRater, you need the following items: -- An Azure AD subscription -- A TurboRater single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/) +* TurboRater single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding TurboRater from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* TurboRater supports **IDP** initiated SSO ## Adding TurboRater from the gallery + To configure the integration of TurboRater into Azure AD, you need to add TurboRater from the gallery to your list of managed SaaS apps. **To add TurboRater from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. To add new application, click **New application** button on the top of dialog. -1. 
In the search box, type **TurboRater**, select **TurboRater** from result panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![TurboRater in the results list](./media/turborater-tutorial/tutorial_turborater_addfromgallery.png) +4. In the search box, type **TurboRater**, select **TurboRater** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on + ![TurboRater in the results list](common/search-new-app.png) -In this section, you configure and test Azure AD single sign-on with TurboRater based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in TurboRater is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in TurboRater needs to be established. +## Configure and test Azure AD single sign-on -In TurboRater, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with TurboRater based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in TurboRater needs to be established. To configure and test Azure AD single sign-on with TurboRater, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a TurboRater test user](#create-a-turborater-test-user)** - to have a counterpart of Britta Simon in TurboRater that is linked to the Azure AD representation of user. -1. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure TurboRater Single Sign-On](#configure-turborater-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create TurboRater test user](#create-turborater-test-user)** - to have a counterpart of Britta Simon in TurboRater that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your TurboRater application. +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with TurboRater, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **TurboRater** application integration page, select **Single sign-on**. + + ![Configure single sign-on link](common/select-sso.png) + +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -**To configure Azure AD single sign-on with TurboRater, perform the following steps:** + ![Single sign-on select mode](common/select-saml-option.png) -1. In the Azure portal, on the **TurboRater** application integration page, click **Single sign-on**. +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. 
- ![Configure single sign-on link][4] + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/turborater-tutorial/tutorial_turborater_samlbase.png) +4. On the **Set up Single Sign-On with SAML** page, perform the following steps: -1. On the **TurboRater Domain and URLs** section, perform the following steps: + ![TurboRater Domain and URLs single sign-on information](common/idp-intiated.png) - ![TurboRater Domain and URLs single sign-on information](./media/turborater-tutorial/tutorial_turborater_url.png) + a. In the **Identifier** text box, type a URL: + `https://www.itcdataservices.com` - a. In the **Identifier** textbox, type the value as: `https://www.itcdataservices.com` - - b. In the **Reply URL** textbox, type the value as: - - | Environment | URL | + b. In the **Reply URL** text box, type a URL using the following pattern: + + | Environment | URL | | ---------------| --------------- | | Test | `https://ratingqa.itcdataservices.com/webservices/imp/saml/login` | | Live | `https://www.itcratingservices.com/webservices/imp/saml/login` | -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. - - ![The Certificate download link](./media/turborater-tutorial/tutorial_turborater_certificate.png) + > [!NOTE] + > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [TurboRater Client support team](https://www.getitc.com/support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. Click **Save** button. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. 
- ![Configure Single Sign-On Save button](./media/turborater-tutorial/tutorial_general_400.png) + ![The Certificate download link](common/metadataxml.png) -1. To configure single sign-on on **TurboRater** side, you need to send the downloaded **Metadata XML** to [TurboRater support team](https://www.getitc.com/support). They set this setting to have the SAML SSO connection set properly on both sides. +6. On the **Set up TurboRater** section, copy the appropriate URL(s) as per your requirement. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) + ![Copy configuration URLs](common/copy-configuration-urls.png) -### Create an Azure AD test user + a. Login URL -The objective of this section is to create a test user in the Azure portal called Britta Simon. + b. Azure AD Identifier - ![Create an Azure AD test user][100] + c. Logout URL -**To create a test user in Azure AD, perform the following steps:** +### Configure TurboRater Single Sign-On -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +To configure single sign-on on **TurboRater** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [TurboRater support team](https://www.getitc.com/support). They set this setting to have the SAML SSO connection set properly on both sides. - ![The Azure Active Directory button](./media/turborater-tutorial/create_aaduser_01.png) +### Create an Azure AD test user -1. 
To display the list of users, go to **Users and groups**, and then click **All users**. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![The "Users and groups" and "All users" links](./media/turborater-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Add button](./media/turborater-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -1. In the **User** dialog box, perform the following steps: + ![New user Button](common/new-user.png) - ![The User dialog box](./media/turborater-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** box, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** box, type the email address of user Britta Simon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Create a TurboRater test user - -To enable Azure AD users to log in to TurboRater, they must be provisioned into TurboRater. -In the case of TurboRater, provisioning is a manual task. -To create a user, please work with [TurboRater support team](https://www.getitc.com/support). ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to TurboRater. 
-![Assign the user role][200] - -**To assign Britta Simon to TurboRater, perform the following steps:** - -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **TurboRater**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the applications list, select **TurboRater**. +2. In the applications list, select **TurboRater**. - ![The TurboRater link in the Applications list](./media/turborater-tutorial/tutorial_turborater_app.png) + ![The TurboRater link in the Applications list](common/all-applications.png) -1. In the menu on the left, click **Users and groups**. +3. In the menu on the left, select **Users and groups**. - ![The "Users and groups" link][202] + ![The "Users and groups" link](common/users-groups-blade.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The Add Assignment pane][203] + ![The Add Assignment pane](common/add-assign-user.png) -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. Click **Select** button on **Users and groups** dialog. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +7. In the **Add Assignment** dialog click the **Assign** button. 
-In this section, you test your Azure AD single sign-on configuration using the Access Panel. - -When you click the TurboRater tile in the Access Panel, you should get automatically signed-on to your TurboRater application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +### Create TurboRater test user -## Additional resources +In this section, you create a user called Britta Simon in TurboRater. Work with [TurboRater support team](https://www.getitc.com/support) to add the users in the TurboRater platform. Users must be created and activated before you use single sign-on. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the TurboRater tile in the Access Panel, you should be automatically signed in to the TurboRater for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
- +## Additional Resources -[1]: ./media/turborater-tutorial/tutorial_general_01.png -[2]: ./media/turborater-tutorial/tutorial_general_02.png -[3]: ./media/turborater-tutorial/tutorial_general_03.png -[4]: ./media/turborater-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/turborater-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/turborater-tutorial/tutorial_general_200.png -[201]: ./media/turborater-tutorial/tutorial_general_201.png -[202]: ./media/turborater-tutorial/tutorial_general_202.png -[203]: ./media/turborater-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/tyeexpress-tutorial.md b/articles/active-directory/saas-apps/tyeexpress-tutorial.md index 178ccd406f666..f0b1276fb6162 100644 --- a/articles/active-directory/saas-apps/tyeexpress-tutorial.md +++ b/articles/active-directory/saas-apps/tyeexpress-tutorial.md 
@@ -219,9 +219,9 @@ When you click the T&E Express tile in the Access Panel, you should be automatic ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/uberflip-tutorial.md b/articles/active-directory/saas-apps/uberflip-tutorial.md index bed8c26563924..7c88fb9496af4 100644 --- a/articles/active-directory/saas-apps/uberflip-tutorial.md +++ b/articles/active-directory/saas-apps/uberflip-tutorial.md 
@@ -4,54 +4,46 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 754b1f5b-6694-4fd6-9e1e-9fad769c64db ms.service: active-directory ms.workload: identity +ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 08/21/2018 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Uberflip In this tutorial, you learn how to integrate Uberflip with Azure Active Directory (Azure AD). - Integrating Uberflip with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Uberflip. -- You can enable your users to automatically get signed-on to Uberflip (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Uberflip. +* You can enable your users to be automatically signed-in to Uberflip (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md) +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with Uberflip, you need the following items: -- An Azure AD subscription -- A Uberflip single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Uberflip single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Uberflip supports **SP** and **IDP** initiated SSO -1. Adding Uberflip from the gallery -2. Configuring and testing Azure AD single sign-on +* Uberflip supports **Just In Time** user provisioning ## Adding Uberflip from the gallery 
@@ -59,166 +51,157 @@ To configure the integration of Uberflip into Azure AD, you need to add Uberflip **To add Uberflip from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] + ![The Enterprise applications blade](common/enterprise-applications.png) 3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) 4. In the search box, type **Uberflip**, select **Uberflip** from result panel then click **Add** button to add the application. - ![Uberflip in the results list](./media/uberflip-tutorial/tutorial_uberflip_addfromgallery.png) + ![Uberflip in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Uberflip based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Uberflip is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Uberflip needs to be established. +In this section, you configure and test Azure AD single sign-on with Uberflip based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Uberflip needs to be established. 
To configure and test Azure AD single sign-on with Uberflip, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Create an Uberflip test user](#create-an-uberflip-test-user)** - to have a counterpart of Britta Simon in Uberflip that is linked to the Azure AD representation of user. +2. **[Configure Uberflip Single Sign-On](#configure-uberflip-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +5. **[Create Uberflip test user](#create-uberflip-test-user)** - to have a counterpart of Britta Simon in Uberflip that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Uberflip application. +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with Uberflip, perform the following steps: -**To configure Azure AD single sign-on with Uberflip, perform the following steps:** +1. In the [Azure portal](https://portal.azure.com/), on the **Uberflip** application integration page, select **Single sign-on**. -1. In the Azure portal, on the **Uberflip** application integration page, click **Single sign-on**. 
+ ![Configure single sign-on link](common/select-sso.png) - ![Configure single sign-on link][4] +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -2. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. + ![Single sign-on select mode](common/select-saml-option.png) - ![Single sign-on dialog box](./media/uberflip-tutorial/tutorial_uberflip_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -3. On the **Uberflip Domain and URLs** section, perform the following step if you wish to configure the application in **IDP** initiated mode: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Uberflip Domain and URLs single sign-on information](./media/uberflip-tutorial/tutorial_uberflip_url1.png) +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step: - In the **Reply URL** textbox, type a URL using the following pattern: `https://app.uberflip.com/sso/saml2//` + ![Uberflip Domain and URLs single sign-on information](common/both-replyurl.png) + In the **Reply URL** text box, type a URL using the following pattern: + `https://app.uberflip.com/sso/saml2//` + > [!NOTE] - > This value is not real. Update this value with the actual Reply URL. Contact [Uberflip Client support team](mailto:support@uberflip.com) to get this value. + > This value is not real. Update this value with the actual Reply URL. Contact [Uberflip Client support team](mailto:support@uberflip.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -4. Check **Show advanced URL settings** and perform the following step if you wish to configure the application in **SP** initiated mode: +5. 
Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: - ![Uberflip Domain and URLs single sign-on information](./media/uberflip-tutorial/tutorial_uberflip_url2.png) + ![Uberflip Domain and URLs single sign-on information](common/both-signonurl.png) - In the **Sign-on URL** textbox, type the URL: `https://app.uberflip.com/users/login` + In the **Sign-on URL** text box, type a URL: + `https://app.uberflip.com/users/login` -5. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. +6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. - ![The Certificate download link](./media/uberflip-tutorial/tutorial_uberflip_certificate.png) + ![The Certificate download link](common/metadataxml.png) -6. Click **Save** button. +7. On the **Set up Uberflip** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On Save button](./media/uberflip-tutorial/tutorial_general_400.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -7. To configure single sign-on on **Uberflip** side, you need to send the downloaded **Metadata XML** to [Uberflip support team](mailto:support@uberflip.com). They set this setting to have the SAML SSO connection set properly on both sides. + a. Login URL -### Create an Azure AD test user + b. Azure AD Identifier -The objective of this section is to create a test user in the Azure portal called Britta Simon. + c. 
Logout URL - ![Create an Azure AD test user][100] +### Configure Uberflip Single Sign-On -**To create a test user in Azure AD, perform the following steps:** +To configure single sign-on on **Uberflip** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Uberflip support team](mailto:support@uberflip.com). They set this setting to have the SAML SSO connection set properly on both sides. -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +### Create an Azure AD test user - ![The Azure Active Directory button](./media/uberflip-tutorial/create_aaduser_01.png) - -2. To display the list of users, go to **Users and groups**, and then click **All users**. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![The "Users and groups" and "All users" links](./media/uberflip-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -3. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Add button](./media/uberflip-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -4. In the **User** dialog box, perform the following steps: + ![New user Button](common/new-user.png) - ![The User dialog box](./media/uberflip-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** box, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** box, type the email address of user Britta Simon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - c. 
Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. -### Create an Uberflip test user - -The objective of this section is to create a user called Britta Simon in Uberflip. Uberflip supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access Uberflip if it doesn't exist yet. - -> [!Note] -> If you need to create a user manually, contact [Uberflip support team](mailto:support@uberflip.com). - ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Uberflip. -![Assign the user role][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Uberflip**. -**To assign Britta Simon to Uberflip, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **Uberflip**. - ![Assign User][201] + ![The Uberflip link in the Applications list](common/all-applications.png) -2. In the applications list, select **Uberflip**. +3. In the menu on the left, select **Users and groups**. - ![The Uberflip link in the Applications list](./media/uberflip-tutorial/tutorial_uberflip_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -3. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The "Users and groups" link][202] + ![The Add Assignment pane](common/add-assign-user.png) -4. Click **Add** button. 
Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -5. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -6. Click **Select** button on **Users and groups** dialog. +### Create Uberflip test user -7. Click **Assign** button on **Add Assignment** dialog. +In this section, a user called Britta Simon is created in Uberflip. Uberflip supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Uberflip, a new one is created after authentication. -### Test single sign-on +> [!Note] +> If you need to create a user manually, contact [Uberflip support team](mailto:support@uberflip.com). -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +### Test single sign-on -When you click the Uberflip tile in the Access Panel, you should get automatically signed-on to your Uberflip application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -## Additional resources +When you click the Uberflip tile in the Access Panel, you should be automatically signed in to the Uberflip for which you set up SSO. 
For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: ./media/uberflip-tutorial/tutorial_general_01.png -[2]: ./media/uberflip-tutorial/tutorial_general_02.png -[3]: ./media/uberflip-tutorial/tutorial_general_03.png -[4]: ./media/uberflip-tutorial/tutorial_general_04.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[100]: ./media/uberflip-tutorial/tutorial_general_100.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[200]: ./media/uberflip-tutorial/tutorial_general_200.png -[201]: ./media/uberflip-tutorial/tutorial_general_201.png -[202]: ./media/uberflip-tutorial/tutorial_general_202.png -[203]: ./media/uberflip-tutorial/tutorial_general_203.png diff --git a/articles/active-directory/saas-apps/useall-tutorial.md b/articles/active-directory/saas-apps/useall-tutorial.md index 590866020f83f..e44adc906c4d3 100644 --- a/articles/active-directory/saas-apps/useall-tutorial.md +++ b/articles/active-directory/saas-apps/useall-tutorial.md 
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 8dd9e452-a5b6-4a16-a97c-b60211ea6b95 ms.service: active-directory @@ -13,8 +13,8 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 10/30/2018 +ms.topic: tutorial +ms.date: 04/03/2019 ms.author: jeedes ms.collection: M365-identity-device-management 
@@ -22,37 +22,27 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Useall In this tutorial, you learn how to integrate Useall with Azure Active Directory (Azure AD). - Integrating Useall with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Useall. -- You can enable your users to automatically get signed-on to Useall (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Useall. +* You can enable your users to be automatically signed-in to Useall (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md) +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Useall, you need the following items: -- An Azure AD subscription -- A Useall single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Useall single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -1. Adding Useall from the gallery -2. Configuring and testing Azure AD single sign-on +* Useall supports **SP** initiated SSO ## Adding Useall from the gallery 
@@ -62,144 +52,138 @@ To configure the integration of Useall into Azure AD, you need to add Useall fro 1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] + ![The Enterprise applications blade](common/enterprise-applications.png) 3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) 4. In the search box, type **Useall**, select **Useall** from result panel then click **Add** button to add the application. - ![Useall in the results list](./media/useall-tutorial/tutorial_useall_addfromgallery.png) + ![Useall in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Useall based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Useall is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Useall needs to be established. +In this section, you configure and test Azure AD single sign-on with Useall based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Useall needs to be established. To configure and test Azure AD single sign-on with Useall, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. 
**[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Creating Useall test user](#creating-useall-test-user)** - to have a counterpart of Britta Simon in Useall that is linked to the Azure AD representation of user. -4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Useall Single Sign-On](#configure-useall-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Useall test user](#create-useall-test-user)** - to have a counterpart of Britta Simon in Useall that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Useall application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Useall, perform the following steps:** +To configure Azure AD single sign-on with Useall, perform the following steps: -1. In the Azure portal, on the **Useall** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Useall** application integration page, select **Single sign-on**. 
- ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -2. On the **Select a Single sign-on method** dialog, Click **Select** for **SAML** mode to enable single sign-on. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On](common/tutorial_general_301.png) + ![Single sign-on select mode](common/select-saml-option.png) 3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Configure Single Sign-On](common/editconfigure.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, perform the following steps: - ![Useall Domain and URLs single sign-on information](./media/useall-tutorial/tutorial_useall_url.png) + ![Useall Domain and URLs single sign-on information](common/sp-identifier.png) - a. In the **Sign on URL** textbox, type a URL using the following pattern: `https://.useall.com.br/tenant/useall` + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.useall.com.br/tenant/useall` - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.useall.com.br/tenant/apiuseall/saml2` + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://.useall.com.br/tenant/apiuseall/saml2` > [!NOTE] - > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Useall support team](mailto:luizotavio@useall.com.br) to get these values. + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Useall Client support team](mailto:luizotavio@useall.com.br) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. 5. 
On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. - ![The Certificate download link](./media/useall-tutorial/tutorial_useall_certificate.png) + ![The Certificate download link](common/copy-metadataurl.png) + +### Configure Useall Single Sign-On -6. To configure single sign-on on **Useall** side, you need to send the downloaded **App Federation Metadata Url** to [Useall support team](mailto:luizotavio@useall.com.br). They set this setting to have the SAML SSO connection set properly on both sides. +To configure single sign-on on **Useall** side, you need to send the **App Federation Metadata Url** to [Useall support team](mailto:luizotavio@useall.com.br). They set this setting to have the SAML SSO connection set properly on both sides. -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. 1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Create Azure AD User][100] + ![The "Users and groups" and "All users" links](common/users.png) 2. Select **New user** at the top of the screen. - ![Creating an Azure AD test user](common/create_aaduser_01.png) + ![New user Button](common/new-user.png) 3. In the User properties, perform the following steps. - ![Creating an Azure AD test user](common/create_aaduser_02.png) + ![The User dialog box](common/user-properties.png) - a. In the **Name** field, enter **BrittaSimon**. + a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - c. 
Select **Properties**, select the **Show password** check box, and then write down the value that's displayed in the Password box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. - d. Select **Create**. - -### Creating Useall test user - -In this section, you create a user called Britta Simon in Useall. Work with [Useall support team](mailto:luizotavio@useall.com.br) to add the users in the Useall platform. Users must be created and activated before you use single sign-on. + d. Click **Create**. -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Useall. -1. In the Azure portal, select **Enterprise Applications**, select **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Useall**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) 2. In the applications list, select **Useall**. - ![Configure Single Sign-On](./media/useall-tutorial/tutorial_useall_app.png) + ![The Useall link in the Applications list](common/all-applications.png) -3. In the menu on the left, click **Users and groups**. +3. In the menu on the left, select **Users and groups**. - ![Assign User][202] + ![The "Users and groups" link](common/users-groups-blade.png) -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][203] + ![The Add Assignment pane](common/add-assign-user.png) 5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -6. In the **Add Assignment** dialog select the **Assign** button. +6. 
If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -### Testing single sign-on +7. In the **Add Assignment** dialog click the **Assign** button. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +### Create Useall test user -When you click the Useall tile in the Access Panel, you should get automatically signed-on to your Useall application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +In this section, you create a user called Britta Simon in Useall. Work with [Useall support team](mailto:luizotavio@useall.com.br) to add the users in the Useall platform. Users must be created and activated before you use single sign-on. + +### Test single sign-on + +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -## Additional resources +When you click the Useall tile in the Access Panel, you should be automatically signed in to the Useall for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: common/tutorial_general_01.png -[2]: common/tutorial_general_02.png -[3]: common/tutorial_general_03.png -[4]: common/tutorial_general_04.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[100]: common/tutorial_general_100.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[200]: common/tutorial_general_200.png -[201]: common/tutorial_general_201.png -[202]: common/tutorial_general_202.png -[203]: common/tutorial_general_203.png diff --git a/articles/active-directory/saas-apps/userecho-tutorial.md b/articles/active-directory/saas-apps/userecho-tutorial.md index 73a402fad6937..327049a9b5edd 100644 --- a/articles/active-directory/saas-apps/userecho-tutorial.md +++ b/articles/active-directory/saas-apps/userecho-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: bedd916b-8f69-4b50-9b8d-56f4ee3bd3ed ms.service: active-directory 
@@ -12,187 +13,198 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 07/12/2017 +ms.topic: tutorial +ms.date: 03/29/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with UserEcho In this tutorial, you learn how to integrate UserEcho with Azure Active Directory (Azure AD). - Integrating UserEcho with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to UserEcho -- You can enable your users to automatically get signed-on to UserEcho (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to UserEcho. +* You can enable your users to be automatically signed-in to UserEcho (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with UserEcho, you need the following items: -- An Azure AD subscription -- A UserEcho single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can get a one-month trial here: [Trial offer](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* UserEcho single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding UserEcho from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* UserEcho supports **SP** initiated SSO ## Adding UserEcho from the gallery + To configure the integration of UserEcho into Azure AD, you need to add UserEcho from the gallery to your list of managed SaaS apps. **To add UserEcho from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **UserEcho**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/userecho-tutorial/tutorial_userecho_search.png) +4. 
In the search box, type **UserEcho**, select **UserEcho** from result panel then click **Add** button to add the application. -1. In the results panel, select **UserEcho**, and then click **Add** button to add the application. + ![UserEcho in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/userecho-tutorial/tutorial_userecho_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with UserEcho based on a test user called "Britta Simon". +In this section, you configure and test Azure AD single sign-on with UserEcho based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in UserEcho needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in UserEcho is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in UserEcho needs to be established. +To configure and test Azure AD single sign-on with UserEcho, you need to complete the following building blocks: -In UserEcho, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure UserEcho Single Sign-On](#configure-userecho-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. 
**[Create UserEcho test user](#create-userecho-test-user)** - to have a counterpart of Britta Simon in UserEcho that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with UserEcho, you need to complete the following building blocks: +### Configure Azure AD single sign-on + +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with UserEcho, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **UserEcho** application integration page, select **Single sign-on**. -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a UserEcho test user](#creating-a-userecho-test-user)** - to have a counterpart of Britta Simon in UserEcho that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. + ![Configure single sign-on link](common/select-sso.png) -### Configuring Azure AD single sign-on +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your UserEcho application. + ![Single sign-on select mode](common/select-saml-option.png) -**To configure Azure AD single sign-on with UserEcho, perform the following steps:** +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. 
In the Azure portal, on the **UserEcho** application integration page, click **Single sign-on**. + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On][4] +4. On the **Basic SAML Configuration** section, perform the following steps: -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_samlbase.png) + ![UserEcho Domain and URLs single sign-on information](common/sp-identifier.png) -1. On the **UserEcho Domain and URLs** section, perform the following steps: + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.userecho.com/` - ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_url.png) + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://.userecho.com/saml/metadata/` - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.userecho.com/` + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [UserEcho Client support team](https://feedback.userecho.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.userecho.com/saml/metadata/` +4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact [UserEcho Client support team](https://feedback.userecho.com/) to get these values. + ![The Certificate download link](common/certificatebase64.png) -1. 
On the **SAML Signing Certificate** section, click **Certificate(Base64)** and then save the certificate file on your computer. +6. On the **Set up UserEcho** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_certificate.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. Click **Save** button. + a. Login URL - ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_general_400.png) + b. Azure AD Identifier -1. On the **UserEcho Configuration** section, click **Configure UserEcho** to open **Configure sign-on** window. Copy the **Sign-Out URL and SAML Single Sign-On Service URL** from the **Quick Reference section.** + c. Logout URL - ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_configure.png) +### Configure UserEcho Single Sign-On 1. In another browser window, sign on to your UserEcho company site as an administrator. -1. In the toolbar on the top, click your user name to expand the menu, and then click **Setup**. +2. In the toolbar on the top, click your user name to expand the menu, and then click **Setup**. ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_06.png) -1. Click **Integrations**. +3. Click **Integrations**. ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_07.png) -1. Click **Website**, and then click **Single sign-on (SAML2)**. +4. Click **Website**, and then click **Single sign-on (SAML2)**. ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_08.png) -1. On the **Single sign-on (SAML)** page, perform the following steps: +5. On the **Single sign-on (SAML)** page, perform the following steps: ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_09.png) a. As **SAML-enabled**, select **Yes**. - b. Paste **SAML Single Sign-On Service URL**, which you have copied from the Azure portal into the **SAML SSO URL** textbox. + b. 
Paste **Login URL**, which you have copied from the Azure portal into the **SAML SSO URL** textbox. - c. Paste **Sign-Out URL**, which you have copied from the Azure portal into the **Remote logoout URL** textbox. + c. Paste **Logout URL**, which you have copied from the Azure portal into the **Remote Logout URL** textbox. d. Open your downloaded certificate in Notepad, copy the content, and then paste it into the **X.509 Certificate** textbox. e. Click **Save**. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> +### Create an Azure AD test user -### Creating an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. -![Create Azure AD User][100] +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -**To create a test user in Azure AD, perform the following steps:** + ![The "Users and groups" and "All users" links](common/users.png) -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +2. Select **New user** at the top of the screen. - ![Creating an Azure AD test user](./media/userecho-tutorial/create_aaduser_01.png) + ![New user Button](common/new-user.png) -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/userecho-tutorial/create_aaduser_02.png) +3. In the User properties, perform the following steps. -1. 
To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/userecho-tutorial/create_aaduser_03.png) + ![The User dialog box](common/user-properties.png) -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/userecho-tutorial/create_aaduser_04.png) + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - a. In the **Name** textbox, type **BrittaSimon**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. - b. In the **User name** textbox, type the **email address** of BrittaSimon. + d. Click **Create**. - c. Select **Show Password** and write down the value of the **Password**. +### Assign the Azure AD test user - d. Click **Create**. - -### Creating a UserEcho test user +In this section, you enable Britta Simon to use Azure single sign-on by granting access to UserEcho. + +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **UserEcho**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **UserEcho**. + + ![The UserEcho link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) + +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. + +6. 
If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create UserEcho test user The objective of this section is to create a user called Britta Simon in UserEcho. @@ -200,23 +212,23 @@ The objective of this section is to create a user called Britta Simon in UserEch 1. Sign-on to your UserEcho company site as an administrator. -1. In the toolbar on the top, click your user name to expand the menu, and then click **Setup**. +2. In the toolbar on the top, click your user name to expand the menu, and then click **Setup**. ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_06.png) -1. Click **Users**, to expand the **Users** section. +3. Click **Users**, to expand the **Users** section. ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_10.png) -1. Click **Users**. +4. Click **Users**. ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_11.png) -1. Click **Invite a new user**. +5. Click **Invite a new user**. ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_12.png) -1. On the **Invite a new user** dialog, perform the following steps: +6. On the **Invite a new user** dialog, perform the following steps: ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_13.png) 
@@ -226,60 +238,17 @@ The objective of this section is to create a user called Britta Simon in UserEch c. Click **Invite**. -An invitation is sent to Britta, which enables her to start using UserEcho. - -### Assigning the Azure AD test user - -In this section, you enable Britta Simon to use Azure single sign-on by granting access to UserEcho. - -![Assign User][200] - -**To assign Britta Simon to UserEcho, perform the following steps:** - -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. - - ![Assign User][201] - -1. In the applications list, select **UserEcho**. - - ![Configure Single Sign-On](./media/userecho-tutorial/tutorial_userecho_app.png) - -1. In the menu on the left, click **Users and groups**. - - ![Assign User][202] - -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. - - ![Assign User][203] - -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. - -1. Click **Select** button on **Users and groups** dialog. - -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on - -The objective of this section is to test your Azure AD SSO configuration using the Access Panel. - -When you click the UserEcho tile in the Access Panel, you should get automatically signed-on to your UserEcho application. +### Test single sign-on -## Additional resources +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +When you click the UserEcho tile in the Access Panel, you should be automatically signed in to the UserEcho for which you set up SSO. 
For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/userecho-tutorial/tutorial_general_01.png -[2]: ./media/userecho-tutorial/tutorial_general_02.png -[3]: ./media/userecho-tutorial/tutorial_general_03.png -[4]: ./media/userecho-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/userecho-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/userecho-tutorial/tutorial_general_200.png -[201]: ./media/userecho-tutorial/tutorial_general_201.png -[202]: ./media/userecho-tutorial/tutorial_general_202.png -[203]: ./media/userecho-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/uservoice-tutorial.md b/articles/active-directory/saas-apps/uservoice-tutorial.md index 298ab5f14da07..d5de632ebd479 100644 --- a/articles/active-directory/saas-apps/uservoice-tutorial.md +++ b/articles/active-directory/saas-apps/uservoice-tutorial.md @@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 684a405b-8932-46f6-b43a-4d97a42b6b87 ms.service: active-directory 
@@ -13,202 +13,220 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 07/21/2017 +ms.topic: tutorial +ms.date: 03/29/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with UserVoice In this tutorial, you learn how to integrate UserVoice with Azure Active Directory (Azure AD). - Integrating UserVoice with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to UserVoice. -- You can enable your users to automatically get signed-on to UserVoice (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to UserVoice. +* You can enable your users to be automatically signed-in to UserVoice (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with UserVoice, you need the following items: -- An Azure AD subscription -- A UserVoice single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* UserVoice single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding UserVoice from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* UserVoice supports **SP** initiated SSO ## Adding UserVoice from the gallery + To configure the integration of UserVoice into Azure AD, you need to add UserVoice from the gallery to your list of managed SaaS apps. **To add UserVoice from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. - - ![The New application button][3] + ![The Enterprise applications blade](common/enterprise-applications.png) -1. 
In the search box, type **UserVoice**, select **UserVoice** from result panel then click **Add** button to add the application. +3. To add new application, click **New application** button on the top of dialog. - ![UserVoice in the results list](./media/uservoice-tutorial/tutorial_uservoice_addfromgallery.png) + ![The New application button](common/add-new-app.png) -## Configure and test Azure AD single sign-on +4. In the search box, type **UserVoice**, select **UserVoice** from result panel then click **Add** button to add the application. -In this section, you configure and test Azure AD single sign-on with UserVoice based on a test user called "Britta Simon". + ![UserVoice in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know what the counterpart user in UserVoice is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in UserVoice needs to be established. +## Configure and test Azure AD single sign-on -In UserVoice, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with UserVoice based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in UserVoice needs to be established. To configure and test Azure AD single sign-on with UserVoice, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a UserVoice test user](#create-a-uservoice-test-user)** - to have a counterpart of Britta Simon in UserVoice that is linked to the Azure AD representation of user. -1. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure UserVoice Single Sign-On](#configure-uservoice-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create UserVoice test user](#create-uservoice-test-user)** - to have a counterpart of Britta Simon in UserVoice that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your UserVoice application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with UserVoice, perform the following steps:** +To configure Azure AD single sign-on with UserVoice, perform the following steps: -1. In the Azure portal, on the **UserVoice** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **UserVoice** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/uservoice-tutorial/tutorial_uservoice_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. 
+ + ![Single sign-on select mode](common/select-saml-option.png) + +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **UserVoice Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![UserVoice Domain and URLs single sign-on information](./media/uservoice-tutorial/tutorial_uservoice_url.png) +4. On the **Basic SAML Configuration** section, perform the following steps: - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.UserVoice.com` + ![UserVoice Domain and URLs single sign-on information](common/sp-identifier.png) - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.UserVoice.com` + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.UserVoice.com` - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact [UserVoice Client support team](https://www.uservoice.com/) to get these values. + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://.UserVoice.com` -1. On the **SAML Signing Certificate** section, copy the **THUMBPRINT** value of certificate. + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [UserVoice Client support team](https://www.uservoice.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - ![The Certificate download link](./media/uservoice-tutorial/tutorial_uservoice_certificate.png) +5. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog. -1. Click **Save** button. 
+ ![Edit SAML Signing Certificate](common/edit-certificate.png) - ![Configure Single Sign-On Save button](./media/uservoice-tutorial/tutorial_general_400.png) +6. In the **SAML Signing Certificate** section, copy the **Thumbprint** and save it on your computer. -1. On the **UserVoice Configuration** section, click **Configure UserVoice** to open **Configure sign-on** window. Copy the **Sign-Out URL, and SAML Single Sign-On Service URL** from the **Quick Reference section.** + ![Copy Thumbprint value](common/copy-thumbprint.png) - ![UserVoice Configuration](./media/uservoice-tutorial/tutorial_uservoice_configure.png) +7. On the **Set up UserVoice** section, copy the appropriate URL(s) as per your requirement. -1. In a different web browser window, log in to your UserVoice company site as an administrator. + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. In the toolbar on the top, click **Settings**, and then select **Web portal** from the menu. + a. Login URL + + b. Azure AD Identifier + + c. Logout URL + +### Configure UserVoice Single Sign-On + +1. In a different web browser window, sign in to your UserVoice company site as an administrator. + +2. In the toolbar on the top, click **Settings**, and then select **Web portal** from the menu. ![Settings Section On App Side](./media/uservoice-tutorial/ic777519.png "Settings") -1. On the **Web portal** tab, in the **User authentication** section, click **Edit** to open the **Edit User Authentication** dialog page. +3. On the **Web portal** tab, in the **User authentication** section, click **Edit** to open the **Edit User Authentication** dialog page. ![Web portal Tab](./media/uservoice-tutorial/ic777520.png "Web portal") -1. On the **Edit User Authentication** dialog page, perform the following steps: +4. On the **Edit User Authentication** dialog page, perform the following steps: ![Edit user authentication](./media/uservoice-tutorial/ic777521.png "Edit user authentication") a. 
Click **Single Sign-On (SSO)**. - b. Paste the **SAML Single Sign-On Service URL** value, which you have copied from the Azure portal into the **SSO Remote Sign-In** textbox. + b. Paste the **Login URL** value, which you have copied from the Azure portal into the **SSO Remote Sign-In** textbox. - c. Paste the **Sign-Out URL** value, which you have copied from the Azure portal into the **SSO Remote Sign-Out textbox**. + c. Paste the **Logout URL** value, which you have copied from the Azure portal into the **SSO Remote Sign-Out textbox**. - d. Paste the **Thumbprint** value , which you have copied from Azure portal into the **Current certificate SHA1 fingerprint** textbox. + d. Paste the **Thumbprint** value , which you have copied from Azure portal into the **Current certificate SHA1 fingerprint** textbox. e. Click **Save authentication settings**. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> - -### Create an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![Create an Azure AD test user][100] +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. + + ![The "Users and groups" and "All users" links](common/users.png) -**To create a test user in Azure AD, perform the following steps:** +2. Select **New user** at the top of the screen. -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. 
+ ![New user Button](common/new-user.png) - ![The Azure Active Directory button](./media/uservoice-tutorial/create_aaduser_01.png) +3. In the User properties, perform the following steps. -1. To display the list of users, go to **Users and groups**, and then click **All users**. + ![The User dialog box](common/user-properties.png) - ![The "Users and groups" and "All users" links](./media/uservoice-tutorial/create_aaduser_02.png) + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. - ![The Add button](./media/uservoice-tutorial/create_aaduser_03.png) + d. Click **Create**. -1. In the **User** dialog box, perform the following steps: +### Assign the Azure AD test user - ![The User dialog box](./media/uservoice-tutorial/create_aaduser_04.png) +In this section, you enable Britta Simon to use Azure single sign-on by granting access to UserVoice. - a. In the **Name** box, type **BrittaSimon**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **UserVoice**. - b. In the **User name** box, type the email address of user Britta Simon. + ![Enterprise applications blade](common/enterprise-applications.png) - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. +2. In the applications list, select **UserVoice**. - d. Click **Create**. - -### Create a UserVoice test user + ![The UserVoice link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. 
+ + ![The "Users and groups" link](common/users-groups-blade.png) -To enable Azure AD users to log in to UserVoice, they must be provisioned into UserVoice. In the case of UserVoice, provisioning is a manual task. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. + +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create UserVoice test user + +To enable Azure AD users to sign in to UserVoice, they must be provisioned into UserVoice. In the case of UserVoice, provisioning is a manual task. ### To provision a user account, perform the following steps: -1. Log in to your **UserVoice** tenant. -1. Go to **Settings**. +1. Sign in to your **UserVoice** tenant. + +2. Go to **Settings**. ![Settings](./media/uservoice-tutorial/ic777811.png "Settings") -1. Click **General**. +3. Click **General**. -1. Click **Agents and permissions**. +4. Click **Agents and permissions**. ![Agents and permissions](./media/uservoice-tutorial/ic777812.png "Agents and permissions") -1. Click **Add admins**. +5. Click **Add admins**. ![Add admins](./media/uservoice-tutorial/ic777813.png "Add admins") -1. On the **Invite admins** dialog, perform the following steps: +6. On the **Invite admins** dialog, perform the following steps: ![Invite admins](./media/uservoice-tutorial/ic777814.png "Invite admins") 
@@ -219,61 +237,17 @@ To enable Azure AD users to log in to UserVoice, they must be provisioned into U > [!NOTE] > You can use any other UserVoice user account creation tools or APIs provided by UserVoice to provision AAD user accounts. -### Assign the Azure AD test user - -In this section, you enable Britta Simon to use Azure single sign-on by granting access to UserVoice. - -![Assign the user role][200] - -**To assign Britta Simon to UserVoice, perform the following steps:** - -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. - - ![Assign User][201] - -1. In the applications list, select **UserVoice**. - - ![The UserVoice link in the Applications list](./media/uservoice-tutorial/tutorial_uservoice_app.png) - -1. In the menu on the left, click **Users and groups**. - - ![The "Users and groups" link][202] - -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. - - ![The Add Assignment pane][203] - -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. - -1. Click **Select** button on **Users and groups** dialog. - -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the UserVoice tile in the Access Panel, you should get automatically signed-on to your UserVoice application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). 
- -## Additional resources - -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - - +When you click the UserVoice tile in the Access Panel, you should be automatically signed in to the UserVoice for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/uservoice-tutorial/tutorial_general_01.png -[2]: ./media/uservoice-tutorial/tutorial_general_02.png -[3]: ./media/uservoice-tutorial/tutorial_general_03.png -[4]: ./media/uservoice-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/uservoice-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/uservoice-tutorial/tutorial_general_200.png -[201]: ./media/uservoice-tutorial/tutorial_general_201.png -[202]: ./media/uservoice-tutorial/tutorial_general_202.png -[203]: ./media/uservoice-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/velpic-provisioning-tutorial.md b/articles/active-directory/saas-apps/velpic-provisioning-tutorial.md index 5024b6f8af201..8d92ce578eef2 100644 --- a/articles/active-directory/saas-apps/velpic-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/velpic-provisioning-tutorial.md 
@@ -14,15 +14,14 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/01/2019 +ms.date: 03/27/2019 ms.author: zhchia ms.collection: M365-identity-device-management --- # Tutorial: Configuring Velpic for Automatic User Provisioning - -The objective of this tutorial is to show you the steps you need to perform in Velpic and Azure AD to automatically provision and de-provision user accounts from Azure AD to Velpic. +The objective of this tutorial is to show you the steps you need to perform in Velpic and Azure AD to automatically provision and de-provision user accounts from Azure AD to Velpic. > [!NOTE] > This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md). @@ -31,9 +30,9 @@ The objective of this tutorial is to show you the steps you need to perform in V The scenario outlined in this tutorial assumes that you already have the following items: -* An Azure Active Directory tenant -* A Velpic tenant with the [Enterprise plan](https://www.velpic.com/pricing.html) or better enabled -* A user account in Velpic with Admin permissions +* An Azure Active Directory tenant +* A Velpic tenant with the [Enterprise plan](https://www.velpic.com/pricing.html) or better enabled +* A user account in Velpic with Admin permissions ## Assigning users to Velpic 
@@ -45,32 +44,30 @@ Before configuring and enabling the provisioning service, you will need to decid ### Important tips for assigning users to Velpic -* It is recommended that a single Azure AD user be assigned to Velpic to test the provisioning configuration. Additional users and/or groups may be assigned later. - -* When assigning a user to Velpic, you must select either the **User** role, or another valid application-specific role (if available) in the assignment dialog. Note that the **Default Access** role does not work for provisioning, and these users will be skipped. +* It is recommended that a single Azure AD user be assigned to Velpic to test the provisioning configuration. Additional users and/or groups may be assigned later. +* When assigning a user to Velpic, you must select either the **User** role, or another valid application-specific role (if available) in the assignment dialog. Note that the **Default Access** role does not work for provisioning, and these users will be skipped. -## Configuring user provisioning to Velpic +## Configuring user provisioning to Velpic This section guides you through connecting your Azure AD to Velpic's user account provisioning API, and configuring the provisioning service to create, update and disable assigned user accounts in Velpic based on user and group assignment in Azure AD. ->[!TIP] ->You may also choose to enabled SAML-based Single Sign-On for Velpic, following the instructions provided in [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other. - +> [!TIP] +> You may also choose to enabled SAML-based Single Sign-On for Velpic, following the instructions provided in [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other. 
### To configure automatic user account provisioning to Velpic in Azure AD: -1. In the [Azure portal](https://portal.azure.com), browse to the **Azure Active Directory > Enterprise Apps > All applications** section. +1. In the [Azure portal](https://portal.azure.com), browse to the **Azure Active Directory > Enterprise Apps > All applications** section. 2. If you have already configured Velpic for single sign-on, search for your instance of Velpic using the search field. Otherwise, select **Add** and search for **Velpic** in the application gallery. Select Velpic from the search results, and add it to your list of applications. -3. Select your instance of Velpic, then select the **Provisioning** tab. +3. Select your instance of Velpic, then select the **Provisioning** tab. -4. Set the **Provisioning Mode** to **Automatic**. +4. Set the **Provisioning Mode** to **Automatic**. ![Velpic Provisioning](./media/velpic-provisioning-tutorial/Velpic1.png) -5. Under the **Admin Credentials** section, input the **Tenant URL&Secret Token** of Velpic.(You can find these values under your Velpic account: **Manage** > **Integration** > **Plugin** > **SCIM**) +5. Under the **Admin Credentials** section, input the **Tenant URL&Secret Token** of Velpic.(You can find these values under your Velpic account: **Manage** > **Integration** > **Plugin** > **SCIM**) ![Authorization Values](./media/velpic-provisioning-tutorial/Velpic2.png) @@ -78,7 +75,7 @@ This section guides you through connecting your Azure AD to Velpic's user accoun 7. Enter the email address of a person or group who should receive provisioning error notifications in the **Notification Email** field, and check the checkbox below. -8. Click **Save**. +8. Click **Save**. 9. Under the Mappings section, select **Synchronize Azure Active Directory Users to Velpic**. 
@@ -86,13 +83,12 @@ This section guides you through connecting your Azure AD to Velpic's user accoun 11. To enable the Azure AD provisioning service for Velpic, change the **Provisioning Status** to **On** in the **Settings** section -12. Click **Save**. +12. Click **Save**. This will start the initial synchronization of any users and/or groups assigned to Velpic in the Users and Groups section. Note that the initial sync will take longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity reports, which describe all actions performed by the provisioning service. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). - ## Additional resources * [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) diff --git a/articles/active-directory/saas-apps/velpicsaml-tutorial.md b/articles/active-directory/saas-apps/velpicsaml-tutorial.md index ec3d2fed9735d..1f94e922ad102 100644 --- a/articles/active-directory/saas-apps/velpicsaml-tutorial.md +++ b/articles/active-directory/saas-apps/velpicsaml-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 28acce3e-22a0-4a37-8b66-6e518d777350 ms.service: active-directory @@ -12,8 +13,8 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 04/04/2017 +ms.topic: tutorial +ms.date: 04/03/2019 ms.author: jeedes ms.collection: M365-identity-device-management 
@@ -21,137 +22,136 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Velpic SAML In this tutorial, you learn how to integrate Velpic SAML with Azure Active Directory (Azure AD). - Integrating Velpic SAML with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Velpic SAML -- You can enable your users to automatically get signed-on to Velpic SAML (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure Management portal +* You can control in Azure AD who has access to Velpic SAML. +* You can enable your users to be automatically signed-in to Velpic SAML (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Velpic SAML, you need the following items: -- An Azure AD subscription -- A Velpic SAML single-sign on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- You should not use your production environment, unless this is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). 
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Velpic SAML single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Velpic SAML from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Velpic SAML supports **SP** initiated SSO ## Adding Velpic SAML from the gallery + To configure the integration of Velpic SAML into Azure AD, you need to add Velpic SAML from the gallery to your list of managed SaaS apps. **To add Velpic SAML from the gallery, perform the following steps:** -1. In the **[Azure Management Portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. Click **Add** button on the top of the dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Velpic SAML**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/velpicsaml-tutorial/tutorial_velpicsaml_search.png) +4. In the search box, type **Velpic SAML**, select **Velpic SAML** from result panel then click **Add** button to add the application. -1. 
In the results panel, select **Velpic SAML**, and then click **Add** button to add the application. + ![Velpic SAML in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/velpicsaml-tutorial/tutorial_velpicsaml_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Velpic SAML based on a test user called "Britta Simon". +In this section, you configure and test Azure AD single sign-on with Velpic SAML based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Velpic SAML needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Velpic SAML is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Velpic SAML needs to be established. +To configure and test Azure AD single sign-on with Velpic SAML, you need to complete the following building blocks: -This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Velpic SAML. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Velpic SAML Single Sign-On](#configure-velpic-saml-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Velpic SAML test user](#create-velpic-saml-test-user)** - to have a counterpart of Britta Simon in Velpic SAML that is linked to the Azure AD representation of user. +6. 
**[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with Velpic SAML, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a Velpic SAML test user](#creating-a-velpic-saml-test-user)** - to have a counterpart of Britta Simon in Velpic SAML that is linked to the Azure AD representation of her. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with Velpic SAML, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure Management portal and configure single sign-on in your Velpic SAML application. +1. In the [Azure portal](https://portal.azure.com/), on the **Velpic SAML** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Velpic SAML, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure Management portal, on the **Velpic SAML** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, as **Mode** select **SAML-based Sign-on** to enable single sign on. 
- - ![Configure Single Sign-On](./media/velpicsaml-tutorial/tutorial_velpicsaml_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. Enter the details in the **Velpic SAML Domain and URLs** section- + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/velpicsaml-tutorial/tutorial_velpicsaml_url.png) +4. On the **Basic SAML Configuration** section, perform the following steps: - a. In the **Sign-on URL** textbox, type the value as: `https://.velpicsaml.net` + ![Velpic SAML Domain and URLs single sign-on information](common/sp-identifier.png) + + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.velpicsaml.net` + + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://auth.velpic.com/saml/v2//login` - b. In the **Identifier** textbox, paste the **‘Single sign on URL’** value `https://auth.velpic.com/saml/v2//login` - > [!NOTE] > Please note that the Sign on URL will be provided by the Velpic SAML team and Identifier value will be available when you configure the SSO Plugin on Velpic SAML side. You need to copy that value from Velpic SAML application page and paste it here. -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the XML file on your computer. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/metadataxml.png) + +6. On the **Set up Velpic SAML** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On](./media/velpicsaml-tutorial/tutorial_velpicsaml_certificate.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. Click **Save** button. 
+ a. Login URL - ![Configure Single Sign-On](./media/velpicsaml-tutorial/tutorial_general_400.png) + b. Azure AD Identifier -1. On the Velpic SAML Configuration section, click Configure Velpic SAML to open Configure sign-on window. Copy the SAML Entity ID from the Quick Reference section. + c. Logout URL -1. In a different web browser window, log into your Velpic SAML company site as an administrator. +### Configure Velpic SAML Single Sign-On -1. Click on **Manage** tab and go to **Integration** section where you need to click on **Plugins** button to create new plugin for Sign-In. +1. In a different web browser window, sign into your Velpic SAML company site as an administrator. + +2. Click on **Manage** tab and go to **Integration** section where you need to click on **Plugins** button to create new plugin for Sign-In. ![Plugin](./media/velpicsaml-tutorial/velpic_1.png) -1. Click on the **‘Add plugin’** button. +3. Click on the **‘Add plugin’** button. ![Plugin](./media/velpicsaml-tutorial/velpic_2.png) -1. Click on the **SAML** tile in the Add Plugin page. +4. Click on the **SAML** tile in the Add Plugin page. ![Plugin](./media/velpicsaml-tutorial/velpic_3.png) -1. Enter the name of the new SAML plugin and click the **‘Add’** button. +5. Enter the name of the new SAML plugin and click the **‘Add’** button. ![Plugin](./media/velpicsaml-tutorial/velpic_4.png) -1. Enter the details as follows: +6. Enter the details as follows: ![Plugin](./media/velpicsaml-tutorial/velpic_5.png) a. In the **Name** textbox, type the name of SAML plugin. - b. In the **Issuer URL** textbox, paste the **SAML Entity ID** you copied from the **Configure sign-on** window of the Azure portal. + b. In the **Issuer URL** textbox, paste the **Azure AD Identifier** you copied from the **Configure sign-on** window of the Azure portal. c. In the **Provider Metadata Config** upload the Metadata XML file which you downloaded from Azure portal. 
@@ -161,94 +161,83 @@ In this section, you enable Azure AD single sign-on in the Azure Management port f. Click **Save**. -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure Management portal called Britta Simon. - -![Create Azure AD User][100] +### Create an Azure AD test user -**To create a test user in Azure AD, perform the following steps:** +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. In the **Azure Management portal**, on the left navigation pane, click **Azure Active Directory** icon. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Creating an Azure AD test user](./media/velpicsaml-tutorial/create_aaduser_01.png) + ![The "Users and groups" and "All users" links](common/users.png) -1. Go to **Users and groups** and click **All users** to display the list of users. - - ![Creating an Azure AD test user](./media/velpicsaml-tutorial/create_aaduser_02.png) +2. Select **New user** at the top of the screen. -1. At the top of the dialog click **Add** to open the **User** dialog. - - ![Creating an Azure AD test user](./media/velpicsaml-tutorial/create_aaduser_03.png) + ![New user Button](common/new-user.png) -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/velpicsaml-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** textbox, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - c. Select **Show Password** and write down the value of the **Password**. + c. 
Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Creating a Velpic SAML test user -This step is usually not required as the application supports just in time user provisioning. If the automatic user provisioning is not enabled then manual user creation can be done as described below. +### Assign the Azure AD test user -Log into your Velpic SAML company site as an administrator and perform following steps: - -1. Click on Manage tab and go to Users section, then click on New button to add users. +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Velpic SAML. - ![add user](./media/velpicsaml-tutorial/velpic_7.png) +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Velpic SAML**. -1. On the **“Create New User”** dialog page, perform the following steps. + ![Enterprise applications blade](common/enterprise-applications.png) - ![user](./media/velpicsaml-tutorial/velpic_8.png) - - a. In the **First Name** textbox, type the first name of Britta Simon. +2. In the applications list, select **Velpic SAML**. - b. In the **Last Name** textbox, type the last name of Britta Simon. + ![The Velpic SAML link in the Applications list](common/all-applications.png) - c. In the **User Name** textbox, type the user name of Britta Simon. +3. In the menu on the left, select **Users and groups**. - d. In the **Email** textbox, type the email address of Britta Simon account. - - e. Rest of the information is optional, you can fill it if needed. - - f. Click **SAVE**. + ![The "Users and groups" link](common/users-groups-blade.png) -### Assigning the Azure AD test user +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -In this section, you enable Britta Simon to use Azure single sign-on by granting her access to Velpic SAML. 
+ ![The Add Assignment pane](common/add-assign-user.png) -![Assign User][200] +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -**To assign Britta Simon to Velpic SAML, perform the following steps:** +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. In the Azure Management portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +7. In the **Add Assignment** dialog click the **Assign** button. - ![Assign User][201] +### Create Velpic SAML test user -1. In the applications list, select **Velpic SAML**. +This step is usually not required as the application supports just in time user provisioning. If the automatic user provisioning is not enabled then manual user creation can be done as described below. - ![Configure Single Sign-On](./media/velpicsaml-tutorial/tutorial_velpicsaml_app.png) +Sign into your Velpic SAML company site as an administrator and perform following steps: + +1. Click on Manage tab and go to Users section, then click on New button to add users. -1. In the menu on the left, click **Users and groups**. + ![add user](./media/velpicsaml-tutorial/velpic_7.png) - ![Assign User][202] +2. On the **“Create New User”** dialog page, perform the following steps. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. + ![user](./media/velpicsaml-tutorial/velpic_8.png) + + a. In the **First Name** textbox, type the first name of Britta. - ![Assign User][203] + b. In the **Last Name** textbox, type the last name of Simon. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. + c. In the **User Name** textbox, type the user name of Britta Simon. -1. 
Click **Select** button on **Users and groups** dialog. + d. In the **Email** textbox, type the email address of Brittasimon@contoso.com account. -1. Click **Assign** button on **Add Assignment** dialog. + e. Rest of the information is optional, you can fill it if needed. -### Testing single sign-on + f. Click **SAVE**. + +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. @@ -258,25 +247,11 @@ In this section, you test your Azure AD single sign-on configuration using the A 1. Click on the **‘Log In With Azure AD’** button to log in to Velpic using your Azure AD account. +## Additional Resources -## Additional resources - -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - - - - - -[1]: ./media/velpicsaml-tutorial/tutorial_general_01.png -[2]: ./media/velpicsaml-tutorial/tutorial_general_02.png -[3]: ./media/velpicsaml-tutorial/tutorial_general_03.png -[4]: ./media/velpicsaml-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/velpicsaml-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/velpicsaml-tutorial/tutorial_general_200.png -[201]: ./media/velpicsaml-tutorial/tutorial_general_201.png -[202]: ./media/velpicsaml-tutorial/tutorial_general_202.png -[203]: ./media/velpicsaml-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 
diff --git a/articles/active-directory/saas-apps/veritas-tutorial.md b/articles/active-directory/saas-apps/veritas-tutorial.md index 104ce0679eaf6..76d8311624818 100644 --- a/articles/active-directory/saas-apps/veritas-tutorial.md +++ b/articles/active-directory/saas-apps/veritas-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila +manager: mtillman +ms.reviewer: barbkess ms.assetid: c47894b1-f5df-4755-845d-f12f4c602dc4 ms.service: active-directory 
@@ -12,230 +13,199 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 01/31/2017 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Veritas Enterprise Vault.cloud SSO In this tutorial, you learn how to integrate Veritas Enterprise Vault.cloud SSO with Azure Active Directory (Azure AD). - Integrating Veritas Enterprise Vault.cloud SSO with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Veritas Enterprise Vault.cloud SSO -- You can enable your users to automatically get signed-on to Veritas Enterprise Vault.cloud SSO (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Veritas Enterprise Vault.cloud SSO. +* You can enable your users to be automatically signed-in to Veritas Enterprise Vault.cloud SSO (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with Veritas Enterprise Vault.cloud SSO, you need the following items: -- An Azure AD subscription -- A Veritas Enterprise Vault.cloud SSO single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Veritas Enterprise Vault.cloud SSO single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Veritas Enterprise Vault.cloud SSO from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Veritas Enterprise Vault.cloud SSO supports **SP** initiated SSO ## Adding Veritas Enterprise Vault.cloud SSO from the gallery + To configure the integration of Veritas Enterprise Vault.cloud SSO into Azure AD, you need to add Veritas Enterprise Vault.cloud SSO from the gallery to your list of managed SaaS apps. **To add Veritas Enterprise Vault.cloud SSO from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. 
Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Veritas Enterprise Vault.cloud SSO**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/veritas-tutorial/tutorial_veritas_search.png) +4. In the search box, type **Veritas Enterprise Vault.cloud SSO**, select **Veritas Enterprise Vault.cloud SSO** from result panel then click **Add** button to add the application. -1. In the results panel, select **Veritas Enterprise Vault.cloud SSO**, and then click **Add** button to add the application. + ![Veritas Enterprise Vault.cloud SSO in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/veritas-tutorial/tutorial_veritas_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Veritas Enterprise Vault.cloud SSO based on a test user called "Britta Simon". +In this section, you configure and test Azure AD single sign-on with Veritas Enterprise Vault.cloud SSO based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Veritas Enterprise Vault.cloud SSO needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Veritas Enterprise Vault.cloud SSO is to a user in Azure AD. 
In other words, a link relationship between an Azure AD user and the related user in Veritas Enterprise Vault.cloud SSO needs to be established. +To configure and test Azure AD single sign-on with Veritas Enterprise Vault.cloud SSO, you need to complete the following building blocks: -In Veritas Enterprise Vault.cloud SSO, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Veritas Enterprise Vault.cloud SSO Single Sign-On](#configure-veritas-enterprise-vaultcloud-sso-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Veritas Enterprise Vault.cloud SSO test user](#create-veritas-enterprise-vaultcloud-sso-test-user)** - to have a counterpart of Britta Simon in Veritas Enterprise Vault.cloud SSO that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with Veritas Enterprise Vault.cloud SSO, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. 
**[Creating a Veritas Enterprise Vault.cloud SSO test user](#creating-a-veritas-enterprise-vaultcloud-sso-test-user)** - to have a counterpart of Britta Simon in Veritas Enterprise Vault.cloud SSO that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with Veritas Enterprise Vault.cloud SSO, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Veritas Enterprise Vault.cloud SSO application. +1. In the [Azure portal](https://portal.azure.com/), on the **Veritas Enterprise Vault.cloud SSO** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Veritas Enterprise Vault.cloud SSO, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Veritas Enterprise Vault.cloud SSO** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/veritas-tutorial/tutorial_veritas_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. 
On the **Veritas Enterprise Vault.cloud SSO Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/veritas-tutorial/tutorial_veritas_url.png) +4. On the **Basic SAML Configuration** section, perform the following steps: - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://personal.ap.archive.veritas.com/CID=` + ![Veritas Enterprise Vault.cloud SSO Domain and URLs single sign-on information](common/sp-identifier-reply.png) - b. In the **Identifier** textbox, use the URL as per the Datacenter + a. In the **Sign-on URL** text box, type a URL using the following pattern: + `https://personal.ap.archive.veritas.com/CID=` - | Datacenter| URL | + b. In the **Identifier** box, use the URL as per the Datacenter: + + | Datacenter| URL | |----------|----| | North America| `https://auth.lax.archivecloud.net` | | Europe | `https://auth.ams.archivecloud.net` | | Asia Pacific| `https://auth.syd.archivecloud.net`| - c. In the **Reply URL** textbox, use the URL as per the Datacenter + c. In the **Reply URL** text box, use the URL as per the Datacenter: - | Datacenter| URL | + | Datacenter| URL | |----------|----| | North America| `https://auth.lax.archivecloud.net` | | Europe | `https://auth.ams.archivecloud.net` | | Asia Pacific| `https://auth.syd.archivecloud.net`| - - > [!NOTE] - > This value is not real. Update this value with the actual Sign-On URL. Contact [Veritas Enterprise Vault.cloud SSO Client support team](https://www.veritas.com/support/.html) to get this value. -1. On the **SAML Signing Certificate** section, click **Certificate(Base64)** and then save the certificate file on your computer. + > [!NOTE] + > This value is not real. Update this value with the actual Sign-On URL. Contact [Veritas Enterprise Vault.cloud SSO Client support team](https://www.veritas.com/support/.html) to get this value. 
You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - ![Configure Single Sign-On](./media/veritas-tutorial/tutorial_veritas_certificate.png) +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. -1. Click **Save** button. + ![The Certificate download link](common/certificatebase64.png) - ![Configure Single Sign-On](./media/veritas-tutorial/tutorial_general_400.png) +6. On the **Set up Veritas Enterprise Vault.cloud SSO** section, copy the appropriate URL(s) as per your requirement. -1. On the **Veritas Enterprise Vault.cloud SSO Configuration** section, click **Configure Veritas Enterprise Vault.cloud SSO** to open **Configure sign-on** window. Copy the **SAML Single Sign-On Service URL** from the **Quick Reference section.** + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![Configure Single Sign-On](./media/veritas-tutorial/tutorial_veritas_configure.png) + a. Login URL -1. To configure single sign-on on **Veritas Enterprise Vault.cloud SSO** side, you need to send the downloaded **Certificate(Base64)** and **SAML Single Sign-On Service URL** to [Veritas Enterprise Vault.cloud SSO support team](https://www.veritas.com/support/.html). + b. Azure AD Identifier -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> + c. 
Logout URL -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. +### Configure Veritas Enterprise Vault.cloud SSO Single Sign-On -![Create Azure AD User][100] +To configure single sign-on on **Veritas Enterprise Vault.cloud SSO** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Veritas Enterprise Vault.cloud SSO support team](https://www.veritas.com/support/.html). They set this setting to have the SAML SSO connection set properly on both sides. -**To create a test user in Azure AD, perform the following steps:** +### Create an Azure AD test user -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![Creating an Azure AD test user](./media/veritas-tutorial/create_aaduser_01.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/veritas-tutorial/create_aaduser_02.png) + ![The "Users and groups" and "All users" links](common/users.png) -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/veritas-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/veritas-tutorial/create_aaduser_04.png) + ![New user Button](common/new-user.png) - a. In the **Name** textbox, type **BrittaSimon**. +3. In the User properties, perform the following steps. - b. In the **User name** textbox, type the **email address** of BrittaSimon. + ![The User dialog box](common/user-properties.png) - c. 
Select **Show Password** and write down the value of the **Password**. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - d. Click **Create**. - -### Creating a Veritas Enterprise Vault.cloud SSO test user + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -In this section, you create a user called Britta Simon in Enterprise Vault.cloud SSO. Work with [Veritas Enterprise Vault.cloud SSO support team](https://www.veritas.com/support/.html) to add the users in the Enterprise Vault.cloud SSO platform. Users must be created and activated before you use single sign-on. + d. Click **Create**. -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Veritas Enterprise Vault.cloud SSO. -![Assign User][200] - -**To assign Britta Simon to Veritas Enterprise Vault.cloud SSO, perform the following steps:** +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Veritas Enterprise Vault.cloud SSO**. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. + ![Enterprise applications blade](common/enterprise-applications.png) - ![Assign User][201] +2. In the applications list, select **Veritas Enterprise Vault.cloud SSO**. -1. In the applications list, select **Veritas Enterprise Vault.cloud SSO**. + ![The Veritas Enterprise Vault.cloud SSO link in the Applications list](common/all-applications.png) - ![Configure Single Sign-On](./media/veritas-tutorial/tutorial_veritas_app.png) +3. In the menu on the left, select **Users and groups**. -1. In the menu on the left, click **Users and groups**. 
+ ![The "Users and groups" link](common/users-groups-blade.png) - ![Assign User][202] +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. + ![The Add Assignment pane](common/add-assign-user.png) - ![Assign User][203] +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. Click **Select** button on **Users and groups** dialog. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +### Create Veritas Enterprise Vault.cloud SSO test user -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +In this section, you create a user called Britta Simon in Veritas Enterprise Vault.cloud SSO. Work with [Veritas Enterprise Vault.cloud SSO support team](https://www.veritas.com/support/.html) to add the users in the Veritas Enterprise Vault.cloud SSO platform. Users must be created and activated before you use single sign-on. -When you click the Veritas Enterprise Vault.cloud SSO tile in the Access Panel, you should get automatically signed-on to your Veritas Enterprise Vault.cloud SSO application. +### Test single sign-on -## Additional resources +In this section, you test your Azure AD single sign-on configuration using the Access Panel. 
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +When you click the Veritas Enterprise Vault.cloud SSO tile in the Access Panel, you should be automatically signed in to the Veritas Enterprise Vault.cloud SSO for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/veritas-tutorial/tutorial_general_01.png -[2]: ./media/veritas-tutorial/tutorial_general_02.png -[3]: ./media/veritas-tutorial/tutorial_general_03.png -[4]: ./media/veritas-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/veritas-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/veritas-tutorial/tutorial_general_200.png -[201]: ./media/veritas-tutorial/tutorial_general_201.png -[202]: ./media/veritas-tutorial/tutorial_general_202.png -[203]: ./media/veritas-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/versal-tutorial.md b/articles/active-directory/saas-apps/versal-tutorial.md index 7ae4f6b275cba..0ce4f7bd38f39 100644 --- a/articles/active-directory/saas-apps/versal-tutorial.md +++ b/articles/active-directory/saas-apps/versal-tutorial.md 
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: 5b2e53c0-61a3-4954-ae46-8c28c6368bfd
 ms.service: active-directory
@@ -13,193 +13,181 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 08/22/2017 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Versal In this tutorial, you learn how to integrate Versal with Azure Active Directory (Azure AD). - Integrating Versal with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Versal. -- You can enable your users to automatically get signed-on to Versal (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Versal. +* You can enable your users to be automatically signed-in to Versal (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Versal, you need the following items: -- An Azure AD subscription -- A Versal single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Versal single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Versal from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Versal supports **IDP** initiated SSO ## Adding Versal from the gallery + To configure the integration of Versal into Azure AD, you need to add Versal from the gallery to your list of managed SaaS apps. **To add Versal from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Versal**, select **Versal** from result panel then click **Add** button to add the application. 
+ ![The New application button](common/add-new-app.png) - ![Versal in the results list](./media/versal-tutorial/tutorial_versal_addfromgallery.png) +4. In the search box, type **Versal**, select **Versal** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on - -In this section, you configure and test Azure AD single sign-on with Versal based on a test user called "Britta Simon". + ![Versal in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know what the counterpart user in Versal is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Versal needs to be established. +## Configure and test Azure AD single sign-on -In Versal, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with Versal based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Versal needs to be established. To configure and test Azure AD single sign-on with Versal, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a Versal test user](#create-a-versal-test-user)** - to have a counterpart of Britta Simon in Versal that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. 
**[Configure Versal Single Sign-On](#configure-versal-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Versal test user](#create-versal-test-user)** - to have a counterpart of Britta Simon in Versal that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Versal application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Versal, perform the following steps:** +To configure Azure AD single sign-on with Versal, perform the following steps: -1. In the Azure portal, on the **Versal** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Versal** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/versal-tutorial/tutorial_versal_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. On the **Versal Domain and URLs** section, perform the following steps: + ![Single sign-on select mode](common/select-saml-option.png) - ![Versal Domain and URLs single sign-on information](./media/versal-tutorial/tutorial_versal_url.png) +3. 
On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - a. In the **Identifier** textbox, type the value: `VERSAL` + ![Edit Basic SAML Configuration](common/edit-urls.png) - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://versal.com/sso/saml/orgs/` +4. On the **Set up Single Sign-On with SAML** page, perform the following steps: - > [!NOTE] - > Reply URL value is not real. Update this value with the actual Reply URL. Contact [Versal support team](https://support.versal.com/hc/) to get this value. - -1. Your application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **User Identifier** is **user.userprincipalname** but **Versal** expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration. - - ![User Identifier dropdown menu](./media/versal-tutorial/tutorial_versal_attribute.png) + ![Versal Domain and URLs single sign-on information](common/idp-intiated.png) -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + a. In the **Identifier** text box, type a URL: + `VERSAL` - ![The Certificate download link](./media/versal-tutorial/tutorial_versal_certificate.png) + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://versal.com/sso/saml/orgs/` -1. Click **Save** button. + > [!NOTE] + > The Reply URL value is not real. Update this value with the actual Reply URL. Contact [Versal Client support team](https://support.versal.com/hc/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. 
- ![Configure Single Sign-On Save button](./media/versal-tutorial/tutorial_general_400.png) - -1. To configure single sign-on on **Versal** side, you need to send the downloaded **Metadata XML** and **SAML Signing Certificate** to [Versal support team](https://support.versal.com/hc/). They will configure your Versal organization to have the SAML SSO connection set properly on both sides. +5. Versal application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. Versal application expects **nameidentifier** to be mapped with **user.mail**, so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) + ![image](common/edit-attribute.png) -### Create an Azure AD test user +6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -The objective of this section is to create a test user in the Azure portal called Britta Simon. + ![The Certificate download link](common/metadataxml.png) - ![Create an Azure AD test user][100] +7. On the **Set up Versal** section, copy the appropriate URL(s) as per your requirement. 
-**To create a test user in Azure AD, perform the following steps:** + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. + a. Login URL - ![The Azure Active Directory button](./media/versal-tutorial/create_aaduser_01.png) + b. Azure AD Identifier -1. To display the list of users, go to **Users and groups**, and then click **All users**. + c. Logout URL - ![The "Users and groups" and "All users" links](./media/versal-tutorial/create_aaduser_02.png) +### Configure Versal Single Sign-On -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. +To configure single sign-on on **Versal** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Versal support team](https://support.versal.com/hc/). They set this setting to have the SAML SSO connection set properly on both sides. - ![The Add button](./media/versal-tutorial/create_aaduser_03.png) +### Create an Azure AD test user -1. In the **User** dialog box, perform the following steps: +The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![The User dialog box](./media/versal-tutorial/create_aaduser_04.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - a. In the **Name** box, type **BrittaSimon**. + ![The "Users and groups" and "All users" links](common/users.png) - b. In the **User name** box, type the email address of user Britta Simon. +2. Select **New user** at the top of the screen. - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + ![New user Button](common/new-user.png) - d. Click **Create**. +3. In the User properties, perform the following steps. + + ![The User dialog box](common/user-properties.png) + + a. 
In the **Name** field enter **BrittaSimon**. -### Create a Versal test user + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com -In this section, you create a user called Britta Simon in Versal. Please follow the [Creating a SAML test user](https://support.versal.com/hc/en-us/articles/115011672887-Creating-a-SAML-test-user) -support guide to create the user Britta Simon within your organization. Users must be created and activated in Versal before you use single sign-on. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Versal. -![Assign the user role][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Versal**. + + ![Enterprise applications blade](common/enterprise-applications.png) -**To assign Britta Simon to Versal, perform the following steps:** +2. In the applications list, select **Versal**. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. + ![The Versal link in the Applications list](common/all-applications.png) - ![Assign User][201] +3. In the menu on the left, select **Users and groups**. -1. In the applications list, select **Versal**. + ![The "Users and groups" link](common/users-groups-blade.png) - ![The Versal link in the Applications list](./media/versal-tutorial/tutorial_versal_app.png) +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. In the menu on the left, click **Users and groups**. + ![The Add Assignment pane](common/add-assign-user.png) - ![The "Users and groups" link][202] +5. 
In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +7. In the **Add Assignment** dialog click the **Assign** button. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +### Create Versal test user -1. Click **Select** button on **Users and groups** dialog. +In this section, you create a user called Britta Simon in Versal. Follow the [Creating a SAML test user](https://support.versal.com/hc/articles/115011672887-Creating-a-SAML-test-user) +support guide to create the user Britta Simon within your organization. Users must be created and activated in Versal before you use single sign-on. -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using a Versal course embedded within your website. Please see the [Embedding Organizational Courses](https://support.versal.com/hc/en-us/articles/203271866-Embedding-organizational-courses) **SAML Single Sign-On** 
@@ -207,25 +195,13 @@ support guide for instructions on how to embed a Versal course with support for You will need to create a course, share it with your organization, and publish it in order to test course embedding. Please see [Creating a course](https://support.versal.com/hc/en-us/articles/203722528-Create-a-course), [Publishing a course](https://support.versal.com/hc/en-us/articles/203753398-Publishing-a-course), - and [Course and learner management](https://support.versal.com/hc/en-us/articles/206029467-Course-and-learner-management) for more information. - - -## Additional resources - -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) + and [Course and learner management](https://support.versal.com/hc/en-us/articles/206029467-Course-and-learner-management) for more information. - +## Additional Resources -[1]: ./media/versal-tutorial/tutorial_general_01.png -[2]: ./media/versal-tutorial/tutorial_general_02.png -[3]: ./media/versal-tutorial/tutorial_general_03.png -[4]: ./media/versal-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/versal-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/versal-tutorial/tutorial_general_200.png -[201]: ./media/versal-tutorial/tutorial_general_201.png -[202]: ./media/versal-tutorial/tutorial_general_202.png -[203]: ./media/versal-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 
diff --git a/articles/active-directory/saas-apps/vibehcm-tutorial.md b/articles/active-directory/saas-apps/vibehcm-tutorial.md
index 128f127e57727..e9cac69549118 100644
--- a/articles/active-directory/saas-apps/vibehcm-tutorial.md
+++ b/articles/active-directory/saas-apps/vibehcm-tutorial.md
@@ -4,217 +4,186 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 4379bef7-adc9-4b6d-9384-c46d9a914bfe ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 09/25/2018 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Vibe HCM In this tutorial, you learn how to integrate Vibe HCM with Azure Active Directory (Azure AD). - Integrating Vibe HCM with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Vibe HCM. -- You can enable your users to automatically get signed-on to Vibe HCM (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Vibe HCM. +* You can enable your users to be automatically signed-in to Vibe HCM (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with Vibe HCM, you need the following items: -- An Azure AD subscription -- A Vibe HCM single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Vibe HCM single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Vibe HCM from the gallery -2. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Vibe HCM supports **SP** and **IDP** initiated SSO ## Adding Vibe HCM from the gallery + To configure the integration of Vibe HCM into Azure AD, you need to add Vibe HCM from the gallery to your list of managed SaaS apps. **To add Vibe HCM from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. + + ![The Azure Active Directory button](common/select-azuread.png) - ![The Azure Active Directory button][1] +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -2. Navigate to **Enterprise applications**. Then go to **All applications**. 
+ ![The Enterprise applications blade](common/enterprise-applications.png) - ![The Enterprise applications blade][2] - 3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) 4. In the search box, type **Vibe HCM**, select **Vibe HCM** from result panel then click **Add** button to add the application. - ![Vibe HCM in the results list](./media/vibehcm-tutorial/tutorial_vibehcm_addfromgallery.png) + ![Vibe HCM in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Vibe HCM based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Vibe HCM is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Vibe HCM needs to be established. +In this section, you configure and test Azure AD single sign-on with Vibe HCM based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Vibe HCM needs to be established. To configure and test Azure AD single sign-on with Vibe HCM, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Create a Vibe HCM test user](#create-a-vibe-hcm-test-user)** - to have a counterpart of Britta Simon in Vibe HCM that is linked to the Azure AD representation of user. +2. **[Configure Vibe HCM Single Sign-On](#configure-vibe-hcm-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. 
**[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +5. **[Create Vibe HCM test user](#create-vibe-hcm-test-user)** - to have a counterpart of Britta Simon in Vibe HCM that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Vibe HCM application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Vibe HCM, perform the following steps:** +To configure Azure AD single sign-on with Vibe HCM, perform the following steps: -1. In the Azure portal, on the **Vibe HCM** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Vibe HCM** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -2. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/vibehcm-tutorial/tutorial_vibehcm_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -3. On the **Vibe HCM Domain and URLs** section, he user does not have to perform any steps as the app is already pre-integrated with Azure: + ![Single sign-on select mode](common/select-saml-option.png) - ![Vibe HCM Domain and URLs single sign-on information](./media/vibehcm-tutorial/tutorial_vibehcm_url.png) +3. 
On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -4. Check **Show advanced URL settings** and perform the following step if you wish to configure the application in **SP** initiated mode: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Vibe HCM Domain and URLs single sign-on information](./media/vibehcm-tutorial/tutorial_vibehcm_url1.png) +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode the user does not have to perform any step as the app is already pre-integrated with Azure. - In the **Sign on URL** textbox, type a URL using the following pattern: `https://.vibehcm.com/portal.jsp` - - > [!NOTE] - > The Sign on URL value is not real. Update the value with the actual Sign-On URL. Contact [Vibe HCM support team](mailto:support@vibehcm.com) to get the value. - -4. On the **SAML Signing Certificate** section, click the copy button to copy **App Federation Metadata Url** and paste it into notepad. + ![Vibe HCM Domain and URLs single sign-on information](common/preintegrated.png) - ![The Certificate download link](./media/vibehcm-tutorial/tutorial_vibehcm_certificate.png) +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: -5. Click **Save** button. + ![Vibe HCM Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) - ![Configure Single Sign-On Save button](./media/vibehcm-tutorial/tutorial_general_400.png) + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://.vibehcm.com/portal.jsp` -6. To configure single sign-on on **Vibe HCM** side, you need to send the copied **App Federation Metadata Url** to [Vibe HCM support team](mailto:support@vibehcm.com). They set this setting to have the SAML SSO connection set properly on both sides. + > [!NOTE] + > The value is not real. 
Update the value with the actual Sign-on URL. Contact [Vibe HCM Client support team](mailto:support@vibehcm.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -### Create an Azure AD test user - -The objective of this section is to create a test user in the Azure portal called Britta Simon. +6. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. - ![Create an Azure AD test user][100] + ![The Certificate download link](common/copy-metadataurl.png) -**To create a test user in Azure AD, perform the following steps:** +### Configure Vibe HCM Single Sign-On -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +To configure single sign-on on **Vibe HCM** side, you need to send the **App Federation Metadata Url** to [Vibe HCM support team](mailto:support@vibehcm.com). They set this setting to have the SAML SSO connection set properly on both sides. - ![The Azure Active Directory button](./media/vibehcm-tutorial/create_aaduser_01.png) +### Create an Azure AD test user -2. To display the list of users, go to **Users and groups**, and then click **All users**. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![The "Users and groups" and "All users" links](./media/vibehcm-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -3. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Add button](./media/vibehcm-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -4. 
In the **User** dialog box, perform the following steps: + ![New user Button](common/new-user.png) - ![The User dialog box](./media/vibehcm-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** box, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** box, type the email address of user Britta Simon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Create a Vibe HCM test user - -In this section, you create a user called Britta Simon in Vibe HCM. Work with [Vibe HCM support team](mailto:support@vibehcm.com) to add the users in the Vibe HCM platform. Users must be created and activated before you use single sign-on. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Vibe HCM. -![Assign the user role][200] - -**To assign Britta Simon to Vibe HCM, perform the following steps:** - -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Vibe HCM**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) 2. In the applications list, select **Vibe HCM**. - ![The Vibe HCM link in the Applications list](./media/vibehcm-tutorial/tutorial_vibehcm_app.png) + ![The Vibe HCM link in the Applications list](common/all-applications.png) -3. In the menu on the left, click **Users and groups**. +3. 
In the menu on the left, select **Users and groups**. - ![The "Users and groups" link][202] + ![The "Users and groups" link](common/users-groups-blade.png) -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The Add Assignment pane][203] + ![The Add Assignment pane](common/add-assign-user.png) -5. On **Users and groups** dialog, select **Britta Simon** in the Users list. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -6. Click **Select** button on **Users and groups** dialog. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -7. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +7. In the **Add Assignment** dialog click the **Assign** button. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. - -When you click the Vibe HCM tile in the Access Panel, you should get automatically signed-on to your Vibe HCM application. -For more information about the Access Panel, see [Introduction to the Access Panel](../active-directory-saas-access-panel-introduction.md). +### Create Vibe HCM test user -## Additional resources +In this section, you create a user called Britta Simon in Vibe HCM. Work with [Vibe HCM support team](mailto:support@vibehcm.com) to add the users in the Vibe HCM platform. Users must be created and activated before you use single sign-on. 
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the Vibe HCM tile in the Access Panel, you should be automatically signed in to the Vibe HCM for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/vibehcm-tutorial/tutorial_general_01.png -[2]: ./media/vibehcm-tutorial/tutorial_general_02.png -[3]: ./media/vibehcm-tutorial/tutorial_general_03.png -[4]: ./media/vibehcm-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/vibehcm-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/vibehcm-tutorial/tutorial_general_200.png -[201]: ./media/vibehcm-tutorial/tutorial_general_201.png -[202]: ./media/vibehcm-tutorial/tutorial_general_202.png -[203]: ./media/vibehcm-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/vidyard-tutorial.md b/articles/active-directory/saas-apps/vidyard-tutorial.md index 00833a454203b..79a288d841d5d 100644 --- a/articles/active-directory/saas-apps/vidyard-tutorial.md +++ b/articles/active-directory/saas-apps/vidyard-tutorial.md 
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: bed7df23-6e13-4e7c-b4cc-53ed4804664d ms.service: active-directory 
@@ -13,261 +13,242 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 05/22/2018 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Vidyard In this tutorial, you learn how to integrate Vidyard with Azure Active Directory (Azure AD). - Integrating Vidyard with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Vidyard. -- You can enable your users to automatically get signed-on to Vidyard (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Vidyard. +* You can enable your users to be automatically signed-in to Vidyard (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Vidyard, you need the following items: -- An Azure AD subscription -- A Vidyard single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Vidyard single sign-on enabled subscription -To test the steps in this tutorial, you should follow these recommendations: +## Scenario description -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +* Vidyard supports **SP** and **IDP** initiated SSO -1. Adding Vidyard from the gallery -1. Configuring and testing Azure AD single sign-on +* Vidyard supports **Just In Time** user provisioning ## Adding Vidyard from the gallery + To configure the integration of Vidyard into Azure AD, you need to add Vidyard from the gallery to your list of managed SaaS apps. **To add Vidyard from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. 
To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Vidyard**, select **Vidyard** from result panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Vidyard in the results list](./media/vidyard-tutorial/tutorial_vidyard_addfromgallery.png) +4. In the search box, type **Vidyard**, select **Vidyard** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on + ![Vidyard in the results list](common/search-new-app.png) -In this section, you configure and test Azure AD single sign-on with Vidyard based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on -For single sign-on to work, Azure AD needs to know what the counterpart user in Vidyard is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Vidyard needs to be established. +In this section, you configure and test Azure AD single sign-on with Vidyard based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Vidyard needs to be established. To configure and test Azure AD single sign-on with Vidyard, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a Vidyard test user](#create-a-vidyard-test-user)** - to have a counterpart of Britta Simon in Vidyard that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. 
**[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure Vidyard Single Sign-On](#configure-vidyard-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Vidyard test user](#create-vidyard-test-user)** - to have a counterpart of Britta Simon in Vidyard that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Vidyard application. +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with Vidyard, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **Vidyard** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Vidyard, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Vidyard** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure single sign-on link][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/vidyard-tutorial/tutorial_vidyard_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. 
On the **Vidyard Domain and URLs** section, perform the following steps if you wish to configure the application in **IDP** initiated mode: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Vidyard Domain and URLs single sign-on information](./media/vidyard-tutorial/tutorial_vidyard_url2.png) +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: - a. In the **Identifier** textbox, type a URL using the following pattern: `https://secure.vidyard.com/sso/saml//metadata` + ![Vidyard Domain and URLs single sign-on information](common/idp-intiated.png) - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://secure.vidyard.com/sso/saml//consume` + a. In the **Identifier** text box, type a URL using the following pattern: + `https://secure.vidyard.com/sso/saml//metadata` -1. Check **Show advanced URL settings** and perform the following step if you wish to configure the application in **SP** initiated mode: + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://secure.vidyard.com/sso/saml//consume` - ![Vidyard Domain and URLs single sign-on information](./media/vidyard-tutorial/tutorial_vidyard_url1.png) +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: - In the **Sign-on URL** textbox, type a URL using the following pattern: `https://secure.vidyard.com/sso/saml//login` + ![Vidyard Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) + + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://secure.vidyard.com/sso/saml//login` > [!NOTE] - > These values are not real. You will update these values with the actual Identifier, Reply URL, and Sign-On URL, which is explained later in the tutorial + > These values are not real. 
You will update these values with the actual Identifier, Reply URL, and Sign-On URL, which is explained later in the tutorial. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + +6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. -1. On the **SAML Signing Certificate** section, click **Certificate(Base64)** and then save the certificate file on your computer. + ![The Certificate download link](common/certificatebase64.png) - ![The Certificate download link](./media/vidyard-tutorial/tutorial_vidyard_certificate.png) +7. On the **Set up Vidyard** section, copy the appropriate URL(s) as per your requirement. -1. Click **Save** button. + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![Configure Single Sign-On Save button](./media/vidyard-tutorial/tutorial_general_400.png) + a. Login URL -1. On the **Vidyard Configuration** section, click **Configure Vidyard** to open **Configure sign-on** window. Copy the **SAML Single Sign-On Service URL** from the **Quick Reference section.** + b. Azure AD Identifier - ![Vidyard Configuration](./media/vidyard-tutorial/tutorial_vidyard_configure.png) + c. Logout URL -1. In a different web browser window, log in to your Vidyard Software company site as an administrator. +### Configure Vidyard Single Sign-On -1. From the Vidyard dashboard, select **Group** > **Security** +1. In a different web browser window, sign in to your Vidyard Software company site as an administrator. + +2. From the Vidyard dashboard, select **Group** > **Security** ![Vidyard Configuration](./media/vidyard-tutorial/configure1.png) -1. Click **New Profile** tab. +3. Click **New Profile** tab. ![Vidyard Configuration](./media/vidyard-tutorial/configure2.png) -1. 
In the **SAML Configuration** section, perform the following steps: +4. In the **SAML Configuration** section, perform the following steps: ![Vidyard Configuration](./media/vidyard-tutorial/configure3.png) a. Please enter general profile name in the **Profile Name** textbox. - b. Copy **SSO User Login Page** value and paste it into **Sign on URL** textbox in **Vidyard Domain and URLs section** on Azure portal. + b. Copy **SSO User Login Page** value and paste it into **Sign on URL** textbox in **Basic SAML Configuration** section on Azure portal. - c. Copy **ACS URL** value and paste it into **Reply URL** textbox in **Vidyard Domain and URLs section** on Azure portal. + c. Copy **ACS URL** value and paste it into **Reply URL** textbox in **Basic SAML Configuration** section on Azure portal. - d. Copy **Issuer/Metadata URL** value and paste it into **Identifier** textbox in **Vidyard Domain and URLs section** on Azure portal. + d. Copy **Issuer/Metadata URL** value and paste it into **Identifier** textbox in **Basic SAML Configuration** section on Azure portal. e. Open your downloaded certificate file from Azure portal in Notepad and then paste it into the **X.509 Certificate** textbox. - f. In the **SAML Endpoint URL** textbox, paste the value of **SAML Single Sign-On Service URL** copied from Azure portal. + f. In the **SAML Endpoint URL** textbox, paste the value of **Login URL** copied from Azure portal. g. Click **Confirm**. -1. From the Single Sign On tab, select **Assign** next to an existing profile +5. From the Single Sign On tab, select **Assign** next to an existing profile ![Vidyard Configuration](./media/vidyard-tutorial/configure4.png) > [!NOTE] > Once you have created an SSO profile, assign it to any group(s) for which users will require access through Azure. If the user does not exist within the group to which they were assigned, Vidyard will automatically create a user account and assign their role in real-time. -1. 
Select your organization group, which is visible in the **Groups Available to Assign**. +6. Select your organization group, which is visible in the **Groups Available to Assign**. ![Vidyard Configuration](./media/vidyard-tutorial/configure5.png) -1. You can see the assigned groups under the **Groups Currently Assigned**. Select a role for the group as per your organization and click **Confirm**. +7. You can see the assigned groups under the **Groups Currently Assigned**. Select a role for the group as per your organization and click **Confirm**. ![Vidyard Configuration](./media/vidyard-tutorial/configure6.png) > [!NOTE] > For more information, refer [this doc](https://knowledge.vidyard.com/saml-single-sign-on-authentication/saml-based-single-sign-on-sso-in-vidyard). -### Create an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![Create an Azure AD test user][100] - -**To create a test user in Azure AD, perform the following steps:** - -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. - - ![The Azure Active Directory button](./media/vidyard-tutorial/create_aaduser_01.png) - -1. To display the list of users, go to **Users and groups**, and then click **All users**. - - ![The "Users and groups" and "All users" links](./media/vidyard-tutorial/create_aaduser_02.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Add button](./media/vidyard-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -1. 
In the **User** dialog box, perform the following steps: + ![New user Button](common/new-user.png) - ![The User dialog box](./media/vidyard-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** box, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** box, type the email address of user Britta Simon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Create a Vidyard test user - -The objective of this section is to create a user called Britta Simon in Vidyard. Vidyard supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access Vidyard if it doesn't exist yet. ->[!Note] ->If you need to create a user manually, contact [Vidyard support team](mailto:support@vidyard.com). ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Vidyard. -![Assign the user role][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Vidyard**. -**To assign Britta Simon to Vidyard, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **Vidyard**. - ![Assign User][201] + ![The Vidyard link in the Applications list](common/all-applications.png) -1. 
In the applications list, select **Vidyard**. +3. In the menu on the left, select **Users and groups**. - ![The Vidyard link in the Applications list](./media/vidyard-tutorial/tutorial_vidyard_app.png) + ![The "Users and groups" link](common/users-groups-blade.png) -1. In the menu on the left, click **Users and groups**. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The "Users and groups" link][202] + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - ![The Add Assignment pane][203] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Select** button on **Users and groups** dialog. +### Create Vidyard test user -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +In this section, a user called Britta Simon is created in Vidyard. Vidyard supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Vidyard, a new one is created after authentication. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +>[!Note] +>If you need to create a user manually, contact [Vidyard support team](mailto:support@vidyard.com). -When you click the Vidyard tile in the Access Panel, you should get automatically signed-on to your Vidyard application. 
-For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +### Test single sign-on -## Additional resources +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +When you click the Vidyard tile in the Access Panel, you should be automatically signed in to the Vidyard for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/vidyard-tutorial/tutorial_general_01.png -[2]: ./media/vidyard-tutorial/tutorial_general_02.png -[3]: ./media/vidyard-tutorial/tutorial_general_03.png -[4]: ./media/vidyard-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/vidyard-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/vidyard-tutorial/tutorial_general_200.png -[201]: ./media/vidyard-tutorial/tutorial_general_201.png -[202]: ./media/vidyard-tutorial/tutorial_general_202.png -[203]: ./media/vidyard-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 
diff --git a/articles/active-directory/saas-apps/vodeclic-tutorial.md b/articles/active-directory/saas-apps/vodeclic-tutorial.md
index e3a156abd48bf..7e94efee7d168 100644
--- a/articles/active-directory/saas-apps/vodeclic-tutorial.md
+++ b/articles/active-directory/saas-apps/vodeclic-tutorial.md
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: d77a0f53-e3a3-445e-ab3e-119cef6e2e1d
 ms.service: active-directory
@@ -13,221 +13,196 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 12/06/2017 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Vodeclic In this tutorial, you learn how to integrate Vodeclic with Azure Active Directory (Azure AD). - Integrating Vodeclic with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Vodeclic. -- You can enable your users to automatically get signed on to Vodeclic (single sign-on, or SSO) with their Azure AD accounts. -- You can manage your accounts in one central location--the Azure portal. +* You can control in Azure AD who has access to Vodeclic. +* You can enable your users to be automatically signed-in to Vodeclic (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Vodeclic, you need the following items: -- An Azure AD subscription -- A Vodeclic SSO-enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Vodeclic single sign-on enabled subscription -To test the steps in this tutorial, follow these recommendations: +## Scenario description -- Don't use your production environment unless it's necessary. -- If you don't have an Azure AD trial environment, [get a one-month free trial](https://azure.microsoft.com/pricing/free-trial/). +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial consists of two main building blocks: +* Vodeclic supports **SP** and **IDP** initiated SSO -1. Adding Vodeclic from the gallery -1. Configuring and testing Azure AD single sign-on +## Adding Vodeclic from the gallery -## Add Vodeclic from the gallery To configure the integration of Vodeclic into Azure AD, you need to add Vodeclic from the gallery to your list of managed SaaS apps. -**To add Vodeclic from the gallery, take the following steps:** +**To add Vodeclic from the gallery, perform the following steps:** -1. In the [Azure portal](https://portal.azure.com), in the left pane, select the **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Go to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add a new application, select the **New application** button at the top of the dialog box. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. 
To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Vodeclic**. Select **Vodeclic** from the results panel, and then select the **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Vodeclic in the results list](./media/vodeclic-tutorial/tutorial_vodeclic_addfromgallery.png) +4. In the search box, type **Vodeclic**, select **Vodeclic** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on - -In this section, you configure and test Azure AD single sign-on with Vodeclic based on a test user called "Britta Simon." + ![Vodeclic in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know who the counterpart user in Vodeclic is to a user in Azure AD. In other words, you need to establish a link between an Azure AD user and the related user in Vodeclic. +## Configure and test Azure AD single sign-on -In Vodeclic, give the value **Username** the same value as **user name** in Azure AD. Now you have established the link between the two users. +In this section, you configure and test Azure AD single sign-on with Vodeclic based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Vodeclic needs to be established. -To configure and test Azure AD single sign-on with Vodeclic, complete the following building blocks: +To configure and test Azure AD single sign-on with Vodeclic, you need to complete the following building blocks: -1. [Configure Azure AD single sign-On](#configure-azure-ad-single-sign-on) to enable your users to use this feature. -1. [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on with Britta Simon. -1. 
[Create a Vodeclic test user](#create-a-vodeclic-test-user) to have a counterpart of Britta Simon in Vodeclic that is linked to the Azure AD representation of the user. -1. [Assign the Azure AD test user](#assign-the-azure-ad-test-user) to enable Britta Simon to use Azure AD single sign-on. -1. [Test single sign-on](#test-single-sign-on) to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Vodeclic Single Sign-On](#configure-vodeclic-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Vodeclic test user](#create-vodeclic-test-user)** - to have a counterpart of Britta Simon in Vodeclic that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Vodeclic application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Vodeclic, take the following steps:** +To configure Azure AD single sign-on with Vodeclic, perform the following steps: -1. In the Azure portal, on the **Vodeclic** application integration page, select **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Vodeclic** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -1. 
In the **Single sign-on** dialog box, under **Single-Sign-on Mode**, select **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/vodeclic-tutorial/tutorial_vodeclic_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. If you want to configure the application in **IDP** initiated mode, in the **Vodeclic Domain and URLs** section, take the following steps: + ![Single sign-on select mode](common/select-saml-option.png) - ![Vodeclic domain and URLs single sign-on information](./media/vodeclic-tutorial/tutorial_vodeclic_url.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - a. In the **Identifier** box, type a URL with the following pattern: `https://.lms.vodeclic.net/auth/saml` + ![Edit Basic SAML Configuration](common/edit-urls.png) - b. In the **Reply URL** box, type a URL with the following pattern: `https://.lms.vodeclic.net/auth/saml/callback` +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: -1. If you want to configure the application in **SP** initiated mode, select the **Show advanced URL settings** check box, and take the following step: + ![Vodeclic Domain and URLs single sign-on information](common/idp-intiated.png) - ![Vodeclic domain and URLs single sign-on information](./media/vodeclic-tutorial/tutorial_vodeclic_url1.png) + a. In the **Identifier** text box, type a URL using the following pattern: + `https://.lms.vodeclic.net/auth/saml` - In the **Sign-on URL** box, type a URL with the following pattern: `https://.lms.vodeclic.net/auth/saml` - - > [!NOTE] - > These values aren't real. Update these values with the actual identifier, reply URL, and sign-on URL. Contact the [Vodeclic Client support team](mailto:hotline@vodeclic.com) to get these values. + b. 
In the **Reply URL** text box, type a URL using the following pattern: + `https://.lms.vodeclic.net/auth/saml/callback` -1. In the **SAML Signing Certificate** section, select **Metadata XML**. Then save the metadata file on your computer. +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: - ![The Certificate download link](./media/vodeclic-tutorial/tutorial_vodeclic_certificate.png) + ![Vodeclic Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) -1. Select **Save**. + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://.lms.vodeclic.net/auth/saml` - ![Configure Single Sign-On Save button](./media/vodeclic-tutorial/tutorial_general_400.png) - -1. To configure single sign-on on the **Vodeclic** side, send the downloaded **Metadata XML** to the [Vodeclic support team](mailto:hotline@vodeclic.com). They set this setting to have the SAML SSO connection set properly on both sides. + > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Vodeclic Client support team](mailto:hotline@vodeclic.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com) while you are setting up the app. After you add this app from the **Active Directory** > **Enterprise Applications** section, select the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature at [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985). +6. 
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -### Create an Azure AD test user + ![The Certificate download link](common/metadataxml.png) -The objective of this section is to create a test user in the Azure portal called Britta Simon. +7. On the **Set up Vodeclic** section, copy the appropriate URL(s) as per your requirement. - ![Create an Azure AD test user][100] + ![Copy configuration URLs](common/copy-configuration-urls.png) -**To create a test user in Azure AD, take the following steps:** + a. Login URL -1. In the Azure portal, in the left pane, select the **Azure Active Directory** button. + b. Azure AD Identifier - ![The Azure Active Directory button](./media/vodeclic-tutorial/create_aaduser_01.png) + c. Logout URL -1. To display the list of users, go to **Users and groups**. Then select **All users**. +### Configure Vodeclic Single Sign-On - ![The "Users and groups" and "All users" links](./media/vodeclic-tutorial/create_aaduser_02.png) +To configure single sign-on on **Vodeclic** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Vodeclic support team](mailto:hotline@vodeclic.com). They set this setting to have the SAML SSO connection set properly on both sides. -1. To open the **User** dialog box, select **Add** at the top of the **All Users** dialog box. +### Create an Azure AD test user - ![The Add button](./media/vodeclic-tutorial/create_aaduser_03.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. In the **User** dialog box, take the following steps: +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. 
- ![The User dialog box](./media/vodeclic-tutorial/create_aaduser_04.png) + ![The "Users and groups" and "All users" links](common/users.png) - a. In the **Name** box, type **BrittaSimon**. +2. Select **New user** at the top of the screen. - b. In the **User name** box, type the email address of user Britta Simon. + ![New user Button](common/new-user.png) - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. +3. In the User properties, perform the following steps. - d. Select **Create**. - -### Create a Vodeclic test user + ![The User dialog box](common/user-properties.png) -In this section, you create a user called Britta Simon in Vodeclic. Work with the [Vodeclic support team](mailto:hotline@vodeclic.com) to add the users in the Vodeclic platform. Users must be created and activated before you use single sign-on. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com -> [!NOTE] -> According to application requirements, you might need to get your machine whitelisted. For that to happen, you need to share your public IP address with the [Vodeclic support team](mailto:hotline@vodeclic.com). + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Vodeclic. -![Assign the user role][200] - -**To assign Britta Simon to Vodeclic, take the following steps:** +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Vodeclic**. -1. In the Azure portal, open the applications view, and then go to the directory view. Next, go to **Enterprise applications**, and then select **All applications**. 
+ ![Enterprise applications blade](common/enterprise-applications.png) - ![Assign user][201] +2. In the applications list, select **Vodeclic**. -1. In the applications list, select **Vodeclic**. + ![The Vodeclic link in the Applications list](common/all-applications.png) - ![The Vodeclic link in the Applications list](./media/vodeclic-tutorial/tutorial_vodeclic_app.png) +3. In the menu on the left, select **Users and groups**. -1. In the menu on the left, select **Users and groups**. + ![The "Users and groups" link](common/users-groups-blade.png) - ![The "Users and groups" link][202] +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. Select the **Add** button. Then select **Users and groups** in the **Add Assignment** dialog box. + ![The Add Assignment pane](common/add-assign-user.png) - ![The Add Assignment pane][203] +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. In the **Users and groups** dialog box, select **Britta Simon** in the **Users** list. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. In the **Users and groups** dialog box, select the **Select** button. +7. In the **Add Assignment** dialog click the **Assign** button. -1. In the **Add Assignment** dialog box, select the **Assign** button. - -### Test single sign-on +### Create Vodeclic test user -In this section, you test your Azure AD single sign-on configuration by using the access panel. +In this section, you create a user called Britta Simon in Vodeclic. Work with [Vodeclic support team](mailto:hotline@vodeclic.com) to add the users in the Vodeclic platform. Users must be created and activated before you use single sign-on. 
-When you select the Vodeclic tile in the access panel, you get automatically signed in to your Vodeclic application. - -For more information about the access panel, see [Introduction to the access panel](../user-help/active-directory-saas-access-panel-introduction.md). - -## Additional resources +> [!NOTE] +> According to application requirements, you might need to get your machine whitelisted. For that to happen, you need to share your public IP address with the [Vodeclic support team](mailto:hotline@vodeclic.com). -* [List of tutorials on how to integrate SaaS apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the Vodeclic tile in the Access Panel, you should be automatically signed in to the Vodeclic for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-
+## Additional Resources
-[1]: ./media/vodeclic-tutorial/tutorial_general_01.png
-[2]: ./media/vodeclic-tutorial/tutorial_general_02.png
-[3]: ./media/vodeclic-tutorial/tutorial_general_03.png
-[4]: ./media/vodeclic-tutorial/tutorial_general_04.png
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-[100]: ./media/vodeclic-tutorial/tutorial_general_100.png
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
-[200]: ./media/vodeclic-tutorial/tutorial_general_200.png
-[201]: ./media/vodeclic-tutorial/tutorial_general_201.png
-[202]: ./media/vodeclic-tutorial/tutorial_general_202.png
-[203]: ./media/vodeclic-tutorial/tutorial_general_203.png
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/vxmaintain-tutorial.md b/articles/active-directory/saas-apps/vxmaintain-tutorial.md
index 3f45fbbf0af0b..ba775b97271f8 100644
--- a/articles/active-directory/saas-apps/vxmaintain-tutorial.md
+++ b/articles/active-directory/saas-apps/vxmaintain-tutorial.md
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: daveba
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: 841a1066-593c-4603-9abe-f48496d73d10
 ms.service: active-directory
@@ -12,204 +13,186 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 01/26/2018 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with vxMaintain In this tutorial, you learn how to integrate vxMaintain with Azure Active Directory (Azure AD). +Integrating vxMaintain with Azure AD provides you with the following benefits: -This integration provides several important benefits. You can: +* You can control in Azure AD who has access to vxMaintain. +* You can enable your users to be automatically signed-in to vxMaintain (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -- Control in Azure AD who has access to vxMaintain. -- Enable your users to automatically sign in to vxMaintain with single sign-on (SSO) by using their Azure AD accounts. -- Manage your accounts in one central location: the Azure portal. - -To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with vxMaintain, you need the following items: -- An Azure AD subscription -- A vxMaintain SSO-enabled subscription +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* vxMaintain single sign-on enabled subscription + +## Scenario description -> [!NOTE] -> When you test the steps in this tutorial, we recommend that you do not use a production environment. +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -To test the steps in this tutorial, follow these recommendations: +* vxMaintain supports **IDP** initiated SSO -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +## Adding vxMaintain from the gallery -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. +To configure the integration of vxMaintain into Azure AD, you need to add vxMaintain from the gallery to your list of managed SaaS apps. + +**To add vxMaintain from the gallery, perform the following steps:** + +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. + + ![The Azure Active Directory button](common/select-azuread.png) -The scenario that this tutorial outlines consists of two main building blocks: +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -* Adding vxMaintain from the gallery -* Configuring and testing Azure AD single sign-on + ![The Enterprise applications blade](common/enterprise-applications.png) -## Add vxMaintain from the gallery -To configure the integration of vxMaintain with Azure AD, you need to add vxMaintain from the gallery to your list of managed SaaS apps. +3. To add new application, click **New application** button on the top of dialog. -To add vxMaintain from the gallery, do the following: + ![The New application button](common/add-new-app.png) -1. 
In the [Azure portal](https://portal.azure.com), in the left pane, select the **Azure Active Directory** button. +4. In the search box, type **vxMaintain**, select **vxMaintain** from result panel then click **Add** button to add the application. - ![The Azure Active Directory button][1] + ![vxMaintain in the results list](common/search-new-app.png) -1. Select **Enterprise applications** > **All applications**. +## Configure and test Azure AD single sign-on - ![The "Enterprise applications" pane][2] - -1. To add an application, in the **All applications** dialog box, select **New application**. +In this section, you configure and test Azure AD single sign-on with vxMaintain based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in vxMaintain needs to be established. - ![The "New application" button][3] +To configure and test Azure AD single sign-on with vxMaintain, you need to complete the following building blocks: -1. In the search box, type **vxMaintain**. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure vxMaintain Single Sign-On](#configure-vxmaintain-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create vxMaintain test user](#create-vxmaintain-test-user)** - to have a counterpart of Britta Simon in vxMaintain that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. 
- ![The "Single Sign-on Mode" drop-down list](./media/vxmaintain-tutorial/tutorial_vxmaintain_search.png) +### Configure Azure AD single sign-on -1. In the results list, select **vxMaintain**, and then select **Add**. +In this section, you enable Azure AD single sign-on in the Azure portal. - ![The vxMaintain link](./media/vxmaintain-tutorial/tutorial_vxmaintain_addfromgallery.png) +To configure Azure AD single sign-on with vxMaintain, perform the following steps: -## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD SSO by using vxMaintain, based on a test user called "Britta Simon." +1. In the [Azure portal](https://portal.azure.com/), on the **vxMaintain** application integration page, select **Single sign-on**. -For SSO to work, Azure AD needs to know the vxMaintain counterpart to the Azure AD user. That is, you must establish a link relationship between the Azure AD user and the corresponding vxMaintain user. + ![Configure single sign-on link](common/select-sso.png) -To establish the link relationship, assign the vxMaintain **user name** value as the Azure AD **Username** value. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -To configure and test Azure AD SSO by using vxMaintain, complete the following building blocks. + ![Single sign-on select mode](common/select-saml-option.png) -### Configure Azure AD SSO +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -In this section, you can both enable Azure AD SSO in the Azure portal and configure SSO in your vxMaintain application by doing the following: + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. In the Azure portal, on the **vxMaintain** application integration page, select **Single sign-on**. +4. 
On the **Set up Single Sign-On with SAML** page, perform the following steps: - ![The "Single sign-on" command][4] + ![vxMaintain Domain and URLs single sign-on information](common/idp-intiated.png) -1. To enable SSO, in the **Single Sign-on Mode** drop-down list, select **SAML-based Sign-on**. - - ![The "SAML-based Sign-on" command](./media/vxmaintain-tutorial/tutorial_vxmaintain_samlbase.png) + a. In the **Identifier** text box, type a URL using the following pattern: + `https://.verisae.com` -1. Under **vxMaintain Domain and URLs**, do the following: + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://.verisae.com/DataNett/action/ssoConsume/mobile?_log=true` - ![The vxMaintain Domain and URLs section](./media/vxmaintain-tutorial/tutorial_vxmaintain_url.png) + > [!NOTE] + > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [vxMaintain Client support team](https://www.hubspot.com/company/contact) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - a. In the **Identifier** box, type a URL that has the following syntax: `https://.verisae.com` +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. - b. In the **Reply URL** box, type a URL that has the following syntax: `https://.verisae.com/DataNett/action/ssoConsume/mobile?_log=true` + ![The Certificate download link](common/metadataxml.png) - > [!NOTE] - > The preceding values are not real. Update them with the actual identifier and reply URL. To obtain the values, contact the [vxMaintain support team](https://www.hubspot.com/company/contact). - -1. Under **SAML Signing Certificate**, select **Metadata XML**, and then save the metadata file to your computer. +6. 
On the **Set up vxMaintain** section, copy the appropriate URL(s) as per your requirement. - ![The "SAML Signing Certificate" section](./media/vxmaintain-tutorial/tutorial_vxmaintain_certificate.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. Select **Save**. + a. Login URL - ![The Save button](./media/vxmaintain-tutorial/tutorial_general_400.png) + b. Azure AD Identifier -1. To configure **vxMaintain** SSO, send the downloaded **Metadata XML** file to the [vxMaintain support team](https://www.hubspot.com/company/contact). + c. Logout URL -> [!TIP] -> As you set up the app, you can read a concise version of the preceding instructions in the [Azure portal](https://portal.azure.com). After you add the app from the **Active Directory** > **Enterprise Applications** section, select the **Single Sign-On** tab, and then access the embedded documentation from the **Configuration** section. -> ->To learn more about the embedded documentation feature, see [Managing single sign-on for enterprise apps](https://go.microsoft.com/fwlink/?linkid=845985). -> +### Configure vxMaintain Single Sign-On -### Create an Azure AD test user -In this section, you create test user Britta Simon in the Azure portal by doing the following: +To configure single sign-on on **vxMaintain** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [vxMaintain support team](https://www.hubspot.com/company/contact). They set this setting to have the SAML SSO connection set properly on both sides. -![The Azure AD test user][100] +### Create an Azure AD test user -1. In the **Azure portal**, in the left pane, select the **Azure Active Directory** button. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![The "Azure Active Directory" button](./media/vxmaintain-tutorial/create_aaduser_01.png) +1. 
In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. To display a list of users, go to **Users and groups** > **All users**. - - ![The "All users" link](./media/vxmaintain-tutorial/create_aaduser_02.png) - The **All users** dialog box opens. + ![The "Users and groups" and "All users" links](common/users.png) -1. To open the **User** dialog box, select **Add**. - - ![The Add button](./media/vxmaintain-tutorial/create_aaduser_03.png) +2. Select **New user** at the top of the screen. -1. In the **User** dialog box, do the following: - - ![The User dialog box](./media/vxmaintain-tutorial/create_aaduser_04.png) + ![New user Button](common/new-user.png) - a. In the **Name** box, type **BrittaSimon**. +3. In the User properties, perform the following steps. - b. In the **User name** box, type the email address of test user Britta Simon. + ![The User dialog box](common/user-properties.png) - c. Select the **Show Password** check box, and then note the value that was generated in the **Password** box. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - d. Select **Create**. - -### Create a vxMaintain test user + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -In this section, you create test user Britta Simon in vxMaintain. To add users in the vxMaintain platform, work with the [vxMaintain support team](https://www.hubspot.com/company/contact). Before you use SSO, create and activate the users. + d. Click **Create**. ### Assign the Azure AD test user -In this section, you enable test user Britta Simon to use Azure SSO by granting access to vxMaintain. To do so, do the following: +In this section, you enable Britta Simon to use Azure single sign-on by granting access to vxMaintain. -![Test user in the Display Name list][200] +1. 
In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **vxMaintain**. -1. In the Azure portal **Applications** view, go to **Directory** view > **Enterprise applications** > **All applications**. + ![Enterprise applications blade](common/enterprise-applications.png) - ![The "All applications" link][201] +2. In the applications list, select **vxMaintain**. -1. In the **Applications** list, select **vxMaintain**. + ![The vxMaintain link in the Applications list](common/all-applications.png) - ![The vxMaintain link](./media/vxmaintain-tutorial/tutorial_vxmaintain_app.png) +3. In the menu on the left, select **Users and groups**. -1. In the left pane, select **Users and groups**. + ![The "Users and groups" link](common/users-groups-blade.png) - ![The "Users and groups" link][202] +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. Select **Add** and then, in the **Add Assignment** pane, select **Users and groups**. + ![The Add Assignment pane](common/add-assign-user.png) - ![The "Users and groups" link][203] +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. In the **Users and groups** dialog box, in the **Users** list, select **Britta Simon**, and then select the **Select** button. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. In the **Add Assignment** dialog box, select **Assign**. - -### Test your Azure AD single sign-on +7. In the **Add Assignment** dialog click the **Assign** button. -In this section, you test your Azure AD SSO configuration by using the Access Panel. 
+### Create vxMaintain test user -Selecting the **vxMaintain** tile in the Access Panel should sign you in to your vxMaintain application automatically. +In this section, you create a user called Britta Simon in vxMaintain. Work with [vxMaintain support team](https://www.hubspot.com/company/contact) to add the users in the vxMaintain platform. Users must be created and activated before you use single sign-on. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +### Test single sign-on -## Next steps +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -* [List of tutorials on integrating SaaS apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +When you click the vxMaintain tile in the Access Panel, you should be automatically signed in to the vxMaintain for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-
+## Additional Resources
-[1]: ./media/vxmaintain-tutorial/tutorial_general_01.png
-[2]: ./media/vxmaintain-tutorial/tutorial_general_02.png
-[3]: ./media/vxmaintain-tutorial/tutorial_general_03.png
-[4]: ./media/vxmaintain-tutorial/tutorial_general_04.png
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-[100]: ./media/vxmaintain-tutorial/tutorial_general_100.png
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
-[200]: ./media/vxmaintain-tutorial/tutorial_general_200.png
-[201]: ./media/vxmaintain-tutorial/tutorial_general_201.png
-[202]: ./media/vxmaintain-tutorial/tutorial_general_202.png
-[203]: ./media/vxmaintain-tutorial/tutorial_general_203.png
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
diff --git a/articles/active-directory/saas-apps/waywedo-tutorial.md b/articles/active-directory/saas-apps/waywedo-tutorial.md
index 14224a2d9701a..d6c1f8894f15b 100644
--- a/articles/active-directory/saas-apps/waywedo-tutorial.md
+++ b/articles/active-directory/saas-apps/waywedo-tutorial.md
@@ -4,16 +4,17 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: femila
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: 84fc4f36-ecd1-42c6-8a70-cb0f3dc15655
 ms.service: active-directory
+ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 07/25/2018
+ms.topic: tutorial
+ms.date: 04/03/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -21,120 +22,124 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Way We Do In this tutorial, you learn how to integrate Way We Do with Azure Active Directory (Azure AD). - Integrating Way We Do with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Way We Do. -- You can enable your users to automatically get signed-on to Way We Do (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Way We Do. +* You can enable your users to be automatically signed in to Way We Do (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Way We Do, you need the following items: -- An Azure AD subscription -- A Way We Do single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Way We Do single sign-on enabled subscription -To test the steps in this tutorial, you should follow these recommendations: +## Scenario description -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +* Way We Do supports **SP** initiated SSO -1. Adding Way We Do from the gallery -2. Configuring and testing Azure AD single sign-on +* Way We Do supports **Just In Time** user provisioning ## Adding Way We Do from the gallery + To configure the integration of Way We Do into Azure AD, you need to add Way We Do from the gallery to your list of managed SaaS apps. **To add Way We Do from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. + + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The Enterprise applications blade][2] - 3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) 4. 
In the search box, type **Way We Do**, select **Way We Do** from result panel then click **Add** button to add the application. - ![Way We Do in the results list](./media/waywedo-tutorial/tutorial_waywedo_addfromgallery.png) + ![Way We Do in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Way We Do based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Way We Do is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Way We Do needs to be established. +In this section, you configure and test Azure AD single sign-on with Way We Do based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Way We Do needs to be established. To configure and test Azure AD single sign-on with Way We Do, you need to complete the following building blocks: -1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Create a Way We Do test user](#create-a-way-we-do-test-user)** - to have a counterpart of Britta Simon in Way We Do that is linked to the Azure AD representation of user. +1. **[Configure Azure AD single sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Way We Do single sign-On](#configure-way-we-do-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +5. **[Create Way We Do test user](#create-way-we-do-test-user)** - to have a counterpart of Britta Simon in Way We Do that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Way We Do application. +In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with Way We Do, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **Way We Do** application integration page, select **Single sign-on**. + + ![Configure single sign-on link](common/select-sso.png) + +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. + + ![Single sign-on select mode](common/select-saml-option.png) + +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -**To configure Azure AD single sign-on with Way We Do, perform the following steps:** + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. In the Azure portal, on the **Way We Do** application integration page, click **Single sign-on**. +4. On the **Basic SAML Configuration** section, perform the following steps: - ![Configure single sign-on link][4] + ![Way We Do Domain and URLs single sign-on information](common/sp-identifier.png) -2. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/waywedo-tutorial/tutorial_waywedo_samlbase.png) + a. 
In the **Sign on URL** text box, type a URL using the following pattern: + `https://.waywedo.com/Authentication/ExternalSignIn` -3. On the **Way We Do Domain and URLs** section, perform the following steps: + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://.waywedo.com` - ![Way We Do Domain and URLs single sign-on information](./media/waywedo-tutorial/tutorial_waywedo_url.png) + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Way We Do Client support team](mailto:support@waywedo.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.waywedo.com/Authentication/ExternalSignIn` +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer. - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.waywedo.com` + ![The Certificate download link](common/certificateraw.png) - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact [Way We Do Client support team](mailto:support@waywedo.com) to get these values. - -4. On the **SAML Signing Certificate** section, click **Certificate (Raw)** and then save the certificate file on your computer. +6. On the **Set up Way We Do** section, copy the appropriate URL(s) as per your requirement. - ![The Certificate download link](./media/waywedo-tutorial/tutorial_waywedo_certificate.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -5. Click **Save** button. + a. Login URL - ![Configure Single Sign-On Save button](./media/waywedo-tutorial/tutorial_general_400.png) + b. Azure AD Identifier -6. 
On the **Way We Do Configuration** section, click **Configure Way We Do** to open **Configure sign-on** window. Copy the **SAML Entity ID and SAML Single Sign-On Service URL** from the **Quick Reference section.** + c. Logout URL - ![Way We Do Configuration](./media/waywedo-tutorial/tutorial_waywedo_configure.png) +### Configure Way We Do Single Sign-On -7. In a different web browser window, login to Way We Do as a Security Administrator. +1. In a different web browser window, sign in to Way We Do as a Security Administrator. -8. Click the **person icon** in the top right corner of any page in Way We Do, then click **Account** in the dropdown menu. +2. Click the **person icon** in the top right corner of any page in Way We Do, then click **Account** in the dropdown menu. ![Way We Do account](./media/waywedo-tutorial/tutorial_waywedo_account.png) -9. Click the **menu icon** to open the push navigation menu and Click **Single Sign On**. +3. Click the **menu icon** to open the push navigation menu and Click **Single Sign On**. ![Way We Do single](./media/waywedo-tutorial/tutorial_waywedo_single.png) -10. On the **Single sign-on setup** page, perform the following steps: +4. On the **Single sign-on setup** page, perform the following steps: ![Way We Do save](./media/waywedo-tutorial/tutorial_waywedo_save.png) 
@@ -142,9 +147,9 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf
 b. In the **Single sign-on name** textbox, enter your name.
- c. In the **Entity ID** textbox, paste the value of **SAML Entity ID**, which you have copied from the Azure portal.
+ c. In the **Entity ID** textbox, paste the value of **Azure AD Identifier**, which you have copied from the Azure portal.
- d. In the **SAML SSO URL** textbox, paste the value of **SAML Single Sign-On Service URL**, which you have copied from the Azure portal.
+ d. In the **SAML SSO URL** textbox, paste the value of **Login URL**, which you have copied from the Azure portal.
 e. Upload the certificate by clicking the **select** button next to **Certificate**.
@@ -159,100 +164,74 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf g. Click **Save** to persist your settings. -### Create an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![Create an Azure AD test user][100] +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -**To create a test user in Azure AD, perform the following steps:** + ![The "Users and groups" and "All users" links](common/users.png) -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. +2. Select **New user** at the top of the screen. - ![The Azure Active Directory button](./media/waywedo-tutorial/create_aaduser_01.png) + ![New user Button](common/new-user.png) -2. To display the list of users, go to **Users and groups**, and then click **All users**. +3. In the User properties, perform the following steps. - ![The "Users and groups" and "All users" links](./media/waywedo-tutorial/create_aaduser_02.png) + ![The User dialog box](common/user-properties.png) -3. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - ![The Add button](./media/waywedo-tutorial/create_aaduser_03.png) - -4. In the **User** dialog box, perform the following steps: - - ![The User dialog box](./media/waywedo-tutorial/create_aaduser_04.png) - - a. In the **Name** box, type **BrittaSimon**. - - b. In the **User name** box, type the email address of user Britta Simon. - - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. 
Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Create a Way We Do test user - -The objective of this section is to create a user called Britta Simon in Way We Do. Way We Do supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access Way We Do if it doesn't exist yet. - -> [!Note] -> If you need to create a user manually, contact [Way We Do Client support team](mailto:support@waywedo.com). ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Way We Do. -![Assign the user role][200] - -**To assign Britta Simon to Way We Do, perform the following steps:** +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Way We Do**. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. - - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) 2. In the applications list, select **Way We Do**. - ![The Way We Do link in the Applications list](./media/waywedo-tutorial/tutorial_waywedo_app.png) + ![The Way We Do link in the Applications list](common/all-applications.png) -3. In the menu on the left, click **Users and groups**. +3. In the menu on the left, select **Users and groups**. - ![The "Users and groups" link][202] + ![The "Users and groups" link](common/users-groups-blade.png) -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![The Add Assignment pane][203] + ![The Add Assignment pane](common/add-assign-user.png) -5. 
On **Users and groups** dialog, select **Britta Simon** in the Users list. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -6. Click **Select** button on **Users and groups** dialog. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -7. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +7. In the **Add Assignment** dialog click the **Assign** button. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +### Create Way We Do test user -When you click the Way We Do tile in the Access Panel, you should get automatically signed-on to your Way We Do application. -For more information about the Access Panel, see [Introduction to the Access Panel](../active-directory-saas-access-panel-introduction.md). +In this section, a user called Britta Simon is created in Way We Do. Way We Do supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Way We Do, a new one is created after authentication. -## Additional resources +> [!Note] +> If you need to create a user manually, contact [Way We Do Client support team](mailto:support@waywedo.com). -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the Way We Do tile in the Access Panel, you should be automatically signed in to the Way We Do for which you set up SSO. 
For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/waywedo-tutorial/tutorial_general_01.png -[2]: ./media/waywedo-tutorial/tutorial_general_02.png -[3]: ./media/waywedo-tutorial/tutorial_general_03.png -[4]: ./media/waywedo-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/waywedo-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/waywedo-tutorial/tutorial_general_200.png -[201]: ./media/waywedo-tutorial/tutorial_general_201.png -[202]: ./media/waywedo-tutorial/tutorial_general_202.png -[203]: ./media/waywedo-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/wdesk-tutorial.md b/articles/active-directory/saas-apps/wdesk-tutorial.md index 5755a332b7d7e..61f820e9f40d7 100644 --- a/articles/active-directory/saas-apps/wdesk-tutorial.md +++ b/articles/active-directory/saas-apps/wdesk-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 06900a91-a326-4663-8ba6-69ae741a536e ms.service: active-directory 
@@ -12,140 +13,141 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 05/22/2017 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Wdesk In this tutorial, you learn how to integrate Wdesk with Azure Active Directory (Azure AD). - Integrating Wdesk with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Wdesk -- You can enable your users to automatically get signed-on to Wdesk (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Wdesk. +* You can enable your users to be automatically signed-in to Wdesk (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see. [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Wdesk, you need the following items: -- An Azure AD subscription -- A Wdesk single-sign on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. 
-- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Wdesk single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Wdesk from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Wdesk supports **SP** and **IDP** initiated SSO ## Adding Wdesk from the gallery + To configure the integration of Wdesk into Azure AD, you need to add Wdesk from the gallery to your list of managed SaaS apps. **To add Wdesk from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. + + ![The Azure Active Directory button](common/select-azuread.png) - ![Active Directory][1] +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -1. Navigate to **Enterprise applications**. Then go to **All applications**. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. +3. To add new application, click **New application** button on the top of dialog. - ![Applications][3] + ![The New application button](common/add-new-app.png) -1. In the search box, type **Wdesk**. +4. In the search box, type **Wdesk**, select **Wdesk** from result panel then click **Add** button to add the application. 
- ![Creating an Azure AD test user](./media/wdesk-tutorial/tutorial_wdesk_search.png) + ![Wdesk in the results list](common/search-new-app.png) -1. In the results panel, select **Wdesk**, and then click **Add** button to add the application. +## Configure and test Azure AD single sign-on - ![Creating an Azure AD test user](./media/wdesk-tutorial/tutorial_wdesk_addfromgallery.png) +In this section, you configure and test Azure AD single sign-on with Wdesk based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Wdesk needs to be established. -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Wdesk based on a test user called "Britta Simon." +To configure and test Azure AD single sign-on with Wdesk, you need to complete the following building blocks: -For single sign-on to work, Azure AD needs to know what the counterpart user in Wdesk is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Wdesk needs to be established. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Wdesk Single Sign-On](#configure-wdesk-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Wdesk test user](#create-wdesk-test-user)** - to have a counterpart of Britta Simon in Wdesk that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. 
-This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Wdesk. +### Configure Azure AD single sign-on -To configure and test Azure AD single sign-on with Wdesk, you need to complete the following building blocks: +In this section, you enable Azure AD single sign-on in the Azure portal. -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a Wdesk test user](#creating-a-wdesk-test-user)** - to have a counterpart of Britta Simon in Wdesk that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +To configure Azure AD single sign-on with Wdesk, perform the following steps: -### Configuring Azure AD single sign-on +1. In the [Azure portal](https://portal.azure.com/), on the **Wdesk** application integration page, select **Single sign-on**. -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Wdesk application. + ![Configure single sign-on link](common/select-sso.png) -**To configure Azure AD single sign-on with Wdesk, perform the following steps:** +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. In the Azure portal, on the **Wdesk** application integration page, click **Single sign-on**. + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On][4] +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. 
On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_samlbase.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. On the **Wdesk Domain and URLs** section, If you wish to configure the application in **IDP** initiated mode perform the following steps: +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: - ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_url.png) + ![Wdesk Domain and URLs single sign-on information](common/idp-intiated.png) - a. In the **Identifier** textbox, type a URL using the following pattern: `https://.wdesk.com/auth/saml/sp/metadata/` + a. In the **Identifier** text box, type a URL using the following pattern: + `https://.wdesk.com/auth/saml/sp/metadata/` - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://.wdesk.com/auth/saml/sp/consumer/` + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://.wdesk.com/auth/saml/sp/consumer/` -1. Check **Show advanced URL settings**. If you wish to configure the application in **SP** initiated mode, perform the following step: +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: - ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_url1.png) + ![Wdesk Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) - In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.wdesk.com/auth/login/saml/` - - > [!NOTE] - > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. You get these values from WDesk portal when you configure the SSO. - -1. 
On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://.wdesk.com/auth/login/saml/` + + > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. You get these values from WDesk portal when you configure the SSO. + +4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. + + ![The Certificate download link](common/metadataxml.png) - ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_certificate.png) +6. On the **Set up Wdesk** section, copy the appropriate URL(s) as per your requirement. -1. Click **Save** button. + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_general_400.png) - -1. In a different web browser window, login to Wdesk as a Security Administrator. + a. Login URL -1. In the bottom left, click **Admin** and choose **Account Admin**: + b. Azure AD Identifier + + c. Logout URL + +### Configure Wdesk Single Sign-On + +1. In a different web browser window, sign in to Wdesk as a Security Administrator. + +2. In the bottom left, click **Admin** and choose **Account Admin**: ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_ssoconfig1.png) -1. In Wdesk Admin, navigate to **Security**, then **SAML** > **SAML Settings**: +3. In Wdesk Admin, navigate to **Security**, then **SAML** > **SAML Settings**: ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_ssoconfig2.png) -1. Under **General Settings**, check the **Enable SAML Single Sign On**: +4. 
Under **General Settings**, check the **Enable SAML Single Sign On**: ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_ssoconfig3.png) -1. Under **Service Provider Details**, perform the following steps: +5. Under **Service Provider Details**, perform the following steps: ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_ssoconfig4.png) 
@@ -157,140 +159,111 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf d. Click **Save** on Azure portal to save the changes. -1. Click **Configure IdP Settings** to open **Edit IdP Settings** dialog. Click **Choose File** to locate the **Metadata.xml** file you saved from Azure portal, then upload it. +6. Click **Configure IdP Settings** to open **Edit IdP Settings** dialog. Click **Choose File** to locate the **Metadata.xml** file you saved from Azure portal, then upload it. ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_ssoconfig5.png) -1. Click **Save changes**. +7. Click **Save changes**. ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_ssoconfigsavebutton.png) -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure -> portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) +### Create an Azure AD test user -### Creating an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. -![Create Azure AD User][100] +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -**To create a test user in Azure AD, perform the following steps:** + ![The "Users and groups" and "All users" links](common/users.png) -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +2. Select **New user** at the top of the screen. 
- ![Creating an Azure AD test user](./media/wdesk-tutorial/create_aaduser_01.png) + ![New user Button](common/new-user.png) -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/wdesk-tutorial/create_aaduser_02.png) +3. In the User properties, perform the following steps. -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/wdesk-tutorial/create_aaduser_03.png) - -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/wdesk-tutorial/create_aaduser_04.png) + ![The User dialog box](common/user-properties.png) - a. In the **Name** textbox, type **BrittaSimon**. - - b. In the **User name** textbox, type the **email address** of BrittaSimon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - c. Select **Show Password** and write down the value of the **Password**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Creating a Wdesk test user - -To enable Azure AD users to log in to Wdesk, they must be provisioned into Wdesk. In Wdesk, provisioning is a manual task. - -**To provision a user account, perform the following steps:** -1. Log in to Wdesk as a Security Administrator. -1. Navigate to **Admin** > **Account Admin**. +### Assign the Azure AD test user - ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_ssoconfig1.png) - -1. Click **Members** under **People**. - -1. Now click **Add Member** to open **Add Member** dialog box. - - ![Creating an Azure AD test user](./media/wdesk-tutorial/createuser1.png) +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Wdesk. -1. 
In **User** text box, enter the username of user like **brittasimon\@contoso.com** and click **Continue** button. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Wdesk**. - ![Creating an Azure AD test user](./media/wdesk-tutorial/createuser3.png) + ![Enterprise applications blade](common/enterprise-applications.png) -1. Enter the details as shown below: - - ![Creating an Azure AD test user](./media/wdesk-tutorial/createuser4.png) - - a. In **E-mail** text box, enter the email of user like **brittasimon\@contoso.com**. +2. In the applications list, select **Wdesk**. - b. In **First Name** text box, enter the first name of user like **Britta**. + ![The Wdesk link in the Applications list](common/all-applications.png) - c. In **Last Name** text box, enter the last name of user like **Simon**. +3. In the menu on the left, select **Users and groups**. -1. Click **Save Member** button. + ![The "Users and groups" link](common/users-groups-blade.png) - ![Creating an Azure AD test user](./media/wdesk-tutorial/createuser5.png) +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -### Assigning the Azure AD test user + ![The Add Assignment pane](common/add-assign-user.png) -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Wdesk. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -![Assign User][200] +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -**To assign Britta Simon to Wdesk, perform the following steps:** +7. In the **Add Assignment** dialog click the **Assign** button. -1. 
In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +### Create Wdesk test user - ![Assign User][201] +To enable Azure AD users to sign in to Wdesk, they must be provisioned into Wdesk. In Wdesk, provisioning is a manual task. -1. In the applications list, select **Wdesk**. +**To provision a user account, perform the following steps:** - ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_app.png) +1. Sign in to Wdesk as a Security Administrator. -1. In the menu on the left, click **Users and groups**. +2. Navigate to **Admin** > **Account Admin**. - ![Assign User][202] + ![Configure Single Sign-On](./media/wdesk-tutorial/tutorial_wdesk_ssoconfig1.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +3. Click **Members** under **People**. - ![Assign User][203] +4. Now click **Add Member** to open **Add Member** dialog box. + + ![Creating an Azure AD test user](./media/wdesk-tutorial/createuser1.png) -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +5. In **User** text box, enter the username of user like brittasimon@contoso.com and click **Continue** button. -1. Click **Select** button on **Users and groups** dialog. + ![Creating an Azure AD test user](./media/wdesk-tutorial/createuser3.png) -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +6. Enter the details as shown below: + + ![Creating an Azure AD test user](./media/wdesk-tutorial/createuser4.png) + + a. In **E-mail** text box, enter the email of user like brittasimon@contoso.com. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. + b. In **First Name** text box, enter the first name of user like **Britta**. -When you click the Wdesk tile in the Access Panel, you should get automatically signed-on to your Wdesk application. 
-For more information about the Access Panel, see [introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). + c. In **Last Name** text box, enter the last name of user like **Simon**. +7. Click **Save Member** button. -## Additional resources + ![Creating an Azure AD test user](./media/wdesk-tutorial/createuser5.png) -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the Wdesk tile in the Access Panel, you should be automatically signed in to the Wdesk for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
- +## Additional Resources -[1]: ./media/wdesk-tutorial/tutorial_general_01.png -[2]: ./media/wdesk-tutorial/tutorial_general_02.png -[3]: ./media/wdesk-tutorial/tutorial_general_03.png -[4]: ./media/wdesk-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/wdesk-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/wdesk-tutorial/tutorial_general_200.png -[201]: ./media/wdesk-tutorial/tutorial_general_201.png -[202]: ./media/wdesk-tutorial/tutorial_general_202.png -[203]: ./media/wdesk-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/weekdone-tutorial.md b/articles/active-directory/saas-apps/weekdone-tutorial.md index ff3b716195492..ff9040afb7c3f 100644 --- a/articles/active-directory/saas-apps/weekdone-tutorial.md +++ b/articles/active-directory/saas-apps/weekdone-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 34921f9a-5637-4420-ab4c-9beb34421909 ms.service: active-directory 
@@ -12,223 +13,201 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 05/18/2018 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Weekdone In this tutorial, you learn how to integrate Weekdone with Azure Active Directory (Azure AD). - Integrating Weekdone with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Weekdone -- You can enable your users to automatically get signed-on to Weekdone (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Weekdone. +* You can enable your users to be automatically signed-in to Weekdone (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Weekdone, you need the following items: -- An Azure AD subscription -- A Weekdone single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Weekdone single sign-on enabled subscription -To test the steps in this tutorial, you should follow these recommendations: +## Scenario description -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +* Weekdone supports **SP** and **IDP** initiated SSO -1. Adding Weekdone from the gallery -2. Configuring and testing Azure AD single sign-on +* Weekdone supports **Just In Time** user provisioning ## Adding Weekdone from the gallery + To configure the integration of Weekdone into Azure AD, you need to add Weekdone from the gallery to your list of managed SaaS apps. **To add Weekdone from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. + + ![The Azure Active Directory button](common/select-azuread.png) - ![Active Directory][1] +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -2. Navigate to **Enterprise applications**. Then go to **All applications**. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][2] - 3. To add new application, click **New application** button on the top of dialog. - ![Applications][3] + ![The New application button](common/add-new-app.png) -4. In the search box, type **Weekdone**. +4. 
In the search box, type **Weekdone**, select **Weekdone** from result panel then click **Add** button to add the application. - ![Creating an Azure AD test user](./media/weekdone-tutorial/tutorial_weekdone_search.png) + ![Weekdone in the results list](common/search-new-app.png) -5. In the results panel, select **Weekdone**, and then click **Add** button to add the application. +## Configure and test Azure AD single sign-on - ![Creating an Azure AD test user](./media/weekdone-tutorial/tutorial_weekdone_addfromgallery.png) +In this section, you configure and test Azure AD single sign-on with Weekdone based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Weekdone needs to be established. -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Weekdone based on a test user called "Britta Simon". +To configure and test Azure AD single sign-on with Weekdone, you need to complete the following building blocks: -For single sign-on to work, Azure AD needs to know what the counterpart user in Weekdone is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Weekdone needs to be established. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Weekdone Single Sign-On](#configure-weekdone-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Weekdone test user](#create-weekdone-test-user)** - to have a counterpart of Britta Simon in Weekdone that is linked to the Azure AD representation of user. 
+6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with Weekdone, you need to complete the following building blocks: +### Configure Azure AD single sign-on + +In this section, you enable Azure AD single sign-on in the Azure portal. -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Creating a Weekdone test user](#creating-a-weekdone-test-user)** - to have a counterpart of Britta Simon in Weekdone that is linked to the Azure AD representation of user. -4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +To configure Azure AD single sign-on with Weekdone, perform the following steps: -### Configuring Azure AD single sign-on +1. In the [Azure portal](https://portal.azure.com/), on the **Weekdone** application integration page, select **Single sign-on**. -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Weekdone application. + ![Configure single sign-on link](common/select-sso.png) -**To configure Azure AD single sign-on with Weekdone, perform the following steps:** +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. In the Azure portal, on the **Weekdone** application integration page, click **Single sign-on**. + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On][4] +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -2. 
On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/weekdone-tutorial/tutorial_weekdone_samlbase.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) -3. On the **Weekdone Domain and URLs** section, If you wish to configure the application in **IDP** initiated mode: +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: - ![Configure Single Sign-On](./media/weekdone-tutorial/tutorial_weekdone_url1.png) + ![Weekdone Domain and URLs single sign-on information](common/idp-intiated.png) - a. In the **Identifier** textbox, type a URL using the following pattern: `https://weekdone.com/a//metadata` + a. In the **Identifier** text box, type a URL using the following pattern: + `https://weekdone.com/a//metadata` > [!NOTE] > The metadata file from weekdone can be retrieved with using the same URL. - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://weekdone.com/a/` + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://weekdone.com/a/` -4. Check **Show advanced URL settings**. If you wish to configure the application in **SP** initiated mode: +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: - ![Configure Single Sign-On](./media/weekdone-tutorial/tutorial_weekdone_url2.png) + ![Weekdone Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) - In the **Sign-on URL** textbox, type a URL using the following pattern: `https://weekdone.com/a/` - - > [!NOTE] - > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. Contact [Weekdone Client support team](mailto:hello@weekdone.com) to get these values. 
+ In the **Sign-on URL** text box, type a URL using the following pattern: + `https://weekdone.com/a/` -5. On the **SAML Signing Certificate** section, click **Certificate(Base64)** and then save the certificate file on your computer. + > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Weekdone Client support team](mailto:hello@weekdone.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - ![Configure Single Sign-On](./media/weekdone-tutorial/tutorial_weekdone_certificate.png) +6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. -6. Click **Save** button. + ![The Certificate download link](common/certificatebase64.png) - ![Configure Single Sign-On](./media/weekdone-tutorial/tutorial_general_400.png) - -7. On the **Weekdone Configuration** section, click **Configure Weekdone** to open **Configure sign-on** window. Copy the **Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** from the **Quick Reference section.** +7. On the **Set up Weekdone** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On](./media/weekdone-tutorial/tutorial_weekdone_configure.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -8. To configure single sign-on on **Weekdone** side, you need to send the downloaded **Metadata XML, Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** to [Weekdone support team](mailto:hello@weekdone.com). + a. Login URL -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + b. Azure AD Identifier -![Create Azure AD User][100] + c. 
Logout URL -**To create a test user in Azure AD, perform the following steps:** +### Configure Weekdone Single Sign-On -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +To configure single sign-on on **Weekdone** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Weekdone support team](mailto:hello@weekdone.com). They set this setting to have the SAML SSO connection set properly on both sides. - ![Creating an Azure AD test user](./media/weekdone-tutorial/create_aaduser_01.png) +### Create an Azure AD test user -2. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/weekdone-tutorial/create_aaduser_02.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -3. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/weekdone-tutorial/create_aaduser_03.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -4. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/weekdone-tutorial/create_aaduser_04.png) + ![The "Users and groups" and "All users" links](common/users.png) - a. In the **Name** textbox, type **BrittaSimon**. +2. Select **New user** at the top of the screen. - b. In the **User name** textbox, type the **email address** of BrittaSimon. + ![New user Button](common/new-user.png) - c. Select **Show Password** and write down the value of the **Password**. +3. In the User properties, perform the following steps. - d. Click **Create**. - -### Creating a Weekdone test user + ![The User dialog box](common/user-properties.png) -The objective of this section is to create a user called Britta Simon in Weekdone. 
Weekdone supports just-in-time provisioning, which is by default enabled. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com -There is no action item for you in this section. A new user is created during an attempt to access Weekdone if it doesn't exist yet. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. ->[!NOTE] ->If you need to create a user manually, you need to contact the [Weekdone Client support team](mailto:hello@weekdone.com). + d. Click **Create**. -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Weekdone. -![Assign User][200] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Weekdone**. -**To assign Britta Simon to Weekdone, perform the following steps:** + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +2. In the applications list, select **Weekdone**. - ![Assign User][201] + ![The Weekdone link in the Applications list](common/all-applications.png) -2. In the applications list, select **Weekdone**. +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) - ![Configure Single Sign-On](./media/weekdone-tutorial/tutorial_weekdone_app.png) +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -3. In the menu on the left, click **Users and groups**. + ![The Add Assignment pane](common/add-assign-user.png) - ![Assign User][202] +5. 
In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. - ![Assign User][203] +7. In the **Add Assignment** dialog click the **Assign** button. -5. On **Users and groups** dialog, select **Britta Simon** in the Users list. +### Create Weekdone test user -6. Click **Select** button on **Users and groups** dialog. +In this section, a user called Britta Simon is created in Weekdone. Weekdone supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Weekdone, a new one is created after authentication. -7. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +>[!NOTE] +>If you need to create a user manually, you need to contact the [Weekdone Client support team](mailto:hello@weekdone.com). -The objective of this section is to test your Azure AD SSO configuration using the Access Panel. +### Test single sign-on -When you click the Weekdone tile in the Access Panel, you should get automatically signed-on to your Weekdone application. +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -## Additional resources +When you click the Weekdone tile in the Access Panel, you should be automatically signed in to the Weekdone for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: ./media/weekdone-tutorial/tutorial_general_01.png -[2]: ./media/weekdone-tutorial/tutorial_general_02.png -[3]: ./media/weekdone-tutorial/tutorial_general_03.png -[4]: ./media/weekdone-tutorial/tutorial_general_04.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[100]: ./media/weekdone-tutorial/tutorial_general_100.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[200]: ./media/weekdone-tutorial/tutorial_general_200.png -[201]: ./media/weekdone-tutorial/tutorial_general_201.png -[202]: ./media/weekdone-tutorial/tutorial_general_202.png -[203]: ./media/weekdone-tutorial/tutorial_general_203.png diff --git a/articles/active-directory/saas-apps/wikispaces-tutorial.md b/articles/active-directory/saas-apps/wikispaces-tutorial.md index 58cac0a7bedea..da9c28b160a3f 100644 --- a/articles/active-directory/saas-apps/wikispaces-tutorial.md +++ b/articles/active-directory/saas-apps/wikispaces-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 665b95aa-f7f5-4406-9e2a-6fc299a1599c ms.service: active-directory 
@@ -12,171 +13,188 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 07/08/2017 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Wikispaces In this tutorial, you learn how to integrate Wikispaces with Azure Active Directory (Azure AD). - Integrating Wikispaces with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Wikispaces -- You can enable your users to automatically get signed-on to Wikispaces (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Wikispaces. +* You can enable your users to be automatically signed-in to Wikispaces (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Wikispaces, you need the following items: -- An Azure AD subscription -- A Wikispaces single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Wikispaces single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Wikispaces from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Wikispaces supports **SP** initiated SSO ## Adding Wikispaces from the gallery + To configure the integration of Wikispaces into Azure AD, you need to add Wikispaces from the gallery to your list of managed SaaS apps. **To add Wikispaces from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Wikispaces**. 
+ ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/wikispaces-tutorial/tutorial_wikispaces_search.png) +4. In the search box, type **Wikispaces**, select **Wikispaces** from result panel then click **Add** button to add the application. -1. In the results panel, select **Wikispaces**, and then click **Add** button to add the application. + ![Wikispaces in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/wikispaces-tutorial/tutorial_wikispaces_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Wikispaces based on a test user called "Britta Simon". +In this section, you configure and test Azure AD single sign-on with Wikispaces based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Wikispaces needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Wikispaces is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Wikispaces needs to be established. +To configure and test Azure AD single sign-on with Wikispaces, you need to complete the following building blocks: -In Wikispaces, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Wikispaces Single Sign-On](#configure-wikispaces-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Wikispaces test user](#create-wikispaces-test-user)** - to have a counterpart of Britta Simon in Wikispaces that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with Wikispaces, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a Wikispaces test user](#creating-a-wikispaces-test-user)** - to have a counterpart of Britta Simon in Wikispaces that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with Wikispaces, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Wikispaces application. +1. In the [Azure portal](https://portal.azure.com/), on the **Wikispaces** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Wikispaces, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Wikispaces** application integration page, click **Single sign-on**. +2. 
On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/wikispaces-tutorial/tutorial_wikispaces_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Wikispaces Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/wikispaces-tutorial/tutorial_wikispaces_url.png) +4. On the **Basic SAML Configuration** section, perform the following steps: - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.wikispaces.net` + ![Wikispaces Domain and URLs single sign-on information](common/sp-identifier.png) - b. In the **Identifier** textbox, type a URL using the following pattern: `https://session.wikispaces.net/` + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.wikispaces.net` - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact [Wikispaces Client support team](https://www.wikispaces.com/site/help) to get these values. + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://session.wikispaces.net/` -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Wikispaces Client support team](https://www.wikispaces.com/site/help) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. 
- ![Configure Single Sign-On](./media/wikispaces-tutorial/tutorial_wikispaces_certificate.png) +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -1. Click **Save** button. + ![The Certificate download link](common/metadataxml.png) - ![Configure Single Sign-On](./media/wikispaces-tutorial/tutorial_general_400.png) +6. On the **Set up Wikispaces** section, copy the appropriate URL(s) as per your requirement. -1. To configure single sign-on on **Wikispaces** side, you need to send the downloaded **Metadata XML** to [Wikispaces support team](https://www.wikispaces.com/site/help). You will get a notification as soon as the configuration has been completed. + ![Copy configuration URLs](common/copy-configuration-urls.png) -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) + a. Login URL -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + b. Azure AD Identifier + + c. Logout URL + +### Configure Wikispaces Single Sign-On -![Create Azure AD User][100] +To configure single sign-on on **Wikispaces** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Wikispaces support team](https://www.wikispaces.com/site/help). 
They set this setting to have the SAML SSO connection set properly on both sides. -**To create a test user in Azure AD, perform the following steps:** +### Create an Azure AD test user -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +The objective of this section is to create a test user in the Azure portal called Britta Simon. + +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Creating an Azure AD test user](./media/wikispaces-tutorial/create_aaduser_01.png) + ![The "Users and groups" and "All users" links](common/users.png) -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/wikispaces-tutorial/create_aaduser_02.png) +2. Select **New user** at the top of the screen. -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/wikispaces-tutorial/create_aaduser_03.png) + ![New user Button](common/new-user.png) -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/wikispaces-tutorial/create_aaduser_04.png) +3. In the User properties, perform the following steps. - a. In the **Name** textbox, type **BrittaSimon**. + ![The User dialog box](common/user-properties.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - c. Select **Show Password** and write down the value of the **Password**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Creating a Wikispaces test user -In order to enable Azure AD users to log in to Wikispaces, they must be provisioned into Wikispaces. 
In the case of Wikispaces, provisioning is a manual task. +### Assign the Azure AD test user + +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Wikispaces. + +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Wikispaces**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **Wikispaces**. + + ![The Wikispaces link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) + +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. + +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create Wikispaces test user + +In order to enable Azure AD users to sign in to Wikispaces, they must be provisioned into Wikispaces. In the case of Wikispaces, provisioning is a manual task. ### To provision a user accounts, perform the following steps: -1. Log in to your **Wikispaces** company site as an administrator. -1. Go to **Members**. +1. Sign in to your **Wikispaces** company site as an administrator. + +2. Go to **Members**. ![Members](./media/wikispaces-tutorial/ic787193.png "Members") -1. Click the **Invite People**. +3. Click the **Invite People**. ![Invite People](./media/wikispaces-tutorial/ic787194.png "Invite People") -1. In the **Invite People** section, perform the following steps: +4. 
In the **Invite People** section, perform the following steps: ![Invite People](./media/wikispaces-tutorial/ic787208.png "Invite People") 
@@ -190,59 +208,17 @@ In order to enable Azure AD users to log in to Wikispaces, they must be provisio > [!NOTE] > You can use any other Wikispaces user account creation tools or APIs provided by Wikispaces to provision AAD user accounts. -### Assigning the Azure AD test user - -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Wikispaces. - -![Assign User][200] - -**To assign Britta Simon to Wikispaces, perform the following steps:** - -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. - - ![Assign User][201] - -1. In the applications list, select **Wikispaces**. - - ![Configure Single Sign-On](./media/wikispaces-tutorial/tutorial_wikispaces_app.png) - -1. In the menu on the left, click **Users and groups**. - - ![Assign User][202] - -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. - - ![Assign User][203] - -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. - -1. Click **Select** button on **Users and groups** dialog. - -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the Wikispaces tile in the Access Panel, you should get automatically signed-on to your Wikispaces application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). 
- -## Additional resources - -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +When you click the Wikispaces tile in the Access Panel, you should be automatically signed in to the Wikispaces for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/wikispaces-tutorial/tutorial_general_01.png -[2]: ./media/wikispaces-tutorial/tutorial_general_02.png -[3]: ./media/wikispaces-tutorial/tutorial_general_03.png -[4]: ./media/wikispaces-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/wikispaces-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/wikispaces-tutorial/tutorial_general_200.png -[201]: ./media/wikispaces-tutorial/tutorial_general_201.png -[202]: ./media/wikispaces-tutorial/tutorial_general_202.png -[203]: ./media/wikispaces-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/wingspanetmf-tutorial.md b/articles/active-directory/saas-apps/wingspanetmf-tutorial.md index 91c2b1dbe2546..1718acad4a774 100644 --- a/articles/active-directory/saas-apps/wingspanetmf-tutorial.md +++ b/articles/active-directory/saas-apps/wingspanetmf-tutorial.md 
@@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: ace320d3-521c-449c-992f-feabe7538de7 ms.service: active-directory 
@@ -12,216 +13,189 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 04/19/2017 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Wingspan eTMF In this tutorial, you learn how to integrate Wingspan eTMF with Azure Active Directory (Azure AD). - Integrating Wingspan eTMF with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Wingspan eTMF -- You can enable your users to automatically get signed-on to Wingspan eTMF (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Wingspan eTMF. +* You can enable your users to be automatically signed-in to Wingspan eTMF (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Wingspan eTMF, you need the following items: -- An Azure AD subscription -- A Wingspan eTMF single-sign on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Wingspan eTMF single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Wingspan eTMF from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Wingspan eTMF supports **SP** initiated SSO ## Adding Wingspan eTMF from the gallery + To configure the integration of Wingspan eTMF into Azure AD, you need to add Wingspan eTMF from the gallery to your list of managed SaaS apps. **To add Wingspan eTMF from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Wingspan eTMF**. 
+ ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/wingspanetmf-tutorial/tutorial_wingspanetmf_search.png) +4. In the search box, type **Wingspan eTMF**, select **Wingspan eTMF** from result panel then click **Add** button to add the application. -1. In the results panel, select **Wingspan eTMF**, and then click **Add** button to add the application. + ![Wingspan eTMF in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/wingspanetmf-tutorial/tutorial_wingspanetmf_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Wingspan eTMF based on a test user called "Britta Simon." +In this section, you configure and test Azure AD single sign-on with Wingspan eTMF based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Wingspan eTMF needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Wingspan eTMF is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Wingspan eTMF needs to be established. +To configure and test Azure AD single sign-on with Wingspan eTMF, you need to complete the following building blocks: -This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Wingspan eTMF. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Wingspan eTMF Single Sign-On](#configure-wingspan-etmf-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. 
**[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Wingspan eTMF test user](#create-wingspan-etmf-test-user)** - to have a counterpart of Britta Simon in Wingspan eTMF that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with Wingspan eTMF, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a Wingspan eTMF test user](#creating-a-wingspan-etmf-test-user)** - to have a counterpart of Britta Simon in Wingspan eTMF that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with Wingspan eTMF, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Wingspan eTMF application. +1. In the [Azure portal](https://portal.azure.com/), on the **Wingspan eTMF** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Wingspan eTMF, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Wingspan eTMF** application integration page, click **Single sign-on**. +2. 
On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/wingspanetmf-tutorial/tutorial_wingspanetmf_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Wingspan eTMF Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/wingspanetmf-tutorial/tutorial_wingspanetmf_url11.png) +4. On the **Basic SAML Configuration** section, perform the following steps: - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://..mywingspan.com/saml` + ![Wingspan eTMF Domain and URLs single sign-on information](common/sp-identifier-reply.png) - b. In the **Identifier** textbox, type a URL using the following pattern: `http://saml..wingspan.com/shibboleth` + a. In the **Sign-on URL** text box, type a URL using the following pattern: + `https://..mywingspan.com/saml` - c. In the **Reply URL** textbox, type a URL using the following pattern: `https://..mywingspan.com/` - - > [!NOTE] - > These values are not the real. Update these values with the actual Sign-On URL, Identifier and Reply URL including the actual customer name and instance name. Contact [Wingspan eTMF Client support team](http://www.wingspan.com/contact-us/) to get these values. + b. In the **Identifier** box, type a URL using the following pattern: + `http://saml..wingspan.com/shibboleth` -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + c. 
In the **Reply URL** text box, type a URL using the following pattern: + `https://..mywingspan.com/` - ![Configure Single Sign-On](./media/wingspanetmf-tutorial/tutorial_wingspanetmf_certificate.png) + > [!NOTE] + > These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact [Wingspan eTMF Client support team](http://www.wingspan.com/contact-us/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. Click **Save** button. +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. - ![Configure Single Sign-On](./media/wingspanetmf-tutorial/tutorial_general_400.png) + ![The Certificate download link](common/metadataxml.png) -1. To configure single sign-on on **Wingspan eTMF** side, you need to send the downloaded **Metadata XML** to [Wingspan eTMF support](http://www.wingspan.com/contact-us/). They set this up to have the SAML SSO connection set properly on both sides. +6. On the **Set up Wingspan eTMF** section, copy the appropriate URL(s) as per your requirement. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. 
You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) - + ![Copy configuration URLs](common/copy-configuration-urls.png) -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. + a. Login URL -![Create Azure AD User][100] + b. Azure AD Identifier -**To create a test user in Azure AD, perform the following steps:** + c. Logout URL -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +### Configure Wingspan eTMF Single Sign-On - ![Creating an Azure AD test user](./media/wingspanetmf-tutorial/create_aaduser_01.png) +To configure single sign-on on **Wingspan eTMF** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Wingspan eTMF support team](http://www.wingspan.com/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides. -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/wingspanetmf-tutorial/create_aaduser_02.png) +### Create an Azure AD test user -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/wingspanetmf-tutorial/create_aaduser_03.png) +The objective of this section is to create a test user in the Azure portal called Britta Simon. -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/wingspanetmf-tutorial/create_aaduser_04.png) +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - a. In the **Name** textbox, type **BrittaSimon**. + ![The "Users and groups" and "All users" links](common/users.png) - b. In the **User name** textbox, type the **email address** of BrittaSimon. 
+2. Select **New user** at the top of the screen. - c. Select **Show Password** and write down the value of the **Password**. + ![New user Button](common/new-user.png) - d. Click **Create**. - -### Creating a Wingspan eTMF test user +3. In the User properties, perform the following steps. -In this section, you create a user called Britta Simon in Wingspan eTMF. Work with [Wingspan eTMF support](http://www.wingspan.com/contact-us/) to add the users in the Wingspan eTMF application. Users must be created and activated before you use single sign-on. + ![The User dialog box](common/user-properties.png) -### Assigning the Azure AD test user + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Wingspan eTMF. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -![Assign User][200] + d. Click **Create**. -**To assign Britta Simon to Wingspan eTMF, perform the following steps:** +### Assign the Azure AD test user -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Wingspan eTMF. - ![Assign User][201] +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Wingspan eTMF**. -1. In the applications list, select **Wingspan eTMF**. + ![Enterprise applications blade](common/enterprise-applications.png) - ![Configure Single Sign-On](./media/wingspanetmf-tutorial/tutorial_wingspanetmf_app.png) +2. In the applications list, select **Wingspan eTMF**. -1. In the menu on the left, click **Users and groups**. 
+ ![The Wingspan eTMF link in the Applications list](common/all-applications.png) - ![Assign User][202] +3. In the menu on the left, select **Users and groups**. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. + ![The "Users and groups" link](common/users-groups-blade.png) - ![Assign User][203] +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. + ![The Add Assignment pane](common/add-assign-user.png) -1. Click **Select** button on **Users and groups** dialog. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +7. In the **Add Assignment** dialog click the **Assign** button. -Click the Wingspan eTMF tile in the Access Panel, you will be redirected to Organization sign on page. After successful login, you will be signed-on to your Wingspan eTMF application. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +### Create Wingspan eTMF test user -## Additional resources +In this section, you create a user called Britta Simon in Wingspan eTMF. Work with [Wingspan eTMF support team](http://www.wingspan.com/contact-us/) to add the users in the Wingspan eTMF platform. Users must be created and activated before you use single sign-on. 
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. +When you click the Wingspan eTMF tile in the Access Panel, you should be automatically signed in to the Wingspan eTMF for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/wingspanetmf-tutorial/tutorial_general_01.png -[2]: ./media/wingspanetmf-tutorial/tutorial_general_02.png -[3]: ./media/wingspanetmf-tutorial/tutorial_general_03.png -[4]: ./media/wingspanetmf-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/wingspanetmf-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/wingspanetmf-tutorial/tutorial_general_200.png -[201]: ./media/wingspanetmf-tutorial/tutorial_general_201.png -[202]: ./media/wingspanetmf-tutorial/tutorial_general_202.png -[203]: ./media/wingspanetmf-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/wizergosproductivitysoftware-tutorial.md b/articles/active-directory/saas-apps/wizergosproductivitysoftware-tutorial.md index 6cce7877c3820..ecd66789d5f8f 100644 
--- a/articles/active-directory/saas-apps/wizergosproductivitysoftware-tutorial.md +++ b/articles/active-directory/saas-apps/wizergosproductivitysoftware-tutorial.md @@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: acc04396-13c5-4c24-ab9a-30fbc9234ebd ms.service: active-directory 
@@ -13,232 +13,202 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 11/24/2017 +ms.topic: tutorial +ms.date: 03/28/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Wizergos Productivity Software In this tutorial, you learn how to integrate Wizergos Productivity Software with Azure Active Directory (Azure AD). - Integrating Wizergos Productivity Software with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Wizergos Productivity Software. -- You can enable your users to automatically get signed-on to Wizergos Productivity Software (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Wizergos Productivity Software. +* You can enable your users to be automatically signed-in to Wizergos Productivity Software (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 
## Prerequisites To configure Azure AD integration with Wizergos Productivity Software, you need the following items: -- An Azure AD subscription -- A Wizergos Productivity Software single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Wizergos Productivity Software single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Wizergos Productivity Software from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Wizergos Productivity Software supports **IDP** initiated SSO ## Adding Wizergos Productivity Software from the gallery + To configure the integration of Wizergos Productivity Software into Azure AD, you need to add Wizergos Productivity Software from the gallery to your list of managed SaaS apps. **To add Wizergos Productivity Software from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. 
Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Wizergos Productivity Software**, select **Wizergos Productivity Software** from result panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Wizergos Productivity Software in the results list](./media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_addfromgallery.png) +4. In the search box, type **Wizergos Productivity Software**, select **Wizergos Productivity Software** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on - -In this section, you configure and test Azure AD single sign-on with Wizergos Productivity Software based on a test user called "Britta Simon". + ![Wizergos Productivity Software in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know what the counterpart user in Wizergos Productivity Software is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Wizergos Productivity Software needs to be established. +## Configure and test Azure AD single sign-on -In Wizergos Productivity Software, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with Wizergos Productivity Software based on a test user called **Britta Simon**. 
+For single sign-on to work, a link relationship between an Azure AD user and the related user in Wizergos Productivity Software needs to be established. To configure and test Azure AD single sign-on with Wizergos Productivity Software, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a Wizergos Productivity Software test user](#create-a-wizergos-productivity-software-test-user)** - to have a counterpart of Britta Simon in Wizergos Productivity Software that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure Wizergos Productivity Software Single Sign-On](#configure-wizergos-productivity-software-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Wizergos Productivity Software test user](#create-wizergos-productivity-software-test-user)** - to have a counterpart of Britta Simon in Wizergos Productivity Software that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Wizergos Productivity Software application. 
+In this section, you enable Azure AD single sign-on in the Azure portal. + +To configure Azure AD single sign-on with Wizergos Productivity Software, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **Wizergos Productivity Software** application integration page, select **Single sign-on**. + + ![Configure single sign-on link](common/select-sso.png) -**To configure Azure AD single sign-on with Wizergos Productivity Software, perform the following steps:** +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. In the Azure portal, on the **Wizergos Productivity Software** application integration page, click **Single sign-on**. + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure single sign-on link][4] +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_samlbase.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) -1. On the **Wizergos Productivity Software Domain and URLs** section, perform the following steps: +4. On the **Basic SAML Configuration** section, perform the following steps: - ![Wizergos Productivity Software Domain and URLs single sign-on information](./media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_url.png) + ![Wizergos Productivity Software Domain and URLs single sign-on information](common/idp-identifier.png) - In the **Identifier** textbox, type the URL: `https://www.wizergos.net` + In the **Identifier** text box, type a URL: + `https://www.wizergos.net` -1. On the **SAML Signing Certificate** section, click **Certificate** and then save the certificate file on your computer. +5. 
On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. - ![The Certificate download link](./media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_certificate.png) + ![The Certificate download link](common/certificatebase64.png) -1. Click **Save** button. +6. On the **Set up Wizergos Productivity Software** section, copy the appropriate URL(s) as per your requirement. - ![Configure Single Sign-On Save button](./media/wizergosproductivitysoftware-tutorial/tutorial_general_400.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. On the **Wizergos Productivity Software Configuration** section, click **Configure Wizergos Productivity Software** to open **Configure sign-on** window. Copy the **Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** from the **Quick Reference section.** + a. Login URL - ![Wizergos Productivity Software Configuration](./media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_configure.png) + b. Azure AD Identifier + + c. Logout URL + +### Configure Wizergos Productivity Software Single Sign-On 1. In a different web browser window, sign-on to your Wizergos Productivity Software tenant as an administrator. -1. From the hamburger menu, select **Admin**. +2. From the hamburger menu, select **Admin**. ![Configure Single Sign-On On App side](./media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_000.png) -1. In Admin page on left hand menu select **AUTHENTICATION** and click on **Azure AD**. +3. In Admin page on left hand menu select **AUTHENTICATION** and click on **Azure AD**. ![Configure Single Sign-On On App side](./media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_002.png) -1. 
Perform the following steps on **AUTHENTICATION** section. +4. Perform the following steps on **AUTHENTICATION** section. ![Configure Single Sign-On On App side](./media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_003.png) a. Click **UPLOAD** button to upload the downloaded certificate from Azure AD. - b. In the **Issuer URL** textbox, paste the **SAML Entity ID** value which you have copied from Azure portal. + b. In the **Issuer URL** textbox, paste the **Azure AD Identifier** value which you have copied from Azure portal. - c. In the **Single Sign-On URL** textbox, paste the **SAML Single Sign-On Service URL** value which you have copied from Azure portal. + c. In the **Single Sign-On URL** textbox, paste the **Login URL** value which you have copied from Azure portal. - d. In the **Single Sign-Out URL** textbox, paste the **Sign-Out URL** value which you have copied from Azure portal. + d. In the **Single Sign-Out URL** textbox, paste the **Logout URL** value which you have copied from Azure portal. e. Click **Save** button. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> - -### Create an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![Create an Azure AD test user][100] - -**To create a test user in Azure AD, perform the following steps:** - -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. 
- - ![The Azure Active Directory button](./media/wizergosproductivitysoftware-tutorial/create_aaduser_01.png) - -1. To display the list of users, go to **Users and groups**, and then click **All users**. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![The "Users and groups" and "All users" links](./media/wizergosproductivitysoftware-tutorial/create_aaduser_02.png) + ![The "Users and groups" and "All users" links](common/users.png) -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. +2. Select **New user** at the top of the screen. - ![The Add button](./media/wizergosproductivitysoftware-tutorial/create_aaduser_03.png) + ![New user Button](common/new-user.png) -1. In the **User** dialog box, perform the following steps: +3. In the User properties, perform the following steps. - ![The User dialog box](./media/wizergosproductivitysoftware-tutorial/create_aaduser_04.png) + ![The User dialog box](common/user-properties.png) - a. In the **Name** box, type **BrittaSimon**. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - b. In the **User name** box, type the email address of user Britta Simon. - - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Create a Wizergos Productivity Software test user - -In this section, you create a user called Britta Simon in Wizergos Productivity Software. Please work with [Wizergos Productivity Software support team](mailTo:support@wizergos.com) to add the users in the Wizergos Productivity Software platform. 
### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Wizergos Productivity Software. -![Assign the user role][200] - -**To assign Britta Simon to Wizergos Productivity Software, perform the following steps:** +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Wizergos Productivity Software**. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. + ![Enterprise applications blade](common/enterprise-applications.png) - ![Assign User][201] +2. In the applications list, select **Wizergos Productivity Software**. -1. In the applications list, select **Wizergos Productivity Software**. + ![The Wizergos Productivity Software link in the Applications list](common/all-applications.png) - ![The Wizergos Productivity Software link in the Applications list](./media/wizergosproductivitysoftware-tutorial/tutorial_wizergosproductivitysoftware_app.png) +3. In the menu on the left, select **Users and groups**. -1. In the menu on the left, click **Users and groups**. + ![The "Users and groups" link](common/users-groups-blade.png) - ![The "Users and groups" link][202] +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. + ![The Add Assignment pane](common/add-assign-user.png) - ![The Add Assignment pane][203] +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +6. 
If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. Click **Select** button on **Users and groups** dialog. +7. In the **Add Assignment** dialog click the **Assign** button. -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +### Create Wizergos Productivity Software test user -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +In this section, you create a user called Britta Simon in Wizergos Productivity Software. Work with [Wizergos Productivity Software support team](mailTo:support@wizergos.com) to add the users in the Wizergos Productivity Software platform. -When you click the Wizergos Productivity Software tile in the Access Panel, you should get automatically signed-on to your Wizergos Productivity Software application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +### Test single sign-on -## Additional resources +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +When you click the Wizergos Productivity Software tile in the Access Panel, you should be automatically signed in to the Wizergos Productivity Software for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). 
- +## Additional Resources -[1]: ./media/wizergosproductivitysoftware-tutorial/tutorial_general_01.png -[2]: ./media/wizergosproductivitysoftware-tutorial/tutorial_general_02.png -[3]: ./media/wizergosproductivitysoftware-tutorial/tutorial_general_03.png -[4]: ./media/wizergosproductivitysoftware-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/wizergosproductivitysoftware-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/wizergosproductivitysoftware-tutorial/tutorial_general_200.png -[201]: ./media/wizergosproductivitysoftware-tutorial/tutorial_general_201.png -[202]: ./media/wizergosproductivitysoftware-tutorial/tutorial_general_202.png -[203]: ./media/wizergosproductivitysoftware-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/work-com-tutorial.md b/articles/active-directory/saas-apps/work-com-tutorial.md index 8a11b4cf1781b..87a64f76c3694 100644 --- a/articles/active-directory/saas-apps/work-com-tutorial.md +++ b/articles/active-directory/saas-apps/work-com-tutorial.md @@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: 98e6739e-eb24-46bd-9dd3-20b489839076 ms.service: active-directory 
@@ -13,8 +13,8 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 07/27/2017
+ms.topic: tutorial
+ms.date: 04/03/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
 
@@ -22,135 +22,136 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Work.com In this tutorial, you learn how to integrate Work.com with Azure Active Directory (Azure AD). - Integrating Work.com with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Work.com -- You can enable your users to automatically get signed-on to Work.com (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Work.com. +* You can enable your users to be automatically signed-in to Work.com (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Work.com, you need the following items: -- An Azure AD subscription -- A Work.com single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Work.com single sign-on enabled subscription -To test the steps in this tutorial, you should follow these recommendations: +## Scenario description -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +* Work.com supports **SP** initiated SSO -1. Add Work.com from the gallery -1. Configure and test Azure AD single sign-on +## Adding Work.com from the gallery -## Add Work.com from the gallery To configure the integration of Work.com into Azure AD, you need to add Work.com from the gallery to your list of managed SaaS apps. **To add Work.com from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. 
In the search box, type **Work.com**, select **Work.com** from results panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Add from gallery](./media/work-com-tutorial/tutorial_work-com_addfromgallery.png) +4. In the search box, type **Work.com**, select **Work.com** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Work.com based on a test user called "Britta Simon". + ![Work.com in the results list](common/search-new-app.png) -For single sign-on to work, Azure AD needs to know what the counterpart user in Work.com is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Work.com needs to be established. +## Configure and test Azure AD single sign-on -In Work.com, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with Work.com based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Work.com needs to be established. To configure and test Azure AD single sign-on with Work.com, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a Work.com test user](#create-a-workcom-test-user)** - to have a counterpart of Britta Simon in Work.com that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. 
**[Test Single Sign-On](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure Work.com Single Sign-On](#configure-workcom-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Work.com test user](#create-workcom-test-user)** - to have a counterpart of Britta Simon in Work.com that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Work.com application. +In this section, you enable Azure AD single sign-on in the Azure portal. >[!NOTE] >To configure single sign-on, you need to setup a custom Work.com domain name yet. You need to define at least a domain name, test your domain name, and deploy it to your entire organization. -**To configure Azure AD single sign-on with Work.com, perform the following steps:** +To configure Azure AD single sign-on with Work.com, perform the following steps: + +1. In the [Azure portal](https://portal.azure.com/), on the **Work.com** application integration page, select **Single sign-on**. + + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Work.com** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. 
- - ![SAML-based Sign-on](./media/work-com-tutorial/tutorial_work-com_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Work.com Domain and URLs** section, perform the following: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Work.com Domain and URLs section](./media/work-com-tutorial/tutorial_work-com_url.png) +4. On the **Basic SAML Configuration** section, perform the following steps: - In the **Sign-on URL** textbox, type a URL using the following pattern: `http://.my.salesforce.com` + ![Work.com Domain and URLs single sign-on information](common/sp-signonurl.png) - > [!NOTE] - > This value is not real. Update this value with the actual Sign-On URL. Contact [Work.com Client support team](https://help.salesforce.com/articleView?id=000159855&type=3) to get this value. + In the **Sign-on URL** text box, type a URL using the following pattern: + `http://.my.salesforce.com` -1. On the **SAML Signing Certificate** section, click **Certificate (Base64)** and then save the certificate file on your computer. + > [!NOTE] + > The value is not real. Update the value with the actual Sign-On URL. Contact [Work.com Client support team](https://help.salesforce.com/articleView?id=000159855&type=3) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - ![SAML Signing Certificate section](./media/work-com-tutorial/tutorial_work-com_certificate.png) +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. -1. Click **Save** button. + ![The Certificate download link](common/certificatebase64.png) - ![Save Button](./media/work-com-tutorial/tutorial_general_400.png) +6. 
On the **Set up Work.com** section, copy the appropriate URL(s) as per your requirement. -1. On the **Work.com Configuration** section, click **Configure Work.com** to open **Configure sign-on** window. Copy the **Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL** from the **Quick Reference section.** + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![Work.com Configuration section](./media/work-com-tutorial/tutorial_work-com_configure.png) -1. Log in to your Work.com tenant as administrator. + a. Login URL -1. Go to **Setup**. + b. Azure AD Identifier + + c. Logout URL + +### Configure Work.com Single Sign-On + +1. Sign in to your Work.com tenant as administrator. + +2. Go to **Setup**. ![Setup](./media/work-com-tutorial/ic794108.png "Setup") -1. On the left navigation pane, in the **Administer** section, click **Domain Management** to expand the related section, and then click **My Domain** to open the **My Domain** page. +3. On the left navigation pane, in the **Administer** section, click **Domain Management** to expand the related section, and then click **My Domain** to open the **My Domain** page. ![My Domain](./media/work-com-tutorial/ic767825.png "My Domain") -1. To verify that your domain has been set up correctly, make sure that it is in “**Step 4 Deployed to Users**” and review your “**My Domain Settings**”. +4. To verify that your domain has been set up correctly, make sure that it is in “**Step 4 Deployed to Users**” and review your “**My Domain Settings**”. ![Domain Deployed to User](./media/work-com-tutorial/ic784377.png "Domain Deployed to User") -1. Log in to your Work.com tenant. +5. Sign in to your Work.com tenant. -1. Go to **Setup**. +6. Go to **Setup**. ![Setup](./media/work-com-tutorial/ic794108.png "Setup") -1. Expand the **Security Controls** menu, and then click **Single Sign-On Settings**. +7. Expand the **Security Controls** menu, and then click **Single Sign-On Settings**. 
![Single Sign-On Settings](./media/work-com-tutorial/ic794113.png "Single Sign-On Settings") -1. On the **Single Sign-On Settings** dialog page, perform the following steps: +8. On the **Single Sign-On Settings** dialog page, perform the following steps: ![SAML Enabled](./media/work-com-tutorial/ic781026.png "SAML Enabled") @@ -158,7 +159,7 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf b. Click **New**. -1. In the **SAML Single Sign-On Settings** section, perform the following steps: +9. In the **SAML Single Sign-On Settings** section, perform the following steps: ![SAML Single Sign-On Setting](./media/work-com-tutorial/ic794114.png "SAML Single Sign-On Setting") @@ -167,7 +168,7 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf > [!NOTE] > Providing a value for **Name** does automatically populate the **API Name** textbox. - b. In **Issuer** textbox, paste the value of **SAML Entity ID** which you have copied from Azure portal. + b. In **Issuer** textbox, paste the value of **Azure AD Identifier** which you have copied from Azure portal. c. To upload the downloaded certificate from Azure portal, click **Browse**. 
@@ -177,79 +178,97 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf f. As **SAML Identity Location**, select **Identity is in the NameIdentfier element of the Subject statement**. - g. In **Identity Provider Login URL** textbox, paste the value of **SAML Single Sign-On Service URL** which you have copied from Azure portal. + g. In **Identity Provider Login URL** textbox, paste the value of **Login URL** which you have copied from Azure portal. - h. In **Identity Provider Logout URL** textbox, paste the value of **Sign-Out URL** which you have copied from Azure portal. + h. In **Identity Provider Logout URL** textbox, paste the value of **Logout URL** which you have copied from Azure portal. i. As **Service Provider Initiated Request Binding**, select **HTTP Post**. j. Click **Save**. -1. In your Work.com classic portal, on the left navigation pane, click **Domain Management** to expand the related section, and then click **My Domain** to open the **My Domain** page. +10. In your Work.com classic portal, on the left navigation pane, click **Domain Management** to expand the related section, and then click **My Domain** to open the **My Domain** page. ![My Domain](./media/work-com-tutorial/ic794115.png "My Domain") -1. On the **My Domain** page, in the **Login Page Branding** section, click **Edit**. +11. On the **My Domain** page, in the **Login Page Branding** section, click **Edit**. ![Login Page Branding](./media/work-com-tutorial/ic767826.png "Login Page Branding") -1. On the **Login Page Branding** page, in the **Authentication Service** section, the name of your **SAML SSO Settings** is displayed. Select it, and then click **Save**. +12. On the **Login Page Branding** page, in the **Authentication Service** section, the name of your **SAML SSO Settings** is displayed. Select it, and then click **Save**. 
![Login Page Branding](./media/work-com-tutorial/ic784366.png "Login Page Branding") -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> +### Create an Azure AD test user -### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. -![Create Azure AD User][100] +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -**To create a test user in Azure AD, perform the following steps:** + ![The "Users and groups" and "All users" links](common/users.png) -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +2. Select **New user** at the top of the screen. - ![Creating an Azure AD test user](./media/work-com-tutorial/create_aaduser_01.png) + ![New user Button](common/new-user.png) -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Users and groups -> All users](./media/work-com-tutorial/create_aaduser_02.png) +3. In the User properties, perform the following steps. + + ![The User dialog box](common/user-properties.png) -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Add](./media/work-com-tutorial/create_aaduser_03.png) + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com -1. 
On the **User** dialog page, perform the following steps: - - ![User dialog page](./media/work-com-tutorial/create_aaduser_04.png) + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. - a. In the **Name** textbox, type **BrittaSimon**. + d. Click **Create**. - b. In the **User name** textbox, type the **email address** of BrittaSimon. +### Assign the Azure AD test user - c. Select **Show Password** and write down the value of the **Password**. +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Work.com. + +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Work.com**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **Work.com**. + + ![The Work.com link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) + +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. + +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create Work.com test user - d. Click **Create**. - -### Create a Work.com test user For Azure Active Directory users to be able to sign in, they must be provisioned to Work.com. In the case of Work.com, provisioning is a manual task. ### To configure user provisioning, perform the following steps: + 1. 
Sign on to your Work.com company site as an administrator. -1. Go to **Setup**. +2. Go to **Setup**. ![Setup](./media/work-com-tutorial/IC794108.png "Setup") -1. Go to **Manage Users \> Users**. + +3. Go to **Manage Users \> Users**. ![Manage Users](./media/work-com-tutorial/IC784369.png "Manage Users") -1. Click **New User**. +4. Click **New User**. ![All Users](./media/work-com-tutorial/IC794117.png "All Users") -1. In the User Edit section, perform the following steps, in attributes of a valid Azure AD account you want to provision into the related textboxes: +5. In the User Edit section, perform the following steps, in attributes of a valid Azure AD account you want to provision into the related textboxes: ![User Edit](./media/work-com-tutorial/ic794118.png "User Edit") @@ -259,9 +278,9 @@ For Azure Active Directory users to be able to sign in, they must be provisioned c. In the **Alias** textbox, type the **name** of the user **BrittaS**. - d. In the **Email** textbox, type the **email address** of user **Brittasimon\@contoso.com**. + d. In the **Email** textbox, type the **email address** of user Brittasimon@contoso.com. - e. In the **User Name** textbox, type a user name of user like **Brittasimon\@contoso.com**. + e. In the **User Name** textbox, type a user name of user like Brittasimon@contoso.com. f. In the **Nick Name** textbox, type a **nick name** of user **Simon**. 
@@ -272,62 +291,18 @@ For Azure Active Directory users to be able to sign in, they must be provisioned > [!NOTE] > The Azure AD account holder will get an email including a link to confirm the account before it becomes active. > - > - -### Assign the Azure AD test user - -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Work.com. - -![Assign User][200] - -**To assign Britta Simon to Work.com, perform the following steps:** - -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. - ![Assign User][201] - -1. In the applications list, select **Work.com**. - - ![Work.com in app's list](./media/work-com-tutorial/tutorial_work-com_app.png) - -1. In the menu on the left, click **Users and groups**. - - ![Assign User][202] - -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. - - ![Assign User][203] - -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. - -1. Click **Select** button on **Users and groups** dialog. - -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the Work.com tile in the Access Panel, you should get automatically signed-on to your Work.com application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). 
- -## Additional resources - -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - +When you click the Work.com tile in the Access Panel, you should be automatically signed in to the Work.com for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/work-com-tutorial/tutorial_general_01.png -[2]: ./media/work-com-tutorial/tutorial_general_02.png -[3]: ./media/work-com-tutorial/tutorial_general_03.png -[4]: ./media/work-com-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/work-com-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/work-com-tutorial/tutorial_general_200.png -[201]: ./media/work-com-tutorial/tutorial_general_201.png -[202]: ./media/work-com-tutorial/tutorial_general_202.png -[203]: ./media/work-com-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/workday-inbound-tutorial.md b/articles/active-directory/saas-apps/workday-inbound-tutorial.md index 2593dce94f955..32cce8f0edd09 100644 --- a/articles/active-directory/saas-apps/workday-inbound-tutorial.md +++ b/articles/active-directory/saas-apps/workday-inbound-tutorial.md 
@@ -46,7 +46,7 @@ The Workday user provisioning workflows supported by the Azure AD user provision ### Who is this user provisioning solution best suited for? -This Workday user provisioning solution is presently in public preview, and is ideally suited for: +This Workday user provisioning solution is ideally suited for: * Organizations that desire a pre-built, cloud-based solution for Workday user provisioning @@ -458,7 +458,7 @@ In this section, you will configure how user data flows from Workday to Active D 2. In the **Source Object Scope** field, you can select which sets of users in Workday should be in scope for provisioning to AD, by defining a set of attribute-based filters. The default scope is “all users in Workday”. Example filters: * Example: Scope to users with Worker IDs between 1000000 and - 2000000 + 2000000 (excluding 2000000) * Attribute: WorkerID diff --git a/articles/active-directory/saas-apps/workday-tutorial.md b/articles/active-directory/saas-apps/workday-tutorial.md index ab97c37f0e669..65e4b4fa2e6dd 100644 --- a/articles/active-directory/saas-apps/workday-tutorial.md +++ b/articles/active-directory/saas-apps/workday-tutorial.md 
@@ -298,9 +298,9 @@ When you click the Workday tile in the Access Panel, you should be automatically ## Additional Resources -- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/workfront-tutorial.md b/articles/active-directory/saas-apps/workfront-tutorial.md index ef910eaf7a4ba..aa5243ba8f345 100644 --- a/articles/active-directory/saas-apps/workfront-tutorial.md +++ b/articles/active-directory/saas-apps/workfront-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: aab8bd2f-f9dd-42da-a18e-d707865687d7 ms.service: active-directory @@ -12,8 +13,8 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 05/22/2017 +ms.topic: tutorial +ms.date: 04/03/2019 ms.author: jeedes ms.collection: M365-identity-device-management 
@@ -21,119 +22,116 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Workfront In this tutorial, you learn how to integrate Workfront with Azure Active Directory (Azure AD). - Integrating Workfront with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Workfront -- You can enable your users to automatically get signed-on to Workfront (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Workfront. +* You can enable your users to be automatically signed-in to Workfront (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Workfront, you need the following items: -- An Azure AD subscription -- A Workfront single-sign on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Workfront single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Workfront from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Workfront supports **SP** initiated SSO ## Adding Workfront from the gallery + To configure the integration of Workfront into Azure AD, you need to add Workfront from the gallery to your list of managed SaaS apps. **To add Workfront from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Workfront**. + ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/workfront-tutorial/tutorial_workfront_search.png) +4. In the search box, type **Workfront**, select **Workfront** from result panel then click **Add** button to add the application. -1. 
In the results panel, select **Workfront**, and then click **Add** button to add the application. + ![Workfront in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/workfront-tutorial/tutorial_workfront_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Workfront based on a test user called "Britta Simon." +In this section, you configure and test Azure AD single sign-on with Workfront based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Workfront needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Workfront is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Workfront needs to be established. +To configure and test Azure AD single sign-on with Workfront, you need to complete the following building blocks: -In Workfront, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Workfront Single Sign-On](#configure-workfront-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Workfront test user](#create-workfront-test-user)** - to have a counterpart of Britta Simon in Workfront that is linked to the Azure AD representation of user. +6. 
**[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -To configure and test Azure AD single sign-on with Workfront, you need to complete the following building blocks: +### Configure Azure AD single sign-on -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Creating a Workfront test user](#creating-a-workfront-test-user)** - to have a counterpart of Britta Simon in Workfront that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +In this section, you enable Azure AD single sign-on in the Azure portal. -### Configuring Azure AD single sign-on +To configure Azure AD single sign-on with Workfront, perform the following steps: -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Workfront application. +1. In the [Azure portal](https://portal.azure.com/), on the **Workfront** application integration page, select **Single sign-on**. -**To configure Azure AD single sign-on with Workfront, perform the following steps:** + ![Configure single sign-on link](common/select-sso.png) -1. In the Azure portal, on the **Workfront** application integration page, click **Single sign-on**. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On][4] + ![Single sign-on select mode](common/select-saml-option.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. 
- - ![Configure Single Sign-On](./media/workfront-tutorial/tutorial_workfront_samlbase.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. -1. On the **Workfront Domain and URLs** section, perform the following steps: + ![Edit Basic SAML Configuration](common/edit-urls.png) - ![Configure Single Sign-On](./media/workfront-tutorial/tutorial_workfront_url.png) +4. On the **Basic SAML Configuration** section, perform the following steps: - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.attask-ondemand.com` + ![Workfront Domain and URLs single sign-on information](common/sp-identifier.png) - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.attasksandbox.com/SAML2` + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.attask-ondemand.com` - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact [Workfront Client support team](https://www.workfront.com/services-and-support) to get these values. - -1. On the **SAML Signing Certificate** section, click **Certificate(Base64)** and then save the Certificate file on your computer. + b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://.attasksandbox.com/SAML2` + + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Workfront Client support team](https://www.workfront.com/services-and-support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. 
+ + ![The Certificate download link](common/certificatebase64.png) - ![Configure Single Sign-On](./media/workfront-tutorial/tutorial_workfront_certificate.png) +6. On the **Set up Workfront** section, copy the appropriate URL(s) as per your requirement. -1. Click **Save** button. + ![Copy configuration URLs](common/copy-configuration-urls.png) - ![Configure Single Sign-On](./media/workfront-tutorial/tutorial_general_400.png) + a. Login URL -1. On the **Workfront Configuration** section, click **Configure Workfront** to open **Configure sign-on** window. Copy the **Sign-Out URL, and SAML Single Sign-On Service URL** from the **Quick Reference section.** + b. Azure AD Identifier - ![Configure Single Sign-On](./media/workfront-tutorial/tutorial_workfront_configure.png) + c. Logout URL + +### Configure Workfront Single Sign-On 1. Sign-on to your Workfront company site as administrator. -1. Go to **Single Sign On Configuration**. +2. Go to **Single Sign On Configuration**. -1. On the **Single Sign-On** dialog, perform the following steps +3. On the **Single Sign-On** dialog, perform the following steps ![Configure Single Sign-On][23] 
@@ -141,58 +139,77 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf b. Select **Service Provider ID**. - c. Paste the **SAML Single Sign-On Service URL** into the **Login Portal URL** textbox. + c. Paste the **Login URL** into the **Login Portal URL** textbox. - d. Paste **Single Sign-Out Service URL** into the **Sign-Out URL** textbox. + d. Paste **Logout URL** into the **Sign-Out URL** textbox. e. Paste **Change Password URL** into the **Change Password URL** textbox. f. Click **Save**. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) +### Create an Azure AD test user -### Creating an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. -![Create Azure AD User][100] +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -**To create a test user in Azure AD, perform the following steps:** + ![The "Users and groups" and "All users" links](common/users.png) -1. In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. +2. Select **New user** at the top of the screen. - ![Creating an Azure AD test user](./media/workfront-tutorial/create_aaduser_01.png) + ![New user Button](common/new-user.png) -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/workfront-tutorial/create_aaduser_02.png) +3. 
In the User properties, perform the following steps. -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/workfront-tutorial/create_aaduser_03.png) + ![The User dialog box](common/user-properties.png) -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/workfront-tutorial/create_aaduser_04.png) + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - a. In the **Name** textbox, type **BrittaSimon**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. - b. In the **User name** textbox, type the **email address** of BrittaSimon. + d. Click **Create**. - c. Select **Show Password** and write down the value of the **Password**. +### Assign the Azure AD test user - d. Click **Create**. - -### Creating a Workfront test user +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Workfront. + +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Workfront**. + + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **Workfront**. + + ![The Workfront link in the Applications list](common/all-applications.png) + +3. In the menu on the left, select **Users and groups**. + + ![The "Users and groups" link](common/users-groups-blade.png) + +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. + + ![The Add Assignment pane](common/add-assign-user.png) + +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. + +6. 
If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. + +7. In the **Add Assignment** dialog click the **Assign** button. + +### Create Workfront test user The objective of this section is to create a user called Britta Simon in Workfront. **To create a user called Britta Simon in Workfront, perform the following steps:** 1. Sign on to your Workfront company site as administrator. -1. In the menu on the top, click **People**. -1. Click **New Person**. -1. On the New Person dialog, perform the following steps: + +2. In the menu on the top, click **People**. + +3. Click **New Person**. + +4. On the New Person dialog, perform the following steps: ![Create an Workfront test user][21] 
@@ -204,60 +221,21 @@ The objective of this section is to create a user called Britta Simon in Workfro d. Click **Add Person**. -### Assigning the Azure AD test user - -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Workfront. - -![Assign User][200] - -**To assign Britta Simon to Workfront, perform the following steps:** - -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +### Test single sign-on - ![Assign User][201] - -1. In the applications list, select **Workfront**. - - ![Configure Single Sign-On](./media/workfront-tutorial/tutorial_workfront_app.png) - -1. In the menu on the left, click **Users and groups**. - - ![Assign User][202] - -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. - - ![Assign User][203] - -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. - -1. Click **Select** button on **Users and groups** dialog. +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +When you click the Workfront tile in the Access Panel, you should be automatically signed in to the Workfront for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +## Additional Resources -When you click the Workfront tile in the Access Panel, you should get login page of Workfront application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). 
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -## Additional resources +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[1]: ./media/workfront-tutorial/tutorial_general_01.png -[2]: ./media/workfront-tutorial/tutorial_general_02.png -[3]: ./media/workfront-tutorial/tutorial_general_03.png -[4]: ./media/workfront-tutorial/tutorial_general_04.png [21]:./media/workfront-tutorial/tutorial_attask_08.png -[23]:./media/workfront-tutorial/tutorial_attask_06.png -[100]: ./media/workfront-tutorial/tutorial_general_100.png - -[200]: ./media/workfront-tutorial/tutorial_general_200.png -[201]: ./media/workfront-tutorial/tutorial_general_201.png -[202]: ./media/workfront-tutorial/tutorial_general_202.png -[203]: ./media/workfront-tutorial/tutorial_general_203.png - +[23]:./media/workfront-tutorial/tutorial_attask_06.png \ No newline at end of file diff --git a/articles/active-directory/saas-apps/wrike-tutorial.md b/articles/active-directory/saas-apps/wrike-tutorial.md index e28d2d826f670..c71b12c31748d 100644 --- a/articles/active-directory/saas-apps/wrike-tutorial.md +++ b/articles/active-directory/saas-apps/wrike-tutorial.md 
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: femila
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: 894b7520-5136-4973-a1ba-942a9f7f0a03
 ms.service: active-directory
@@ -13,8 +13,8 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 11/12/2018
+ms.topic: tutorial
+ms.date: 04/03/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -22,37 +22,29 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Wrike In this tutorial, you learn how to integrate Wrike with Azure Active Directory (Azure AD). - Integrating Wrike with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Wrike. -- You can enable your users to automatically get signed-on to Wrike (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Wrike. +* You can enable your users to be automatically signed-in to Wrike (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md) +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Wrike, you need the following items: -- An Azure AD subscription -- A Wrike single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. 
If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Wrike single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Wrike supports **SP** and **IDP** initiated SSO -1. Adding Wrike from the gallery -2. Configuring and testing Azure AD single sign-on +* Wrike supports **Just In Time** user provisioning ## Adding Wrike from the gallery 
@@ -60,146 +52,151 @@ To configure the integration of Wrike into Azure AD, you need to add Wrike from **To add Wrike from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] + ![The Enterprise applications blade](common/enterprise-applications.png) 3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) 4. In the search box, type **Wrike**, select **Wrike** from result panel then click **Add** button to add the application. - ![Wrike in the results list](./media/wrike-tutorial/tutorial_wrike_addfromgallery.png) + ![Wrike in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Wrike based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Wrike is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Wrike needs to be established. +In this section, you configure and test Azure AD single sign-on with Wrike based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Wrike needs to be established. 
To configure and test Azure AD single sign-on with Wrike, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -3. **[Creating a Wrike test user](#creating-a-wrike-test-user)** - to have a counterpart of Britta Simon in Wrike that is linked to the Azure AD representation of user. -4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Wrike Single Sign-On](#configure-wrike-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Wrike test user](#create-wrike-test-user)** - to have a counterpart of Britta Simon in Wrike that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Wrike application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Wrike, perform the following steps:** +To configure Azure AD single sign-on with Wrike, perform the following steps: -1. 
In the Azure portal, on the **Wrike** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Wrike** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -2. On the **Select a Single sign-on method** dialog, Click **Select** for **SAML** mode to enable single sign-on. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On](common/tutorial_general_301.png) + ![Single sign-on select mode](common/select-saml-option.png) 3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Configure Single Sign-On](common/editconfigure.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) + +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode the user does not have to perform any step as the app is already pre-integrated with Azure. + + ![Wrike Domain and URLs single sign-on information](common/preintegrated.png) + +5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: + + ![Wrike Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png) + + In the **Sign-on URL** text box, type a URL: + `https://www.wrike.com/login/` -4. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure. +6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. - ![Wrike Domain and URLs single sign-on information](./media/wrike-tutorial/tutorial_wrike_url.png) - - a. 
Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: + ![The Certificate download link](common/metadataxml.png) - b. In the **Sign-on URL** textbox, type a URL: `https://www.wrike.com/login/` +7. On the **Set up Wrike** section, copy the appropriate URL(s) as per your requirement. - ![Wrike Domain and URLs single sign-on information](./media/wrike-tutorial/tutorial_wrike_url1.png) + ![Copy configuration URLs](common/copy-configuration-urls.png) -5. On the **SAML Signing Certificate** page, in the **SAML Signing Certificate** section, click **Download** to download **Federation Metadata XML** and then save metadata file on your computer. + a. Login URL - ![The Certificate download link](./media/wrike-tutorial/tutorial_wrike_certificate.png) + b. Azure AD Identifier -6. To configure single sign-on on **Wrike** side, you need to send the downloaded **Federation Metadata XML** to [Wrike support team](mailto:support@team.wrike.com). They set this setting to have the SAML SSO connection set properly on both sides. + c. Logout URL -### Creating an Azure AD test user +### Configure Wrike Single Sign-On + +To configure single sign-on on **Wrike** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Wrike support team](mailto:support@team.wrike.com). They set this setting to have the SAML SSO connection set properly on both sides. + +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. 1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Create Azure AD User][100] + ![The "Users and groups" and "All users" links](common/users.png) 2. Select **New user** at the top of the screen. - ![Creating an Azure AD test user](common/create_aaduser_01.png) + ![New user Button](common/new-user.png) 3. 
In the User properties, perform the following steps. - ![Creating an Azure AD test user](common/create_aaduser_02.png) + ![The User dialog box](common/user-properties.png) - a. In the **Name** field, enter **BrittaSimon**. + a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com - - c. Select **Properties**, select the **Show password** check box, and then write down the value that's displayed in the Password box. + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - d. Select **Create**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -### Creating a Wrike test user + d. Click **Create**. -The objective of this section is to create a user called Britta Simon in Wrike. Wrike supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access Wrike if it doesn't exist yet. ->[!Note] ->If you need to create a user manually, contact [Wrike support team](mailto:support@team.wrike.com). - -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Wrike. -1. In the Azure portal, select **Enterprise Applications**, select **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Wrike**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) 2. In the applications list, select **Wrike**. - ![Configure Single Sign-On](./media/wrike-tutorial/tutorial_wrike_app.png) + ![The Wrike link in the Applications list](common/all-applications.png) -3. In the menu on the left, click **Users and groups**. +3. 
In the menu on the left, select **Users and groups**. - ![Assign User][202] + ![The "Users and groups" link](common/users-groups-blade.png) -4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][203] + ![The Add Assignment pane](common/add-assign-user.png) 5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -6. In the **Add Assignment** dialog select the **Assign** button. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -### Testing single sign-on +7. In the **Add Assignment** dialog click the **Assign** button. -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +### Create Wrike test user -When you click the Wrike tile in the Access Panel, you should get automatically signed-on to your Wrike application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). +In this section, a user called Britta Simon is created in Wrike. Wrike supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Wrike, a new one is created when you attempt to access Wrike. + +>[!Note] +>If you need to create a user manually, contact [Wrike support team](mailto:support@team.wrike.com). + +### Test single sign-on + +In this section, you test your Azure AD single sign-on configuration using the Access Panel. -## Additional resources +When you click the Wrike tile in the Access Panel, you should be automatically signed in to the Wrike for which you set up SSO. 
For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +## Additional Resources - +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[1]: common/tutorial_general_01.png -[2]: common/tutorial_general_02.png -[3]: common/tutorial_general_03.png -[4]: common/tutorial_general_04.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[100]: common/tutorial_general_100.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) -[201]: common/tutorial_general_201.png -[202]: common/tutorial_general_202.png -[203]: common/tutorial_general_203.png diff --git a/articles/active-directory/saas-apps/yardielearning-tutorial.md b/articles/active-directory/saas-apps/yardielearning-tutorial.md index b1d0e60562759..6801682ce7e05 100644 --- a/articles/active-directory/saas-apps/yardielearning-tutorial.md +++ b/articles/active-directory/saas-apps/yardielearning-tutorial.md @@ -4,7 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: daveba +manager: mtillman +ms.reviewer: barbkess ms.assetid: 7ea58b54-ec5b-4576-8586-814b11d0f4fb ms.service: active-directory 
@@ -12,8 +13,8 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 06/13/2017
+ms.topic: tutorial
+ms.date: 04/03/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -21,210 +22,183 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Yardi eLearning In this tutorial, you learn how to integrate Yardi eLearning with Azure Active Directory (Azure AD). - Integrating Yardi eLearning with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Yardi eLearning -- You can enable your users to automatically get signed-on to Yardi eLearning (Single Sign-On) with their Azure AD accounts -- You can manage your accounts in one central location - the Azure portal +* You can control in Azure AD who has access to Yardi eLearning. +* You can enable your users to be automatically signed in to Yardi eLearning (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Yardi eLearning, you need the following items: -- An Azure AD subscription -- A Yardi eLearning single-sign on enabled subscription +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Yardi eLearning single sign-on enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
+## Scenario description -To test the steps in this tutorial, you should follow these recommendations: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* Yardi eLearning supports **SP** initiated SSO -## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: - -1. Adding Yardi eLearning from the gallery -1. Configuring and testing Azure AD single sign-on +* Yardi eLearning supports **Just In Time** user provisioning ## Adding Yardi eLearning from the gallery + To configure the integration of Yardi eLearning into Azure AD, you need to add Yardi eLearning from the gallery to your list of managed SaaS apps. **To add Yardi eLearning from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![Active Directory][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![Applications][2] - -1. To add new application, click **New application** button on the top of dialog. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Applications][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Yardi eLearning**. 
+ ![The New application button](common/add-new-app.png) - ![Creating an Azure AD test user](./media/yardielearning-tutorial/tutorial_yardielearning_search.png) +4. In the search box, type **Yardi eLearning**, select **Yardi eLearning** from result panel then click **Add** button to add the application. -1. In the results panel, select **Yardi eLearning**, and then click **Add** button to add the application. + ![Yardi eLearning in the results list](common/search-new-app.png) - ![Creating an Azure AD test user](./media/yardielearning-tutorial/tutorial_yardielearning_addfromgallery.png) +## Configure and test Azure AD single sign-on -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Yardi eLearning based on a test user called "Britta Simon." - -For single sign-on to work, Azure AD needs to know what the counterpart user in Yardi eLearning is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Yardi eLearning needs to be established. - -In Yardi eLearning, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. +In this section, you configure and test Azure AD single sign-on with Yardi eLearning based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Yardi eLearning needs to be established. To configure and test Azure AD single sign-on with Yardi eLearning, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. -1. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. 
**[Creating a Yardi eLearning test user](#creating-a-yardi-elearning-test-user)** - to have a counterpart of Britta Simon in Yardi eLearning that is linked to the Azure AD representation of user. -1. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +1. **[Configure Azure AD single sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. +2. **[Configure Yardi eLearning single sign-On](#configure-yardi-elearning-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Yardi eLearning test user](#create-yardi-elearning-test-user)** - to have a counterpart of Britta Simon in Yardi eLearning that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Yardi eLearning application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Yardi eLearning, perform the following steps:** +To configure Azure AD single sign-on with Yardi eLearning, perform the following steps: -1. In the Azure portal, on the **Yardi eLearning** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Yardi eLearning** application integration page, select **Single sign-on**. 
- ![Configure Single Sign-On][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Configure Single Sign-On](./media/yardielearning-tutorial/tutorial_yardielearning_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. On the **Yardi eLearning Domain and URLs** section, perform the following steps: + ![Single sign-on select mode](common/select-saml-option.png) - ![Configure Single Sign-On](./media/yardielearning-tutorial/tutorial_yardielearning_url.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.yardielearning.com/login` + ![Edit Basic SAML Configuration](common/edit-urls.png) - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.yardielearning.com/trust` +4. On the **Basic SAML Configuration** section, perform the following steps: - > [!NOTE] - > These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact [Yardi eLearning Client support team](mailto:elearning@yardi.com) to get these values. - -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + ![Yardi eLearning Domain and URLs single sign-on information](common/sp-identifier.png) - ![Configure Single Sign-On](./media/yardielearning-tutorial/tutorial_yardielearning_certificate.png) + a. In the **Sign on URL** text box, type a URL using the following pattern: + `https://.yardielearning.com/login` -1. Click **Save** button. + b. 
In the **Identifier (Entity ID)** text box, type a URL using the following pattern: + `https://.yardielearning.com/trust` - ![Configure Single Sign-On](./media/yardielearning-tutorial/tutorial_general_400.png) + > [!NOTE] + > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Yardi eLearning Client support team](mailto:elearning@yardi.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. To configure single sign-on on **Yardi eLearning** side, you need to send the downloaded **Metadata XML** to [Yardi eLearning support team](mailto:elearning@yardi.com). +5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) -> + ![The Certificate download link](common/metadataxml.png) -### Creating an Azure AD test user -The objective of this section is to create a test user in the Azure portal called Britta Simon. +6. On the **Set up Yardi eLearning** section, copy the appropriate URL(s) as per your requirement. -![Create Azure AD User][100] + ![Copy configuration URLs](common/copy-configuration-urls.png) -**To create a test user in Azure AD, perform the following steps:** + a. Login URL -1. 
In the **Azure portal**, on the left navigation pane, click **Azure Active Directory** icon. + b. Azure AD Identifier - ![Creating an Azure AD test user](./media/yardielearning-tutorial/create_aaduser_01.png) + c. Logout URL -1. To display the list of users, go to **Users and groups** and click **All users**. - - ![Creating an Azure AD test user](./media/yardielearning-tutorial/create_aaduser_02.png) +### Configure Yardi eLearning Single Sign-On -1. To open the **User** dialog, click **Add** on the top of the dialog. - - ![Creating an Azure AD test user](./media/yardielearning-tutorial/create_aaduser_03.png) +To configure single sign-on on **Yardi eLearning** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Yardi eLearning support team](mailto:elearning@yardi.com). They set this setting to have the SAML SSO connection set properly on both sides. -1. On the **User** dialog page, perform the following steps: - - ![Creating an Azure AD test user](./media/yardielearning-tutorial/create_aaduser_04.png) +### Create an Azure AD test user - a. In the **Name** textbox, type **BrittaSimon**. +The objective of this section is to create a test user in the Azure portal called Britta Simon. - b. In the **User name** textbox, type the **email address** of BrittaSimon. +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - c. Select **Show Password** and write down the value of the **Password**. + ![The "Users and groups" and "All users" links](common/users.png) - d. Click **Create**. - -### Creating a Yardi eLearning test user +2. Select **New user** at the top of the screen. -The objective of this section is to create a user called Britta Simon in Yardi eLearning. Yardi eLearning supports just-in-time provisioning, which is by default enabled. + ![New user Button](common/new-user.png) -There is no action item for you in this section. 
A new user is created during an attempt to access Yardi eLearning if it doesn't exist yet. +3. In the User properties, perform the following steps. ->[!NOTE] ->If you need to create a user manually, you need to contact the [Yardi eLearning support team](mailto:elearning@yardi.com). + ![The User dialog box](common/user-properties.png) -### Assigning the Azure AD test user + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Yardi eLearning. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. + + d. Click **Create**. -![Assign User][200] +### Assign the Azure AD test user -**To assign Britta Simon to Yardi eLearning, perform the following steps:** +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Yardi eLearning. -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Yardi eLearning**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) -1. In the applications list, select **Yardi eLearning**. +2. In the applications list, select **Yardi eLearning**. - ![Configure Single Sign-On](./media/yardielearning-tutorial/tutorial_yardielearning_app.png) + ![The Yardi eLearning link in the Applications list](common/all-applications.png) -1. In the menu on the left, click **Users and groups**. +3. In the menu on the left, select **Users and groups**. - ![Assign User][202] + ![The "Users and groups" link](common/users-groups-blade.png) -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. +4. 
Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][203] + ![The Add Assignment pane](common/add-assign-user.png) -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. -1. Click **Select** button on **Users and groups** dialog. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. -1. Click **Assign** button on **Add Assignment** dialog. - -### Testing single sign-on +7. In the **Add Assignment** dialog click the **Assign** button. -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. +### Create Yardi eLearning test user -When you click the Yardi eLearning tile in the Access Panel, you should get automatically signed-on to your Yardi eLearning application. +In this section, a user called Britta Simon is created in Yardi eLearning. Yardi eLearning supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Yardi eLearning, a new one is created after authentication. -## Additional resources +>[!NOTE] +>If you need to create a user manually, you need to contact the [Yardi eLearning support team](mailto:elearning@yardi.com). -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +### Test single sign-on +In this section, you test your Azure AD single sign-on configuration using the Access Panel. 
+When you click the Yardi eLearning tile in the Access Panel, you should be automatically signed in to the Yardi eLearning for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional resources -[1]: ./media/yardielearning-tutorial/tutorial_general_01.png -[2]: ./media/yardielearning-tutorial/tutorial_general_02.png -[3]: ./media/yardielearning-tutorial/tutorial_general_03.png -[4]: ./media/yardielearning-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/yardielearning-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/yardielearning-tutorial/tutorial_general_200.png -[201]: ./media/yardielearning-tutorial/tutorial_general_201.png -[202]: ./media/yardielearning-tutorial/tutorial_general_202.png -[203]: ./media/yardielearning-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/saas-apps/zendesk-provisioning-tutorial.md b/articles/active-directory/saas-apps/zendesk-provisioning-tutorial.md index f67a920255f09..3e4d0da265193 100644 --- a/articles/active-directory/saas-apps/zendesk-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/zendesk-provisioning-tutorial.md 
@@ -7,21 +7,21 @@ author: zhchia writer: zhchia manager: beatrizd-msft -ms.assetid: na +ms.assetid: 01d5e4d5-d856-42c4-a504-96fa554baf66 ms.service: active-directory ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/31/2018 +ms.date: 03/27/2019 ms.author: v-ant ms.collection: M365-identity-device-management --- # Tutorial: Configure Zendesk for automatic user provisioning -The objective of this tutorial is to demonstrate the steps to be performed in Zendesk and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Zendesk. +The objective of this tutorial is to demonstrate the steps to be performed in Zendesk and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Zendesk. > [!NOTE] > This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md). 
@@ -30,57 +30,52 @@ The objective of this tutorial is to demonstrate the steps to be performed in Ze The scenario outlined in this tutorial assumes that you already have the following prerequisites: -* An Azure AD tenant -* A Zendesk tenant with the [Enterprise](https://www.zendesk.com/product/pricing/) plan or better enabled -* A user account in Zendesk with Admin permissions +* An Azure AD tenant +* A Zendesk tenant with the [Enterprise](https://www.zendesk.com/product/pricing/) plan or better enabled +* A user account in Zendesk with Admin permissions > [!NOTE] -> The Azure AD provisioning integration relies on the [Zendesk Rest API](https://developer.zendesk.com/rest_api/docs/zendesk-apis/resources), which is available to Zendesk teams on the Enterprise plan or better. +> The Azure AD provisioning integration relies on the [Zendesk Rest API](https://developer.zendesk.com/rest_api/docs/core/introduction), which is available to Zendesk teams on the Enterprise plan or better. ## Adding Zendesk from the gallery + Before configuring Zendesk for automatic user provisioning with Azure AD, you need to add Zendesk from the Azure AD application gallery to your list of managed SaaS applications. **To add Zendesk from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. - - ![The Azure Active Directory button][1] - -2. Navigate to **Enterprise applications** > **All applications**. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Enterprise applications Section][2] - -3. To add Zendesk, click the **New application** button on the top of the dialog. + ![The Azure Active Directory button](common/select-azuread.png) - ![The New application button][3] +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -4. 
In the search box, type **Zendesk**. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Zendesk Provisioning](./media/zendesk-provisioning-tutorial/ZenDesk6.png) +3. To add new application, click **New application** button on the top of dialog. -5. In the results panel, select **Zendesk**, and then click the **Add** button to add Zendesk to your list of SaaS applications. + ![The New application button](common/add-new-app.png) - ![Zendesk Provisioning](./media/zendesk-provisioning-tutorial/ZenDesk7.png) +4. In the search box, type **Zendesk**, select **Zendesk** from result panel then click **Add** button to add the application. - ![Zendesk Provisioning](./media/zendesk-provisioning-tutorial/ZenDesk20.png) + ![Zendesk in the results list](common/search-new-app.png) ## Assigning users to Zendesk -Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been "assigned" to an application in Azure AD are synchronized. +Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been "assigned" to an application in Azure AD are synchronized. Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zendesk. Once decided, you can assign these users and/or groups to Zendesk by following the instructions here: -* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) +* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md) ### Important tips for assigning users to Zendesk -* Zendesk roles are automatically and dynamically populated in the Azure portal UI today. 
Before assigning Zendesk roles to users, ensure that an initial sync is completed against Zendesk to retrieve the latest roles in your Zendesk tenant. +* Zendesk roles are automatically and dynamically populated in the Azure portal UI today. Before assigning Zendesk roles to users, ensure that an initial sync is completed against Zendesk to retrieve the latest roles in your Zendesk tenant. -* It is recommended that a single Azure AD user is assigned to Zendesk to test your initial automatic user provisioning configuration. Additional users and/or groups may be assigned later once the tests are successful. +* It is recommended that a single Azure AD user is assigned to Zendesk to test your initial automatic user provisioning configuration. Additional users and/or groups may be assigned later once the tests are successful. -* It is recommended that a single Azure AD user is assigned to Zendesk to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* It is recommended that a single Azure AD user is assigned to Zendesk to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. -* When assigning a user to Zendesk, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When assigning a user to Zendesk, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. ## Configuring automatic user provisioning to Zendesk 
@@ -91,14 +86,16 @@ This section guides you through the steps to configure the Azure AD provisioning ### To configure automatic user provisioning for Zendesk in Azure AD: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **Zendesk**. -2. Select Zendesk from your list of SaaS applications. - - ![Zendesk Provisioning](./media/zendesk-provisioning-tutorial/ZenDesk3.png) + ![Enterprise applications blade](common/enterprise-applications.png) + +2. In the applications list, select **Zendesk**. + + ![The Zendesk link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. - + ![Zendesk Provisioning](./media/zendesk-provisioning-tutorial/ZenDesk16.png) 4. Set the **Provisioning Mode** to **Automatic**. 
@@ -112,18 +109,19 @@ This section guides you through the steps to configure the Azure AD provisioning * In the **Secret Token** field, populate the secret token as described in Step 6. * In the **Domain** field, populate the subdomain of your Zendesk tenant. - Example: For an account with a tenant URL of https://my-tenant.zendesk.com, your subdomain would be **my-tenant**. + Example: For an account with a tenant URL of `https://my-tenant.zendesk.com`, your subdomain would be **my-tenant**. 6. The **Secret Token** for your Zendesk account is located in **Admin > API > Settings**. Ensure that **Token Access** is set to **Enabled**. ![Zendesk Provisioning](./media/zendesk-provisioning-tutorial/ZenDesk4.png) + ![Zendesk Provisioning](./media/zendesk-provisioning-tutorial/ZenDesk2.png) 7. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Zendesk. If the connection fails, ensure your Zendesk account has Admin permissions and try again. ![Zendesk Provisioning](./media/zendesk-provisioning-tutorial/ZenDesk19.png) - + 8. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**. ![Zendesk Provisioning](./media/zendesk-provisioning-tutorial/ZenDesk9.png) 
@@ -160,13 +158,14 @@ This section guides you through the steps to configure the Azure AD provisioning ![Zendesk Provisioning](./media/zendesk-provisioning-tutorial/ZenDesk18.png) - This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Zendesk. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../manage-apps/check-status-user-account-provisioning.md). ## Connector Limitations + * Zendesk supports usage of groups for Users with Agent roles only. For more information, please refer to [Zendesk's documentation](https://support.zendesk.com/hc/en-us/articles/203661966-Creating-managing-and-using-groups). + * When a custom role is assigned to a user and/or group, the Azure AD automatic user provisioning service will also assign the default role **Agent**. Only **Agents** can be assigned a custom role. For more information, refer to this [Zendesk API documentation](https://developer.zendesk.com/rest_api/docs/support/users#json-format-for-agent-or-admin-requests). ## Additional resources diff --git a/articles/active-directory/saas-apps/zscaler-beta-provisioning-tutorial.md b/articles/active-directory/saas-apps/zscaler-beta-provisioning-tutorial.md index e7c8581a10466..45c3878d7b9a9 100644 --- a/articles/active-directory/saas-apps/zscaler-beta-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/zscaler-beta-provisioning-tutorial.md 
@@ -7,13 +7,14 @@ author: zchia writer: zchia manager: beatrizd-msft -ms.assetid: na +ms.assetid: 83db6b8d-503b-48f3-b918-f9fba1369d53 ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/03/2019 +ms.date: 03/27/2019 ms.author: v-ant-msft --- 
@@ -23,46 +24,42 @@ The objective of this tutorial is to demonstrate the steps to be performed in Zs > [!NOTE] > This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../active-directory-saas-app-provisioning.md). -> +> + > This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following: -* An Azure AD tenant -* A Zscaler Beta tenant -* A user account in Zscaler Beta with Admin permissions +* An Azure AD tenant +* A Zscaler Beta tenant +* A user account in Zscaler Beta with Admin permissions > [!NOTE] > The Azure AD provisioning integration relies on the Zscaler Beta SCIM API, which is available to Zscaler Beta developers for accounts with the Enterprise package. ## Adding Zscaler Beta from the gallery + Before configuring Zscaler Beta for automatic user provisioning with Azure AD, you need to add Zscaler Beta from the Azure AD application gallery to your list of managed SaaS applications. **To add Zscaler Beta from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. - - ![The Azure Active Directory button][1] - -2. Navigate to **Enterprise applications** > **All applications**. - - ![The Enterprise applications Section][2] +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. -3. 
To add Zscaler Beta, click the **New application** button on the top of the dialog. + ![The Azure Active Directory button](common/select-azuread.png) - ![The New application button][3] +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -4. In the search box, type **Zscaler Beta**. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Zscaler Beta Provisioning](./media/zscaler-beta-provisioning-tutorial/app-search.png) +3. To add new application, click **New application** button on the top of dialog. -5. In the results panel, select **Zscaler Beta**, and then click the **Add** button to add Zscaler Beta to your list of SaaS applications. + ![The New application button](common/add-new-app.png) - ![Zscaler Beta Provisioning](./media/zscaler-beta-provisioning-tutorial/app-search-results.png) +4. In the search box, type **Zscaler Beta**, select **Zscaler Beta** from result panel then click **Add** button to add the application. - ![Zscaler Beta Provisioning](./media/zscaler-beta-provisioning-tutorial/app-creation.png) + ![Zscaler Beta in the results list](common/search-new-app.png) ## Assigning users to Zscaler Beta 
@@ -70,13 +67,13 @@ Azure Active Directory uses a concept called "assignments" to determine which us Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zscaler Beta. Once decided, you can assign these users and/or groups to Zscaler Beta by following the instructions here: -* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) +* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) ### Important tips for assigning users to Zscaler Beta -* It is recommended that a single Azure AD user is assigned to Zscaler Beta to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* It is recommended that a single Azure AD user is assigned to Zscaler Beta to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. -* When assigning a user to Zscaler Beta, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When assigning a user to Zscaler Beta, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. ## Configuring automatic user provisioning to Zscaler Beta 
@@ -87,11 +84,13 @@ This section guides you through the steps to configure the Azure AD provisioning ### To configure automatic user provisioning for Zscaler Beta in Azure AD: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **Zscaler Beta**. -2. Select Zscaler Beta from your list of SaaS applications. + ![Enterprise applications blade](common/enterprise-applications.png) - ![Zscaler Beta Provisioning](./media/zscaler-beta-provisioning-tutorial/app-instance-search.png) +2. In the applications list, select **Zscaler Beta**. + + ![The Zscaler Beta link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. 
@@ -103,20 +102,20 @@ This section guides you through the steps to configure the Azure AD provisioning 5. Under the **Admin Credentials** section, input the **Tenant URL** and **Secret Token** of your Zscaler Beta account as described in Step 6. -6. To obtain the **Tenant URL** and **Secret Token**, navigate to **Administration > Authentication Settings** in the Zscaler Beta portal user interface and click on **SAML** under **Authentication Type**. +6. To obtain the **Tenant URL** and **Secret Token**, navigate to **Administration > Authentication Settings** in the Zscaler Beta portal user interface and click on **SAML** under **Authentication Type**. ![Zscaler Beta Provisioning](./media/zscaler-beta-provisioning-tutorial/secret-token-1.png) - - Click on **Configure SAML** to open the **Configuration SAML** options. + + Click on **Configure SAML** to open the **Configuration SAML** options. ![Zscaler Beta Provisioning](./media/zscaler-beta-provisioning-tutorial/secret-token-2.png) - + Select **Enable SCIM-Based Provisioning** to retrieve **Base URL** and **Bearer Token**, then save the settings. Copy the **Base URL** to **Tenant URL**, and **Bearer Token** to **Secret Token** in the Azure portal. 7. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Zscaler Beta. If the connection fails, ensure your Zscaler Beta account has Admin permissions and try again. ![Zscaler Beta Provisioning](./media/zscaler-beta-provisioning-tutorial/test-connection.png) - + 8. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox **Send an email notification when a failure occurs**. ![Zscaler Beta Provisioning](./media/zscaler-beta-provisioning-tutorial/notification.png) 
diff --git a/articles/active-directory/saas-apps/zscaler-one-provisioning-tutorial.md b/articles/active-directory/saas-apps/zscaler-one-provisioning-tutorial.md index d5a0d64e95dd4..5fd4e90dcb2b2 100644 --- a/articles/active-directory/saas-apps/zscaler-one-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/zscaler-one-provisioning-tutorial.md @@ -7,13 +7,14 @@ author: zchia writer: zchia manager: beatrizd-msft -ms.assetid: na +ms.assetid: 72f6ba2b-73ed-420a-863a-aff672f26fa3 ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/03/2019 +ms.date: 03/27/2019 ms.author: v-ant-msft --- 
@@ -23,46 +24,42 @@ The objective of this tutorial is to demonstrate the steps to be performed in Zs > [!NOTE] > This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../active-directory-saas-app-provisioning.md). -> +> + > This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following: -* An Azure AD tenant -* A Zscaler One tenant -* A user account in Zscaler One with Admin permissions +* An Azure AD tenant +* A Zscaler One tenant +* A user account in Zscaler One with Admin permissions > [!NOTE] > The Azure AD provisioning integration relies on the Zscaler One SCIM API, which is available to Zscaler One developers for accounts with the Enterprise package. ## Adding Zscaler One from the gallery + Before configuring Zscaler One for automatic user provisioning with Azure AD, you need to add Zscaler One from the Azure AD application gallery to your list of managed SaaS applications. **To add Zscaler One from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. - - ![The Azure Active Directory button][1] - -2. Navigate to **Enterprise applications** > **All applications**. - - ![The Enterprise applications Section][2] +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. -3. 
To add Zscaler One, click the **New application** button on the top of the dialog. + ![The Azure Active Directory button](common/select-azuread.png) - ![The New application button][3] +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -4. In the search box, type **Zscaler One**. + ![The Enterprise applications blade](common/enterprise-applications.png) - ![Zscaler One Provisioning](./media/zscaler-one-provisioning-tutorial/app-search.png) +3. To add new application, click **New application** button on the top of dialog. -5. In the results panel, select **Zscaler One**, and then click the **Add** button to add Zscaler One to your list of SaaS applications. + ![The New application button](common/add-new-app.png) - ![Zscaler One Provisioning](./media/zscaler-one-provisioning-tutorial/app-search-results.png) +4. In the search box, type **Zscaler One**, select **Zscaler One** from result panel then click **Add** button to add the application. - ![Zscaler One Provisioning](./media/zscaler-one-provisioning-tutorial/app-creation.png) + ![Zscaler One in the results list](common/search-new-app.png) ## Assigning users to Zscaler One 
@@ -70,13 +67,13 @@ Azure Active Directory uses a concept called "assignments" to determine which us Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zscaler One. Once decided, you can assign these users and/or groups to Zscaler One by following the instructions here: -* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) +* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) ### Important tips for assigning users to Zscaler One -* It is recommended that a single Azure AD user is assigned to Zscaler One to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* It is recommended that a single Azure AD user is assigned to Zscaler One to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. -* When assigning a user to Zscaler One, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When assigning a user to Zscaler One, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. ## Configuring automatic user provisioning to Zscaler One 
@@ -87,11 +84,13 @@ This section guides you through the steps to configure the Azure AD provisioning ### To configure automatic user provisioning for Zscaler One in Azure AD: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **Zscaler One**. -2. Select Zscaler One from your list of SaaS applications. + ![Enterprise applications blade](common/enterprise-applications.png) - ![Zscaler One Provisioning](./media/zscaler-one-provisioning-tutorial/app-instance-search.png) +2. In the applications list, select **Zscaler One**. + + ![The Zscaler One link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. 
@@ -103,20 +102,20 @@ This section guides you through the steps to configure the Azure AD provisioning 5. Under the **Admin Credentials** section, input the **Tenant URL** and **Secret Token** of your Zscaler One account as described in Step 6. -6. To obtain the **Tenant URL** and **Secret Token**, navigate to **Administration > Authentication Settings** in the Zscaler One portal user interface and click on **SAML** under **Authentication Type**. +6. To obtain the **Tenant URL** and **Secret Token**, navigate to **Administration > Authentication Settings** in the Zscaler One portal user interface and click on **SAML** under **Authentication Type**. ![Zscaler One Provisioning](./media/zscaler-one-provisioning-tutorial/secret-token-1.png) - - Click on **Configure SAML** to open **Configuration SAML** options. + + Click on **Configure SAML** to open **Configuration SAML** options. ![Zscaler One Provisioning](./media/zscaler-one-provisioning-tutorial/secret-token-2.png) - + Select **Enable SCIM-Based Provisioning** to retrieve **Base URL** and **Bearer Token**, then save the settings. Copy the **Base URL** to **Tenant URL** and **Bearer Token** to **Secret Token** in the Azure portal. 7. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Zscaler One. If the connection fails, ensure your Zscaler One account has Admin permissions and try again. ![Zscaler One Provisioning](./media/zscaler-one-provisioning-tutorial/test-connection.png) - + 8. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox **Send an email notification when a failure occurs**. ![Zscaler One Provisioning](./media/zscaler-one-provisioning-tutorial/notification.png) 
diff --git a/articles/active-directory/saas-apps/zscaler-provisioning-tutorial.md b/articles/active-directory/saas-apps/zscaler-provisioning-tutorial.md index 9d3c759f0a2ef..6b7f1a0174a8d 100644 --- a/articles/active-directory/saas-apps/zscaler-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/zscaler-provisioning-tutorial.md @@ -7,13 +7,14 @@ author: zchia writer: zchia manager: beatrizd-msft -ms.assetid: na +ms.assetid: 31f67481-360d-4471-88c9-1cc9bdafee24 ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/03/2019 +ms.date: 03/27/2019 ms.author: v-ant-msft --- 
@@ -23,46 +24,42 @@ The objective of this tutorial is to demonstrate the steps to be performed in Zs > [!NOTE] > This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../active-directory-saas-app-provisioning.md). -> +> + > This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Prerequisites The scenario outlined in this tutorial assumes that you already have the following: -* An Azure AD tenant -* A Zscaler tenant -* A user account in Zscaler with Admin permissions +* An Azure AD tenant +* A Zscaler tenant +* A user account in Zscaler with Admin permissions > [!NOTE] > The Azure AD provisioning integration relies on the Zscaler SCIM API, which is available to Zscaler developers for accounts with the Enterprise package. ## Adding Zscaler from the gallery + Before configuring Zscaler for automatic user provisioning with Azure AD, you need to add Zscaler from the Azure AD application gallery to your list of managed SaaS applications. **To add Zscaler from the Azure AD application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. - - ![The Azure Active Directory button][1] - -2. Navigate to **Enterprise applications** > **All applications**. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Enterprise applications Section][2] + ![The Azure Active Directory button](common/select-azuread.png) -3. 
To add Zscaler, click the **New application** button on the top of the dialog. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The New application button][3] + ![The Enterprise applications blade](common/enterprise-applications.png) -4. In the search box, type **Zscaler**. +3. To add new application, click **New application** button on the top of dialog. - ![Zscaler Provisioning](./media/zscaler-provisioning-tutorial/app-search.png) + ![The New application button](common/add-new-app.png) -5. In the results panel, select **Zscaler**, and then click the **Add** button to add Zscaler to your list of SaaS applications. +4. In the search box, type **Zscaler**, select **Zscaler** from result panel then click **Add** button to add the application. - ![Zscaler Provisioning](./media/zscaler-provisioning-tutorial/app-search-results.png) - - ![Zscaler Provisioning](./media/zscaler-provisioning-tutorial/app-creation.png) + ![Zscaler in the results list](common/search-new-app.png) ## Assigning users to Zscaler 
@@ -70,13 +67,13 @@ Azure Active Directory uses a concept called "assignments" to determine which us Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zscaler. Once decided, you can assign these users and/or groups to Zscaler by following the instructions here: -* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) +* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) ### Important tips for assigning users to Zscaler -* It is recommended that a single Azure AD user is assigned to Zscaler to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* It is recommended that a single Azure AD user is assigned to Zscaler to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. -* When assigning a user to Zscaler, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When assigning a user to Zscaler, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. ## Configuring automatic user provisioning to Zscaler 
@@ -87,11 +84,13 @@ This section guides you through the steps to configure the Azure AD provisioning ### To configure automatic user provisioning for Zscaler in Azure AD: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise Applications**, select **All applications**, then select **Zscaler**. + + ![Enterprise applications blade](common/enterprise-applications.png) -2. Select Zscaler from your list of SaaS applications. +2. In the applications list, select **Zscaler**. - ![Zscaler Provisioning](./media/zscaler-provisioning-tutorial/app-instance-search.png) + ![The Zscaler link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. 
@@ -103,20 +102,20 @@ This section guides you through the steps to configure the Azure AD provisioning 5. Under the **Admin Credentials** section, input the **Tenant URL** and **Secret Token** of your Zscaler account as described in Step 6. -6. To obtain the **Tenant URL** and **Secret Token**, navigate to **Administration > Authentication Settings** in the Zscaler portal user interface and click on **SAML** under **Authentication Type**. +6. To obtain the **Tenant URL** and **Secret Token**, navigate to **Administration > Authentication Settings** in the Zscaler portal user interface and click on **SAML** under **Authentication Type**. ![Zscaler Provisioning](./media/zscaler-provisioning-tutorial/secret-token-1.png) - Click on **Configure SAML** to open **Configuration SAML** options. + Click on **Configure SAML** to open **Configuration SAML** options. ![Zscaler Provisioning](./media/zscaler-provisioning-tutorial/secret-token-2.png) - + Select **Enable SCIM-Based Provisioning** to retrieve **Base URL** and **Bearer Token**, then save the settings. Copy the **Base URL** to **Tenant URL**, and **Bearer Token** to **Secret Token** in the Azure portal. 7. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Zscaler. If the connection fails, ensure your Zscaler account has Admin permissions and try again. ![Zscaler Provisioning](./media/zscaler-provisioning-tutorial/test-connection.png) - + 8. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox **Send an email notification when a failure occurs**. ![Zscaler Provisioning](./media/zscaler-provisioning-tutorial/notification.png) diff --git a/articles/active-directory/saas-apps/zscaler-three-provisioning-tutorial.md b/articles/active-directory/saas-apps/zscaler-three-provisioning-tutorial.md index bc4485f0fd7ed..1062d4fe757bf 100644 
--- a/articles/active-directory/saas-apps/zscaler-three-provisioning-tutorial.md
+++ b/articles/active-directory/saas-apps/zscaler-three-provisioning-tutorial.md
@@ -1,165 +1,157 @@ --- title: 'Tutorial: Configure Zscaler Three for automatic user provisioning with Azure Active Directory | Microsoft Docs' -description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Zscaler Three. +description: In this tutorial, you'll learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Zscaler Three. services: active-directory documentationcenter: '' author: zchia writer: zchia manager: beatrizd-msft -ms.assetid: na +ms.assetid: 385a1153-0f47-4e41-8f44-da1b49d7629e ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 03/03/2019 +ms.topic: tutorial +ms.date: 03/27/2019 ms.author: v-ant-msft --- # Tutorial: Configure Zscaler Three for automatic user provisioning -The objective of this tutorial is to demonstrate the steps to be performed in Zscaler Three and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Zscaler Three. +In this tutorial, you'll learn how to configure Azure Active Directory (Azure AD) to automatically provision and deprovision users and/or groups to Zscaler Three. > [!NOTE] -> This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../active-directory-saas-app-provisioning.md). -> -> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). 
+> This tutorial describes a connector that's built on the Azure AD user provisioning service. For important details on what this service does and how it works, and answers to frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../active-directory-saas-app-provisioning.md). +> +> This connector is currently in Public Preview. For more information on the general Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Prerequisites -The scenario outlined in this tutorial assumes that you already have the following: +To complete the steps outlined in this tutorial, you need the following: -* An Azure AD tenant -* A Zscaler Three tenant -* A user account in Zscaler Three with Admin permissions +* An Azure AD tenant. +* A Zscaler Three tenant. +* A user account in Zscaler Three with admin permissions. > [!NOTE] -> The Azure AD provisioning integration relies on the Zscaler Three SCIM API, which is available to Zscaler Three developers for accounts with the Enterprise package. +> The Azure AD provisioning integration relies on the Zscaler ZSCloud SCIM API, which is available for Enterprise accounts. ## Adding Zscaler Three from the gallery -Before configuring Zscaler Three for automatic user provisioning with Azure AD, you need to add Zscaler Three from the Azure AD application gallery to your list of managed SaaS applications. -**To add Zscaler Three from the Azure AD application gallery, perform the following steps:** +Before you configure Zscaler Three for automatic user provisioning with Azure AD, you need to add Zscaler Three from the Azure AD application gallery to your list of managed SaaS applications. -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. 
+In the [Azure portal](https://portal.azure.com), in the left pane, select **Azure Active Directory**: - ![The Azure Active Directory button][1] +![Select Azure Active Directory](common/select-azuread.png) -2. Navigate to **Enterprise applications** > **All applications**. +Go to **Enterprise applications** and then select **All applications**: - ![The Enterprise applications Section][2] +![Enterprise applications](common/enterprise-applications.png) -3. To add Zscaler Three, click the **New application** button on the top of the dialog. +To add an application, select **New application** at the top of the window: - ![The New application button][3] +![Select New application](common/add-new-app.png) -4. In the search box, type **Zscaler Three**. +In the search box, enter **Zscaler Three**. Select **Zscaler Three** in the results and then select **Add**. - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/app-search.png) +![Results list](common/search-new-app.png) -5. In the results panel, select **Zscaler Three**, and then click the **Add** button to add Zscaler Three to your list of SaaS applications. +## Assign users to Zscaler Three - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/app-search-results.png) +Azure AD users need to be assigned access to selected apps before they can use them. In the context of automatic user provisioning, only the users or groups that are assigned to an application in Azure AD are synchronized. - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/app-creation.png) - -## Assigning users to Zscaler Three - -Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been "assigned" to an application in Azure AD are synchronized. 
- -Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zscaler Three. Once decided, you can assign these users and/or groups to Zscaler Three by following the instructions here: - -* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) +Before you configure and enable automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zscaler Three. After you decide that, you can assign these users and groups to Zscaler Three by following the instructions in [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal). ### Important tips for assigning users to Zscaler Three -* It is recommended that a single Azure AD user is assigned to Zscaler Three to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* We recommended that you first assign a single Azure AD user to Zscaler Three to test the automatic user provisioning configuration. You can assign more users and groups later. -* When assigning a user to Zscaler Three, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When you assign a user to Zscaler Three, you need to select any valid application-specific role (if available) in the assignment dialog box. Users with the **Default Access** role are excluded from provisioning. -## Configuring automatic user provisioning to Zscaler Three +## Set up automatic user provisioning -This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Zscaler Three based on user and/or group assignments in Azure AD. 
+This section guides you through the steps for configuring the Azure AD provisioning service to create, update, and disable users and groups in Zscaler Three based on user and group assignments in Azure AD. > [!TIP] -> You may also choose to enable SAML-based single sign-on for Zscaler Three, following the instructions provided in the [Zscaler Three single sign-on tutorial](zscaler-three-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, though these two features compliment each other. +> You might also want to enable SAML-based single sign-on for Zscaler Three. If you do, follow the instructions in the [Zscaler Three single sign-on tutorial](zscaler-three-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, but the two features complement each other. -### To configure automatic user provisioning for Zscaler Three in Azure AD: +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise applications** > **All applications** > **Zscaler Three**: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. + ![Enterprise applications](common/enterprise-applications.png) -2. Select Zscaler Three from your list of SaaS applications. +2. In the applications list, select **Zscaler Three**: - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/app-instance-search.png) + ![Applications list](common/all-applications.png) -3. Select the **Provisioning** tab. +3. Select the **Provisioning** tab: ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/provisioning-tab.png) -4. Set the **Provisioning Mode** to **Automatic**. +4. Set the **Provisioning Mode** to **Automatic**: + + ![Set the Provisioning Mode](./media/zscaler-three-provisioning-tutorial/provisioning-credentials.png) + +5. 
In the **Admin Credentials** section, enter the **Tenant URL** and **Secret Token** of your Zscaler Three account, as described in the next step. - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/provisioning-credentials.png) +6. To get the **Tenant URL** and **Secret Token**, go to **Administration** > **Authentication Settings** in the Zscaler Three portal and select **SAML** under **Authentication Type**: -5. Under the **Admin Credentials** section, input the **Tenant URL** and **Secret Token** of your Zscaler Three account as described in Step 6. + ![Zscaler Three Authentication Settings](./media/zscaler-three-provisioning-tutorial/secret-token-1.png) -6. To obtain the **Tenant URL** and **Secret Token**, navigate to **Administration > Authentication Settings** in the Zscaler Three portal user interface and click on **SAML** under **Authentication Type**. + Select **Configure SAML** to open the **Configure SAML** window: - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/secret-token-1.png) + ![Configure SAML window](./media/zscaler-three-provisioning-tutorial/secret-token-2.png) - Click on **Configure SAML** to open **Configuration SAML** options. + Select **Enable SCIM-Based Provisioning** and copy the **Base URL** and **Bearer Token**, and then save the settings. In the Azure portal, paste the **Base URL** into the **Tenant URL** box and the **Bearer Token** into the **Secret Token** box. - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/secret-token-2.png) - - Select **Enable SCIM-Based Provisioning** to retrieve **Base URL** and **Bearer Token**, then save the settings. Copy the **Base URL** to **Tenant URL** and **Bearer Token** to **Secret Token** in the Azure portal. +7. After you enter the values in the **Tenant URL** and **Secret Token** boxes, select **Test Connection** to make sure Azure AD can connect to Zscaler Three. 
If the connection fails, make sure your Zscaler Three account has admin permissions and try again. -7. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Zscaler Three. If the connection fails, ensure your Zscaler Three account has Admin permissions and try again. + ![Test the connection](./media/zscaler-three-provisioning-tutorial/test-connection.png) - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/test-connection.png) - -8. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox **Send an email notification when a failure occurs**. +8. In the **Notification Email** box, enter the email address of a person or group that should receive the provisioning error notifications. Select **Send an email notification when a failure occurs**: - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/notification.png) + ![Set up notification email](./media/zscaler-three-provisioning-tutorial/notification.png) -9. Click **Save**. +9. Select **Save**. -10. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Zscaler Three**. +10. In the **Mappings** section, select **Synchronize Azure Active Directory Users to ZscalerThree**: - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/user-mappings.png) + ![Synchronize Azure AD users](./media/zscaler-three-provisioning-tutorial/user-mappings.png) -11. Review the user attributes that are synchronized from Azure AD to Zscaler Three in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Zscaler Three for update operations. Select the **Save** button to commit any changes. +11. Review the user attributes that are synchronized from Azure AD to Zscaler Three in the **Attribute Mappings** section. 
The attributes selected as **Matching** properties are used to match the user accounts in Zscaler Three for update operations. Select **Save** to commit any changes. - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/user-attribute-mappings.png) + ![Attribute Mappings](./media/zscaler-three-provisioning-tutorial/user-attribute-mappings.png) -12. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Zscaler Three**. +12. In the **Mappings** section, select **Synchronize Azure Active Directory Groups to ZscalerThree**: - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/group-mappings.png) + ![Synchronize Azure AD groups](./media/zscaler-three-provisioning-tutorial/group-mappings.png) -13. Review the group attributes that are synchronized from Azure AD to Zscaler Three in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Zscaler Three for update operations. Select the **Save** button to commit any changes. +13. Review the group attributes that are synchronized from Azure AD to Zscaler Three in the **Attribute Mappings** section. The attributes selected as **Matching** properties are used to match the groups in Zscaler Three for update operations. Select **Save** to commit any changes. - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/group-attribute-mappings.png) + ![Attribute Mappings](./media/zscaler-three-provisioning-tutorial/group-attribute-mappings.png) -14. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](./../active-directory-saas-scoping-filters.md). +14. To configure scoping filters, refer to the instructions in the [Scoping filter tutorial](./../active-directory-saas-scoping-filters.md). -15. To enable the Azure AD provisioning service for Zscaler Three, change the **Provisioning Status** to **On** in the **Settings** section. 
+15. To enable the Azure AD provisioning service for Zscaler Three, change the **Provisioning Status** to **On** in the **Settings** section: - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/provisioning-status.png) + ![Provisioning Status](./media/zscaler-three-provisioning-tutorial/provisioning-status.png) -16. Define the users and/or groups that you would like to provision to Zscaler Three by choosing the desired values in **Scope** in the **Settings** section. +16. Define the users and/or groups that you want to provision to Zscaler Three by choosing the values you want under **Scope** in the **Settings** section: - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/scoping.png) + ![Scope values](./media/zscaler-three-provisioning-tutorial/scoping.png) -17. When you are ready to provision, click **Save**. +17. When you're ready to provision, select **Save**: - ![Zscaler Three Provisioning](./media/zscaler-three-provisioning-tutorial/save-provisioning.png) + ![Select Save](./media/zscaler-three-provisioning-tutorial/save-provisioning.png) -This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Zscaler Three. +This operation starts the initial synchronization of all users and groups defined under **Scope** in the **Settings** section. The initial sync takes longer than subsequent syncs, which occur about every 40 minutes, as long as the Azure AD provisioning service is running. You can monitor progress in the **Synchronization Details** section. 
You can also follow links to a provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Zscaler Three. -For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../active-directory-saas-provisioning-reporting.md). +For information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../active-directory-saas-provisioning-reporting.md). ## Additional resources -* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) +* [Managing user account provisioning for enterprise apps](../manage-apps/configure-automatic-user-provisioning-portal.md) * [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps diff --git a/articles/active-directory/saas-apps/zscaler-three-tutorial.md b/articles/active-directory/saas-apps/zscaler-three-tutorial.md index c3bf2ee3428c5..08c5476fd573a 100644 --- a/articles/active-directory/saas-apps/zscaler-three-tutorial.md +++ b/articles/active-directory/saas-apps/zscaler-three-tutorial.md @@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director services: active-directory documentationCenter: na author: jeevansd -manager: femila -ms.reviewer: joflore +manager: mtillman +ms.reviewer: barbkess ms.assetid: f352e00d-68d3-4a77-bb92-717d055da56f ms.service: active-directory 
@@ -13,46 +13,37 @@ ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 12/12/2018 +ms.topic: tutorial +ms.date: 04/09/2019 ms.author: jeedes -ms.collection: M365-identity-device-management --- # Tutorial: Azure Active Directory integration with Zscaler Three In this tutorial, you learn how to integrate Zscaler Three with Azure Active Directory (Azure AD). - Integrating Zscaler Three with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Zscaler Three. -- You can enable your users to automatically get signed-on to Zscaler Three (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Zscaler Three. +* You can enable your users to be automatically signed-in to Zscaler Three (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md) +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Zscaler Three, you need the following items: -- An Azure AD subscription -- A Zscaler Three single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/) +* Zscaler Three single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Zscaler Three supports **SP** initiated SSO -1. Adding Zscaler Three from the gallery -2. Configuring and testing Azure AD single sign-on +* Zscaler Three supports **Just In Time** user provisioning ## Adding Zscaler Three from the gallery 
@@ -60,91 +51,97 @@ To configure the integration of Zscaler Three into Azure AD, you need to add Zsc **To add Zscaler Three from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -2. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] + ![The Enterprise applications blade](common/enterprise-applications.png) 3. To add new application, click **New application** button on the top of dialog. - ![The New application button][3] + ![The New application button](common/add-new-app.png) 4. In the search box, type **Zscaler Three**, select **Zscaler Three** from result panel then click **Add** button to add the application. - ![Zscaler Three in the results list](./media/zscaler-three-tutorial/tutorial_zscalerthree_addfromgallery.png) + ![Zscaler Three in the results list](common/search-new-app.png) ## Configure and test Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Zscaler Three based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Zscaler Three is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Zscaler Three needs to be established. +In this section, you configure and test Azure AD single sign-on with Zscaler Three based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Zscaler Three needs to be established. 
To configure and test Azure AD single sign-on with Zscaler Three, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Configure Zscaler Three Single Sign-On](#configure-zscaler-three-single-sign-on)** - to configure the Single Sign-On settings on application side. 3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -4. **[Create Zscaler Three test user](#create-zscaler-three-test-user)** - to have a counterpart of Britta Simon in Cisco Umbrella that is linked to the Azure AD representation of user. -5. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Zscaler Three test user](#create-zscaler-three-test-user)** - to have a counterpart of Britta Simon in Zscaler Three that is linked to the Azure AD representation of user. 6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Zscaler Three application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Zscaler Three, perform the following steps:** +To configure Azure AD single sign-on with Zscaler Three, perform the following steps: -1. In the Azure portal, on the **Zscaler Three** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Zscaler Three** application integration page, select **Single sign-on**. 
- ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -2. On the **Select a Single sign-on method** dialog, Click **Select** for **SAML** mode to enable single sign-on. +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. - ![Configure Single Sign-On](common/tutorial_general_301.png) + ![Single sign-on select mode](common/select-saml-option.png) 3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - ![Configure Single Sign-On](common/editconfigure.png) + ![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, perform the following steps: - ![Zscaler Three Domain and URLs single sign-on information](./media/zscaler-three-tutorial/tutorial_zscalerthree_url.png) + ![Zscaler Three Domain and URLs single sign-on information](common/sp-intiated.png) - In the **Sign-on URL** textbox, type a URL: `https://login.zscalerthree.net/sfc_sso` + In the **Sign-on URL** text box, type a URL: + `https://login.zscalerthree.net/sfc_sso` -5. Zscaler Three application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes & Claims** section on application integration page. On the **Set up Single Sign-On with SAML page**, click **Edit** button to open **User Attributes & Claims** dialog. +5. Your Zscaler Three application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog. - ![The Attribute link](./media/zscaler-three-tutorial/tutorial_zscalerthree_attribute.png) + ![image](common/edit-attribute.png) -6. 
In the **User Claims** section on the **User Attributes** dialog, configure SAML token attribute as shown in the image above and perform the following steps: - - | Name | Source Attribute | +6. In addition to above, Zscaler Three application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table: + + | Name | Source Attribute | | ---------| ------------ | | memberOf | user.assignedroles | a. Click **Add new claim** to open the **Manage user claims** dialog. - ![image](./common/new_save_attribute.png) - - ![image](./common/new_attribute_details.png) + ![image](common/new-save-attribute.png) - b. From the **Source attribute** list, selelct the attribute value. + ![image](common/new-attribute-details.png) - c. Click **Ok**. + b. In the **Name** textbox, type the attribute name shown for that row. - d. Click **Save**. + c. Leave the **Namespace** blank. + + d. Select Source as **Attribute**. + + e. From the **Source attribute** list, type the attribute value shown for that row. + + f. Click **Save**. > [!NOTE] > Please click [here](https://docs.microsoft.com/azure/active-directory/active-directory-enterprise-app-role-management) to know how to configure Role in Azure AD -7. On the **SAML Signing Certificate** page, in the **SAML Signing Certificate** section, click **Download** to download **Certificate (Base64)** and then save certificate file on your computer. +7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. - ![The Certificate download link](./media/zscaler-three-tutorial/tutorial_zscalerthree_certificate.png) + ![The Certificate download link](common/certificatebase64.png) -8. 
On the **Set up Zscaler Three** section, copy the appropriate URL as per your requirement. +8. On the **Set up Zscaler Three** section, copy the appropriate URL(s) as per your requirement. + + ![Copy configuration URLs](common/copy-configuration-urls.png) a. Login URL 
@@ -152,64 +149,62 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf c. Logout URL - ![Zscaler Three Configuration](common/configuresection.png) - ### Configure Zscaler Three Single Sign-On -1. In a different web browser window, log in to your Zscaler Three company site as an administrator. +1. In a different web browser window, sign in to your Zscaler Three company site as an administrator. -1. Go to **Administration > Authentication > Authentication Settings** and perform the following steps: +2. Go to **Administration > Authentication > Authentication Settings** and perform the following steps: - ![Administration](./media/zscaler-three-tutorial/ic800206.png "Administration") + ![Administration](./media/zscaler-three-tutorial/ic800206.png "Administration") - a. Under Authentication Type, choose **SAML**. + a. Under Authentication Type, choose **SAML**. - b. Click **Configure SAML**. + b. Click **Configure SAML**. -1. On the **Edit SAML** window, perform the following steps: and click Save. +3. On the **Edit SAML** window, perform the following steps: and click Save. - ![Manage Users & Authentication](./media/zscaler-three-tutorial/ic800208.png "Manage Users & Authentication") + ![Manage Users & Authentication](./media/zscaler-three-tutorial/ic800208.png "Manage Users & Authentication") - a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal. + a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal. - b. In the **Login Name Attribute** textbox, enter **NameID**. + b. In the **Login Name Attribute** textbox, enter **NameID**. - c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**. + c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**. - d. 
Toggle the **Enable SAML Auto-Provisioning**. + d. Toggle the **Enable SAML Auto-Provisioning**. - e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes. + e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes. - f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes. + f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes. - g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes. + g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes. - i. Click **Save**. + h. Click **Save**. -1. On the **Configure User Authentication** dialog page, perform the following steps: +4. On the **Configure User Authentication** dialog page, perform the following steps: - ![Administration](./media/zscaler-three-tutorial/ic800207.png) + ![Administration](./media/zscaler-three-tutorial/ic800207.png) - a. Hover over the **Activation** menu near the bottom left. + a. Hover over the **Activation** menu near the bottom left. - b. Click **Activate**. + b. Click **Activate**. ## Configuring proxy settings ### To configure the proxy settings in Internet Explorer 1. Start **Internet Explorer**. -1. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog. +2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog. ![Internet Options](./media/zscaler-three-tutorial/ic769492.png "Internet Options") -1. Click the **Connections** tab. +3. Click the **Connections** tab. ![Connections](./media/zscaler-three-tutorial/ic769493.png "Connections") -1. 
Click **LAN settings** to open the **LAN Settings** dialog. +4. Click **LAN settings** to open the **LAN Settings** dialog. -1. In the Proxy server section, perform the following steps: +5. In the Proxy server section, perform the following steps: ![Proxy server](./media/zscaler-three-tutorial/ic769494.png "Proxy server") 
@@ -223,58 +218,51 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog. -1. Click **OK** to close the **Internet Options** dialog. +6. Click **OK** to close the **Internet Options** dialog. -### Create an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. 1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. - ![Create Azure AD User][100] + ![The "Users and groups" and "All users" links](common/users.png) 2. Select **New user** at the top of the screen. - ![Creating an Azure AD test user](common/create_aaduser_01.png) + ![New user Button](common/new-user.png) 3. In the User properties, perform the following steps. - ![Creating an Azure AD test user](common/create_aaduser_02.png) + ![The User dialog box](common/user-properties.png) - a. In the **Name** field, enter **BrittaSimon**. + a. In the **Name** field enter **BrittaSimon**. - b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension** - For example, BrittaSimon@contoso.com - - c. Select **Properties**, select the **Show password** check box, and then write down the value that's displayed in the Password box. + b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com - d. Select **Create**. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. -### Create Zscaler Three test user - -The objective of this section is to create a user called Britta Simon in Zscaler Three. Zscaler Three supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access Zscaler Three if it doesn't exist yet. 
->[!Note] ->If you need to create a user manually, contact [Zscaler Three support team](https://www.zscaler.com/company/contact). + d. Click **Create**. ### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting access to Zscaler Three. -1. In the Azure portal, select **Enterprise Applications**, select **All applications**. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Zscaler Three**. - ![Assign User][201] + ![Enterprise applications blade](common/enterprise-applications.png) 2. In the applications list, select **Zscaler Three**. - ![Configure Single Sign-On](./media/zscaler-three-tutorial/tutorial_zscalerthree_app.png) + ![The Zscaler Three link in the Applications list](common/all-applications.png) -3. In the menu on the left, click **Users and groups**. +3. In the menu on the left, select **Users and groups**. - ![Assign User][202] + ![The "Users and groups" link](common/users-groups-blade.png) -4. Click **Add** button and then select **Users and groups** on **Add Assignment** dialog. +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. - ![Assign User][203] + ![The Add Assignment pane](common/add-assign-user.png) 5. In the **Users and groups** dialog, select the user like **Britta Simon** from the list, then click the **Select** button at the bottom of the screen. 
@@ -288,27 +276,24 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting
 ![image](./media/zscaler-three-tutorial/tutorial_zscalerthree_assign.png)
-### Test single sign-on
+### Create Zscaler Three test user
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, a user called Britta Simon is created in Zscaler Three. Zscaler Three supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Zscaler Three, a new one is created when you attempt to access Zscaler Three.
+
+>[!Note]
+>If you need to create a user manually, contact [Zscaler Three support team](https://www.zscaler.com/company/contact).
+
+### Test single sign-on
-When you click the Zscaler Three tile in the Access Panel, you should get automatically signed-on to your Zscaler Three application.
-For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md).
+In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-## Additional resources
+When you click the Zscaler Three tile in the Access Panel, you should be automatically signed in to the Zscaler Three for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md)
-* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Additional Resources
-
+- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
-[1]: common/tutorial_general_01.png
-[2]: common/tutorial_general_02.png
-[3]: common/tutorial_general_03.png
-[4]: common/tutorial_general_04.png
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
-[100]: common/tutorial_general_100.png
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
-[201]: common/tutorial_general_201.png
-[202]: common/tutorial_general_202.png
-[203]: common/tutorial_general_203.png
diff --git a/articles/active-directory/saas-apps/zscaler-two-provisioning-tutorial.md b/articles/active-directory/saas-apps/zscaler-two-provisioning-tutorial.md
index 14fed963b9ff8..c0042a8b64ee6 100644
--- a/articles/active-directory/saas-apps/zscaler-two-provisioning-tutorial.md
+++ b/articles/active-directory/saas-apps/zscaler-two-provisioning-tutorial.md
@@ -1,165 +1,157 @@ --- title: 'Tutorial: Configure Zscaler Two for automatic user provisioning with Azure Active Directory | Microsoft Docs' -description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Zscaler Two Two. +description: In this tutorial, you'll learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Zscaler Two. services: active-directory documentationcenter: '' author: zchia writer: zchia manager: beatrizd-msft -ms.assetid: na +ms.assetid: 0a250fcd-6ca1-47c2-a780-7a6278186a69 ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 03/03/2019 +ms.topic: tutorial +ms.date: 03/27/2019 ms.author: v-ant-msft --- # Tutorial: Configure Zscaler Two for automatic user provisioning -The objective of this tutorial is to demonstrate the steps to be performed in Zscaler Two and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Zscaler Two. +In this tutorial, you'll learn how to configure Azure Active Directory (Azure AD) to automatically provision and deprovision users and/or groups to Zscaler Two. > [!NOTE] -> This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../active-directory-saas-app-provisioning.md). -> -> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). 
+> This tutorial describes a connector that's built on the Azure AD user provisioning service. For important details on what this service does and how it works, and answers to frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../active-directory-saas-app-provisioning.md). +> +> This connector is currently in Public Preview. For more information on the general Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Prerequisites -The scenario outlined in this tutorial assumes that you already have the following: +To complete the steps outlined in this tutorial, you need the following: -* An Azure AD tenant -* A Zscaler Two tenant -* A user account in Zscaler Two with Admin permissions +* An Azure AD tenant. +* A Zscaler Two tenant. +* A user account in Zscaler Two with admin permissions. > [!NOTE] -> The Azure AD provisioning integration relies on the Zscaler Two SCIM API, which is available to Zscaler Two developers for accounts with the Enterprise package. +> The Azure AD provisioning integration relies on the Zscaler Two SCIM API, which is available for Enterprise accounts. -## Adding Zscaler Two from the gallery -Before configuring Zscaler Two for automatic user provisioning with Azure AD, you need to add Zscaler Two from the Azure AD application gallery to your list of managed SaaS applications. +## Add Zscaler Two from the gallery -**To add Zscaler Two from the Azure AD application gallery, perform the following steps:** +Before you configure Zscaler Two for automatic user provisioning with Azure AD, you need to add Zscaler Two from the Azure AD application gallery to your list of managed SaaS applications. -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. 
+In the [Azure portal](https://portal.azure.com), in the left pane, select **Azure Active Directory**: - ![The Azure Active Directory button][1] +![Select Azure Active Directory](common/select-azuread.png) -2. Navigate to **Enterprise applications** > **All applications**. +Go to **Enterprise applications** and then select **All applications**: - ![The Enterprise applications Section][2] +![Enterprise applications](common/enterprise-applications.png) -3. To add Zscaler Two, click the **New application** button on the top of the dialog. +To add an application, select **New application** at the top of the window: - ![The New application button][3] +![Select New application](common/add-new-app.png) -4. In the search box, type **Zscaler Two**. +In the search box, enter **Zscaler Two**. Select **Zscaler Two** in the results and then select **Add**. - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/app-search.png) +![Results list](common/search-new-app.png) -5. In the results panel, select **Zscaler Two**, and then click the **Add** button to add Zscaler Two to your list of SaaS applications. +## Assign users to Zscaler Two - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/app-search-results.png) +Azure AD users need to be assigned access to selected apps before they can use them. In the context of automatic user provisioning, only users or groups that are assigned to an application in Azure AD are synchronized. - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/app-creation.png) - -## Assigning users to Zscaler Two - -Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been "assigned" to an application in Azure AD are synchronized. 
- -Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zscaler Two. Once decided, you can assign these users and/or groups to Zscaler Two by following the instructions here: - -* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) +Before you configure and enable automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zscaler Two. After you decide that, you can assign these users and groups to Zscaler Two by following the instructions in [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal). ### Important tips for assigning users to Zscaler Two -* It is recommended that a single Azure AD user is assigned to Zscaler Two to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* We recommend that you first assign a single Azure AD user to Zscaler Two to test the automatic user provisioning configuration. You can assign more users and groups later. -* When assigning a user to Zscaler Two, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When you assign a user to Zscaler Two, you need to select any valid application-specific role (if available) in the assignment dialog box. Users with the **Default Access** role are excluded from provisioning. -## Configuring automatic user provisioning to Zscaler Two +## Set up automatic user provisioning -This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Zscaler Two based on user and/or group assignments in Azure AD. 
+This section guides you through the steps for configuring the Azure AD provisioning service to create, update, and disable users and groups in Zscaler Two based on user and group assignments in Azure AD. > [!TIP] -> You may also choose to enable SAML-based single sign-on for Zscaler Two, following the instructions provided in the [Zscaler Two single sign-on tutorial](zscaler-two-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, though these two features compliment each other. +> You might also want to enable SAML-based single sign-on for Zscaler Two. If you do, follow the instructions in the [Zscaler Two single sign-on tutorial](zscaler-two-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, but the two features complement each other. -### To configure automatic user provisioning for Zscaler Two in Azure AD: +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise applications** > **All applications** > **Zscaler Two**: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. + ![Enterprise applications](common/enterprise-applications.png) -2. Select Zscaler Two from your list of SaaS applications. +2. In the applications list, select **Zscaler Two**: - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/app-instance-search.png) + ![Applications list](common/all-applications.png) -3. Select the **Provisioning** tab. +3. Select the **Provisioning** tab: ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/provisioning-tab.png) -4. Set the **Provisioning Mode** to **Automatic**. +4. Set the **Provisioning Mode** to **Automatic**: + + ![Set the Provisioning Mode](./media/zscaler-two-provisioning-tutorial/provisioning-credentials.png) + +5. 
In the **Admin Credentials** section, enter the **Tenant URL** and **Secret Token** of your Zscaler Two account, as described in the next step. + +6. To get the **Tenant URL** and **Secret Token**, go to **Administration** > **Authentication Settings** in the Zscaler Two portal and select **SAML** under **Authentication Type**: - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/provisioning-credentials.png) + ![Zscaler Two Authentication Settings](./media/zscaler-two-provisioning-tutorial/secret-token-1.png) -5. Under the **Admin Credentials** section, input the **Tenant URL** and **Secret Token** of your Zscaler Two account as described in Step 6. + Select **Configure SAML** to open the **Configure SAML** window: -6. To obtain the **Tenant URL** and **Secret Token**, navigate to **Administration > Authentication Settings** in the Zscaler Two portal user interface and click on **SAML** under **Authentication Type**. + ![Configure SAML window](./media/zscaler-two-provisioning-tutorial/secret-token-2.png) - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/secret-token-1.png) - - Click on **Configure SAML** to open **Configuration SAML** options. + Select **Enable SCIM-Based Provisioning** and copy the **Base URL** and **Bearer Token**, and then save the settings. In the Azure portal, paste the **Base URL** into the **Tenant URL** box and the **Bearer Token** into the **Secret Token** box. - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/secret-token-2.png) - - Select **Enable SCIM-Based Provisioning** to retrieve **Base URL** and **Bearer Token**, then save the settings. Copy the **Base URL** to **Tenant URL** and **Bearer Token** to **Secret Token** in the Azure portal. +7. After you enter the values in the **Tenant URL** and **Secret Token** boxes, select **Test Connection** to make sure Azure AD can connect to Zscaler Two. 
If the connection fails, make sure your Zscaler Two account has admin permissions and try again. -7. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Zscaler Two. If the connection fails, ensure your Zscaler Two account has Admin permissions and try again. + ![Test the connection](./media/zscaler-two-provisioning-tutorial/test-connection.png) - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/test-connection.png) - -8. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox **Send an email notification when a failure occurs**. +8. In the **Notification Email** box, enter the email address of a person or group that should receive the provisioning error notifications. Select **Send an email notification when a failure occurs**: - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/notification.png) + ![Set up notification email](./media/zscaler-two-provisioning-tutorial/notification.png) -9. Click **Save**. +9. Select **Save**. -10. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Zscaler Two**. +10. In the **Mappings** section, select **Synchronize Azure Active Directory Users to ZscalerTwo**: - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/user-mappings.png) + ![Synchronize Azure AD users](./media/zscaler-two-provisioning-tutorial/user-mappings.png) -11. Review the user attributes that are synchronized from Azure AD to Zscaler Two in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Zscaler Two for update operations. Select the **Save** button to commit any changes. +11. Review the user attributes that are synchronized from Azure AD to Zscaler Two in the **Attribute Mappings** section. 
The attributes selected as **Matching** properties are used to match the user accounts in Zscaler Two for update operations. Select **Save** to commit any changes. - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/user-attribute-mappings.png) + ![Attribute Mappings](./media/zscaler-two-provisioning-tutorial/user-attribute-mappings.png) -12. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Zscaler Two**. +12. In the **Mappings** section, select **Synchronize Azure Active Directory Groups to ZscalerTwo**: - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/group-mappings.png) + ![Synchronize Azure AD groups](./media/zscaler-two-provisioning-tutorial/group-mappings.png) -13. Review the group attributes that are synchronized from Azure AD to Zscaler Two in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Zscaler Two for update operations. Select the **Save** button to commit any changes. +13. Review the group attributes that are synchronized from Azure AD to Zscaler Two in the **Attribute Mappings** section. The attributes selected as **Matching** properties are used to match the groups in Zscaler Two for update operations. Select **Save** to commit any changes. - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/group-attribute-mappings.png) + ![Attribute Mappings](./media/zscaler-two-provisioning-tutorial/group-attribute-mappings.png) -14. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](./../active-directory-saas-scoping-filters.md). +14. To configure scoping filters, refer to the instructions in the [Scoping filter tutorial](./../active-directory-saas-scoping-filters.md). -15. To enable the Azure AD provisioning service for Zscaler Two, change the **Provisioning Status** to **On** in the **Settings** section. +15. 
To enable the Azure AD provisioning service for Zscaler Two, change the **Provisioning Status** to **On** in the **Settings** section: - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/provisioning-status.png) + ![Provisioning Status](./media/zscaler-two-provisioning-tutorial/provisioning-status.png) -16. Define the users and/or groups that you would like to provision to Zscaler Two by choosing the desired values in **Scope** in the **Settings** section. +16. Define the users and/or groups that you want to provision to Zscaler Two by choosing the values you want under **Scope** in the **Settings** section: - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/scoping.png) + ![Scope values](./media/zscaler-two-provisioning-tutorial/scoping.png) -17. When you are ready to provision, click **Save**. +17. When you're ready to provision, select **Save**: - ![Zscaler Two Provisioning](./media/zscaler-two-provisioning-tutorial/save-provisioning.png) + ![Select Save](./media/zscaler-two-provisioning-tutorial/save-provisioning.png) -This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Zscaler Two. +This operation starts the initial synchronization of all users and groups defined under **Scope** in the **Settings** section. The initial sync takes longer than subsequent syncs, which occur about every 40 minutes, as long as the Azure AD provisioning service is running. You can monitor progress in the **Synchronization Details** section. 
You can also follow links to a provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Zscaler Two. -For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../active-directory-saas-provisioning-reporting.md). +For information about how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../active-directory-saas-provisioning-reporting.md). ## Additional resources -* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) +* [Managing user account provisioning for enterprise apps](../manage-apps/configure-automatic-user-provisioning-portal.md) * [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps diff --git a/articles/active-directory/saas-apps/zscaler-zscloud-provisioning-tutorial.md b/articles/active-directory/saas-apps/zscaler-zscloud-provisioning-tutorial.md index 871c11d67ebbf..ed275a815567c 100644 --- a/articles/active-directory/saas-apps/zscaler-zscloud-provisioning-tutorial.md +++ b/articles/active-directory/saas-apps/zscaler-zscloud-provisioning-tutorial.md 
@@ -1,165 +1,157 @@ --- title: 'Tutorial: Configure Zscaler ZSCloud for automatic user provisioning with Azure Active Directory | Microsoft Docs' -description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Zscaler ZSCloud. +description: In this tutorial, you'll learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Zscaler ZSCloud. services: active-directory documentationcenter: '' author: zchia writer: zchia manager: beatrizd-msft -ms.assetid: na +ms.assetid: a752be80-d3ef-45d1-ac8f-4fb814c07b07 ms.service: active-directory +ms.subservice: saas-app-tutorial ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na -ms.topic: article -ms.date: 03/03/2019 +ms.topic: tutorial +ms.date: 03/27/2019 ms.author: v-ant-msft --- # Tutorial: Configure Zscaler ZSCloud for automatic user provisioning -The objective of this tutorial is to demonstrate the steps to be performed in Zscaler ZSCloud and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Zscaler ZSCloud. +In this tutorial, you'll learn how to configure Azure Active Directory (Azure AD) to automatically provision and deprovision users and/or groups to Zscaler ZSCloud. > [!NOTE] -> This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../active-directory-saas-app-provisioning.md). -> -> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). 
+> This tutorial describes a connector that's built on the Azure AD user provisioning service. For important details on what this service does and how it works, and answers to frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../active-directory-saas-app-provisioning.md). +> +> This connector is currently in Public Preview. For more information on the general Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Prerequisites -The scenario outlined in this tutorial assumes that you already have the following: +To complete the steps outlined in this tutorial, you need the following: -* An Azure AD tenant -* A Zscaler ZSCloud tenant -* A user account in Zscaler ZSCloud with Admin permissions +* An Azure AD tenant. +* A Zscaler ZSCloud tenant. +* A user account in Zscaler ZSCloud with admin permissions. > [!NOTE] -> The Azure AD provisioning integration relies on the Zscaler ZSCloud SCIM API, which is available to Zscaler ZSCloud developers for accounts with the Enterprise package. +> The Azure AD provisioning integration relies on the Zscaler ZSCloud SCIM API, which is available for Enterprise accounts. -## Adding Zscaler ZSCloud from the gallery -Before configuring Zscaler ZSCloud for automatic user provisioning with Azure AD, you need to add Zscaler ZSCloud from the Azure AD application gallery to your list of managed SaaS applications. +## Add Zscaler ZSCloud from the gallery -**To add Zscaler ZSCloud from the Azure AD application gallery, perform the following steps:** +Before you configure Zscaler ZSCloud for automatic user provisioning with Azure AD, you need to add Zscaler ZSCloud from the Azure AD application gallery to your list of managed SaaS applications. -1. 
In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Azure Active Directory** icon. +In the [Azure portal](https://portal.azure.com), in the left pane, select **Azure Active Directory**: - ![The Azure Active Directory button][1] +![Select Azure Active Directory](common/select-azuread.png) -2. Navigate to **Enterprise applications** > **All applications**. +Go to **Enterprise applications** and then select **All applications**: - ![The Enterprise applications Section][2] +![Enterprise applications](common/enterprise-applications.png) -3. To add Zscaler ZSCloud, click the **New application** button on the top of the dialog. +To add an application, select **New application** at the top of the window: - ![The New application button][3] +![Select New application](common/add-new-app.png) -4. In the search box, type **Zscaler ZSCloud**. +In the search box, enter **Zscaler ZSCloud**. Select **Zscaler ZSCloud** in the results and then select **Add**. - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/appsearch.png) +![Results list](common/search-new-app.png) -5. In the results panel, select **Zscaler ZSCloud**, and then click the **Add** button to add Zscaler ZSCloud to your list of SaaS applications. +## Assign users to Zscaler ZSCloud - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/appsearchresults.png) +Azure AD users need to be assigned access to selected apps before they can use them. In the context of automatic user provisioning, only the users or groups that are assigned to an application in Azure AD are synchronized. - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/appcreation.png) - -## Assigning users to Zscaler ZSCloud - -Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. 
In the context of automatic user provisioning, only the users and/or groups that have been "assigned" to an application in Azure AD are synchronized. - -Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zscaler ZSCloud. Once decided, you can assign these users and/or groups to Zscaler ZSCloud by following the instructions here: - -* [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal) +Before you configure and enable automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zscaler ZSCloud. After you decide that, you can assign these users and groups to Zscaler ZSCloud by following the instructions in [Assign a user or group to an enterprise app](https://docs.microsoft.com/azure/active-directory/active-directory-coreapps-assign-user-azure-portal). ### Important tips for assigning users to Zscaler ZSCloud -* It is recommended that a single Azure AD user is assigned to Zscaler ZSCloud to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later. +* We recommend that you first assign a single Azure AD user to Zscaler ZSCloud to test the automatic user provisioning configuration. You can assign more users and groups later. -* When assigning a user to Zscaler ZSCloud, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. +* When you assign a user to Zscaler ZSCloud, you need to select any valid application-specific role (if available) in the assignment dialog box. Users with the **Default Access** role are excluded from provisioning. 
-## Configuring automatic user provisioning to Zscaler ZSCloud +## Set up automatic user provisioning -This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Zscaler ZSCloud based on user and/or group assignments in Azure AD. +This section guides you through the steps for configuring the Azure AD provisioning service to create, update, and disable users and groups in Zscaler ZSCloud based on user and group assignments in Azure AD. > [!TIP] -> You may also choose to enable SAML-based single sign-on for Zscaler ZSCloud, following the instructions provided in the [Zscaler ZSCloud single sign-on tutorial](zscaler-zsCloud-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, though these two features compliment each other. +> You might also want to enable SAML-based single sign-on for Zscaler ZSCloud. If you do, follow the instructions in the [Zscaler ZSCloud single sign-on tutorial](zscaler-zsCloud-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, but the two features complement each other. -### To configure automatic user provisioning for Zscaler ZSCloud in Azure AD: +1. Sign in to the [Azure portal](https://portal.azure.com) and select **Enterprise applications** > **All applications** > **Zscaler ZSCloud**: -1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory > Enterprise applications > All applications**. + ![Enterprise applications](common/enterprise-applications.png) -2. Select Zscaler ZSCloud from your list of SaaS applications. +2. In the applications list, select **Zscaler ZSCloud**: - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/appinstancesearch.png) + ![Applications list](common/all-applications.png) -3. Select the **Provisioning** tab. +3. 
Select the **Provisioning** tab: ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/provisioningtab.png) -4. Set the **Provisioning Mode** to **Automatic**. +4. Set the **Provisioning Mode** to **Automatic**: + + ![Set the Provisioning Mode](./media/zscaler-zscloud-provisioning-tutorial/provisioningcredentials.png) + +5. In the **Admin Credentials** section, enter the **Tenant URL** and **Secret Token** of your Zscaler ZSCloud account, as described in the next step. - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/provisioningcredentials.png) +6. To get the **Tenant URL** and **Secret Token**, go to **Administration** > **Authentication Settings** in the Zscaler ZSCloud portal and select **SAML** under **Authentication Type**: -5. Under the **Admin Credentials** section, input the **Tenant URL** and **Secret Token** of your Zscaler ZSCloud account as described in Step 6. + ![Zscaler ZSCloud Authentication Settings](./media/zscaler-zscloud-provisioning-tutorial/secrettoken1.png) -6. To obtain the **Tenant URL** and **Secret Token**, navigate to **Administration > Authentication Settings** in the Zscaler ZSCloud portal user interface and click on **SAML** under **Authentication Type**. + Select **Configure SAML** to open the **Configure SAML** window: - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/secrettoken1.png) + ![Configure SAML window](./media/zscaler-zscloud-provisioning-tutorial/secrettoken2.png) - Click on **Configure SAML** to open **Configuration SAML** options. + Select **Enable SCIM-Based Provisioning** and copy the **Base URL** and **Bearer Token**, and then save the settings. In the Azure portal, paste the **Base URL** into the **Tenant URL** box and the **Bearer Token** into the **Secret Token** box. 
- ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/secrettoken2.png) - - Select **Enable SCIM-Based Provisioning** to retrieve **Base URL** and **Bearer Token**, then save the settings. Copy the **Base URL** to **Tenant URL** and **Bearer Token** to **Secret Token** in the Azure portal. +7. After you enter the values in the **Tenant URL** and **Secret Token** boxes, select **Test Connection** to make sure Azure AD can connect to Zscaler ZSCloud. If the connection fails, make sure your Zscaler ZSCloud account has admin permissions and try again. -7. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to Zscaler ZSCloud. If the connection fails, ensure your Zscaler ZSCloud account has Admin permissions and try again. + ![Test the connection](./media/zscaler-zscloud-provisioning-tutorial/testconnection.png) - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/testconnection.png) - -8. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox **Send an email notification when a failure occurs**. +8. In the **Notification Email** box, enter the email address of a person or group that should receive the provisioning error notifications. Select **Send an email notification when a failure occurs**: - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/Notification.png) + ![Set up notification email](./media/zscaler-zscloud-provisioning-tutorial/Notification.png) -9. Click **Save**. +9. Select **Save**. -10. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Zscaler ZSCloud**. +10. 
In the **Mappings** section, select **Synchronize Azure Active Directory Users to ZscalerZSCloud**: - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/usermappings.png) + ![Synchronize Azure AD users](./media/zscaler-zscloud-provisioning-tutorial/usermappings.png) -11. Review the user attributes that are synchronized from Azure AD to Zscaler ZSCloud in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Zscaler ZSCloud for update operations. Select the **Save** button to commit any changes. +11. Review the user attributes that are synchronized from Azure AD to Zscaler ZSCloud in the **Attribute Mappings** section. The attributes selected as **Matching** properties are used to match the user accounts in Zscaler ZSCloud for update operations. Select **Save** to commit any changes. - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/userattributemappings.png) + ![Attribute Mappings](./media/zscaler-zscloud-provisioning-tutorial/userattributemappings.png) -12. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Zscaler ZSCloud**. +12. In the **Mappings** section, select **Synchronize Azure Active Directory Groups to ZscalerZSCloud**: - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/groupmappings.png) + ![Synchronize Azure AD groups](./media/zscaler-zscloud-provisioning-tutorial/groupmappings.png) -13. Review the group attributes that are synchronized from Azure AD to Zscaler ZSCloud in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Zscaler ZSCloud for update operations. Select the **Save** button to commit any changes. +13. Review the group attributes that are synchronized from Azure AD to Zscaler ZSCloud in the **Attribute Mappings** section. 
The attributes selected as **Matching** properties are used to match the groups in Zscaler ZSCloud for update operations. Select **Save** to commit any changes. - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/groupattributemappings.png) + ![Attribute Mappings](./media/zscaler-zscloud-provisioning-tutorial/groupattributemappings.png) -14. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](./../active-directory-saas-scoping-filters.md). +14. To configure scoping filters, refer to the instructions in the [Scoping filter tutorial](./../active-directory-saas-scoping-filters.md). -15. To enable the Azure AD provisioning service for Zscaler ZSCloud, change the **Provisioning Status** to **On** in the **Settings** section. +15. To enable the Azure AD provisioning service for Zscaler ZSCloud, change the **Provisioning Status** to **On** in the **Settings** section: - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/provisioningstatus.png) + ![Provisioning Status](./media/zscaler-zscloud-provisioning-tutorial/provisioningstatus.png) -16. Define the users and/or groups that you would like to provision to Zscaler ZSCloud by choosing the desired values in **Scope** in the **Settings** section. +16. Define the users and/or groups that you want to provision to Zscaler ZSCloud by choosing the values you want under **Scope** in the **Settings** section: - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/scoping.png) + ![Scope values](./media/zscaler-zscloud-provisioning-tutorial/scoping.png) -17. When you are ready to provision, click **Save**. +17. 
When you're ready to provision, select **Save**: - ![Zscaler ZSCloud Provisioning](./media/zscaler-zscloud-provisioning-tutorial/saveprovisioning.png) + ![Select Save](./media/zscaler-zscloud-provisioning-tutorial/saveprovisioning.png) -This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Zscaler ZSCloud. +This operation starts the initial synchronization of all users and groups defined under **Scope** in the **Settings** section. The initial sync takes longer than subsequent syncs, which occur about every 40 minutes, as long as the Azure AD provisioning service is running. You can monitor progress in the **Synchronization Details** section. You can also follow links to a provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Zscaler ZSCloud. -For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../active-directory-saas-provisioning-reporting.md). +For information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../active-directory-saas-provisioning-reporting.md). ## Additional resources -* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md) +* [Managing user account provisioning for enterprise apps](../manage-apps/configure-automatic-user-provisioning-portal.md) * [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps 
diff --git a/articles/active-directory/saas-apps/zscalerprivateaccessadministrator-tutorial.md b/articles/active-directory/saas-apps/zscalerprivateaccessadministrator-tutorial.md
index bb8112ff830b7..dcc79c93e2a0d 100644
--- a/articles/active-directory/saas-apps/zscalerprivateaccessadministrator-tutorial.md
+++ b/articles/active-directory/saas-apps/zscalerprivateaccessadministrator-tutorial.md
@@ -4,8 +4,8 @@ description: Learn how to configure single sign-on between Azure Active Director
 services: active-directory
 documentationCenter: na
 author: jeevansd
-manager: femila
-ms.reviewer: joflore
+manager: mtillman
+ms.reviewer: barbkess
 ms.assetid: c87392a7-e7fe-4cdc-a8e6-afe1ed975172
 ms.service: active-directory
@@ -13,8 +13,8 @@ ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
-ms.topic: article
-ms.date: 02/08/2018
+ms.topic: tutorial
+ms.date: 04/03/2019
 ms.author: jeedes
 ms.collection: M365-identity-device-management
@@ -22,124 +22,134 @@ ms.collection: M365-identity-device-management # Tutorial: Azure Active Directory integration with Zscaler Private Access Administrator In this tutorial, you learn how to integrate Zscaler Private Access Administrator with Azure Active Directory (Azure AD). - Integrating Zscaler Private Access Administrator with Azure AD provides you with the following benefits: -- You can control in Azure AD who has access to Zscaler Private Access Administrator. -- You can enable your users to automatically get signed-on to Zscaler Private Access Administrator (Single Sign-On) with their Azure AD accounts. -- You can manage your accounts in one central location - the Azure portal. +* You can control in Azure AD who has access to Zscaler Private Access Administrator. +* You can enable your users to be automatically signed-in to Zscaler Private Access Administrator (Single Sign-On) with their Azure AD accounts. +* You can manage your accounts in one central location - the Azure portal. -If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). +If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis). +If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites To configure Azure AD integration with Zscaler Private Access Administrator, you need the following items: -- An Azure AD subscription -- A Zscaler Private Access Administrator single sign-on enabled subscription - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. 
- -To test the steps in this tutorial, you should follow these recommendations: - -- Do not use your production environment, unless it is necessary. -- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). +* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/) +* Zscaler Private Access Administrator single sign-on enabled subscription ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. -The scenario outlined in this tutorial consists of two main building blocks: -1. Adding Zscaler Private Access Administrator from the gallery -1. Configuring and testing Azure AD single sign-on +In this tutorial, you configure and test Azure AD single sign-on in a test environment. + +* Zscaler Private Access Administrator supports **SP** and **IDP** initiated SSO ## Adding Zscaler Private Access Administrator from the gallery + To configure the integration of Zscaler Private Access Administrator into Azure AD, you need to add Zscaler Private Access Administrator from the gallery to your list of managed SaaS apps. **To add Zscaler Private Access Administrator from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. - ![The Azure Active Directory button][1] + ![The Azure Active Directory button](common/select-azuread.png) -1. Navigate to **Enterprise applications**. Then go to **All applications**. +2. Navigate to **Enterprise Applications** and then select the **All Applications** option. - ![The Enterprise applications blade][2] - -1. To add new application, click **New application** button on the top of dialog. 
+ ![The Enterprise applications blade](common/enterprise-applications.png) - ![The New application button][3] +3. To add new application, click **New application** button on the top of dialog. -1. In the search box, type **Zscaler Private Access Administrator**, select **Zscaler Private Access Administrator** from result panel then click **Add** button to add the application. + ![The New application button](common/add-new-app.png) - ![Zscaler Private Access Administrator in the results list](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_addfromgallery.png) +4. In the search box, type **Zscaler Private Access Administrator**, select **Zscaler Private Access Administrator** from result panel then click **Add** button to add the application. -## Configure and test Azure AD single sign-on + ![Zscaler Private Access Administrator in the results list](common/search-new-app.png) -In this section, you configure and test Azure AD single sign-on with Zscaler Private Access Administrator based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on -For single sign-on to work, Azure AD needs to know what the counterpart user in Zscaler Private Access Administrator is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Zscaler Private Access Administrator needs to be established. +In this section, you configure and test Azure AD single sign-on with Zscaler Private Access Administrator based on a test user called **Britta Simon**. +For single sign-on to work, a link relationship between an Azure AD user and the related user in Zscaler Private Access Administrator needs to be established. To configure and test Azure AD single sign-on with Zscaler Private Access Administrator, you need to complete the following building blocks: 1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. 
-1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. -1. **[Create a Zscaler Private Access Administrator test user](#create-a-zscaler-private-access-administrator-test-user)** - to have a counterpart of Britta Simon in Zscaler Private Access Administrator that is linked to the Azure AD representation of user. -1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. +2. **[Configure Zscaler Private Access Administrator Single Sign-On](#configure-zscaler-private-access-administrator-single-sign-on)** - to configure the Single Sign-On settings on application side. +3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. +5. **[Create Zscaler Private Access Administrator test user](#create-zscaler-private-access-administrator-test-user)** - to have a counterpart of Britta Simon in Zscaler Private Access Administrator that is linked to the Azure AD representation of user. +6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. ### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Zscaler Private Access Administrator application. +In this section, you enable Azure AD single sign-on in the Azure portal. -**To configure Azure AD single sign-on with Zscaler Private Access Administrator, perform the following steps:** +To configure Azure AD single sign-on with Zscaler Private Access Administrator, perform the following steps: -1. 
In the Azure portal, on the **Zscaler Private Access Administrator** application integration page, click **Single sign-on**. +1. In the [Azure portal](https://portal.azure.com/), on the **Zscaler Private Access Administrator** application integration page, select **Single sign-on**. - ![Configure single sign-on link][4] + ![Configure single sign-on link](common/select-sso.png) -1. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. - - ![Single sign-on dialog box](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_samlbase.png) +2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on. -1. On the **Zscaler Private Access Administrator Domain and URLs** section if you wish to configure the application in **IDP** initiated mode: + ![Single sign-on select mode](common/select-saml-option.png) - ![Zscaler Private Access Administrator Domain and URLs single sign-on information](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_url.png) +3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog. - a. In the **Identifier** textbox, type a URL using the following pattern: `https://.private.zscaler.com/auth/metadata` + ![Edit Basic SAML Configuration](common/edit-urls.png) - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://.private.zscaler.com/auth/sso` +4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: - c. Check **Show advanced URL settings** + ![Zscaler Private Access Administrator Domain and URLs single sign-on information](common/idp-relay.png) - d. In the **RelayState** textbox, type a value: `idpadminsso` + a. 
In the **Identifier** text box, type a URL using the following pattern: + `https://.private.zscaler.com/auth/metadata` -1. If you wish to configure the application in **SP** initiated mode perform the following steps: + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://.private.zscaler.com/auth/sso` - In the **Sign-on URL** textbox, type a URL using the following pattern: `https://.private.zscaler.com/auth/sso` + c. Click **Set additional URLs**. - > [!NOTE] - > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Zscaler Private Access Administrator support team](https://help.zscaler.com/zpa-submit-ticket) to get these values. - -1. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. + d. In the **Relay State** text box, type a URL: + `idpadminsso` + +5. If you wish to configure the application in **SP** initiated mode, perform the following step: + + ![Zscaler Private Access Administrator Domain and URLs single sign-on information](common/both-signonurl.png) + + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://.private.zscaler.com/auth/sso` + + > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Zscaler Private Access Administrator Client support team](https://help.zscaler.com/zpa-submit-ticket) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. - ![The Certificate download link](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_certificate.png) +6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. -1. 
Click **Save** button. + ![The Certificate download link](common/metadataxml.png) - ![Configure Single Sign-On Save button](./media/zscalerprivateaccessadministrator-tutorial/tutorial_general_400.png) +7. On the **Set up Zscaler Private Access Administrator** section, copy the appropriate URL(s) as per your requirement. -1. In a different web browser window, login to Zscaler Private Access Administrator as an Administrator. + ![Copy configuration URLs](common/copy-configuration-urls.png) -1. On the top, click **Administration** and navigate to **AUTHENTICATION** section click **IdP Configuration**. + a. Login URL + + b. Azure AD Identifier + + c. Logout URL + +### Configure Zscaler Private Access Administrator Single Sign-On + +1. In a different web browser window, sign to Zscaler Private Access Administrator as an Administrator. + +2. On the top, click **Administration** and navigate to **AUTHENTICATION** section click **IdP Configuration**. ![Zscaler Private Access Administrator admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_admin.png) -1. In the top right corner, click **Add IdP Configuration**. +3. In the top right corner, click **Add IdP Configuration**. ![Zscaler Private Access Administrator addidp](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_addpidp.png) -1. On the **Add IdP Configuration** page perform the following steps: +4. On the **Add IdP Configuration** page perform the following steps: ![Zscaler Private Access Administrator idpselect](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_idpselect.png) 
@@ -155,136 +165,107 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf e. Click **Save**. -> [!TIP] -> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) - -### Create an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure portal called Britta Simon. - ![Create an Azure AD test user][100] - -**To create a test user in Azure AD, perform the following steps:** +1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**. -1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. + ![The "Users and groups" and "All users" links](common/users.png) - ![The Azure Active Directory button](./media/zscalerprivateaccessadministrator-tutorial/create_aaduser_01.png) +2. Select **New user** at the top of the screen. -1. To display the list of users, go to **Users and groups**, and then click **All users**. + ![New user Button](common/new-user.png) - ![The "Users and groups" and "All users" links](./media/zscalerprivateaccessadministrator-tutorial/create_aaduser_02.png) +3. In the User properties, perform the following steps. -1. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. + ![The User dialog box](common/user-properties.png) - ![The Add button](./media/zscalerprivateaccessadministrator-tutorial/create_aaduser_03.png) - -1. 
In the **User** dialog box, perform the following steps: - - ![The User dialog box](./media/zscalerprivateaccessadministrator-tutorial/create_aaduser_04.png) - - a. In the **Name** box, type **BrittaSimon**. - - b. In the **User name** box, type the email address of user Britta Simon. + a. In the **Name** field enter **BrittaSimon**. + + b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com - c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. + c. Select **Show password** check box, and then write down the value that's displayed in the Password box. d. Click **Create**. - -### Create a Zscaler Private Access Administrator test user -To enable Azure AD users to log in to Zscaler Private Access Administrator, they must be provisioned into Zscaler Private Access Administrator. In the case of Zscaler Private Access Administrator, provisioning is a manual task. +### Assign the Azure AD test user -**To provision a user account, perform the following steps:** +In this section, you enable Britta Simon to use Azure single sign-on by granting access to Zscaler Private Access Administrator. -1. Log in to your Zscaler Private Access Administrator company site as an administrator. +1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Zscaler Private Access Administrator**. -1. On the top, click **Administration** and navigate to **AUTHENTICATION** section click **IdP Configuration**. + ![Enterprise applications blade](common/enterprise-applications.png) - ![Zscaler Private Access Administrator admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_admin.png) +2. In the applications list, select **Zscaler Private Access Administrator**. -1. Click **Administrators** from left side of the menu. 
+ ![The Zscaler Private Access Administrator link in the Applications list](common/all-applications.png) - ![Zscaler Private Access Administrator administrator](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_adminstrator.png) +3. In the menu on the left, select **Users and groups**. -1. In the top right corner, click **Add Administrator**: + ![The "Users and groups" link](common/users-groups-blade.png) - ![Zscaler Private Access Administrator add admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_addadmin.png) +4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. -1. In the **Add Administrator** page, perform the following steps: + ![The Add Assignment pane](common/add-assign-user.png) - ![Zscaler Private Access Administrator user admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_useradmin.png) +5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. - a. In the **Username** textbox, enter the email of user like **BrittaSimon\@contoso.com**. +6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. - b. In the **Password** textbox, type the Password. +7. In the **Add Assignment** dialog click the **Assign** button. - c. In the **Confirm Password** textbox, type the Password. +### Create Zscaler Private Access Administrator test user - d. Select **Role** as **Zscaler Private Access Administrator**. +To enable Azure AD users to sign in to Zscaler Private Access Administrator, they must be provisioned into Zscaler Private Access Administrator. In the case of Zscaler Private Access Administrator, provisioning is a manual task. - e. 
In the **Email** textbox, enter the email of user like **BrittaSimon\@contoso.com**. +**To provision a user account, perform the following steps:** - f. In the **Phone** textbox, type the Phone number. +1. Sign in to your Zscaler Private Access Administrator company site as an administrator. - g. In the **Timezone** textbox, select the Timezone. +2. On the top, click **Administration** and navigate to **AUTHENTICATION** section click **IdP Configuration**. - h. Click **Save**. + ![Zscaler Private Access Administrator admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_admin.png) -### Assign the Azure AD test user +3. Click **Administrators** from left side of the menu. -In this section, you enable Britta Simon to use Azure single sign-on by granting access to Zscaler Private Access Administrator. + ![Zscaler Private Access Administrator administrator](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_adminstrator.png) -![Assign the user role][200] +4. In the top right corner, click **Add Administrator**: -**To assign Britta Simon to Zscaler Private Access Administrator, perform the following steps:** + ![Zscaler Private Access Administrator add admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_addadmin.png) -1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. +5. In the **Add Administrator** page, perform the following steps: - ![Assign User][201] + ![Zscaler Private Access Administrator user admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_useradmin.png) -1. In the applications list, select **Zscaler Private Access Administrator**. + a. In the **Username** textbox, enter the email of user like BrittaSimon@contoso.com. 
- ![The Zscaler Private Access Administrator link in the Applications list](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_app.png) + b. In the **Password** textbox, type the Password. -1. In the menu on the left, click **Users and groups**. + c. In the **Confirm Password** textbox, type the Password. - ![The "Users and groups" link][202] + d. Select **Role** as **Zscaler Private Access Administrator**. -1. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. + e. In the **Email** textbox, enter the email of user like BrittaSimon@contoso.com. - ![The Add Assignment pane][203] + f. In the **Phone** textbox, type the Phone number. -1. On **Users and groups** dialog, select **Britta Simon** in the Users list. + g. In the **Timezone** textbox, select the Timezone. -1. Click **Select** button on **Users and groups** dialog. + h. Click **Save**. -1. Click **Assign** button on **Add Assignment** dialog. - -### Test single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. -When you click the Zscaler Private Access Administrator tile in the Access Panel, you should get automatically signed-on to your Zscaler Private Access Administrator application. -For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/active-directory-saas-access-panel-introduction.md). - -## Additional resources - -* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](tutorial-list.md) -* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - - +When you click the Zscaler Private Access Administrator tile in the Access Panel, you should be automatically signed in to the Zscaler Private Access Administrator for which you set up SSO. 
For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). - +## Additional Resources -[1]: ./media/zscalerprivateaccessadministrator-tutorial/tutorial_general_01.png -[2]: ./media/zscalerprivateaccessadministrator-tutorial/tutorial_general_02.png -[3]: ./media/zscalerprivateaccessadministrator-tutorial/tutorial_general_03.png -[4]: ./media/zscalerprivateaccessadministrator-tutorial/tutorial_general_04.png +- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) -[100]: ./media/zscalerprivateaccessadministrator-tutorial/tutorial_general_100.png +- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) -[200]: ./media/zscalerprivateaccessadministrator-tutorial/tutorial_general_200.png -[201]: ./media/zscalerprivateaccessadministrator-tutorial/tutorial_general_201.png -[202]: ./media/zscalerprivateaccessadministrator-tutorial/tutorial_general_202.png -[203]: ./media/zscalerprivateaccessadministrator-tutorial/tutorial_general_203.png +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) diff --git a/articles/active-directory/user-help/media/security-info/two-factor-auth-signin-another-way.png b/articles/active-directory/user-help/media/security-info/two-factor-auth-signin-another-way.png new file mode 100644 index 0000000000000..71b2d5c1ed2f1 Binary files /dev/null and b/articles/active-directory/user-help/media/security-info/two-factor-auth-signin-another-way.png differ 
diff --git a/articles/active-directory/user-help/user-help-join-device-on-network.md b/articles/active-directory/user-help/user-help-join-device-on-network.md index e1e94321d0ba0..d4008d39fadd0 100644 --- a/articles/active-directory/user-help/user-help-join-device-on-network.md +++ b/articles/active-directory/user-help/user-help-join-device-on-network.md @@ -58,7 +58,7 @@ You can make sure that you're joined by looking at your settings. ![Accounts on the Settings screen](./media/user-help-join-device-on-network/join-device-settings-accounts.png) -2. Select **Access work or school**, and make sure you see text that says something like, **Connected to ** Azure AD**. +2. Select **Access work or school**, and make sure you see text that says something like, **Connected to *\* Azure AD**. ![Access work or school screen with connected contoso account](./media/user-help-join-device-on-network/join-device-oobe-verify.png) @@ -103,7 +103,7 @@ You can make sure that you're joined by looking at your settings. ![Accounts on the Settings screen](./media/user-help-join-device-on-network/join-device-settings-accounts.png) -2. Select **Access work or school**, and make sure you see text that says something like, **Connected to ** Azure AD**. +2. Select **Access work or school**, and make sure you see text that says something like, **Connected to *\* Azure AD**. ![Access work or school screen with connected contoso account](./media/user-help-join-device-on-network/join-device-setup-verify.png) diff --git a/articles/active-directory/user-help/user-help-sign-in.md b/articles/active-directory/user-help/user-help-sign-in.md index e0d8844b2802e..314c269be36d7 100644 --- a/articles/active-directory/user-help/user-help-sign-in.md +++ b/articles/active-directory/user-help/user-help-sign-in.md 
@@ -30,29 +30,42 @@ After you set up two-step verification or security info, you'll be able to sign 2. Select **Approve** from the approval notification sent to your mobile device. - ## Sign in using an authenticator app code on your mobile device 1. Sign in to your account with your username and password. 2. Open your authenticator app and type the randomly generated code for your account into the **Enter code** box. - ## Sign in using your phone number 1. Sign in to your account with your username and password. 2. Answer your phone and follow the instructions. - ## Sign in using a text message 1. Sign in to your account with your username and password. 2. Open the text message and type the code from your text message into the **Enter code** box. +## Sign in using another verification method +If for some reason you're unable to use your primary sign-in method, you can use another previously set up verification method. + +1. Sign in to your account normally, and then choose the **Sign in another way** link on the **Two-step verification** page. + + ![Change sign in verification method](media/security-info/two-factor-auth-signin-another-way.png) + + >[!Note] + >If you don't see the **Sign in another way** link, it means that you haven't set up any other verification methods and that you'll have to contact your administrator for help signing into your account. After your administrator helps you to sign in, make sure you add additional verification methods. For more info about adding verification methods, see the [Manage your settings for two-step verification](multi-factor-authentication-end-user-manage-settings.md) article. + > + >If you see the **Sign in another way** link, but still don't see any other verification methods, you'll have to contact your administrator for help signing in to your account. + +2. Choose your alternative verification method, and continue with the two-step verification process. + +3. 
After you're back in your account, you can update your verification methods (if necessary). For more info about add or changing your methods, see the [Manage your settings for two-step verification](multi-factor-authentication-end-user-manage-settings.md) article. ## Next steps + - Learn about security info in the [Security info (preview) overview](user-help-security-info-overview.md) article. - Learn about two-step verification in the [Two-step verification overview](user-help-two-step-verification-overview.md) article. diff --git a/articles/active-directory/users-groups-roles/TOC.yml b/articles/active-directory/users-groups-roles/TOC.yml index 1e0eaa4ac0f8f..222d70ac9dd90 100644 --- a/articles/active-directory/users-groups-roles/TOC.yml +++ b/articles/active-directory/users-groups-roles/TOC.yml @@ -66,8 +66,6 @@ href: domains-admin-takeover.md - name: Azure AD Connect href: /azure/active-directory/connect/active-directory-aadconnect?context=azure/active-directory/users-groups-roles/context/ugr-context - - name: Configure company branding - href: /azure/active-directory/fundamentals/customize-branding?context=azure/active-directory/users-groups-roles/context/ugr-context - name: Manage groups items: - name: Manage access with groups @@ -122,10 +120,12 @@ href: licensing-service-plan-reference.md - name: Azure AD administrator roles items: - - name: Roles and permissions + - name: Roles and permissions href: directory-assign-admin-roles.md - name: View and assign roles href: directory-manage-roles-portal.md + - name: Assign roles with PowerShell + href: roles-assign-powershell.md - name: Delegate app admin roles href: roles-delegate-app-roles.md - name: Least-privileged roles by task 
@@ -140,6 +140,14 @@ href: directory-emergency-access.md - name: Administrative units href: directory-administrative-units.md + - name: Manage sign-in + items: + - name: Customize company branding + href: /azure/active-directory/fundamentals/customize-branding?context=azure/active-directory/users-groups-roles/context/ugr-context + - name: Sign-in options + href: signin-account-support.md + - name: Home Realm Discovery + href: signin-realm-discovery.md - name: Integrate services with Azure AD items: - name: Integrate LinkedIn with Azure AD diff --git a/articles/active-directory/users-groups-roles/directory-assign-admin-roles.md b/articles/active-directory/users-groups-roles/directory-assign-admin-roles.md index c81ac41fcc469..d43740381fcce 100644 --- a/articles/active-directory/users-groups-roles/directory-assign-admin-roles.md +++ b/articles/active-directory/users-groups-roles/directory-assign-admin-roles.md @@ -10,7 +10,7 @@ ms.service: active-directory ms.workload: identity ms.subservice: users-groups-roles ms.topic: article -ms.date: 03/27/2019 +ms.date: 04/09/2019 ms.author: curtand ms.reviewer: vincesm ms.custom: it-pro 
@@ -93,7 +93,7 @@ The following administrator roles are available: * **[Device Administrators](#device-administrators)**: This role is available for assignment only as an additional local administrator in [Device settings](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/DeviceSettings/menuId/). Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage devices objects in Azure Active Directory. -* **[Directory Readers](#directory-readers)**: This is a legacy role that is to be assigned to applications that do not support the [Consent Framework](../develop/quickstart-v1-integrate-apps-with-azure-ad.md). It should not be assigned to any users. +* **[Directory Readers](#directory-readers)**: This is a role that should be assigned only to legacy applications that do not support the [Consent Framework](../develop/quickstart-v1-integrate-apps-with-azure-ad.md). Don't assign it to users. * **[Directory Synchronization Accounts](#directory-synchronization-accounts)**: Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use. diff --git a/articles/active-directory/users-groups-roles/licensing-ps-examples.md b/articles/active-directory/users-groups-roles/licensing-ps-examples.md index 81e6c2e1c28d3..618853f61973a 100644 --- a/articles/active-directory/users-groups-roles/licensing-ps-examples.md +++ b/articles/active-directory/users-groups-roles/licensing-ps-examples.md @@ -116,7 +116,7 @@ Get-MsolGroup -All | Where {$_.Licenses} | Foreach { $licenseAssignedCount = 0; $licenseErrorCount = 0; - Get-MsolGroupMember -All -GroupObjectId $groupId + Get-MsolGroupMember -All -GroupObjectId $groupId | #get full info about each user in the group Get-MsolUser -ObjectId {$_.ObjectId} | Foreach { $user = $_; 
diff --git a/articles/active-directory/users-groups-roles/licensing-service-plan-reference.md b/articles/active-directory/users-groups-roles/licensing-service-plan-reference.md index 70b7d0587df74..14b78b614d4d1 100644 --- a/articles/active-directory/users-groups-roles/licensing-service-plan-reference.md +++ b/articles/active-directory/users-groups-roles/licensing-service-plan-reference.md @@ -13,7 +13,7 @@ ms.service: active-directory ms.topic: article ms.workload: identity ms.subservice: users-groups-roles -ms.date: 01/28/2019 +ms.date: 04/10/2019 ms.author: curtand ms.reviewer: ajayanti1 ms.custom: "it-pro;seo-update-azuread-jan" @@ -29,80 +29,81 @@ When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic - **String ID**: Used by PowerShell v1.0 cmdlets when performing operations on licenses - **GUID**: GUID used by Azure AD Graph and Microsoft Graph - **Service plans included**: A list of service plans in the product that correspond to the string ID and GUID +- **Service plans included (friendly names)**: A list of service plans (friendly names) in the product that correspond to the string ID and GUID >[!NOTE] >This information is accurate as of August 17, 2018. -| Product name | String ID | GUID | Service plans included | +| Product name | String ID | GUID | Service plans included | Service plans included (friendly names) | | --- | --- | --- |--- | -| AUDIO CONFERENCING | MCOMEETADV | 0c266dff-15dd-4b49-8397-2bb16070ed52 |MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40) | -| AZURE ACTIVE DIRECTORY BASIC | AAD_BASIC | 2b9c8e7c-319c-43a2-a2a0-48c5c6161de7 | AAD_BASIC (c4da7f8a-5ee2-4c99-a7e1-87d2df57f6fe) | -| AZURE ACTIVE DIRECTORY PREMIUM P1 | AAD_PREMIUM | 078d2b04-f1bd-4111-bbd4-b4b1b354cef4 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)
MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0) | -| AZURE ACTIVE DIRECTORY PREMIUM P2 | AAD_PREMIUM_P2 | 84a661c4-e949-4bd2-a560-ed7766fcaf2b | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)
ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)
MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0) | -| AZURE INFORMATION PROTECTION PLAN 1 | RIGHTSMANAGEMENT | c52ea49f-fe5d-4e95-93ba-1de91d380f89 | RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3) | -| DYNAMICS 365 CUSTOMER ENGAGEMENT PLAN ENTERPRISE EDITION | DYN365_ENTERPRISE_PLAN1 | ea126fc5-a19e-42e2-a731-da9d437bffcf | DYN365_ENTERPRISE_P1 (d56f3deb-50d8-465a-bedb-f079817ccac1)
FLOW_DYN_P2 (b650d915-9886-424b-a08d-633cede56f57)
NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS_DYN_P2 (0b03f40b-c404-40c3-8651-2aceb74365fa)
PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | -| DYNAMICS 365 FOR CUSTOMER SERVICE ENTERPRISE EDITION | DYN365_ENTERPRISE_CUSTOMER_SERVICE | 749742bf-0d37-4158-a120-33567104deeb | DYN365_ENTERPRISE_CUSTOMER_SERVICE (99340b49-fb81-4b1e-976b-8f2ae8e9394f)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)
PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | -| DYNAMICS 365 FOR FINANCIALS BUSINESS EDITION | DYN365_FINANCIALS_BUSINESS_SKU | cc13a803-544e-4464-b4e4-6d6169a138fa | DYN365_FINANCIALS_BUSINESS (920656a2-7dd8-4c83-97b6-a356414dbd36)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) | -| DYNAMICS 365 FOR SALES AND CUSTOMER SERVICE ENTERPRISE EDITION | DYN365_ENTERPRISE_SALES_CUSTOMERSERVICE | 8edc2cf8-6438-4fa9-b6e3-aa1660c640cc | DYN365_ENTERPRISE_P1 (d56f3deb-50d8-465a-bedb-f079817ccac1)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)
PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | -| DYNAMICS 365 FOR SALES ENTERPRISE EDITION | DYN365_ENTERPRISE_SALES | 1e1a282c-9c54-43a2-9310-98ef728faace | DYN365_ENTERPRISE_SALES (2da8e897-7791-486b-b08f-cc63c8129df7)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)
PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | -| DYNAMICS 365 FOR TEAM MEMBERS ENTERPRISE EDITION | DYN365_ENTERPRISE_TEAM_MEMBERS | 8e7a3d30-d97d-43ab-837c-d7701cef83dc | DYN365_Enterprise_Talent_Attract_TeamMember (643d201a-9884-45be-962a-06ba97062e5e)
DYN365_Enterprise_Talent_Onboard_TeamMember (f2f49eef-4b3f-4853-809a-a055c6103fe0)
DYN365_ENTERPRISE_TEAM_MEMBERS (6a54b05e-4fab-40e7-9828-428db3b336fa)
Dynamics_365_for_Operations_Team_members (f5aa7b45-8a36-4cd1-bc37-5d06dea98645)
Dynamics_365_for_Retail_Team_members (c0454a3d-32b5-4740-b090-78c32f48f0ad)
Dynamics_365_for_Talent_Team_members (d5156635-0704-4f66-8803-93258f8b2678)
FLOW_DYN_TEAM (1ec58c70-f69c-486a-8109-4b87ce86e449)
POWERAPPS_DYN_TEAM (52e619e2-2730-439a-b0d3-d09ab7e8b705)
PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | -| DYNAMICS 365 UNF OPS PLAN ENT EDITION | Dynamics_365_for_Operations | ccba3cfe-71ef-423a-bd87-b6df3dce59a9 | DDYN365_CDS_DYN_P2 (d1142cfd-872e-4e77-b6ff-d98ec5a51f66)
DYN365_TALENT_ENTERPRISE (65a1ebf4-6732-4f00-9dcb-3d115ffdeecd)
Dynamics_365_for_Operations (95d2cd7b-1007-484b-8595-5e97e63fe189)
Dynamics_365_for_Retail (a9e39199-8369-444b-89c1-5fe65ec45665)
Dynamics_365_Hiring_Free_PLAN (f815ac79-c5dd-4bcc-9b78-d97f7b817d0d)
Dynamics_365_Onboarding_Free_PLAN (300b8114-8555-4313-b861-0c115d820f50)
FLOW_DYN_P2 (b650d915-9886-424b-a08d-633cede56f57)
POWERAPPS_DYN_P2 (0b03f40b-c404-40c3-8651-2aceb74365fa) |
-| ENTERPRISE MOBILITY + SECURITY E3 | EMS | efccb6f7-5641-4e0e-bd10-b4976e1bf68e | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)
INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3) |
-| ENTERPRISE MOBILITY + SECURITY E5 | EMSPREMIUM | b05e124f-c7cc-45a0-a6aa-8cf78c946968 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)
ADALLOM_S_STANDALONE (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)
ATA (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f)
INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
RMS_S_PREMIUM2 (5689bec4-755d-4753-8b61-40975025187c) |
-| EXCHANGE ONLINE (PLAN 1) | EXCHANGESTANDARD | 4b9405b0-7788-4568-add1-99614e613b69 | EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c) |
-| EXCHANGE ONLINE (PLAN 2) | EXCHANGEENTERPRISE | 19ec0d23-8335-4cbd-94ac-6050e30712fa | EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0) |
-| EXCHANGE ONLINE ARCHIVING FOR EXCHANGE ONLINE | EXCHANGEARCHIVE_ADDON | ee02fd1b-340e-4a4b-b355-4a514e4c8943 | EXCHANGE_S_ARCHIVE_ADDON (176a09a6-7ec5-4039-ac02-b2791c6ba793) |
-| EXCHANGE ONLINE ARCHIVING FOR EXCHANGE SERVER | EXCHANGEARCHIVE | 90b5e015-709a-4b8b-b08e-3200f994494c | EXCHANGE_S_ARCHIVE (da040e0a-b393-4bea-bb76-928b3fa1cf5a) |
-| EXCHANGE ONLINE ESSENTIALS | EXCHANGEESSENTIALS | 7fc0182e-d107-4556-8329-7caaa511197b | EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c) |
-| EXCHANGE ONLINE ESSENTIALS | EXCHANGE_S_ESSENTIALS | e8f81a67-bd96-4074-b108-cf193eb9433b | EXCHANGE_S_ESSENTIALS (1126bef5-da20-4f07-b45e-ad25d2581aa8) |
-| EXCHANGE ONLINE KIOSK | EXCHANGEDESKLESS | 80b2d799-d2ba-4d2a-8842-fb0d0f3a4b82 | EXCHANGE_S_DESKLESS (4a82b400-a79f-41a4-b4e2-e94f5787b113) |
-| EXCHANGE ONLINE POP | EXCHANGETELCO | cb0a98a8-11bc-494c-83d9-c1b1ac65327e | EXCHANGE_B_STANDARD (90927877-dcff-4af6-b346-2332c0b15bb7) |
-| INTUNE | INTUNE_A | 061f9ace-7d42-4136-88ac-31dc755f143f | INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) |
-| MICROSOFT 365 BUSINESS | SPB | cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46 | AAD_SMB (de377cbc-0019-4ec2-b77c-3f223947e102)
BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_ARCHIVE_ADDON (176a09a6-7ec5-4039-ac02-b2791c6ba793)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
INTUNE_SMBIZ (8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)
O365_SB_Relationship_Management (5bfe124c-bbdc-4494-8835-f1297d457d79)
OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
WINBIZ (8e229017-d77b-43d5-9305-903395523b99)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| MICROSOFT 365 E3 | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)
BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)
FORMS_PLAN_E3 (2789c901-c14e-48ab-a76a-be334d9d793a)
INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
WIN10_PRO_ENT_SUB (21b439ba-a0ca-424f-a6cc-52f954a5b111)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| MICROSOFT DYNAMICS CRM ONLINE BASIC | CRMPLAN2 | 906af65a-2970-46d5-9b58-4e9aa50f0657 | CRMPLAN2 (bf36ca64-95c6-4918-9275-eb9f4ce2c04f)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) |
-| MICROSOFT DYNAMICS CRM ONLINE | CRMSTANDARD | d17b27af-3f49-4822-99f9-56a661538792 | CRMSTANDARD (f9646fb2-e3b2-4309-95de-dc4833737456)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
MDM_SALES_COLLABORATION (3413916e-ee66-4071-be30-6f94d4adfeda)
NBPROFESSIONALFORCRM (3e58e97c-9abe-ebab-cd5f-d543d1529634)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) |
-| MICROSOFT INTUNE A DIRECT | INTUNE_A | 061f9ace-7d42-4136-88ac-31dc755f143f | INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) |
-| MS IMAGINE ACADEMY | IT_ACADEMY_AD | ba9a34de-4489-469d-879c-0f0f145321cd | IT_ACADEMY_AD (d736def0-1fde-43f0-a5be-e3f8b2de6e41) |
-| OFFICE 365 BUSINESS | O365_BUSINESS | cdd28e44-67e3-425e-be4c-737fab2899d3 | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
-| OFFICE 365 BUSINESS | SMB_BUSINESS | b214fe43-f5a3-4703-beeb-fa97188220fc | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
-| OFFICE 365 BUSINESS ESSENTIALS | O365_BUSINESS_ESSENTIALS | 3b555118-da6a-4418-894f-7df1e2096870 | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| OFFICE 365 BUSINESS ESSENTIALS | SMB_BUSINESS_ESSENTIALS | dab7782a-93b1-4074-8bb1-0e61318bea0b | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_MIDSIZE (41bf139a-4e60-409f-9346-a1361efc6dfb) |
-| OFFICE 365 BUSINESS PREMIUM | O365_BUSINESS_PREMIUM | f245ecc8-75af-4f8e-b61f-27d8114de5f3 | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)
O365_SB_Relationship_Management (5bfe124c-bbdc-4494-8835-f1297d457d79)
OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| OFFICE 365 BUSINESS PREMIUM | SMB_BUSINESS_PREMIUM | ac5cef5d-921b-4f97-9ef3-c99076e5470f | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)
O365_SB_Relationship_Management (5bfe124c-bbdc-4494-8835-f1297d457d79)
OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_MIDSIZE (41bf139a-4e60-409f-9346-a1361efc6dfb) |
-| OFFICE 365 ENTERPRISE E1 | STANDARDPACK | 18181a46-0d4e-45cd-891e-60aabd171b4e | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653)) |
-| OFFICE 365 ENTERPRISE E2 | STANDARDWOFFPACK | 6634e0ce-1a9f-428c-a498-f84ec7b8aa2e | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| OFFICE 365 ENTERPRISE E3 | ENTERPRISEPACK | 6fd2c87f-b296-42f0-b197-1e91e994b900 | BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)
FORMS_PLAN_E3 (2789c901-c14e-48ab-a76a-be334d9d793a)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| OFFICE 365 ENTERPRISE E3 DEVELOPER | DEVELOPERPACK | 189a915c-fe4f-4ffa-bde4-85b9628d07a0 | BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)
FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINT_S_DEVELOPER (a361d6e2-509e-4e25-a8ad-950060064ef4)
SHAREPOINTWAC_DEVELOPER (527f7cdd-0e86-4c47-b879-f5fd357a3ac6)
STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929) |
-| OFFICE 365 ENTERPRISE E4 | ENTERPRISEWITHSCAL | 1392051d-0cb9-4b7a-88d5-621fee5e8711 | BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)
FORMS_PLAN_E3 (2789c901-c14e-48ab-a76a-be334d9d793a)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MCOVOICECONF (27216c54-caf8-4d0d-97e2-517afb5c08f6)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| OFFICE 365 ENTERPRISE E5 | ENTERPRISEPREMIUM | c7df2760-2c81-4ef7-b578-5b5392b571df | ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)
BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba)
BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)
EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P3 (07699545-9485-468e-95b6-2fca3738be01)
FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)
LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)
MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)
MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P3 (9c0dab89-a30c-4117-86e7-97bda240acd2)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| OFFICE 365 ENTERPRISE E5 WITHOUT AUDIO CONFERENCING | ENTERPRISEPREMIUM_NOPSTNCONF | 26d45bd9-adf1-46cd-a9e1-51e9a5524128 | ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)
BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba)
BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)
EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P3 (07699545-9485-468e-95b6-2fca3738be01)
FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)
LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)
MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P3 (9c0dab89-a30c-4117-86e7-97bda240acd2)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| OFFICE 365 F1 | DESKLESSPACK | 4b585984-651b-448a-9e53-3b10f069cf7f | BPOS_S_TODO_FIRSTLINE (80873e7a-cd2a-4e67-b061-1b5381a676a5)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_DESKLESS (4a82b400-a79f-41a4-b4e2-e94f5787b113)
FLOW_O365_S1 (bd91b1a4-9f94-4ecf-b45b-3a65e5c8128a)
FORMS_PLAN_K (f07046bd-2a3c-4b96-b0be-dea79d7cbfb8)
MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS_O365_S1 (e0287f9f-e222-4f98-9a83-f379e249159a)
SHAREPOINTDESKLESS (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_K (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| OFFICE 365 MIDSIZE BUSINESS | MIDSIZEPACK | 04a7fb0d-32e0-4241-b4f5-3f7618cd1162 | EXCHANGE_S_STANDARD_MIDMARKET (fc52cc4b-ed7d-472d-bbe7-b081c23ecc56)
MCOSTANDARD_MIDMARKET (b2669e95-76ef-4e7e-a367-002f60a39f3e)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
SHAREPOINTENTERPRISE_MIDMARKET (6b5b6a67-fc72-4a1f-a2b5-beecf05de761)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
YAMMER_MIDSIZE (41bf139a-4e60-409f-9346-a1361efc6dfb) |
-| OFFICE 365 PROPLUS | OFFICESUBSCRIPTION | c2273bd0-dff7-4215-9ef5-2c7bcfb06425 | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
-| OFFICE 365 SMALL BUSINESS | LITEPACK | bd09678e-b83c-4d3f-aaba-3dad4abd128b | EXCHANGE_L_STANDARD (d42bdbd6-c335-4231-ab3d-c8f348d5aff5)
MCOLITE (70710b6b-3ab4-4a38-9f6d-9f169461650a)
SHAREPOINTLITE (a1f3d0a8-84c0-4ae0-bae4-685917b8ab48)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
-| OFFICE 365 SMALL BUSINESS PREMIUM | LITEPACK_P2 | fc14ec4a-4169-49a4-a51e-2c852931814b | EXCHANGE_L_STANDARD (d42bdbd6-c335-4231-ab3d-c8f348d5aff5)
MCOLITE (70710b6b-3ab4-4a38-9f6d-9f169461650a)
OFFICE_PRO_PLUS_SUBSCRIPTION_SMBIZ (8ca59559-e2ca-470b-b7dd-afd8c0dee963)
SHAREPOINTLITE (a1f3d0a8-84c0-4ae0-bae4-685917b8ab48)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
-| ONEDRIVE FOR BUSINESS (PLAN 1) | WACONEDRIVESTANDARD | e6778190-713e-4e4f-9119-8b8238de25df | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
-| ONEDRIVE FOR BUSINESS (PLAN 2) | WACONEDRIVEENTERPRISE | ed01faf2-1d88-4947-ae91-45ca18703a96 | ONEDRIVEENTERPRISE (afcafa6a-d966-4462-918c-ec0b4e0fe642)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) |
-| POWER BI FOR OFFICE 365 ADD-ON | POWER_BI_ADDON | 45bc2c81-6072-436a-9b0b-3b12eefbc402 | BI_AZURE_P1 (2125cfd7-2110-4567-83c4-c1cd5275163d)
SQL_IS_SSIM (fc0a60aa-feee-4746-a0e3-aecfe81a38dd) |
-| POWER BI PRO | POWER_BI_PRO | f8a1db68-be16-40ed-86d5-cb42ce701560 | BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) |
-| PROJECT FOR OFFICE 365 | PROJECTCLIENT | a10d5e58-74da-4312-95c8-76be4e5b75a0 | PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3) |
-| PROJECT ONLINE ESSENTIALS | PROJECTESSENTIALS | 776df282-9fc0-4862-99e2-70e561b9909e | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
-| PROJECT ONLINE PREMIUM | PROJECTPREMIUM | 09015f9f-377f-4538-bbb5-f75ceb09358a | PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) |
-| PROJECT ONLINE PREMIUM WITHOUT PROJECT CLIENT | PROJECTONLINE_PLAN_1 | 2db84718-652c-47a7-860c-f10d8abbdae3 | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
-| PROJECT ONLINE PROFESSIONAL | PROJECTPROFESSIONAL | 53818b1b-4a27-454b-8896-0dba576410e6 | PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) |
-| PROJECT ONLINE WITH PROJECT FOR OFFICE 365 | PROJECTONLINE_PLAN_2 | f82a60b8-1ee3-4cfb-a4fe-1c6a53c2656c | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
-| SHAREPOINT ONLINE (PLAN 1) | SHAREPOINTSTANDARD | 1fc08a02-8b3d-43b9-831e-f76859e04e1a | SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1) |
-| SHAREPOINT ONLINE (PLAN 2) | SHAREPOINTENTERPRISE | a9732ec9-17d9-494c-a51c-d6b45b384dcb | SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72) |
-| SKYPE FOR BUSINESS CLOUD PBX | MCOEV | e43b5b99-8dfb-405f-9987-dc307f34bcbd | MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) |
-| SKYPE FOR BUSINESS ONLINE (PLAN 1) | MCOIMP | b8b749f8-a4ef-4887-9539-c95b1eaa5db7 | MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf) |
-| SKYPE FOR BUSINESS ONLINE (PLAN 2) | MCOSTANDARD | d42c793f-6c78-4f43-92ca-e8f6a02b035f | MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c) |
-| SKYPE FOR BUSINESS PSTN CONFERENCING | MCOMEETADV | 0c266dff-15dd-4b49-8397-2bb16070ed52 | MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40) |
-| SKYPE FOR BUSINESS PSTN DOMESTIC AND INTERNATIONAL CALLING | MCOPSTN2 | d3b4fe1f-9992-4930-8acb-ca6ec609365e | MCOPSTN2 (5a10155d-f5c1-411a-a8ec-e99aae125390) |
-| SKYPE FOR BUSINESS PSTN DOMESTIC CALLING | MCOPSTN1 | 0dab259f-bf13-4952-b7f8-7db8f131b28d | MCOPSTN1 (4ed3ff63-69d7-4fb7-b984-5aec7f605ca8) |
-| VISIO ONLINE PLAN 1 | VISIOONLINE_PLAN1 | 4b244418-9658-4451-a2b8-b5e2b364e9bd | ONEDRIVE_BASIC (da792a53-cbc0-4184-a10d-e544dd34b3c1)
VISIOONLINE (2bdbaf8f-738f-4ac7-9234-3c3ee2ce7d0f) |
-| VISIO Online Plan 2 | VISIOCLIENT | c5928f49-12ba-48f7-ada3-0d743a3601d5 | ONEDRIVE_BASIC (da792a53-cbc0-4184-a10d-e544dd34b3c1)
VISIO_CLIENT_SUBSCRIPTION (663a804f-1c30-4ff0-9915-9db84f0d1cea)
VISIOONLINE (2bdbaf8f-738f-4ac7-9234-3c3ee2ce7d0f) |
-| WINDOWS 10 ENTERPRISE E3 | WIN10_PRO_ENT_SUB | cb10e6cd-9da4-4992-867b-67546b1db821 | WIN10_PRO_ENT_SUB (21b439ba-a0ca-424f-a6cc-52f954a5b111)
+| AUDIO CONFERENCING | MCOMEETADV | 0c266dff-15dd-4b49-8397-2bb16070ed52 |MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40) | AUDIO CONFERENCING(3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40) |
+| AZURE ACTIVE DIRECTORY BASIC | AAD_BASIC | 2b9c8e7c-319c-43a2-a2a0-48c5c6161de7 | AAD_BASIC (c4da7f8a-5ee2-4c99-a7e1-87d2df57f6fe) | MICROSOFT AZURE ACTIVE DIRECTORY BASIC(c4da7f8a-5ee2-4c99-a7e1-87d2df57f6fe) |
+| AZURE ACTIVE DIRECTORY PREMIUM P1 | AAD_PREMIUM | 078d2b04-f1bd-4111-bbd4-b4b1b354cef4 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)
MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0) | AZURE ACTIVE DIRECTORY PREMIUM P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
MICROSOFT AZURE MULTI-FACTOR AUTHENTICATION (8a256a2b-b617-496d-b51b-e76466e88db0)
CLOUD APP SECURITY DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9) |
+| AZURE ACTIVE DIRECTORY PREMIUM P2 | AAD_PREMIUM_P2 | 84a661c4-e949-4bd2-a560-ed7766fcaf2b | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)
ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)
MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0) | AZURE ACTIVE DIRECTORY PREMIUM P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
MICROSOFT AZURE MULTI-FACTOR AUTHENTICATION (8a256a2b-b617-496d-b51b-e76466e88db0)
CLOUD APP SECURITY DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)
AZURE ACTIVE DIRECTORY PREMIUM P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998) |
+| AZURE INFORMATION PROTECTION PLAN 1 | RIGHTSMANAGEMENT | c52ea49f-fe5d-4e95-93ba-1de91d380f89 | RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3) | AZURE INFORMATION PROTECTION PREMIUM P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)|
+| DYNAMICS 365 CUSTOMER ENGAGEMENT PLAN ENTERPRISE EDITION | DYN365_ENTERPRISE_PLAN1 | ea126fc5-a19e-42e2-a731-da9d437bffcf | DYN365_ENTERPRISE_P1 (d56f3deb-50d8-465a-bedb-f079817ccac1)
FLOW_DYN_P2 (b650d915-9886-424b-a08d-633cede56f57)
NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS_DYN_P2 (0b03f40b-c404-40c3-8651-2aceb74365fa)
PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | MICROSOFT SOCIAL ENGAGEMENT - SERVICE DISCONTINUATION (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS FOR DYNAMICS 365 (0b03f40b-c404-40c3-8651-2aceb74365fa)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
FLOW FOR DYNAMICS 365 (b650d915-9886-424b-a08d-633cede56f57)
DYNAMICS 365 CUSTOMER ENGAGEMENT PLAN (d56f3deb-50d8-465a-bedb-f079817ccac1)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
PROJECT ONLINE DESKTOP CLIENT (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
PROJECT ONLINE SERVICE (fe71d6c3-a2ea-4499-9778-da042bf08063) |
+| DYNAMICS 365 FOR CUSTOMER SERVICE ENTERPRISE EDITION | DYN365_ENTERPRISE_CUSTOMER_SERVICE | 749742bf-0d37-4158-a120-33567104deeb | DYN365_ENTERPRISE_CUSTOMER_SERVICE (99340b49-fb81-4b1e-976b-8f2ae8e9394f)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)
PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) |MICROSOFT SOCIAL ENGAGEMENT - SERVICE DISCONTINUATION (03acaee3-9492-4f40-aed4-bcb6b32981b6)
PROJECT ONLINE ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
FLOW FOR DYNAMICS 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba)
POWERAPPS FOR DYNAMICS 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)
DYNAMICS 365 FOR CUSTOMER SERVICE (99340b49-fb81-4b1e-976b-8f2ae8e9394f)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014) |
+| DYNAMICS 365 FOR FINANCIALS BUSINESS EDITION | DYN365_FINANCIALS_BUSINESS_SKU | cc13a803-544e-4464-b4e4-6d6169a138fa | DYN365_FINANCIALS_BUSINESS (920656a2-7dd8-4c83-97b6-a356414dbd36)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) |FLOW FOR DYNAMICS 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba)
POWERAPPS FOR DYNAMICS 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)
DYNAMICS 365 FOR FINANCIALS (920656a2-7dd8-4c83-97b6-a356414dbd36) |
+| DYNAMICS 365 FOR SALES AND CUSTOMER SERVICE ENTERPRISE EDITION | DYN365_ENTERPRISE_SALES_CUSTOMERSERVICE | 8edc2cf8-6438-4fa9-b6e3-aa1660c640cc | DYN365_ENTERPRISE_P1 (d56f3deb-50d8-465a-bedb-f079817ccac1)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)
PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) |DYNAMICS 365 CUSTOMER ENGAGEMENT PLAN (d56f3deb-50d8-465a-bedb-f079817ccac1)
FLOW FOR DYNAMICS 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba)
MICROSOFT SOCIAL ENGAGEMENT - SERVICE DISCONTINUATION (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS FOR DYNAMICS 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)
PROJECT ONLINE ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014) |
+| DYNAMICS 365 FOR SALES ENTERPRISE EDITION | DYN365_ENTERPRISE_SALES | 1e1a282c-9c54-43a2-9310-98ef728faace | DYN365_ENTERPRISE_SALES (2da8e897-7791-486b-b08f-cc63c8129df7)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)
PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | DYNAMICS 365 FOR SALES (2da8e897-7791-486b-b08f-cc63c8129df7)
FLOW FOR DYNAMICS 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba)
MICROSOFT SOCIAL ENGAGEMENT - SERVICE DISCONTINUATION (03acaee3-9492-4f40-aed4-bcb6b32981b6)
POWERAPPS FOR DYNAMICS 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)
PROJECT ONLINE ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014) |
+| DYNAMICS 365 FOR TEAM MEMBERS ENTERPRISE EDITION | DYN365_ENTERPRISE_TEAM_MEMBERS | 8e7a3d30-d97d-43ab-837c-d7701cef83dc | DYN365_Enterprise_Talent_Attract_TeamMember (643d201a-9884-45be-962a-06ba97062e5e)
DYN365_Enterprise_Talent_Onboard_TeamMember (f2f49eef-4b3f-4853-809a-a055c6103fe0)
DYN365_ENTERPRISE_TEAM_MEMBERS (6a54b05e-4fab-40e7-9828-428db3b336fa)
Dynamics_365_for_Operations_Team_members (f5aa7b45-8a36-4cd1-bc37-5d06dea98645)
Dynamics_365_for_Retail_Team_members (c0454a3d-32b5-4740-b090-78c32f48f0ad)
Dynamics_365_for_Talent_Team_members (d5156635-0704-4f66-8803-93258f8b2678)
FLOW_DYN_TEAM (1ec58c70-f69c-486a-8109-4b87ce86e449)
POWERAPPS_DYN_TEAM (52e619e2-2730-439a-b0d3-d09ab7e8b705)
PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | DYNAMICS 365 FOR TALENT - ATTRACT EXPERIENCE TEAM MEMBER (643d201a-9884-45be-962a-06ba97062e5e)
DYNAMICS 365 FOR TALENT - ONBOARD EXPERIENCE (f2f49eef-4b3f-4853-809a-a055c6103fe0)
DYNAMICS 365 FOR TEAM MEMBERS (6a54b05e-4fab-40e7-9828-428db3b336fa)
DYNAMICS_365_FOR_OPERATIONS_TEAM_MEMBERS (f5aa7b45-8a36-4cd1-bc37-5d06dea98645)
DYNAMICS 365 FOR RETAIL TEAM MEMBERS (c0454a3d-32b5-4740-b090-78c32f48f0ad)
DYNAMICS 365 FOR TALENT TEAM MEMBERS (d5156635-0704-4f66-8803-93258f8b2678)
FLOW FOR DYNAMICS 365 (1ec58c70-f69c-486a-8109-4b87ce86e449)
POWERAPPS FOR DYNAMICS 365 (52e619e2-2730-439a-b0d3-d09ab7e8b705)
PROJECT ONLINE ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014) |
+| DYNAMICS 365 UNF OPS PLAN ENT EDITION | Dynamics_365_for_Operations | ccba3cfe-71ef-423a-bd87-b6df3dce59a9 | DDYN365_CDS_DYN_P2 (d1142cfd-872e-4e77-b6ff-d98ec5a51f66)
DYN365_TALENT_ENTERPRISE (65a1ebf4-6732-4f00-9dcb-3d115ffdeecd)
Dynamics_365_for_Operations (95d2cd7b-1007-484b-8595-5e97e63fe189)
Dynamics_365_for_Retail (a9e39199-8369-444b-89c1-5fe65ec45665)
Dynamics_365_Hiring_Free_PLAN (f815ac79-c5dd-4bcc-9b78-d97f7b817d0d)
Dynamics_365_Onboarding_Free_PLAN (300b8114-8555-4313-b861-0c115d820f50)
FLOW_DYN_P2 (b650d915-9886-424b-a08d-633cede56f57)
POWERAPPS_DYN_P2 (0b03f40b-c404-40c3-8651-2aceb74365fa) | COMMON DATA SERVICE (d1142cfd-872e-4e77-b6ff-d98ec5a51f66)
DYNAMICS 365 FOR TALENT (65a1ebf4-6732-4f00-9dcb-3d115ffdeecd)
DYNAMICS_365_FOR_OPERATIONS (95d2cd7b-1007-484b-8595-5e97e63fe189)
DYNAMICS 365 FOR RETAIL (a9e39199-8369-444b-89c1-5fe65ec45665)
Dynamics_365_Hiring_Free_PLAN (f815ac79-c5dd-4bcc-9b78-d97f7b817d0d)
DYNAMICS 365 FOR TALENT: ONBOARD (300b8114-8555-4313-b861-0c115d820f50)
FLOW FOR DYNAMICS 365(b650d915-9886-424b-a08d-633cede56f57)
POWERAPPS FOR DYNAMICS 365 (0b03f40b-c404-40c3-8651-2aceb74365fa) |
+| ENTERPRISE MOBILITY + SECURITY E3 | EMS | efccb6f7-5641-4e0e-bd10-b4976e1bf68e | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)
INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3) | AZURE ACTIVE DIRECTORY PREMIUM P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
CLOUD APP SECURITY DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9
MICROSOFT INTUNE (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
MICROSOFT AZURE MULTI-FACTOR AUTHENTICATION (8a256a2b-b617-496d-b51b-e76466e88db0)
MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
AZURE INFORMATION PROTECTION PREMIUM P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3) |
+| ENTERPRISE MOBILITY + SECURITY E5 | EMSPREMIUM | b05e124f-c7cc-45a0-a6aa-8cf78c946968 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)
ADALLOM_S_STANDALONE (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)
ATA (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f)
INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
RMS_S_PREMIUM2 (5689bec4-755d-4753-8b61-40975025187c) | AZURE ACTIVE DIRECTORY PREMIUM P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
AZURE ACTIVE DIRECTORY PREMIUM P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)
MICROSOFT CLOUD APP SECURITY (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)
AZURE ADVANCED THREAT PROTECTION (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f)
MICROSOFT INTUNE (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
MICROSOFT AZURE MULTI-FACTOR AUTHENTICATION (8a256a2b-b617-496d-b51b-e76466e88db0)
MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
AZURE INFORMATION PROTECTION PREMIUM P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
AZURE INFORMATION PROTECTION PREMIUM P2 (5689bec4-755d-4753-8b61-40975025187c) |
+| EXCHANGE ONLINE (PLAN 1) | EXCHANGESTANDARD | 4b9405b0-7788-4568-add1-99614e613b69 | EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c) | EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)|
+| EXCHANGE ONLINE (PLAN 2) | EXCHANGEENTERPRISE | 19ec0d23-8335-4cbd-94ac-6050e30712fa | EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0) | EXCHANGE ONLINE (PLAN 2)(efb87545-963c-4e0d-99df-69c6916d9eb0) |
+| EXCHANGE ONLINE ARCHIVING FOR EXCHANGE ONLINE | EXCHANGEARCHIVE_ADDON | ee02fd1b-340e-4a4b-b355-4a514e4c8943 | EXCHANGE_S_ARCHIVE_ADDON (176a09a6-7ec5-4039-ac02-b2791c6ba793) | EXCHANGE ONLINE ARCHIVING FOR EXCHANGE ONLINE (176a09a6-7ec5-4039-ac02-b2791c6ba793) |
+| EXCHANGE ONLINE ARCHIVING FOR EXCHANGE SERVER | EXCHANGEARCHIVE | 90b5e015-709a-4b8b-b08e-3200f994494c | EXCHANGE_S_ARCHIVE (da040e0a-b393-4bea-bb76-928b3fa1cf5a) | EXCHANGE ONLINE ARCHIVING FOR EXCHANGE SERVER (da040e0a-b393-4bea-bb76-928b3fa1cf5a) |
+| EXCHANGE ONLINE ESSENTIALS | EXCHANGEESSENTIALS | 7fc0182e-d107-4556-8329-7caaa511197b | EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c) | EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)|
+| EXCHANGE ONLINE ESSENTIALS | EXCHANGE_S_ESSENTIALS | e8f81a67-bd96-4074-b108-cf193eb9433b | EXCHANGE_S_ESSENTIALS (1126bef5-da20-4f07-b45e-ad25d2581aa8) | EXCHANGE_S_ESSENTIALS (1126bef5-da20-4f07-b45e-ad25d2581aa8) |
+| EXCHANGE ONLINE KIOSK | EXCHANGEDESKLESS | 80b2d799-d2ba-4d2a-8842-fb0d0f3a4b82 | EXCHANGE_S_DESKLESS (4a82b400-a79f-41a4-b4e2-e94f5787b113) | EXCHANGE ONLINE KIOSK (4a82b400-a79f-41a4-b4e2-e94f5787b113) |
+| EXCHANGE ONLINE POP | EXCHANGETELCO | cb0a98a8-11bc-494c-83d9-c1b1ac65327e | EXCHANGE_B_STANDARD (90927877-dcff-4af6-b346-2332c0b15bb7) | EXCHANGE ONLINE POP (90927877-dcff-4af6-b346-2332c0b15bb7) |
+| INTUNE | INTUNE_A | 061f9ace-7d42-4136-88ac-31dc755f143f | INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) |
MICROSOFT INTUNE (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) |
+| MICROSOFT 365 BUSINESS | SPB | cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46 | AAD_SMB (de377cbc-0019-4ec2-b77c-3f223947e102)
BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_ARCHIVE_ADDON (176a09a6-7ec5-4039-ac02-b2791c6ba793)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
INTUNE_SMBIZ (8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)
O365_SB_Relationship_Management (5bfe124c-bbdc-4494-8835-f1297d457d79)
OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
WINBIZ (8e229017-d77b-43d5-9305-903395523b99)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | AZURE ACTIVE DIRECTORY (de377cbc-0019-4ec2-b77c-3f223947e102)
BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE ONLINE ARCHIVING FOR EXCHANGE ONLINE (176a09a6-7ec5-4039-ac02-b2791c6ba793)
EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW FOR OFFICE 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
MICROSOFT INTUNE (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
INTUNE_SMBIZ (8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)
OUTLOOK CUSTOMER MANAGER (5bfe124c-bbdc-4494-8835-f1297d457d79)
OFFICE 365 BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
POWERAPPS FOR OFFICE 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
AZURE INFORMATION PROTECTION PREMIUM P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
MICROSOFT STREAM FOR O365 E1 SKU (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
WINDOWS 10 BUSINESS (8e229017-d77b-43d5-9305-903395523b99)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
+| MICROSOFT 365 E3 | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)
BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)
FORMS_PLAN_E3 (2789c901-c14e-48ab-a76a-be334d9d793a)
INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
WIN10_PRO_ENT_SUB (21b439ba-a0ca-424f-a6cc-52f954a5b111)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | AZURE ACTIVE DIRECTORY PREMIUM P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
CLOUD APP SECURITY DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9
BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE ONLINE (PLAN 2)(efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW FOR OFFICE 365 (76846ad7-7776-4c40-a281-a386362dd1b9)
MICROSOFT FORMS (PLAN E3) (2789c901-c14e-48ab-a76a-be334d9d793a)
MICROSOFT INTUNE (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MICROSOFT AZURE MULTI-FACTOR AUTHENTICATION (8a256a2b-b617-496d-b51b-e76466e88db0)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS FOR OFFICE 365(c68f8d98-5534-41c8-bf36-22fa496fa792)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
AZURE INFORMATION PROTECTION PREMIUM P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
MICROSOFT STREAM FOR O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
WINDOWS 10 ENTERPRISE (21b439ba-a0ca-424f-a6cc-52f954a5b111
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
+| MICROSOFT DYNAMICS CRM ONLINE BASIC | CRMPLAN2 | 906af65a-2970-46d5-9b58-4e9aa50f0657 | CRMPLAN2 (bf36ca64-95c6-4918-9275-eb9f4ce2c04f)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) | MICROSOFT DYNAMICS CRM ONLINE BASIC(bf36ca64-95c6-4918-9275-eb9f4ce2c04f)
FLOW FOR DYNAMICS 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba)
POWERAPPS FOR DYNAMICS 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) |
+| MICROSOFT DYNAMICS CRM ONLINE | CRMSTANDARD | d17b27af-3f49-4822-99f9-56a661538792 | CRMSTANDARD (f9646fb2-e3b2-4309-95de-dc4833737456)
FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)
MDM_SALES_COLLABORATION (3413916e-ee66-4071-be30-6f94d4adfeda)
NBPROFESSIONALFORCRM (3e58e97c-9abe-ebab-cd5f-d543d1529634)
POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) | MICROSOFT DYNAMICS CRM ONLINE PROFESSIONAL(f9646fb2-e3b2-4309-95de-dc4833737456)
FLOW FOR DYNAMICS 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba)
MICROSOFT DYNAMICS MARKETING SALES COLLABORATION - ELIGIBILITY CRITERIA APPLY (3413916e-ee66-4071-be30-6f94d4adfeda
MICROSOFT SOCIAL ENGAGEMENT PROFESSIONAL - ELIGIBILITY CRITERIA APPLY (3e58e97c-9abe-ebab-cd5f-d543d1529634)
POWERAPPS FOR DYNAMICS 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) |
+| MICROSOFT INTUNE A DIRECT | INTUNE_A | 061f9ace-7d42-4136-88ac-31dc755f143f | INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) | MICROSOFT INTUNE (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) |
+| MS IMAGINE ACADEMY | IT_ACADEMY_AD | ba9a34de-4489-469d-879c-0f0f145321cd | IT_ACADEMY_AD (d736def0-1fde-43f0-a5be-e3f8b2de6e41) | MS IMAGINE ACADEMY (d736def0-1fde-43f0-a5be-e3f8b2de6e41) |
+| OFFICE 365 BUSINESS | O365_BUSINESS | cdd28e44-67e3-425e-be4c-737fab2899d3 | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
OFFICE 365 BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
+| OFFICE 365 BUSINESS | SMB_BUSINESS | b214fe43-f5a3-4703-beeb-fa97188220fc | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
OFFICE 365 BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |
+| OFFICE 365 BUSINESS ESSENTIALS | O365_BUSINESS_ESSENTIALS | 3b555118-da6a-4418-894f-7df1e2096870 | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW FOR OFFICE 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS FOR OFFICE 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
+| OFFICE 365 BUSINESS ESSENTIALS | SMB_BUSINESS_ESSENTIALS | dab7782a-93b1-4074-8bb1-0e61318bea0b | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_MIDSIZE (41bf139a-4e60-409f-9346-a1361efc6dfb) | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW FOR OFFICE 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS FOR OFFICE 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_MIDSIZE (41bf139a-4e60-409f-9346-a1361efc6dfb) |
+| OFFICE 365 BUSINESS PREMIUM | O365_BUSINESS_PREMIUM | f245ecc8-75af-4f8e-b61f-27d8114de5f3 | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)
O365_SB_Relationship_Management (5bfe124c-bbdc-4494-8835-f1297d457d79)
OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW FOR OFFICE 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)
OUTLOOK CUSTOMER MANAGER (5bfe124c-bbdc-4494-8835-f1297d457d79)
OFFICE 365 BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
POWERAPPS FOR OFFICE 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
+| OFFICE 365 BUSINESS PREMIUM | SMB_BUSINESS_PREMIUM | ac5cef5d-921b-4f97-9ef3-c99076e5470f | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)
O365_SB_Relationship_Management (5bfe124c-bbdc-4494-8835-f1297d457d79)
OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_MIDSIZE (41bf139a-4e60-409f-9346-a1361efc6dfb) | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW FOR OFFICE 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)
OUTLOOK CUSTOMER MANAGER (5bfe124c-bbdc-4494-8835-f1297d457d79)
OFFICE 365 BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)
POWERAPPS FOR OFFICE 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_MIDSIZE (41bf139a-4e60-409f-9346-a1361efc6dfb) |
+| OFFICE 365 ENTERPRISE E1 | STANDARDPACK | 18181a46-0d4e-45cd-891e-60aabd171b4e | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653)) | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW FOR OFFICE 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS FOR OFFICE 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
MICROSOFT STREAM FOR O365 E1 SKU (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653)) |
+| OFFICE 365 ENTERPRISE E2 | STANDARDWOFFPACK | 6634e0ce-1a9f-428c-a498-f84ec7b8aa2e | BPOS_S_TODO_1(5e62787c-c316-451f-b873-1d05acd4d12c)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)
FLOW FOR OFFICE 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)
MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
POWERAPPS FOR OFFICE 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
MICROSOFT STREAM FOR O365 E1 SKU (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
+| OFFICE 365 ENTERPRISE E3 | ENTERPRISEPACK | 6fd2c87f-b296-42f0-b197-1e91e994b900 | BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)
FORMS_PLAN_E3 (2789c901-c14e-48ab-a76a-be334d9d793a)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE ONLINE (PLAN 2)(efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW FOR OFFICE 365 (76846ad7-7776-4c40-a281-a386362dd1b9)
MICROSOFT FORMS (PLAN E3) (2789c901-c14e-48ab-a76a-be334d9d793a)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS FOR OFFICE 365(c68f8d98-5534-41c8-bf36-22fa496fa792)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
MICROSOFT STREAM FOR O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
+| OFFICE 365 ENTERPRISE E3 DEVELOPER | DEVELOPERPACK | 189a915c-fe4f-4ffa-bde4-85b9628d07a0 | BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)
FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINT_S_DEVELOPER (a361d6e2-509e-4e25-a8ad-950060064ef4)
SHAREPOINTWAC_DEVELOPER (527f7cdd-0e86-4c47-b879-f5fd357a3ac6)
STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929) | BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)
EXCHANGE ONLINE (PLAN 2)(efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW FOR OFFICE 365 (76846ad7-7776-4c40-a281-a386362dd1b9)
MICROSOFT FORMS (PLAN E5)(e212cbc7-0961-4c40-9825-01117710dcb1)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS FOR OFFICE 365(c68f8d98-5534-41c8-bf36-22fa496fa792)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
SHAREPOINT_S_DEVELOPER (a361d6e2-509e-4e25-a8ad-950060064ef4)
OFFICE ONLINE FOR DEVELOPER (527f7cdd-0e86-4c47-b879-f5fd357a3ac6)
MICROSOFT STREAM FOR O365 E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929) |
+| OFFICE 365 ENTERPRISE E4 | ENTERPRISEWITHSCAL | 1392051d-0cb9-4b7a-88d5-621fee5e8711 | BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)
FORMS_PLAN_E3 (2789c901-c14e-48ab-a76a-be334d9d793a)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
MCOVOICECONF (27216c54-caf8-4d0d-97e2-517afb5c08f6)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE ONLINE (PLAN 2)(efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW FOR OFFICE 365 (76846ad7-7776-4c40-a281-a386362dd1b9)
MICROSOFT FORMS (PLAN E3) (2789c901-c14e-48ab-a76a-be334d9d793a)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
SKYPE FOR BUSINESS ONLINE (PLAN 3) (27216c54-caf8-4d0d-97e2-517afb5c08f6)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS FOR OFFICE 365(c68f8d98-5534-41c8-bf36-22fa496fa792)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
MICROSOFT STREAM FOR O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
+| OFFICE 365 ENTERPRISE E5 | ENTERPRISEPREMIUM | c7df2760-2c81-4ef7-b578-5b5392b571df | ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)
BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba)
BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)
EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P3 (07699545-9485-468e-95b6-2fca3738be01)
FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)
LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)
MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)
MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P3 (9c0dab89-a30c-4117-86e7-97bda240acd2)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | OFFICE 365 CLOUD APP SECURITY (8c098270-9dd4-4350-9b30-ba4703f3b36b)
POWER BI PRO (70d33638-9c74-4d01-bfd3-562de28bd4ba)
BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
OFFICE 365 ADVANCED EDISCOVERY (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)
EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)
EXCHANGE ONLINE (PLAN 2)(efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW FOR OFFICE 365 (07699545-9485-468e-95b6-2fca3738be01)
MICROSOFT FORMS (PLAN E5)(e212cbc7-0961-4c40-9825-01117710dcb1)
LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)
PHONE SYSTEM (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)
AUDIO CONFERENCING (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS FOR OFFICE 365 (9c0dab89-a30c-4117-86e7-97bda240acd2)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
MICROSOFT STREAM FOR O365 E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
OFFICE 365 ADVANCED THREAT PROTECTION (PLAN 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | +| OFFICE 365 ENTERPRISE E5 WITHOUT AUDIO CONFERENCING | ENTERPRISEPREMIUM_NOPSTNCONF | 26d45bd9-adf1-46cd-a9e1-51e9a5524128 | ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)
BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba)
BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)
EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)
EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW_O365_P3 (07699545-9485-468e-95b6-2fca3738be01)
FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)
LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)
MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)
MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS_O365_P3 (9c0dab89-a30c-4117-86e7-97bda240acd2)
PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | OFFICE 365 CLOUD APP SECURITY (8c098270-9dd4-4350-9b30-ba4703f3b36b)
POWER BI PRO (70d33638-9c74-4d01-bfd3-562de28bd4ba)
BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
OFFICE 365 ADVANCED EDISCOVERY (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)
EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)
EXCHANGE ONLINE (PLAN 2)(efb87545-963c-4e0d-99df-69c6916d9eb0)
FLOW FOR OFFICE 365 (07699545-9485-468e-95b6-2fca3738be01)
MICROSOFT FORMS (PLAN E5)(e212cbc7-0961-4c40-9825-01117710dcb1)
LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)
PHONE SYSTEM (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)
SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
POWERAPPS FOR OFFICE 365 (9c0dab89-a30c-4117-86e7-97bda240acd2)
MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)
MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
MICROSOFT STREAM FOR O365 E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
OFFICE 365 ADVANCED THREAT PROTECTION (PLAN 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | +| OFFICE 365 F1 | DESKLESSPACK | 4b585984-651b-448a-9e53-3b10f069cf7f | BPOS_S_TODO_FIRSTLINE (80873e7a-cd2a-4e67-b061-1b5381a676a5)
Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE_S_DESKLESS (4a82b400-a79f-41a4-b4e2-e94f5787b113)
FLOW_O365_S1 (bd91b1a4-9f94-4ecf-b45b-3a65e5c8128a)
FORMS_PLAN_K (f07046bd-2a3c-4b96-b0be-dea79d7cbfb8)
MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf)
OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS_O365_S1 (e0287f9f-e222-4f98-9a83-f379e249159a)
SHAREPOINTDESKLESS (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
STREAM_O365_K (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | BPOS_S_TODO_FIRSTLINE (80873e7a-cd2a-4e67-b061-1b5381a676a5)
MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
EXCHANGE ONLINE KIOSK (4a82b400-a79f-41a4-b4e2-e94f5787b113)
FLOW FOR OFFICE 365 K1 (bd91b1a4-9f94-4ecf-b45b-3a65e5c8128a)
MICROSOFT FORMS (PLAN K) (f07046bd-2a3c-4b96-b0be-dea79d7cbfb8)
SKYPE FOR BUSINESS ONLINE (PLAN 1) (afc06cb0-b4f4-4473-8286-d644f70d8faf)
OFFICE MOBILE APPS FOR OFFICE 365 (c63d4d19-e8cb-460e-b37c-4d6c34603745)
POWERAPPS FOR OFFICE 365 K1 (e0287f9f-e222-4f98-9a83-f379e249159a)
SHAREPOINT ONLINE KIOSK (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
MICROSOFT STREAM FOR O365 K SKU (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)
YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | +| OFFICE 365 MIDSIZE BUSINESS | MIDSIZEPACK | 04a7fb0d-32e0-4241-b4f5-3f7618cd1162 | EXCHANGE_S_STANDARD_MIDMARKET (fc52cc4b-ed7d-472d-bbe7-b081c23ecc56)
MCOSTANDARD_MIDMARKET (b2669e95-76ef-4e7e-a367-002f60a39f3e)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
SHAREPOINTENTERPRISE_MIDMARKET (6b5b6a67-fc72-4a1f-a2b5-beecf05de761)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
YAMMER_MIDSIZE (41bf139a-4e60-409f-9346-a1361efc6dfb) | EXCHANGE ONLINE PLAN 1(fc52cc4b-ed7d-472d-bbe7-b081c23ecc56)
SKYPE FOR BUSINESS ONLINE (PLAN 2) FOR MIDSIZE(b2669e95-76ef-4e7e-a367-002f60a39f3e)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
SHAREPOINTENTERPRISE_MIDMARKET (6b5b6a67-fc72-4a1f-a2b5-beecf05de761)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
YAMMER_MIDSIZE (41bf139a-4e60-409f-9346-a1361efc6dfb) | +| OFFICE 365 PROPLUS | OFFICESUBSCRIPTION | c2273bd0-dff7-4215-9ef5-2c7bcfb06425 | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | +| OFFICE 365 SMALL BUSINESS | LITEPACK | bd09678e-b83c-4d3f-aaba-3dad4abd128b | EXCHANGE_L_STANDARD (d42bdbd6-c335-4231-ab3d-c8f348d5aff5)
MCOLITE (70710b6b-3ab4-4a38-9f6d-9f169461650a)
SHAREPOINTLITE (a1f3d0a8-84c0-4ae0-bae4-685917b8ab48)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | EXCHANGE ONLINE (P1)(d42bdbd6-c335-4231-ab3d-c8f348d5aff5)
SKYPE FOR BUSINESS ONLINE (PLAN P1) (70710b6b-3ab4-4a38-9f6d-9f169461650a)
SHAREPOINTLITE (a1f3d0a8-84c0-4ae0-bae4-685917b8ab48)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | +| OFFICE 365 SMALL BUSINESS PREMIUM | LITEPACK_P2 | fc14ec4a-4169-49a4-a51e-2c852931814b | EXCHANGE_L_STANDARD (d42bdbd6-c335-4231-ab3d-c8f348d5aff5)
MCOLITE (70710b6b-3ab4-4a38-9f6d-9f169461650a)
OFFICE_PRO_PLUS_SUBSCRIPTION_SMBIZ (8ca59559-e2ca-470b-b7dd-afd8c0dee963)
SHAREPOINTLITE (a1f3d0a8-84c0-4ae0-bae4-685917b8ab48)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | EXCHANGE ONLINE (P1)(d42bdbd6-c335-4231-ab3d-c8f348d5aff5)
SKYPE FOR BUSINESS ONLINE (PLAN P1) (70710b6b-3ab4-4a38-9f6d-9f169461650a)
OFFICE_PRO_PLUS_SUBSCRIPTION_SMBIZ (8ca59559-e2ca-470b-b7dd-afd8c0dee963)
SHAREPOINTLITE (a1f3d0a8-84c0-4ae0-bae4-685917b8ab48)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | +| ONEDRIVE FOR BUSINESS (PLAN 1) | WACONEDRIVESTANDARD | e6778190-713e-4e4f-9119-8b8238de25df | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | +| ONEDRIVE FOR BUSINESS (PLAN 2) | WACONEDRIVEENTERPRISE | ed01faf2-1d88-4947-ae91-45ca18703a96 | ONEDRIVEENTERPRISE (afcafa6a-d966-4462-918c-ec0b4e0fe642)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | ONEDRIVEENTERPRISE (afcafa6a-d966-4462-918c-ec0b4e0fe642)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | +| POWER BI FOR OFFICE 365 ADD-ON | POWER_BI_ADDON | 45bc2c81-6072-436a-9b0b-3b12eefbc402 | BI_AZURE_P1 (2125cfd7-2110-4567-83c4-c1cd5275163d)
SQL_IS_SSIM (fc0a60aa-feee-4746-a0e3-aecfe81a38dd) |MICROSOFT POWER BI REPORTING AND ANALYTICS PLAN 1 (2125cfd7-2110-4567-83c4-c1cd5275163d)
MICROSOFT POWER BI INFORMATION SERVICES PLAN 1(fc0a60aa-feee-4746-a0e3-aecfe81a38dd | +| POWER BI PRO | POWER_BI_PRO | f8a1db68-be16-40ed-86d5-cb42ce701560 | BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) | POWER BI PRO (70d33638-9c74-4d01-bfd3-562de28bd4ba) | +| PROJECT FOR OFFICE 365 | PROJECTCLIENT | a10d5e58-74da-4312-95c8-76be4e5b75a0 | PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3) | PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3) | +| PROJECT ONLINE ESSENTIALS | PROJECTESSENTIALS | 776df282-9fc0-4862-99e2-70e561b9909e | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
PROJECT ONLINE ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | +| PROJECT ONLINE PREMIUM | PROJECTPREMIUM | 09015f9f-377f-4538-bbb5-f75ceb09358a | PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | +| PROJECT ONLINE PREMIUM WITHOUT PROJECT CLIENT | PROJECTONLINE_PLAN_1 | 2db84718-652c-47a7-860c-f10d8abbdae3 | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | +| PROJECT ONLINE PROFESSIONAL | PROJECTPROFESSIONAL | 53818b1b-4a27-454b-8896-0dba576410e6 | PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | +| PROJECT ONLINE WITH PROJECT FOR OFFICE 365 | PROJECTONLINE_PLAN_2 | f82a60b8-1ee3-4cfb-a4fe-1c6a53c2656c | FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)
PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)
SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)
PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)
SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)
SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)
OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | +| SHAREPOINT ONLINE (PLAN 1) | SHAREPOINTSTANDARD | 1fc08a02-8b3d-43b9-831e-f76859e04e1a | SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1) | SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1) | +| SHAREPOINT ONLINE (PLAN 2) | SHAREPOINTENTERPRISE | a9732ec9-17d9-494c-a51c-d6b45b384dcb | SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72) | SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72) | +| SKYPE FOR BUSINESS CLOUD PBX | MCOEV | e43b5b99-8dfb-405f-9987-dc307f34bcbd | MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) | PHONE SYSTEM (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) | +| SKYPE FOR BUSINESS ONLINE (PLAN 1) | MCOIMP | b8b749f8-a4ef-4887-9539-c95b1eaa5db7 | MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf) | SKYPE FOR BUSINESS ONLINE (PLAN 1) (afc06cb0-b4f4-4473-8286-d644f70d8faf) | +| SKYPE FOR BUSINESS ONLINE (PLAN 2) | MCOSTANDARD | d42c793f-6c78-4f43-92ca-e8f6a02b035f | MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c) | SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c) | +| SKYPE FOR BUSINESS PSTN CONFERENCING | MCOMEETADV | 0c266dff-15dd-4b49-8397-2bb16070ed52 | MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40) | AUDIO CONFERENCING (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40) | +| SKYPE FOR BUSINESS PSTN DOMESTIC AND INTERNATIONAL CALLING | MCOPSTN2 | d3b4fe1f-9992-4930-8acb-ca6ec609365e | MCOPSTN2 (5a10155d-f5c1-411a-a8ec-e99aae125390) | DOMESTIC AND INTERNATIONAL CALLING PLAN (5a10155d-f5c1-411a-a8ec-e99aae125390) | +| SKYPE FOR BUSINESS PSTN DOMESTIC CALLING | MCOPSTN1 | 0dab259f-bf13-4952-b7f8-7db8f131b28d | MCOPSTN1 (4ed3ff63-69d7-4fb7-b984-5aec7f605ca8) | DOMESTIC CALLING PLAN (4ed3ff63-69d7-4fb7-b984-5aec7f605ca8) | +| VISIO ONLINE PLAN 1 | VISIOONLINE_PLAN1 | 4b244418-9658-4451-a2b8-b5e2b364e9bd | ONEDRIVE_BASIC (da792a53-cbc0-4184-a10d-e544dd34b3c1)
VISIOONLINE (2bdbaf8f-738f-4ac7-9234-3c3ee2ce7d0f) | ONEDRIVE_BASIC (da792a53-cbc0-4184-a10d-e544dd34b3c1)
VISIOONLINE (2bdbaf8f-738f-4ac7-9234-3c3ee2ce7d0f) | +| VISIO Online Plan 2 | VISIOCLIENT | c5928f49-12ba-48f7-ada3-0d743a3601d5 | ONEDRIVE_BASIC (da792a53-cbc0-4184-a10d-e544dd34b3c1)
VISIO_CLIENT_SUBSCRIPTION (663a804f-1c30-4ff0-9915-9db84f0d1cea)
VISIOONLINE (2bdbaf8f-738f-4ac7-9234-3c3ee2ce7d0f) | ONEDRIVE_BASIC (da792a53-cbc0-4184-a10d-e544dd34b3c1)
VISIO_CLIENT_SUBSCRIPTION (663a804f-1c30-4ff0-9915-9db84f0d1cea)
VISIOONLINE (2bdbaf8f-738f-4ac7-9234-3c3ee2ce7d0f) | +| WINDOWS 10 ENTERPRISE E3 | WIN10_PRO_ENT_SUB | cb10e6cd-9da4-4992-867b-67546b1db821 | WIN10_PRO_ENT_SUB (21b439ba-a0ca-424f-a6cc-52f954a5b111) | WINDOWS 10 ENTERPRISE (21b439ba-a0ca-424f-a6cc-52f954a5b111 ## Service plans that cannot be assigned at the same time diff --git a/articles/active-directory/users-groups-roles/media/signin-account-support/options-link.png b/articles/active-directory/users-groups-roles/media/signin-account-support/options-link.png new file mode 100644 index 0000000000000..4cda89ccf3007 Binary files /dev/null and b/articles/active-directory/users-groups-roles/media/signin-account-support/options-link.png differ diff --git a/articles/active-directory/users-groups-roles/media/signin-account-support/ui-prompt.png b/articles/active-directory/users-groups-roles/media/signin-account-support/ui-prompt.png new file mode 100644 index 0000000000000..9397a766c9aa7 Binary files /dev/null and b/articles/active-directory/users-groups-roles/media/signin-account-support/ui-prompt.png differ diff --git a/articles/active-directory/users-groups-roles/media/signin-realm-discovery/consumer-domain.png b/articles/active-directory/users-groups-roles/media/signin-realm-discovery/consumer-domain.png new file mode 100644 index 0000000000000..29aacf2909559 Binary files /dev/null and b/articles/active-directory/users-groups-roles/media/signin-realm-discovery/consumer-domain.png differ diff --git a/articles/active-directory/users-groups-roles/media/signin-realm-discovery/incorrect-password.png b/articles/active-directory/users-groups-roles/media/signin-realm-discovery/incorrect-password.png new file mode 100644 index 0000000000000..4aee4c9d24ef2 Binary files /dev/null and b/articles/active-directory/users-groups-roles/media/signin-realm-discovery/incorrect-password.png differ 
diff --git a/articles/active-directory/users-groups-roles/media/signin-realm-discovery/typo-domain.png b/articles/active-directory/users-groups-roles/media/signin-realm-discovery/typo-domain.png
new file mode 100644
index 0000000000000..108f362663613
Binary files /dev/null and b/articles/active-directory/users-groups-roles/media/signin-realm-discovery/typo-domain.png differ
diff --git a/articles/active-directory/users-groups-roles/media/signin-realm-discovery/typo-username.png b/articles/active-directory/users-groups-roles/media/signin-realm-discovery/typo-username.png
new file mode 100644
index 0000000000000..7b487b57c56d0
Binary files /dev/null and b/articles/active-directory/users-groups-roles/media/signin-realm-discovery/typo-username.png differ
diff --git a/articles/active-directory/users-groups-roles/roles-assign-powershell.md b/articles/active-directory/users-groups-roles/roles-assign-powershell.md
new file mode 100644
index 0000000000000..7995ca84a4287
--- /dev/null
+++ b/articles/active-directory/users-groups-roles/roles-assign-powershell.md
@@ -0,0 +1,164 @@
+---
+title: Assign and remove administrator roles assignment with Azure PowerShell - Azure Active Directory | Microsoft Docs
+description: For those who frequently manage role assignments, you can now manage members of an Azure AD administrator role with Azure PowerShell.
+services: active-directory
+author: curtand
+manager: mtillman
+
+ms.service: active-directory
+ms.workload: identity
+ms.subservice: users-groups-roles
+ms.topic: article
+ms.date: 04/15/2019
+ms.author: curtand
+ms.reviewer: vincesm
+ms.custom: it-pro
+
+ms.collection: M365-identity-device-management
+---
+# Assign Azure Active Directory admin roles using PowerShell
+
+You can automate how you assign roles to user accounts using Azure PowerShell. This article uses the [Azure Active Directory PowerShell Version 2](https:/docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0#directory_roles) module.
+
+## Prepare PowerShell
+
+First, you must [download the Azure AD PowerShell module](https://www.powershellgallery.com/packages/AzureAD/).
+
+## Install the Azure AD PowerShell module
+
+To install the Azure AD PowerShell module, use the following commands:
+
+```powershell
+install-module azuread
+import-module azuread
+```
+
+To verify that the module is ready to use, use the following command:
+
+```powershell
+get-module azuread
+ ModuleType Version Name ExportedCommands
+ ---------- --------- ---- ----------------
+ Binary 2.0.0.115 azuread {Add-AzureADAdministrati...}
+```
+
+Now you can start using the cmdlets in the module. For a full description of the cmdlets in the Azure AD module, please refer to the online reference documentation for [Azure Active Directory PowerShell Version 2](https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0#directory_roles).
+
+## Permissions required
+
+Connect to your Azure AD tenant using a global administrator account to assign or remove roles.
+
+## Assign a single role
+
+To assign a role, you must first obtain its display name and the name of the role you're assigning. When you have the display name of the account and the name of the role, use the following cmdlets to assign the role to the user.
+
+``` PowerShell
+# Fetch user to assign to role
+$roleMember = Get-AzureADUser -ObjectId "username@contoso.com"
+
+# Fetch User Account Administrator role instance
+$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'User Account Administrator'}
+
+# If role instance does not exist, instantiate it based on the role template
+if ($role -eq $null) {
+ # Instantiate an instance of the role template
+ $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.displayName -eq 'User Account Administrator'}
+ Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
+
+ # Fetch User Account Administrator role instance again
+ $role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'User Account Administrator'}
+}
+
+# Add user to role
+Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $roleMember.ObjectId
+
+# Fetch role membership for role to confirm
+Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
+```
+
+## Assign a role to a service principal
+
+Example of assigning a service principal to a role.
+
+```powershell
+# Fetch a service principal to assign to role
+$roleMember = Get-AzureADServicePrincipal -ObjectId "00221b6f-4387-4f3f-aa85-34316ad7f956"
+
+#Fetch list of all directory roles with object ID
+Get-AzureADDirectoryRole
+
+# Fetch a directory role by ID
+$role = Get-AzureADDirectoryRole -ObjectId "5b3fe201-fa8b-4144-b6f1-875829ff7543"
+
+# Add user to role
+Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $roleMember.ObjectId
+
+# Fetch the assignment for the role to confirm
+Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADServicePrincipal
+```
+
+## Multiple role assignments
+
+Examples of assigning and removing multiple roles at once.
+
+```powershell
+#File name
+$fileName=""
+
+$input_Excel = New-Object -ComObject Excel.Application
+$input_Workbook = $input_Excel.Workbooks.Open($fileName)
+$input_Worksheet = $input_Workbook.Sheets.Item(1)
+
+ #Count number of users who have to be assigned to role
+$count = $input_Worksheet.UsedRange.Rows.Count
+
+#Loop through each line of the csv file starting from line 2 (assuming first line is title)
+for ($i=2; $i -le $count; $i++)
+{
+ #Fetch user display name
+ $displayName = $input_Worksheet.Cells.Item($i,1).Text
+
+ #Fetch role name
+ $roleName = $input_Worksheet.Cells.Item($i,2).Text
+
+ #Assign role
+ Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object DisplayName -eq $roleName).ObjectId -RefObjectId (Get-AzureADUser | Where-Object DisplayName -eq $displayName).ObjectId
+}
+
+#Remove multiple role assignments
+for ($i=2; $i -le $count; $i++)
+{
+ $displayName = $input_Worksheet.Cells.Item($i,1).Text
+ $roleName = $input_Worksheet.Cells.Item($i,2).Text
+
+ Remove-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object DisplayName -eq $roleName).ObjectId -MemberId (Get-AzureADUser | Where-Object DisplayName -eq $displayName).ObjectId
+}
+```
+
+## Remove a role assignment
+
+This example removes a role assignment for the specified user.
+
+```powershell
+# Fetch user to assign to role
+$roleMember = Get-AzureADUser -ObjectId "username@contoso.com"
+
+#Fetch list of all directory roles with object id
+Get-AzureADDirectoryRole
+
+# Fetch a directory role by id
+$role = Get-AzureADDirectoryRole -ObjectId "5b3fe201-fa8b-4144-b6f1-875829ff7543"
+
+# Remove user from role
+Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $roleMember.ObjectId
+
+# Fetch role membership for role to confirm
+Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
+
+```
+
+## Next steps
+
+* Feel free to share with us on the [Azure AD administrative roles forum](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=166032).
+* For more about roles and Administrator role assignment, see [Assign administrator roles](directory-assign-admin-roles.md).
+* For default user permissions, see a [comparison of default guest and member user permissions](../fundamentals/users-default-permissions.md).
diff --git a/articles/active-directory/users-groups-roles/signin-account-support.md b/articles/active-directory/users-groups-roles/signin-account-support.md
new file mode 100644
index 0000000000000..ead4db57e1093
--- /dev/null
+++ b/articles/active-directory/users-groups-roles/signin-account-support.md
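Review bot: In the "Multiple role assignments" sample of roles-assign-powershell.md, both loops resolve the target account with `Get-AzureADUser | Where-Object DisplayName -eq $displayName`, and display names are not unique in a directory, so an administrator role can be granted to (or removed from) a different account than the sheet's author intended, or the call can fail when the filter returns several objects or none. The unfiltered `Get-AzureADUser` also returns only a default page of results unless `-All $true` is passed, so in a larger tenant the intended user may never be matched. I would have the sheet carry the user principal name and resolve it the way the single-role example does, `-RefObjectId (Get-AzureADUser -ObjectId $userPrincipalName).ObjectId`, and skip the row with a warning when the role or user lookup comes back empty. The same change applies to the `-MemberId` lookup in the removal loop.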
@@ -0,0 +1,36 @@
+---
+title: How to know if an Azure AD sign-in page accepts Microsoft accounts | Microsoft Docs
+description: How on-screen messaging reflects username lookup during sign-in
+services: active-directory
+author: curtand
+manager: mtillman
+
+ms.service: active-directory
+ms.workload: identity
+ms.subservice: users-groups-roles
+ms.topic: article
+ms.date: 04/10/2019
+ms.author: curtand
+ms.reviewer: kexia
+ms.custom: it-pro
+
+ms.collection: M365-identity-device-management
+---
+
+# Sign-in options for Microsoft accounts in Azure Active Directory
+
+The Microsoft 365 sign-in page for Azure Active Directory (Azure AD) supports work or school accounts and Microsoft accounts, but depending on the user's situation, it could be one or the other or both. For example, the Azure AD sign-in page supports:
+
+* Apps that accept sign-ins from both types of account
+* Organizations that accept guests
+
+## Identification
+You can tell if the sign-in page your organization uses supports Microsoft accounts by looking at the hint text in the username field. If the hint text says "Email, phone, or Skype", the sign-in page supports Microsoft accounts.
+
+![Difference between account sign-in pages](./media/signin-account-support/ui-prompt.png)
+
+[Additional sign-in options work only for personal Microsoft accounts](https://azure.microsoft.com/updates/microsoft-account-signin-options/ ) but can't be used for signing in to work or school account resources.
+
+## Next steps
+
+[Customize your sign-in branding](../fundamentals/add-custom-domain.md)
\ No newline at end of file
diff --git a/articles/active-directory/users-groups-roles/signin-realm-discovery.md b/articles/active-directory/users-groups-roles/signin-realm-discovery.md
new file mode 100644
index 0000000000000..fb43cf1b3e993
--- /dev/null
+++ b/articles/active-directory/users-groups-roles/signin-realm-discovery.md
@@ -0,0 +1,57 @@
+---
+title: Username lookup during sign-in authentication - Azure Active Directory | Microsoft Docs
+description: How on-screen messaging reflects username lookup during sign-in
+services: active-directory
+author: curtand
+manager: mtillman
+
+ms.service: active-directory
+ms.workload: identity
+ms.subservice: users-groups-roles
+ms.topic: article
+ms.date: 04/10/2019
+ms.author: curtand
+ms.reviewer: kexia
+ms.custom: it-pro
+
+ms.collection: M365-identity-device-management
+---
+
+# Home realm discovery for Azure Active Directory sign-in pages
+
+We are changing our Azure Active Directory (Azure AD) sign-in behavior to make room for new authentication methods and improve usability. During sign-in, Azure AD determines where a user needs to authenticate. Azure AD makes intelligent decisions by reading organization and user settings for the username entered on the sign-in page. This is a step towards a password-free future that enables additional credentials like FIDO 2.0.
+
+## Home realm discovery behavior
+
+Historically, home realm discovery was governed by the domain that is provided at sign-in or by a Home Realm Discovery policy for some legacy applications. For example, in our discovery behavior an Azure Active Directory user could mistype their username but would still arrive at their organization's credential collection screen. This occurs when the user correctly provides the organization's domain name “contoso.com”. This behavior does not allow the granularity to customize experiences for an individual user.
+
+To support a wider range of credentials and increase usability, Azure Active Directory’s username lookup behavior during the sign-in process is now updated. The new behavior makes intelligent decisions by reading tenant and user level settings based on the username entered on the sign-in page. To make this possible, Azure Active Directory will check to see if the username that is entered on the sign-in page exists in their specified domain or redirects the user to provide their credentials.
+
+An additional benefit of this work is improved error messaging. Here are some examples of the improved error messaging when signing in to an application that supports Azure Active Directory users only.
+
+1. The username is mistyped or the username has not yet been synced to Azure AD:
+
+ ![the username is mistyped or not found](./media/signin-realm-discovery/typo-username.png)
+
+2. The domain name is mistyped:
+
+ ![the domain name is mistyped or not found](./media/signin-realm-discovery/typo-domain.png)
+
+3. User tries to sign in with a known consumer domain:
+
+ ![sign-in with a known consumer domain](./media/signin-realm-discovery/consumer-domain.png)
+
+4. The password is mistyped but the username is accurate:
+
+ ![password is mistyped with good username](./media/signin-realm-discovery/incorrect-password.png)
+
+> [!IMPORTANT]
+> This feature might have an impact on federated domains relying on the old domain level Home Realm Discovery to force federation. For updates on when federated domain support will be added, see [Home realm discovery during sign-in for Microsoft 365 services](https://blogs.azure.net/updates/Admin/Blogs/29/Posts/3170). In the meantime, some organizations have trained their employees to sign in with a username that doesn’t exist in Azure Active Directory but contains the proper domain name, because the domain names routes users currently to their organization's domain endpoint. The new sign-in behavior doesn't allow this. The user is notified to correct the user name, and they aren't allowed to sign in with a username that does not exist in Azure Active Directory.
+>
+> If you or your organization have practices that depend on the old behavior, it is important for organization administrators to update employee sign-in and authentication documentation and to train employees to use their Azure Active Directory username to sign in.
+
+If you have concerns with the new behavior, leave your remarks in the **Feedback** section of this article.
+
+## Next steps
+
+[Customize your sign-in branding](../fundamentals/add-custom-domain.md)
\ No newline at end of file
diff --git a/articles/advisor/media/view-recommendations/activate-postponed-2.png b/articles/advisor/media/view-recommendations/activate-postponed-2.png
new file mode 100644
index 0000000000000..3bf6f26059b61
Binary files /dev/null and b/articles/advisor/media/view-recommendations/activate-postponed-2.png differ
diff --git a/articles/advisor/media/view-recommendations/activate-postponed.png b/articles/advisor/media/view-recommendations/activate-postponed.png
new file mode 100644
index 0000000000000..91d19115224df
Binary files /dev/null and b/articles/advisor/media/view-recommendations/activate-postponed.png differ
diff --git a/articles/advisor/media/view-recommendations/configuration.png b/articles/advisor/media/view-recommendations/configuration.png
new file mode 100644
index 0000000000000..d3b0bc326b782
Binary files /dev/null and b/articles/advisor/media/view-recommendations/configuration.png differ
diff --git a/articles/advisor/media/view-recommendations/filtering.png b/articles/advisor/media/view-recommendations/filtering.png
new file mode 100644
index 0000000000000..a09bb64a5f9d3
Binary files /dev/null and b/articles/advisor/media/view-recommendations/filtering.png differ
diff --git a/articles/advisor/media/view-recommendations/postpone-dismiss-multiple.png b/articles/advisor/media/view-recommendations/postpone-dismiss-multiple.png new file mode 100644 index 0000000000000..ed6cd16780032 Binary files /dev/null and b/articles/advisor/media/view-recommendations/postpone-dismiss-multiple.png differ diff --git a/articles/advisor/media/view-recommendations/postpone-dismiss.png b/articles/advisor/media/view-recommendations/postpone-dismiss.png new file mode 100644 index 0000000000000..e4da8adb76afa Binary files /dev/null and b/articles/advisor/media/view-recommendations/postpone-dismiss.png differ diff --git a/articles/advisor/permissions.md b/articles/advisor/permissions.md new file mode 100644 index 0000000000000..222297ff5f23e --- /dev/null +++ b/articles/advisor/permissions.md 
@@ -0,0 +1,52 @@ +--- +title: Permissions in Azure Advisor +description: Advisor permissions and how they may block your ability to configure subscriptions or postpone or dismiss recommendations. +services: advisor +author: kasparks +ms.service: advisor +ms.topic: article +ms.date: 04/03/2019 +ms.author: kasparks +--- + +# Permissions in Azure Advisor + +Azure Advisor provides recommendations based on the usage and configuration of your Azure resources and subscriptions. Advisor uses the [built-in roles](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles) provided by [Role-Based Access Control](https://docs.microsoft.com/azure/role-based-access-control/overview) (RBAC) to manage your access to recommendations and Advisor features. + +## Roles and their access + +The following table defines the roles and the access they have within Advisor: + +| **Role** | **View recommendations** | **Edit rules** | **Edit subscription configuration** | **Edit resource group configuration**| **Dismiss and postpone recommendations**| +|---|:---:|:---:|:---:|:---:|:---:| +|Subscription Owner|**X**|**X**|**X**|**X**|**X**| +|Subscription Contributor|**X**|**X**|**X**|**X**|**X**| +|Subscription Reader|**X**|--|--|--|--| +|Resource group Owner|**X**|--|--|**X**|**X**| +|Resource group Contributor|**X**|--|--|**X**|**X**| +|Resource group Reader|**X**|--|--|--|--| +|Resource Owner|**X**|--|--|--|**X**| +|Resource Contributor|**X**|--|--|--|**X**| +|Resource Reader|**X**|--|--|--|--| + +> [!NOTE] +> Access to view recommendations is dependent on your access to the recommendation's impacted resource. + +## Permissions and unavailable actions + +Lack of proper permissions can block your ability to perform actions in Advisor. Following are some common problems. + +### Unable to configure subscriptions or resource groups + +When you attempt to configure subscriptions or resource groups in Advisor, you may see that the option to include or exclude is disabled. 
This status indicates that you do not have a sufficient level of permission for that resource group or subscription. To resolve this issue, learn how to [grant a user access](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal). + +### Unable to postpone or dismiss a recommendation + +If you receive an error when trying to postpone or dismiss a recommendation, you may not have sufficient permissions. Make sure that you have at least contributor access to the impacted resource of the recommendation you are postponing or dismissing. To resolve this issue, learn how to [grant a user access](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal). + +## Next steps + +This article gave an overview of how Advisor uses RBAC to control user permissions and how to resolve common issues. To learn more about Advisor, see: + +- [What is Azure Advisor?](https://docs.microsoft.com/azure/advisor/advisor-overview) +- [Get started with Azure Advisor](https://docs.microsoft.com/azure/advisor/advisor-get-started) diff --git a/articles/advisor/toc.yml b/articles/advisor/toc.yml index 71b5be862ba94..ba6c9bc7e8af3 100644 --- a/articles/advisor/toc.yml +++ b/articles/advisor/toc.yml @@ -18,6 +18,10 @@ href: advisor-performance-recommendations.md - name: Reduce service costs href: advisor-cost-recommendations.md + - name: Configure recommendations + href: view-recommendations.md + - name: Permissions and blocked actions + href: permissions.md - name: Reference items: - name: Security Center diff --git a/articles/advisor/view-recommendations.md b/articles/advisor/view-recommendations.md new file mode 100644 index 0000000000000..9259dfcc608b6 --- /dev/null +++ b/articles/advisor/view-recommendations.md 
@@ -0,0 +1,94 @@ +--- +title: View Azure Advisor recommendations that matter to you +description: View and filter Azure Advisor recommendations to reduce noise. +services: advisor +author: kasparks +ms.service: advisor +ms.topic: article +ms.date: 04/03/2019 +ms.author: kasparks +--- + +# View Azure Advisor recommendations that matter to you + +Azure Advisor provides recommendations to help you optimize your Azure deployments. Within Advisor, you have access to a few features that help you to narrow down your recommendations to only those that matter to you. + +## Configure subscriptions and resource groups + +Advisor gives you the ability to select Subscriptions and Resource Groups that matter to you and your organization. You only see recommendations for the subscriptions and resource groups that you select. By default, all are selected. Configuration settings apply to the subscription or resource group, so the same settings apply to everyone that has access to that subscription or resource group. Configuration settings can be changed in the Azure portal or programmatically. + +To make changes in the Azure portal: + +1. Open [Azure Advisor](https://aka.ms/azureadvisordashboard) in the Azure portal. + +1. Select **Configuration** from the menu. + + ![Advisor configuration menu](./media/view-recommendations/configuration.png) + +1. Check the box in the **Include** column for any subscriptions or resource groups to receive Advisor recommendations. If the box is disabled, you may not have permission to make a configuration change on that subscription or resource group. Learn more about [permissions in Azure Advisor](permissions.md). + +1. Click **Apply** at the bottom after you make a change. + +## Filtering your view in the Azure portal + +Configuration settings remain active until changed. If you want to limit the view of recommendations for a single viewing, you can use the drop downs provided at the top of the Advisor panel. 
From the Overview, High Availability, Security, Performance, Cost, and All Recommendation panels, you can select the Subscriptions, Resource Types, and recommendation status that you want to see. + + ![Advisor filtering menu](./media/view-recommendations/filtering.png) + +## Dismissing and postponing recommendations + +Azure Advisor allows you to dismiss or postpone recommendations on a single resource. If you dismiss a recommendation, you do not see it again unless you manually activate it. However, postponing a recommendation allows you to specify a duration after which the recommendation is automatically activated again. Postponing can be done in the Azure portal or programmatically. + +### Postpone a single recommendation in the Azure portal + +1. Open [Azure Advisor](https://aka.ms/azureadvisordashboard) in the Azure portal. +1. Select a recommendation category to view your recommendations +1. Select a recommendation from the list of recommendations +1. Select Postpone or Dismiss for the recommendation you want to postpone or dismiss + + ![Advisor filtering menu](./media/view-recommendations/postpone-dismiss.png) + +### Postpone or dismiss a multiple recommendations in the Azure portal + +1. Open [Azure Advisor](https://aka.ms/azureadvisordashboard) in the Azure portal. +1. Select a recommendation category to view your recommendations. +1. Select a recommendation from the list of recommendations. +1. Select the checkbox at the left of the row for all resources you want to postpone or dismiss the recommendation. +1. Select **Postpone** or **Dismiss** at the top left of the table. + + ![Advisor filtering menu](./media/view-recommendations/postpone-dismiss-multiple.png) + +> [!NOTE] +> You need contributor or owner permission to dismiss or postpone a recommendation. Learn more about permissions in Azure Advisor. + +> [!NOTE] +> If the selection boxes are disabled, recommendations may still be loading. 
Please wait for all recommendations to load before trying to postpone or dismiss. + +### Reactivate a postponed or dismissed recommendation + +You can activate a recommendation that has been postponed or dismissed. This action can be done in the Azure portal or programmatically. In the Azure portal: + +1. Open [Azure Advisor](https://aka.ms/azureadvisordashboard) in the Azure portal. + +1. Change the filter on the Overview panel to **Postponed**. Advisor then displays postponed or dismissed recommendations. + + ![Advisor filtering menu](./media/view-recommendations/activate-postponed.png) + +1. Select a category to see **Postponed** and **Dismissed** recommendations. + +1. Select a recommendation from the list of recommendations. This opens recommendations with the **Postponed & Dismissed** tab already selected to show the resources for which this recommendation has been postponed or dismissed. + +1. Click on **Activate** at the end of the row. Once clicked, the recommendation is active for that resource and so removed from this table. The recommendation is now visible in the **Active** tab. + + ![Advisor filtering menu](./media/view-recommendations/activate-postponed-2.png) + +## Next steps + +This article explains how you can view recommendations that matter to you in Azure Advisor. To learn more about Advisor, see: + +- [What is Azure Advisor?](advisor-overview.md) +- [Getting Started with Advisor](advisor-get-started.md) +- [Permissions in Azure Advisor](permissions.md) + + + diff --git a/articles/aks/TOC.yml b/articles/aks/TOC.yml index 85759049f9c28..1370117c57b6d 100644 --- a/articles/aks/TOC.yml +++ b/articles/aks/TOC.yml @@ -310,6 +310,8 @@ href: https://azure.microsoft.com/regions/services/ - name: Pricing href: https://azure.microsoft.com/pricing/details/container-service/ + - name: Support policies + href: support-policies.md - name: Roadmap href: https://azure.microsoft.com/roadmap/ - name: Provide product feedback 
diff --git a/articles/aks/azure-files-volume.md b/articles/aks/azure-files-volume.md index 5d5f7988d314b..b0e8a290e673b 100644 --- a/articles/aks/azure-files-volume.md +++ b/articles/aks/azure-files-volume.md @@ -46,7 +46,7 @@ az storage account create -n $AKS_PERS_STORAGE_ACCOUNT_NAME -g $AKS_PERS_RESOURC export AZURE_STORAGE_CONNECTION_STRING=`az storage account show-connection-string -n $AKS_PERS_STORAGE_ACCOUNT_NAME -g $AKS_PERS_RESOURCE_GROUP -o tsv` # Create the file share -az storage share create -n $AKS_PERS_SHARE_NAME +az storage share create -n $AKS_PERS_SHARE_NAME --connection-string $AZURE_STORAGE_CONNECTION_STRING # Get storage account key STORAGE_KEY=$(az storage account keys list --resource-group $AKS_PERS_RESOURCE_GROUP --account-name $AKS_PERS_STORAGE_ACCOUNT_NAME --query "[0].value" -o tsv) diff --git a/articles/aks/support-policies.md b/articles/aks/support-policies.md new file mode 100644 index 0000000000000..d27ad4998ab3b --- /dev/null +++ b/articles/aks/support-policies.md 
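Review bot: The added `--connection-string $AZURE_STORAGE_CONNECTION_STRING` on the `az storage share create` line expands the storage connection string into the command's argument list, and that string normally embeds the account key. Argument lists can surface in process listings and in command tracing on the machine running the script. The context line just above already exports the same variable, which the Azure CLI storage commands read from the environment, so the flag looks redundant unless the export was not taking effect for readers. If the flag stays, quote both expansions: `az storage share create -n "$AKS_PERS_SHARE_NAME" --connection-string "$AZURE_STORAGE_CONNECTION_STRING"`. The script this line belongs to starts and ends outside the hunk.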
@@ -0,0 +1,161 @@ +--- +title: Azure Kubernetes Service (AKS) support policies +description: Learn about Azure Kubernetes Service (AKS) support policies, shared responsibility, Preview/Alpha/Beta features. +services: container-service +author: jnoller + +ms.service: container-service +ms.topic: article +ms.date: 04/01/2019 +ms.author: jenoller + +#Customer intent: As a cluster operator or developer, I want to understand what components for AKS I need to manage, and those managed by Microsoft including security patches, networking and preview features. +--- + +# Azure Kubernetes Service (AKS) support policies + +This article provides details around AKS technical support policies, limitations, and details including worker node management, managed control plane components, third-party open-source components, and security / patch management. + +## Service updates & releases + +* For release info, see the [AKS Release Notes][1] +* For features in public preview, see [AKS Preview Features and Related Projects][2] + +## What is 'managed' + +Unlike base IaaS cloud components such as compute or networking, which expose low-level controls and customization options for users to leverage, the AKS service provides a turn-key Kubernetes deployment that represents the common set of configurations and capabilities required for Kubernetes. Customers who use this service have a limited number of customizations, deployment, and other options. This also means that customers do not need to worry or manage the Kubernetes cluster(s) directly. + +With AKS, the customer gets a fully managed **control plane** – where the control plane contains all components and services required to operate and provide Kubernetes clusters to end users. All Kubernetes components are maintained and operated by Microsoft. 
+ +With the managed **control plane** the following components are managed and monitored by Microsoft: + +* Kubelet / Kubernetes API server(s) +* Etcd or a compatible Key/Value store – including quality of service, scalability, and runtime +* DNS services (for example, kube-dns / CoreDNS) +* Kubernetes Proxy/networking + +AKS is not a 100% managed **cluster** solution. Certain components (such as worker nodes) have certain **shared responsibilities** cases where actions to maintain the AKS cluster require user interaction. For example, worker node OS security patch application. + + **Managed**, means that Microsoft and the AKS team deploys, operates, and is responsible for the availability and functionality of these services. **Customers cannot alter these components**. Customization is limited to ensure a consistent and scalable user experience. For a fully customizable solution, see [AKS-Engine](https://github.com/Azure/aks-engine). + +> [!NOTE] +> It's important to understand that Azure Kubernetes Service worker nodes appear in the Azure Portal as regular Azure IaaS Resources, although these Virtual Machines are deployed into a custom Azure Resource Group (prefixed with MC\\*). A user might alter them, SSH into them just like normal virtual machines (you cannot, however, change the base OS image, and changes might not persist through an update or reboot), and you can attach other Azure resource to them, or otherwise modify them. **However, doing this of out of band management and customization means that the AKS cluster itself can become unsupportable. Avoid worker node alteration unless directed by Microsoft Support.** + +## What is shared responsibility + +At cluster creation time, AKS creates a number of Kubernetes worker nodes defined by the customer. These nodes, as noted are where customer workloads are executed. Customers own and can view or modify these worker nodes. 
+ +Because these nodes are executing private code and store sensitive data, Microsoft support has **limited access** to all Customer cluster nodes. Microsoft support cannot log into, execute commands, or view logs for these nodes without express customer permission and/or assistance to execute debugging commands as directed by the support team. + +Due to the sensitive nature of these worker nodes, Microsoft takes great care to limit the 'behind the scenes' management of these nodes. Even if the Kubernetes master nodes, etcd, and other components fail (managed by Microsoft) your workload will continue to run in many cases. If worker nodes are modified without care, it can result in data and/or workload loss, and render the cluster unsupportable. + +## Azure Kubernetes Service Support coverage + +**Microsoft provides technical support for the following:** + +* Connectivity to all Kubernetes components provided and supported by the Kubernetes service (such as the API server) +* Management, Uptime, QoS and operations of Kubernetes control plane services (Kubernetes Master nodes, API Server, etcd, kube-dns for example. +* Etcd support includes automated, transparent backups of all etcd data every 30 minutes for disaster planning and cluster state restoration. These backups are not available directly to customers/users and are used to ensure data reliability and consistency +* Any integration points in the Azure Cloud Provider driver for Kubernetes such as integrations to other Azure services such as Load balancers, Persistent Volumes, Networking (Kubernetes and Azure CNI) +* Questions or issues around customization of control plane components such as the Kubernetes API server, etcd, and kube-dns. +* Issues about networking topics, such as Azure CNI, Kubenet, or other network access and functionality issues (DNS resolution, packet loss, routing, and so on). 
+ * Networking scenarios supported include Kubenet (Basic) and Advanced Networking (Azure CNI) within the cluster and associated components, connectivity to other Azure services and applications. Additionally, ingress controllers and ingress/load balancer configuration, network performance and latency are supported by Microsoft. + +**Microsoft does not provide technical support for the following:** + +* Advisory/"How-To" use Kubernetes questions, for example how to create custom ingress controllers, application workload questions, and third-party/OSS packages or tools are out of scope. + * Advisory tickets for AKS cluster functionality, customization, tuning – e.g Kubernetes operations issues/how-tos are within scope. +* Third-party open-source projects not provided as part of the Kubernetes control plane or deployed with AKS clusters, such as Istio, Helm, Envoy, and others. + * For third-party open-source projects, such as Helm and Kured, best effort support is provided for examples and applications provided in Microsoft documentation and where that third-party open-source tool integrates with the Kubernetes Azure cloud provider or other AKS-specific bugs. +* Third-party closed-source software – this can include security scanning tools, networking devices or software. +* Issues about "multi-cloud" or multi-vendor build-outs are not supported, for example running a Federated multi public cloud vendor solution is not supported. +* Specific network customizations, other than those documented in the official [AKS documentation][3]. + > [!NOTE] + > Issues and bugs around Network Security Groups is supported. For example, support can answer questions around NSGs failing to update, or unexpected NSG or Load Balancer behavior. 
+ +## Azure Kubernetes Service Support coverage (Worker Nodes) + +### Microsoft responsibilities for Azure Kubernetes Service worker nodes + +As noted in the `shared responsibility` section, Kubernetes worker nodes fall into a joint-responsibility model, where: + +* Provides the base operating system image with required additions (such as monitoring and networking agents) +* Automatic delivery of operating system patches to the worker nodes +* Automatic remediation of issues with Kubernetes control plane components running on the worker nodes, such as: + * kube-proxy + * networking tunnels that provide communication paths to the Kubernetes master components + * kubelet + * docker/moby daemon + +> [!NOTE] +> If a control plane component is non-operational on a worker node, the AKS team may need to reboot the entire worker node to resolve the issue. This is done on behalf of a user and not performed unless a customer escalation is made (due to access to the customers active workload and data). Whenever possible AKS personnel will work to make any required reboot non-application impacting. + +### Customer responsibilities for Azure Kubernetes Service worker nodes + +**Microsoft does not:** + +- Automatically Reboot worker nodes for OS level patches to take effect **(Currently, see below)** + +Operating system patches are delivered to the worker nodes, however it is the **customer's responsibility** to reboot the worker nodes for the changes to take effect. This auto-patching includes shared libraries, daemons such as SSHD, and other system/OS level components. + +For Kubernetes upgrades, **customers are responsible for the execution of the upgrade** via the Azure Control panel, or the Azure CLI. This applies for updates containing security or functionality improvements to Kubernetes. 
+ +> [!NOTE] +> As AKS is a `managed service` our end goals of the service include removing responsibility for patches, updates, log collection and more to make it a more completely managed and hands-off service. These items (node rebooting, auto-patching) may be removed in future releases as our capabilities to do end to end management increase. + +### Security issues and patching + +In some cases (such as CVEs), a security flaw may be found in one or more of the components of the AKS service. In such scenarios, AKS will patch all impacted clusters to mitigate the issue if possible, or provide upgrade guidance to users. + +For worker nodes impacted by such a security hole, if a zero-downtime patch of the issue is available, the AKS team will apply that fix and notify users of the change. + +If a security patch requires worker node reboots, Microsoft will notify customer of this requirement and the customer is responsible to execute the reboot or update to get the patch for their cluster. If users do not apply the patches per AKS guidance, their cluster will continue to be vulnerable to the issue(s). + +### Node maintenance and access + +Because worker nodes are a shared responsibility and under the ownership of customers, customers can log into these workers and perform potentially harmful changes, such as kernel updates, removing packages and installing new packages. + +If customers perform destructive actions, or actions that trigger control plane components to go offline or otherwise become non-functional, the AKS service will detect this failure and perform autoremediation to restore the worker node to the previous working state. + +Although customers can log into and alter worker nodes, it is *discouraged* because this can make your cluster unsupportable. + +## Network ports, access, and Network Security Groups + +As a managed service, AKS has specific networking and connectivity requirements. These requirements are less flexible than normal IaaS components. 
Unlike other IaaS components, certain operations (such as the customization of Network Security Group rules, specific port blocking, URL whitelisting, and so on) can render your cluster unsupportable (for example, firewall rules blocking outbound port 443). + +> [!NOTE] +> Completely locking down egress (for example, explicit domain/port whitelisting) from your cluster is not a supported AKS scenario at this time. The list of URLs and Ports is subject to change without warning and can be provided by Azure Support via a ticket. The provided list is only for customers who are willing to accept that *the availability of your cluster could be affected at any time.* + +## Alpha/Beta Kubernetes features (not supported) + +AKS only supports stable features within the upstream Kubernetes project. Alpha/Beta features available in upstream Kubernetes are not supported unless otherwise communicated and documented. + +There are two cases where Alpha or Beta features may be rolled out prior to GA: + +* Customers have met with the AKS product, support, or engineering teams and have been explicitly asked to try these new features. +* These features have been [enabled via a Feature Flag][2] (explicit opt-in) + +## Preview features / feature Flags + +For features and functionality that require extended testing, community and user feedback, Microsoft will release new preview features, or features behind a feature flag. These features should be considered pre-release / Beta, and are exposed to give users a chance to try out these new features. + +However, these preview / feature flag features are not meant for production use – APIs, behavior change, bug fixes, and other changes can be made that can result in unstable clusters and downtime. Support for these features is limited to bug/issue reporting. Do not enable these features on production systems or subscriptions. + +> [!NOTE] +> Enabling preview features takes effect at the Azure **subscription** level. 
Do not install preview features on production subscription as it can change default API behavior impacting regular operations. + +## Upstream bugs and issues + +Given the speed of development in the upstream Kubernetes project, there are invariably bugs that cannot be patched or worked-around within the AKS system, and instead require larger patches to upstream projects (such as Kubernetes, Node/Worker OSes and Kernels). For components we own (such as the Azure Cloud Provider), AKS/Azure personnel are committed to fixing the issue upstream in the community. + +For cases where a technical support issue is root-caused to one or more upstream bugs, AKS support and engineering will do the following items: + +* Identify and link the upstream bugs with any supporting details as to why this impacts your cluster and/or workload. Customers will be provided with links to the required repos/issues to watch the issues and see when a new Kubernetes/other release will include the fix(es) +* Potential work-arounds or mitigations: In some cases it may be possible to work around the issue – in this case, a "[known-issue](https://github.com/Azure/AKS/issues?q=is%3Aissue+is%3Aopen+label%3Aknown-issue)" will be filed on the AKS repository that explains: + * The issue, and link to upstream bugs + * The workaround, and details around upgrade/other persistence of the solution + * Rough timelines for inclusion based on the upstream release cadence + +[1]: https://github.com/Azure/AKS/releases +[2]: https://github.com/Azure/AKS/blob/master/previews.md +[3]: https://docs.microsoft.com/azure/aks/ diff --git a/articles/aks/use-network-policies.md b/articles/aks/use-network-policies.md index 1870e3a52dc30..bb3b4a857bc10 100644 --- a/articles/aks/use-network-policies.md +++ b/articles/aks/use-network-policies.md @@ -6,7 +6,7 @@ author: iainfoulds ms.service: container-service ms.topic: article -ms.date: 02/12/2019 +ms.date: 04/08/2019 ms.author: iainfou --- 
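Review bot: The shared-responsibility split in the new support-policies.md is ambiguous in two places, which matters because the page decides who must reboot nodes after security patches. The managed control plane list opens with `* Kubelet / Kubernetes API server(s)`, while the worker-node section later lists kubelet among the components running on worker nodes; if only the API server is meant, use `* Kubernetes API server(s)`, otherwise say that kubelet is a node component Microsoft remediates. The list under "Microsoft responsibilities for Azure Kubernetes Service worker nodes" is introduced by "a joint-responsibility model, where:" and then gives bullets with no subject, so it never says who provides the image and delivers the patches; suggest ending the lead-in with `where Microsoft:`. The coverage bullet `(Kubernetes Master nodes, API Server, etcd, kube-dns for example.` is also missing its closing parenthesis.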
@@ -14,7 +14,7 @@ ms.author: iainfou When you run modern, microservices-based applications in Kubernetes, you often want to control which components can communicate with each other. The principle of least privilege should be applied to how traffic can flow between pods in an Azure Kubernetes Service (AKS) cluster. Let's say you likely want to block traffic directly to back-end applications. The *Network Policy* feature in Kubernetes lets you define rules for ingress and egress traffic between pods in a cluster. -Calico, an open source networking and network security solution founded by Tigera, offers a network policy engine which can implement Kubernetes network policy rules. This article shows you how to install the Calico network policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS. +This article shows you how to install the network policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS. This feature is currently in preview. > [!IMPORTANT] > AKS preview features are self-service and opt-in. Previews are provided to gather feedback and bugs from our community. However, they are not supported by Azure technical support. If you create a cluster, or add these features to existing clusters, that cluster is unsupported until the feature is no longer in preview and graduates to general availability (GA). 
@@ -23,7 +23,7 @@ Calico, an open source networking and network security solution founded by Tiger ## Before you begin -You need the Azure CLI version 2.0.56 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. +You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. To create an AKS cluster that can use network policy, first enable a feature flag on your subscription. To register the *EnableNetworkPolicy* feature flag, use the [az feature register][az-feature-register] command as shown in the following example: 
@@ -47,7 +47,35 @@ az provider register --namespace Microsoft.ContainerService All pods in an AKS cluster can send and receive traffic without limitations, by default. To improve security, you can define rules that control the flow of traffic. Back-end applications are often only exposed to required front-end services, for example. Or, database components are only accessible to the application tiers that connect to them. -Network policies are Kubernetes resources that let you control the traffic flow between pods. You can choose to allow or deny traffic based on settings like assigned labels, namespace, or traffic port. Network policies are defined as YAML manifests. These policies can be included as part of a wider manifest that also creates a deployment or service. +Network Policy is a Kubernetes specification that defines access policies for communication between Pods. Using Network Policies, you define an ordered set of rules to send and receive traffic and apply them to a collection of pods that match one or more label selectors. + +These network policy rules are defined as YAML manifests. Network policies can be included as part of a wider manifest that also creates a deployment or service. + +### Network policy options in AKS + +Azure provides two ways to implement network policy. You choose a network policy option when you create an AKS cluster. The policy option can't be changed after the cluster is created: + +* Azure’s own implementation, called *Azure Network Policies*. +* *Calico Network Policies*, an open-source network and network security solution founded by [Tigera][tigera]. + +Both implementations use Linux *IPTables* to enforce the specified policies. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as IPTable filter rules. + +Network policy only works with the Azure CNI (advanced) option. 
Implementation is different for the two options: + +* *Azure Network Policies* - the Azure CNI sets up a bridge in the VM host for intra-node networking. The filtering rules are applied when the packets pass through the bridge. +* *Calico Network Policies* - the Azure CNI sets up local kernel routes for the intra-node traffic. The policies are applied on the pod’s network interface. + +### Differences between Azure and Calico policies and their capabilities + +| Capability | Azure | Calico | +|------------------------------------------|----------------------------|-----------------------------| +| Supported platforms | Linux | Linux | +| Supported networking options | Azure CNI | Azure CNI | +| Compliance with Kubernetes specification | All policy types supported | All policy types supported | +| Additional features | None | Extended policy model consisting of Global Network Policy, Global Network Set, and Host Endpoint. For more information on using the `calicoctl` CLI to manage these extended features, see [calicoctl user reference][calicoctl]. | +| Support | Supported by Azure support and Engineering team | Calico community support. For more information on additional paid support, see [Project Calico support options][calico-support]. | + +## Create an AKS cluster and enable network policy To see network policies in action, let's create and then expand on a policy that defines traffic flow: 
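Review bot: The added sentence "you define an ordered set of rules to send and receive traffic" overstates the Kubernetes model. NetworkPolicy rules carry no ordering or priority, and the policies that select a pod are additive, so a reader may expect a later rule to override an earlier allow and write policies that admit more traffic than intended. Suggest `Using Network Policies, you define a set of rules that allow ingress and egress traffic and apply them to the pods that match one or more label selectors.` The same paragraph could say in one sentence that a pod selected by no policy accepts all traffic, which the context line at the top of the hunk already implies.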
@@ -55,9 +83,7 @@ To see network policies in action, let's create and then expand on a policy that * Allow traffic based on pod labels. * Allow traffic based on namespace. -## Create an AKS cluster and enable network policy - -Network policy can only be enabled when the cluster is created. You can't enable network policy on an existing AKS cluster. +First, let's create an AKS cluster that supports network policy. The network policy feature can only be enabled when the cluster is created. You can't enable network policy on an existing AKS cluster. To use network policy with an AKS cluster, you must use the [Azure CNI plug-in][azure-cni] and define your own virtual network and subnets. For more detailed information on how to plan out the required subnet ranges, see [configure advanced networking][use-advanced-networking]. @@ -67,6 +93,7 @@ The following example script: * Creates an Azure Active Directory (Azure AD) service principal for use with the AKS cluster. * Assigns *Contributor* permissions for the AKS cluster service principal on the virtual network. * Creates an AKS cluster in the defined virtual network and enables network policy. + * The *azure* network policy option is used. To use Calico as the network policy option instead, use the `--network-policy calico` parameter. Provide your own secure *SP_PASSWORD*. You can replace the *RESOURCE_GROUP_NAME* and *CLUSTER_NAME* variables: @@ -118,7 +145,7 @@ az aks create \ --vnet-subnet-id $SUBNET_ID \ --service-principal $SP_ID \ --client-secret $SP_PASSWORD \ - --network-policy calico + --network-policy azure ``` It takes a few minutes to create the cluster. When the cluster is ready, configure `kubectl` to connect to your Kubernetes cluster by using the [az aks get-credentials][az-aks-get-credentials] command. This command downloads credentials and configures the Kubernetes CLI to use them: 
@@ -450,6 +477,9 @@ To learn more about policies, see [Kubernetes network policies][kubernetes-netwo [terms-of-use]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/ [policy-rules]: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors [aks-github]: https://github.com/azure/aks/issues] +[tigera]: https://www.tigera.io/ +[calicoctl]: https://docs.projectcalico.org/v3.5/reference/calicoctl/ +[calico-support]: https://www.projectcalico.org/support [install-azure-cli]: /cli/azure/install-azure-cli diff --git a/articles/analysis-services/TOC.yml b/articles/analysis-services/TOC.yml index d0772680f8a27..665b33862b2a7 100644 --- a/articles/analysis-services/TOC.yml +++ b/articles/analysis-services/TOC.yml @@ -132,7 +132,7 @@ - name: Power Query M href: https://msdn.microsoft.com/library/mt211003.aspx - name: Tabular Model Scripting Language (TMSL) - href: https://docs.microsoft.com/sql/analysis-services/tabular-model-scripting-language-tmsl-reference + href: https://docs.microsoft.com/bi-reference/tmsl/tabular-model-scripting-language-tmsl-reference - name: Tabular Object Model (TOM) href: https://docs.microsoft.com/sql/analysis-services/tabular-model-programming-compatibility-level-1200/introduction-to-the-tabular-object-model-tom-in-analysis-services-amo - name: Resource and object limits diff --git a/articles/analysis-services/analysis-services-capacity-limits.md b/articles/analysis-services/analysis-services-capacity-limits.md index 1bcbd3d7bed32..ec1f962d5c94b 100644 --- a/articles/analysis-services/analysis-services-capacity-limits.md +++ b/articles/analysis-services/analysis-services-capacity-limits.md @@ -5,7 +5,7 @@ author: minewiskan manager: kfile ms.service: azure-analysis-services ms.topic: conceptual -ms.date: 12/19/2018 +ms.date: 04/11/2019 ms.author: owend ms.reviewer: minewiskan 
diff --git a/articles/analysis-services/analysis-services-data-providers.md b/articles/analysis-services/analysis-services-data-providers.md index 54e69ae6e0060..b03693a77be4c 100644 --- a/articles/analysis-services/analysis-services-data-providers.md +++ b/articles/analysis-services/analysis-services-data-providers.md @@ -5,7 +5,7 @@ author: minewiskan manager: kfile ms.service: azure-analysis-services ms.topic: conceptual -ms.date: 03/12/2019 +ms.date: 04/05/2019 ms.author: owend ms.reviewer: minewiskan @@ -19,10 +19,10 @@ Client libraries are necessary for client applications and tools to connect to A |Download |Product version | |---------|---------| -|[MSOLAP (amd64)](https://go.microsoft.com/fwlink/?linkid=829576) | 15.0.11.19 | -|[MSOLAP (x86)](https://go.microsoft.com/fwlink/?linkid=829575) | 15.0.11.19 | -|[AMO](https://go.microsoft.com/fwlink/?linkid=829578) | 15.15.0.0 | -|[ADOMD](https://go.microsoft.com/fwlink/?linkid=829577) | 15.15.0.0 | +|[MSOLAP (amd64)](https://go.microsoft.com/fwlink/?linkid=829576) | 15.0.15.26 | +|[MSOLAP (x86)](https://go.microsoft.com/fwlink/?linkid=829575) | 15.0.15.26 | +|[AMO](https://go.microsoft.com/fwlink/?linkid=829578) | 15.17.1.0 | +|[ADOMD](https://go.microsoft.com/fwlink/?linkid=829577) | 15.17.1.0 | ## AMO and ADOMD (NuGet packages) 
@@ -30,8 +30,8 @@ Analysis Services Management Objects (AMO) and ADOMD client libraries are availa |Package | Product version | |---------|---------| -|[AMO](https://www.nuget.org/packages/Microsoft.AnalysisServices.retail.amd64/) | 15.15.0.0 | -|[ADOMD](https://www.nuget.org/packages/Microsoft.AnalysisServices.AdomdClient.retail.amd64/) | 15.15.0.0 | +|[AMO](https://www.nuget.org/packages/Microsoft.AnalysisServices.retail.amd64/) | 15.17.1 | +|[ADOMD](https://www.nuget.org/packages/Microsoft.AnalysisServices.AdomdClient.retail.amd64/) | 15.17.1 | NuGet package assemblies AssemblyVersion follow semantic versioning: MAJOR.MINOR.PATCH. NuGet references load the expected version even if there is a different version in the GAC (resulting from MSI install). PATCH is incremented for each release. AMO and ADOMD versions are kept in-sync. diff --git a/articles/analysis-services/analysis-services-samples.md b/articles/analysis-services/analysis-services-samples.md index 636b909db341e..619cdf3b67298 100644 --- a/articles/analysis-services/analysis-services-samples.md +++ b/articles/analysis-services/analysis-services-samples.md @@ -5,7 +5,7 @@ author: minewiskan manager: kfile ms.service: azure-analysis-services ms.topic: conceptual -ms.date: 10/18/2018 +ms.date: 04/11/2019 ms.author: owend ms.reviewer: minewiskan diff --git a/articles/api-management/api-management-howto-create-subscriptions.md b/articles/api-management/api-management-howto-create-subscriptions.md index cb36ed65f8207..dc4386d984421 100644 --- a/articles/api-management/api-management-howto-create-subscriptions.md +++ b/articles/api-management/api-management-howto-create-subscriptions.md 
@@ -33,7 +33,8 @@ To take the steps in this article, the prerequisites are as follows: 1. Select **Subscriptions** in the menu on the left. 2. Select **Add subscription**. 3. Provide a name of the subscription and select the scope. -4. Select **Save**. +4. Optionally, choose if the subscription should be associated with a user. +5. Select **Save**. ![Flexible subscriptions](./media/api-management-subscriptions/flexible-subscription.png) diff --git a/articles/api-management/api-management-howto-deploy-multi-region.md b/articles/api-management/api-management-howto-deploy-multi-region.md index ad34b3c11fde0..36f51c4944a50 100644 --- a/articles/api-management/api-management-howto-deploy-multi-region.md +++ b/articles/api-management/api-management-howto-deploy-multi-region.md @@ -12,7 +12,7 @@ ms.workload: mobile ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 08/15/2018 +ms.date: 04/04/2019 ms.author: apimpm --- 
@@ -20,7 +20,7 @@ ms.author: apimpm Azure API Management supports multi-region deployment, which enables API publishers to distribute a single Azure API management service across any number of desired Azure regions. This helps reduce request latency perceived by geographically distributed API consumers and also improves service availability if one region goes offline. -A new Azure API Management service initially contains only one [unit][unit] in a single Azure region, the Primary Region. Additional regions can be easily added through the Azure portal. An API Management gateway server is deployed to each region and call traffic will be routed to the closest gateway. If a region goes offline, the traffic is automatically redirected to the next closest gateway. +A new Azure API Management service initially contains only one [unit][unit] in a single Azure region, the Primary Region. Additional regions can be easily added through the Azure portal. An API Management gateway server is deployed to each region and call traffic will be routed to the closest gateway in terms of latency. If a region goes offline, the traffic is automatically redirected to the next closest gateway. > [!NOTE] > Azure API Management replicates only the API gateway component across regions. The service management component is hosted only in the Primary Region. In case of an outage in the Primary Region, applying configuration changes to an Azure API Management service instance is not possible - including settings or policies updates. 
@@ -102,6 +102,20 @@ To fully leverage geographical distribution of your system, you should have back ``` +> [!TIP] +> You may also front your backend services with [Azure Traffic Manager](https://azure.microsoft.com/services/traffic-manager/), direct the API calls to the Traffic Manager, and let it resolve the routing automatically. + +## Use custom routing to API Management regional gateways + +API Management routes the requests to a regional *gateway* based on [the lowest latency](../traffic-manager/traffic-manager-routing-methods.md#performance). Although it is not possible to override this setting in API Management, you can use your own Traffic Manager with custom routing rules. + +1. Create your own [Azure Traffic Manager](https://azure.microsoft.com/services/traffic-manager/). +1. If you are using a custom domain, [use it with the Traffic Manager](../traffic-manager/traffic-manager-point-internet-domain.md) instead of the API Management service. +1. [Configure the API Management regional endpoints in Traffic Manager](../traffic-manager/traffic-manager-manage-endpoints.md). The regional endpoints follow the URL pattern of `https://--01.regional.azure-api.net`, for example `https://contoso-westus2-01.regional.azure-api.net`. +1. [Configure the API Management regional status endpoints in Traffic Manager](../traffic-manager/traffic-manager-monitoring.md). The regional status endpoints follow the URL pattern of `https://--01.regional.azure-api.net/status-0123456789abcdef`, for example `https://contoso-westus2-01.regional.azure-api.net/status-0123456789abcdef`. +1. Specify [the routing method](../traffic-manager/traffic-manager-routing-methods.md) of the Traffic Manager. + + [api-management-management-console]: ./media/api-management-howto-deploy-multi-region/api-management-management-console.png [api-management-scale-service]: ./media/api-management-howto-deploy-multi-region/api-management-scale-service.png 
diff --git a/articles/api-management/api-management-howto-setup-delegation.md b/articles/api-management/api-management-howto-setup-delegation.md
index 358133d1273ab..045d00f51d859 100644
--- a/articles/api-management/api-management-howto-setup-delegation.md
+++ b/articles/api-management/api-management-howto-setup-delegation.md
@@ -13,26 +13,28 @@ ms.workload: mobile ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 12/15/2016 +ms.date: 04/04/2019 ms.author: apimpm --- # How to delegate user registration and product subscription -Delegation allows you to use your existing website for handling developer sign-in/sign-up and subscription to products as opposed to using the built-in functionality in the developer portal. This enables your website to own the user data and perform the validation of these steps in a custom way. + +Delegation allows you to use your existing website for handling developer sign in/sign up and subscription to products, as opposed to using the built-in functionality in the developer portal. This enables your website to own the user data and perform the validation of these steps in a custom way. [!INCLUDE [premium-dev-standard-basic.md](../../includes/api-management-availability-premium-dev-standard-basic.md)] -## Delegating developer sign in and sign-up -To delegate developer sign-in and sign-up to your existing website, you will need to create a special delegation endpoint on your site that acts as the entry-point for any such request initiated from the API Management developer portal. +## Delegating developer sign in and sign up + +To delegate developer sign in and sign up to your existing website, you'll need to create a special delegation endpoint on your site. It needs to act as the entry-point for any such request initiated from the API Management developer portal. The final workflow will be as follows: -1. Developer clicks on the sign-in or sign-up link at the API Management developer portal +1. Developer clicks on the sign in or sign up link at the API Management developer portal 2. Browser is redirected to the delegation endpoint -3. Delegation endpoint in return redirects to or presents UI asking user to sign in or sign-up +3. Delegation endpoint in return redirects to or presents UI asking user to sign in or sign up 4. 
On success, the user is redirected back to the API Management developer portal page they started from -To begin, let's first set-up API Management to route requests via your delegation endpoint. In the API Management publisher portal, click on **Security** and then click the **Delegation** tab. Click the checkbox to enable 'Delegate sign-in & sign-up'. +To begin, let's first set-up API Management to route requests via your delegation endpoint. In the API Management publisher portal, click on **Security** and then click the **Delegation** tab. Click the checkbox to enable 'Delegate sign in & sign up'. ![Delegation page][api-management-delegation-signin-up] @@ -47,10 +49,10 @@ Now you need to create the **delegation endpoint**. It has to perform a number o > > - Query parameters for the sign-in / sign up case: + Query parameters for the sign in / sign up case: * **operation**: identifies what type of delegation request it is - it can only be **SignIn** in this case - * **returnUrl**: the URL of the page where the user clicked on a sign-in or sign-up link + * **returnUrl**: the URL of the page where the user clicked on a sign in or sign up link * **salt**: a special salt string used for computing a security hash * **sig**: a computed security hash to be used for comparison to your own computed hash 2. Verify that the request is coming from Azure API Management (optional, but highly recommended for security) 
@@ -61,9 +63,9 @@ Now you need to create the **delegation endpoint**. It has to perform a number o > > * Compare the above-computed hash to the value of the **sig** query parameter. If the two hashes match, move on to the next step, otherwise deny the request. -3. Verify that you are receiving a request for sign-in/sign-up: the **operation** query parameter will be set to "**SignIn**". -4. Present the user with UI to sign in or sign-up -5. If the user is signing-up you have to create a corresponding account for them in API Management. [Create a user] with the API Management REST API. When doing so, ensure that you set the user ID to the same it is in your user store or to an ID that you can keep track of. +3. Verify that you are receiving a request for sign in/sign up: the **operation** query parameter will be set to "**SignIn**". +4. Present the user with UI to sign in or sign up +5. If the user is signing-up you have to create a corresponding account for them in API Management. [Create a user] with the API Management REST API. When doing so, ensure that you set the user ID to the same value as in your user store or to an ID that you can keep track of. 6. When the user is successfully authenticated: * [request a single-sign-on (SSO) token] via the API Management REST API 
@@ -83,26 +85,25 @@ In addition to the **SignIn** operation, you can also perform account management You must pass the following query parameters for account management operations. * **operation**: identifies what type of delegation request it is (ChangePassword, ChangeProfile, or CloseAccount) -* **userId**: the user id of the account to manage +* **userId**: the user ID of the account to manage * **salt**: a special salt string used for computing a security hash * **sig**: a computed security hash to be used for comparison to your own computed hash ## Delegating product subscription -Delegating product subscription works similarly to delegating user sign-in/-up. The final workflow would be as follows: +Delegating product subscription works similarly to delegating user sign in/-up. The final workflow would be as follows: -1. Developer selects a product in the API Management developer portal and clicks on the Subscribe button -2. Browser is redirected to the delegation endpoint -3. Delegation endpoint performs required product subscription steps - this is up to you and may entail redirecting to another page to request billing information, asking additional questions, or simply storing the information and not requiring any user action +1. Developer selects a product in the API Management developer portal and clicks on the Subscribe button. +2. Browser is redirected to the delegation endpoint. +3. Delegation endpoint performs required product subscription steps. It's up to you to design the steps. They may include redirecting to another page to request billing information, asking additional questions, or simply storing the information and not requiring any user action. To enable the functionality, on the **Delegation** page click **Delegate product subscription**. -Then ensure the delegation endpoint performs the following actions: +Next, ensure the delegation endpoint does the following actions: 1. 
Receive a request in the following form: > *http:\//www.yourwebsite.com/apimdelegation?operation={operation}&productId={product to subscribe to}&userId={user making request}&salt={string}&sig={string}* - > - > + > Query parameters for the product subscription case: @@ -111,9 +112,11 @@ Then ensure the delegation endpoint performs the following actions: * "Unsubscribe": a request to unsubscribe a user from a product * "Renew": a request to renew a subscription (for example, that may be expiring) * **productId**: the ID of the product the user requested to subscribe to - * **userId**: the ID of the user for whom the request is made + * **subscriptionId**: on *Unsubscribe* and *Renew* - the ID of the product subscription + * **userId**: the ID of the user the request is made for * **salt**: a special salt string used for computing a security hash * **sig**: a computed security hash to be used for comparison to your own computed hash + 2. Verify that the request is coming from Azure API Management (optional, but highly recommended for security) * Compute an HMAC-SHA512 of a string based on the **productId**, **userId**, and **salt** query parameters: 
@@ -122,11 +125,17 @@ Then ensure the delegation endpoint performs the following actions: > > * Compare the above-computed hash to the value of the **sig** query parameter. If the two hashes match, move on to the next step, otherwise deny the request. -3. Perform any product subscription processing based on the type of operation requested in **operation** - for example, billing, further questions, etc. +3. Process product subscription based on the type of operation requested in **operation** - for example, billing, further questions, etc. 4. On successfully subscribing the user to the product on your side, subscribe the user to the API Management product by [calling the REST API for product subscription]. ## Example Code -These code samples show how to take the *delegation validation key*, which is set in the Delegation screen of the publisher portal, to create a HMAC, which is then used to validate the signature, proving the validity of the passed returnUrl. The same code works for the productId and userId with slight modification. + +These code samples show how to: + +* Take the *delegation validation key*, which is set in the Delegation screen of the publisher portal +* Create an HMAC, which is then used to validate the signature, proving the validity of the passed returnUrl. + +The same code works for the productId and userId with slight modification. **C# code to generate hash of returnUrl** @@ -169,7 +178,7 @@ For more information on delegation, see the following video: > > -[Delegating developer sign-in and sign-up]: #delegate-signin-up +[Delegating developer sign in and sign up]: #delegate-signin-up [Delegating product subscription]: #delegate-product-subscription [request a single-sign-on (SSO) token]: https://docs.microsoft.com/rest/api/apimanagement/User/GenerateSsoUrl [create a user]: https://docs.microsoft.com/rest/api/apimanagement/user/createorupdate 
diff --git a/articles/api-management/api-management-sample-send-request.md b/articles/api-management/api-management-sample-send-request.md index 9912921cf9263..e67b205823e5d 100644 --- a/articles/api-management/api-management-sample-send-request.md +++ b/articles/api-management/api-management-sample-send-request.md @@ -197,7 +197,7 @@ Once you have this information, you can make requests to all the backend systems -@($"https://production.acme.com/throughput?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")" +@($"https://production.acme.com/accidentdata?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")" GET ``` @@ -248,7 +248,7 @@ The complete policy looks as follows: - @($"https://production.acme.com/throughput?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")" + @($"https://production.acme.com/accidentdata?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")" GET diff --git a/articles/api-management/api-management-subscriptions.md b/articles/api-management/api-management-subscriptions.md index a56e431b0c8c2..f7a70f1beb76b 100644 --- a/articles/api-management/api-management-subscriptions.md +++ b/articles/api-management/api-management-subscriptions.md 
@@ -46,9 +46,6 @@ Traditionally, subscriptions in API Management were always associated with a sin ### Subscriptions for all APIs or an individual API -> [!NOTE] -> Currently, this feature is available in the API Management Consumption tier only. - When we introduced the [Consumption](https://aka.ms/apimconsumptionblog) tier of API Management, we made a few changes to streamline key management: - First, we added two more subscription scopes: all APIs and a single API. The scope of subscriptions is no longer limited to an API product. It's now possible to create keys that grant access to an API, or all APIs within an API Management instance, without needing to create a product and add the APIs to it first. Also, each API Management instance now comes with an immutable, all-APIs subscription. This subscription makes it easier and more straightforward to test and debug APIs within the test console. diff --git a/articles/api-management/api-management-using-with-internal-vnet.md b/articles/api-management/api-management-using-with-internal-vnet.md index bfd1f658976f8..3fae2cd4596c9 100644 --- a/articles/api-management/api-management-using-with-internal-vnet.md +++ b/articles/api-management/api-management-using-with-internal-vnet.md 
@@ -42,6 +42,7 @@ To perform the steps described in this article, you must have: [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] + **An Azure API Management instance**. For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md). ++ When an API Management service is deployed in a virtual network, a [list of ports](./api-management-using-with-vnet.md#required-ports) are used and need to be opened. ## Creating an API Management in an internal virtual network The API Management service in an internal virtual network is hosted behind an [internal load balancer (classic)](https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-get-started-ilb-classic-cloud). This is the only option available and can't be changed. diff --git a/articles/api-management/api-management-using-with-vnet.md b/articles/api-management/api-management-using-with-vnet.md index ddc65fcf048b2..bf099445e9738 100644 --- a/articles/api-management/api-management-using-with-vnet.md +++ b/articles/api-management/api-management-using-with-vnet.md @@ -55,7 +55,7 @@ To perform the steps described in this article, you must have: * **Internal**: the API Management gateway and developer portal are accessible only from within the virtual network via an internal load balancer. The gateway can access resources within the virtual network. - ![Private peering][api-management-vnet-private]` + ![Private peering][api-management-vnet-private] You will now see a list of all regions where your API Management service is provisioned. Select a VNET and subnet for every region. The list is populated with both classic and Resource Manager virtual networks available in your Azure subscriptions that are setup in the region you are configuring. 
@@ -103,6 +103,7 @@ Following is a list of common misconfiguration issues that can occur while deplo * **Ports required for API Management**: Inbound and Outbound traffic into the Subnet in which API Management is deployed can be controlled using [Network Security Group][Network Security Group]. If any of these ports are unavailable, API Management may not operate properly and may become inaccessible. Having one or more of these ports blocked is another common misconfiguration issue when using API Management with a VNET. + When an API Management service instance is hosted in a VNET, the ports in the following table are used. | Source / Destination Port(s) | Direction | Transport protocol | [Service Tags](../virtual-network/security-overview.md#service-tags)
Source / Destination | Purpose (*) | Virtual Network type | @@ -152,7 +153,7 @@ When an API Management service instance is hosted in a VNET, the ports in the fo > 13.84.189.17/32, 13.85.22.63/32, 23.96.224.175/32, 23.101.166.38/32, 52.162.110.80/32, 104.214.19.224/32, 13.64.39.16/32, 40.81.47.216/32, > 51.145.179.78/32, 52.142.95.35/32, 40.90.185.46/32, 20.40.125.155/32 - * For other of API Management service dependencies which are force tunneled, their should be way to resolve the hostname and reach out to the endpoint. These include + * For other API Management service dependencies which are force tunneled, there should be a way to resolve the hostname and reach out to the endpoint. These include - Metrics and Health Monitoring - Azure portal Diagnostics - SMTP Relay diff --git a/articles/api-management/import-function-app-as-api.md b/articles/api-management/import-function-app-as-api.md index 7c9f11574bf99..56d38ca0eb8cb 100644 --- a/articles/api-management/import-function-app-as-api.md +++ b/articles/api-management/import-function-app-as-api.md @@ -66,7 +66,7 @@ Follow the steps below to create a new API from an Azure Function App. ![Add from Function App](./media/import-function-app-as-api/add-05.png) > [!NOTE] - > You can import only Functions that are based off HTTP trigger and have the authorization level setting set to *Anonymous* or *Function*. + > You can import only Functions that are based off HTTP trigger and have the authorization level setting set to *Anonymous* or *Function*. At this moment, Linux Function Apps are not supported. 7. Switch to the **Full** view and assign **Product** to your new API. If needed, edit other pre-populated fields. 
@@ -108,11 +108,14 @@ Follow the steps below to append Azure Function App to an existing API. ![Append from Function App](./media/import-function-app-as-api/append-04.png) -## Generated Azure Function App host key +## Authorization Import of an Azure Function App automatically generates: -* host key inside the Function App with the name apim-{*your Azure API Management service instance name*}, -* named value inside the Azure API Management instance with the name {*your Azure Function App instance name*}-key, which contains the created host key. + +* Host key inside the Function App with the name apim-{*your Azure API Management service instance name*}, +* Named value inside the Azure API Management instance with the name {*your Azure Function App instance name*}-key, which contains the created host key. + +For APIs created after April 4th 2019, the host key is passed in HTTP requests from API Management to the Function App in a header. Older APIs pass the host key as [a query parameter](../azure-functions/functions-bindings-http-webhook.md#api-key-authorization). This behavior may be changed through the `PATCH Backend` [REST API call](https://docs.microsoft.com/rest/api/apimanagement/backend/update#backendcredentialscontract) on the *Backend* entity associated with the Function App. > [!WARNING] > Removing or changing value of either the Azure Function App host key or Azure API Management named value will break the communication between the services. The values do not sync automatically. diff --git a/articles/api-management/transform-api.md b/articles/api-management/transform-api.md index a79136ebf6649..f61af966a5f9b 100644 --- a/articles/api-management/transform-api.md +++ b/articles/api-management/transform-api.md @@ -77,7 +77,7 @@ The original response should look like this: ![Policies](./media/transform-api/transform-api.png) -7. Modify your **** code to look like this: +7. Modify your **\** code to look like this: 
diff --git a/articles/app-service/app-service-ip-restrictions.md b/articles/app-service/app-service-ip-restrictions.md index 496f4892e0a37..a8b3b42e915f8 100644 --- a/articles/app-service/app-service-ip-restrictions.md +++ b/articles/app-service/app-service-ip-restrictions.md @@ -81,3 +81,9 @@ The JSON syntax for the earlier example is: "name": "allowed access" } ], + +## Function App IP Restrictions + +IP restrictions are available for both Function Apps with the same functionality as App Service plans. Note that enabling IP restrictions will disable the portal code editor for any disallowed IPs. + +[Learn more here](../azure-functions/functions-networking-options.md#inbound-ip-restrictions) \ No newline at end of file diff --git a/articles/app-service/app-service-web-get-started-windows-container.md b/articles/app-service/app-service-web-get-started-windows-container.md index 3ed29494f5154..eac99d3363a17 100644 --- a/articles/app-service/app-service-web-get-started-windows-container.md +++ b/articles/app-service/app-service-web-get-started-windows-container.md @@ -12,7 +12,7 @@ ms.workload: web ms.tgt_pltfrm: na ms.devlang: na ms.topic: quickstart -ms.date: 04/03/2019 +ms.date: 04/12/2019 ms.author: cephalin ms.custom: mvc ms.custom: seodec18 
@@ -176,7 +176,7 @@ To tell App Service to pull in the new image from Docker Hub, restart the app. B You are free to use a different custom Docker image to run your app. However, you must choose the right [parent image](https://docs.docker.com/develop/develop-images/baseimages/) for the framework you want: - To deploy .NET Framework apps, use a parent image based on the Windows Server Core 2019 [Long-Term Servicing Channel (LTSC)](https://docs.microsoft.com/windows-server/get-started/semi-annual-channel-overview#long-term-servicing-channel-ltsc) release. -- To deploy .NET Core apps, use a parent image based on the Windows Server Nano 1809 [Long-Term Servicing Channel (LTSC)](https://docs.microsoft.com/windows-server/get-started/semi-annual-channel-overview#long-term-servicing-channel-ltsc) release. +- To deploy .NET Core apps, use a parent image based on the Windows Server Nano 1809 [Semi-Annual Servicing Channel (SAC)](https://docs.microsoft.com/windows-server/get-started-19/servicing-channels-19#semi-annual-channel) release. It takes some time to download a parent image during app start-up. However, you can reduce start-up time by using one of the following parent images that are already cached in Azure App Service: diff --git a/articles/app-service/app-service-web-tutorial-dotnetcore-sqldb.md b/articles/app-service/app-service-web-tutorial-dotnetcore-sqldb.md index 38b59887145dc..7472ad3a67947 100644 --- a/articles/app-service/app-service-web-tutorial-dotnetcore-sqldb.md +++ b/articles/app-service/app-service-web-tutorial-dotnetcore-sqldb.md @@ -1,5 +1,5 @@ --- -title: Build .NET Core app with SQL Database - Azure App Service | Microsoft Docs +title: ASP.NET Core with SQL Database - Azure App Service | Microsoft Docs description: Learn how to get a .NET Core app working in Azure App Service, with connection to a SQL Database. services: app-service\web documentationcenter: dotnet 
@@ -18,7 +18,7 @@ ms.custom: mvc ms.custom: seodec18 --- -# Tutorial: Build a .NET Core and SQL Database app in Azure App Service +# Tutorial: Build an ASP.NET Core and SQL Database app in Azure App Service > [!NOTE] > This article deploys an app to App Service on Windows. To deploy to App Service on _Linux_, see [Build a .NET Core and SQL Database app in Azure App Service on Linux](./containers/tutorial-dotnetcore-sqldb-app.md). diff --git a/articles/app-service/app-service-web-tutorial-nodejs-mongodb-app.md b/articles/app-service/app-service-web-tutorial-nodejs-mongodb-app.md index 039db2f8aaeb6..77fdd2f24a3b8 100644 --- a/articles/app-service/app-service-web-tutorial-nodejs-mongodb-app.md +++ b/articles/app-service/app-service-web-tutorial-nodejs-mongodb-app.md @@ -1,6 +1,6 @@ --- -title: Build Node.js app with MongoDB - Azure App Service | Microsoft Docs -description: Learn how to get a Node.js app working in Azure, with connection to a Cosmos DB database with a MongoDB connection string. +title: Node.js (MEAN.js) with MongoDB - Azure App Service | Microsoft Docs +description: Learn how to get a Node.js app working in Azure, with connection to a Cosmos DB database with a MongoDB connection string. MEAN.js is used in the tutorial. services: app-service\web documentationcenter: nodejs author: cephalin diff --git a/articles/app-service/app-service-web-tutorial-php-mysql.md b/articles/app-service/app-service-web-tutorial-php-mysql.md index c1a37105b9ebf..d5763235e2fce 100644 --- a/articles/app-service/app-service-web-tutorial-php-mysql.md +++ b/articles/app-service/app-service-web-tutorial-php-mysql.md 
@@ -1,6 +1,6 @@
 ---
-title: Build PHP app with MySQL - Azure App Service | Microsoft Docs
-description: Learn how to get a PHP app working in Azure, with connection to a MySQL database in Azure.
+title: PHP (Laravel) with MySQL - Azure App Service | Microsoft Docs
+description: Learn how to get a PHP app working in Azure, with connection to a MySQL database in Azure. Laravel is used in the tutorial.
 services: app-service\web
 documentationcenter: php
 author: cephalin
diff --git a/articles/app-service/configure-authentication-provider-facebook.md b/articles/app-service/configure-authentication-provider-facebook.md
index 83aeb258e4246..094e1678bdec1 100644
--- a/articles/app-service/configure-authentication-provider-facebook.md
+++ b/articles/app-service/configure-authentication-provider-facebook.md
@@ -44,7 +44,7 @@ To complete the procedure in this topic, you must have a Facebook account that h
 > The app secret is an important security credential. Do not share this secret with anyone or distribute it within a client application.
 >
 >
-9. The Facebook account which was used to register the application is an administrator of the app. At this point, only administrators can sign into this application. To authenticate other Facebook accounts, click **App Review** and enable **Make public** to enable general public access using Facebook authentication.
+9. The Facebook account which was used to register the application is an administrator of the app. At this point, only administrators can sign into this application. To authenticate other Facebook accounts, click **App Review** and enable **Make \ public** to enable general public access using Facebook authentication.
 ## Add Facebook information to your application
 1. Back in the [Azure portal], navigate to your application. Click **Settings** > **Authentication / Authorization**, and make sure that **App Service Authentication** is **On**.
diff --git a/articles/app-service/containers/app-service-linux-faq.md b/articles/app-service/containers/app-service-linux-faq.md
index eea678c4d0749..40f3c6b78bb48 100644
--- a/articles/app-service/containers/app-service-linux-faq.md
+++ b/articles/app-service/containers/app-service-linux-faq.md
@@ -158,7 +158,7 @@ In order to use ACR with multi-container, **all container images** need to be ho
 Create the following application settings:
 - DOCKER_REGISTRY_SERVER_USERNAME
-- DOCKER_REGISTRY_SERVER_URL (full URL, ex: https://.azurecr.io)
+- DOCKER_REGISTRY_SERVER_URL (full URL, ex: `https://.azurecr.io`)
 - DOCKER_REGISTRY_SERVER_PASSWORD (enable admin access in ACR settings)
 Within the configuration file, reference your ACR image like the following example:
diff --git a/articles/app-service/containers/app-service-linux-java.md b/articles/app-service/containers/app-service-linux-java.md
index e59d939e16b52..c5e7881b515d7 100644
--- a/articles/app-service/containers/app-service-linux-java.md
+++ b/articles/app-service/containers/app-service-linux-java.md
@@ -65,10 +65,14 @@ For more information, see [Streaming logs with the Azure CLI](../troubleshoot-di ### App logging -Enable [application logging](/azure/app-service/troubleshoot-diagnostic-logs#enablediag) through the Azure portal or [Azure CLI](/cli/azure/webapp/log#az-webapp-log-config) to configure App Service to write your application's standard console output and standard console error streams to the local filesystem or Azure Blob Storage. Logging to the local App Service filesystem instance is disabled 12 hours after it is configured. If you need longer retention, configure the application to write output to a Blob storage container. +Enable [application logging](/azure/app-service/troubleshoot-diagnostic-logs#enablediag) through the Azure portal or [Azure CLI](/cli/azure/webapp/log#az-webapp-log-config) to configure App Service to write your application's standard console output and standard console error streams to the local filesystem or Azure Blob Storage. Logging to the local App Service filesystem instance is disabled 12 hours after it is configured. If you need longer retention, configure the application to write output to a Blob storage container. Your Java and Tomcat app logs can be found in the `/home/LogFiles/Application/` directory. If your application uses [Logback](https://logback.qos.ch/) or [Log4j](https://logging.apache.org/log4j) for tracing, you can forward these traces for review into Azure Application Insights using the logging framework configuration instructions in [Explore Java trace logs in Application Insights](/azure/application-insights/app-insights-java-trace-logs). +### Troubleshooting Tools + +The built-in Java images are based on the [Alpine Linux](https://alpine-linux.readthedocs.io/en/latest/getting_started.html) operating system. Use the `apk` package manager to install any troubleshooting tools or commands. 
+ ## Customization and tuning Azure App Service for Linux supports out of the box tuning and customization through the Azure Portal and CLI. Review the following articles for non-Java specific web app configuration: 
@@ -77,32 +81,35 @@ Azure App Service for Linux supports out of the box tuning and customization thr - [Set up a custom domain](/azure/app-service/app-service-web-tutorial-custom-domain?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) - [Enable SSL](/azure/app-service/app-service-web-tutorial-custom-ssl?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) - [Add a CDN](/azure/cdn/cdn-add-to-web-app?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) +- [Configure the Kudu site](https://github.com/projectkudu/kudu/wiki/Configurable-settings#linux-on-app-service-settings) ### Set Java runtime options -To set allocated memory or other JVM runtime options in both the Tomcat and Java SE environments, set the JAVA_OPTS as shown below as an [application setting](/azure/app-service/web-sites-configure#app-settings). App Service Linux passes this setting as an environment variable to the Java runtime when it starts. +To set allocated memory or other JVM runtime options in both the Tomcat and Java SE environments, create an [application setting](/azure/app-service/web-sites-configure#app-settings) named `JAVA_OPTS` with the options. App Service Linux passes this setting as an environment variable to the Java runtime when it starts. -In the Azure portal, under **Application Settings** for the web app, create a new app setting named `JAVA_OPTS` that includes the additional settings, such as `$JAVA_OPTS -Xms512m -Xmx1204m`. +In the Azure portal, under **Application Settings** for the web app, create a new app setting named `JAVA_OPTS` that includes the additional settings, such as `-Xms512m -Xmx1204m`. -To configure the app setting from the Azure App Service Linux Maven plugin, add setting/value tags in the Azure plugin section. The following example sets a specific minimum and maximum Java heapsize: +To configure the app setting from the Maven plugin, add setting/value tags in the Azure plugin section. 
The following example sets a specific minimum and maximum Java heapsize: ```xml JAVA_OPTS - $JAVA_OPTS -Xms512m -Xmx1204m + -Xms512m -Xmx1204m ``` Developers running a single application with one deployment slot in their App Service plan can use the following options: -- B1 and S1 instances: -Xms1024m -Xmx1024m -- B2 and S2 instances: -Xms3072m -Xmx3072m -- B3 and S3 instances: -Xms6144m -Xmx6144m +- B1 and S1 instances: `-Xms1024m -Xmx1024m` +- B2 and S2 instances: `-Xms3072m -Xmx3072m` +- B3 and S3 instances: `-Xms6144m -Xmx6144m` When tuning application heap settings, review your App Service plan details and take into account multiple applications and deployment slot needs to find the optimal allocation of memory. +If you are deploying a JAR application, it should be named `app.jar` so that the built-in image can correctly identify your app. (The Maven plugin does this renaming automatically.) If you do not wish to rename your JAR to `app.jar`, you can upload a shell script with the command to run your JAR. Then paste the full path to this script in the [Startup File](https://docs.microsoft.com/en-us/azure/app-service/containers/app-service-linux-faq#startup-file) textbox in the Configuration section of the Portal. + ### Turn on web sockets Turn on support for web sockets in the Azure portal in the **Application settings** for the application. You'll need to restart the application for the setting to take effect. 
@@ -122,7 +129,7 @@ az webapp start -n ${WEBAPP_NAME} -g ${WEBAPP_RESOURCEGROUP_NAME}
 ### Set default character encoding
-In the Azure portal, under **Application Settings** for the web app, create a new app setting named `JAVA_OPTS` with value `$JAVA_OPTS -Dfile.encoding=UTF-8`.
+In the Azure portal, under **Application Settings** for the web app, create a new app setting named `JAVA_OPTS` with value `-Dfile.encoding=UTF-8`.
 Alternatively, you can configure the app setting using the App Service Maven plugin. Add the setting name and value tags in the plugin configuration:
@@ -130,11 +137,15 @@ Alternatively, you can configure the app setting using the App Service Maven plu JAVA_OPTS - $JAVA_OPTS -Dfile.encoding=UTF-8 + -Dfile.encoding=UTF-8 ``` +### Adjust startup timeout + +If your Java application is particularly large, you should increase the startup time limit. To do this, create an application setting, `WEBSITES_CONTAINER_START_TIME_LIMIT` and set it to the number of seconds that App Service should wait before timing out. The maximum value is `1800` seconds. + ## Secure applications Java applications running in App Service for Linux have the same set of [security best practices](/azure/security/security-paas-applications-using-app-services) as other applications.
diff --git a/articles/app-service/containers/app-service-linux-ssh-support.md b/articles/app-service/containers/app-service-linux-ssh-support.md
index 3730c82a94ce2..09e5030e28438 100644
--- a/articles/app-service/containers/app-service-linux-ssh-support.md
+++ b/articles/app-service/containers/app-service-linux-ssh-support.md
@@ -31,73 +31,11 @@ You can also connect to the container directly from your local development machi ## Open SSH session in browser -To make an SSH client connection with your container, your app should be running. - -Paste the following URL into your browser and replace \ with your app name: - -``` -https://.scm.azurewebsites.net/webssh/host -``` - -If you are not already authenticated, you are required to authenticate with your Azure subscription to connect. Once authenticated, you see an in-browser shell, where you can run commands inside your container. - -![SSH connection](./media/app-service-linux-ssh-support/app-service-linux-ssh-connection.png) +[!INCLUDE [Open SSH session in browser](../../../includes/app-service-web-ssh-connect-no-h.md)] ## Use SSH support with custom Docker images -In order for a custom Docker image to support SSH communication between the container and the client in the Azure portal, perform the following steps for your Docker image. - -These steps are shown in the Azure App Service repository as [an example](https://github.com/Azure-App-Service/node/blob/master/6.9.3/). - -1. Include the `openssh-server` installation in [`RUN` instruction](https://docs.docker.com/engine/reference/builder/#run) in the Dockerfile for your image and set the password for the root account to `"Docker!"`. - - > [!NOTE] - > This configuration does not allow external connections to the container. SSH can only - > be accessed via the Kudu / SCM Site, which is authenticated using the publishing - > credentials. - - ```Dockerfile - # ------------------------ - # SSH Server support - # ------------------------ - RUN apt-get update \ - && apt-get install -y --no-install-recommends openssh-server \ - && echo "root:Docker!" | chpasswd - ``` - -2. Add a [`COPY` instruction](https://docs.docker.com/engine/reference/builder/#copy) to the Dockerfile to copy a [sshd_config](https://man.openbsd.org/sshd_config) file to the */etc/ssh/* directory. 
Your configuration file should be based on the sshd_config file in the Azure-App-Service GitHub repository [here](https://github.com/Azure-App-Service/node/blob/master/10.14/sshd_config). - - > [!NOTE] - > The *sshd_config* file must include the following or the connection fails: - > * `Ciphers` must include at least one of the following: `aes128-cbc,3des-cbc,aes256-cbc`. - > * `MACs` must include at least one of the following: `hmac-sha1,hmac-sha1-96`. - - ```Dockerfile - COPY sshd_config /etc/ssh/ - ``` - -3. Include port 2222 in the [`EXPOSE` instruction](https://docs.docker.com/engine/reference/builder/#expose) for the Dockerfile. Although the root password is known, port 2222 cannot be accessed from the internet. It is an internal only port accessible only by containers within the bridge network of a private virtual network. - - ```Dockerfile - EXPOSE 2222 80 - ``` - -4. Make sure to start the SSH service using a shell script (see example at [init_container.sh](https://github.com/Azure-App-Service/node/blob/master/6.9.3/startup/init_container.sh)). - - ```bash - #!/bin/bash - service ssh start - ``` - -The Dockerfile uses the [`ENTRYPOINT` instruction](https://docs.docker.com/engine/reference/builder/#entrypoint) to run the script. - - ```Dockerfile - COPY init_container.sh /opt/startup - ... - RUN chmod 755 /opt/startup/init_container.sh - ... - ENTRYPOINT ["/opt/startup/init_container.sh"] - ``` +See [Configure SSH in a custom container](configure-custom-container.md#enable-ssh). ## Open SSH session from remote shell 
@@ -109,10 +47,10 @@ Using TCP tunneling you can create a network connection between your development To get started, you need to install [Azure CLI](/cli/azure/install-azure-cli?view=azure-cli-latest). To see how it works without installing Azure CLI, open [Azure Cloud Shell](../../cloud-shell/overview.md). -Open a remote connection to your app using the [az webapp remote-connection create](/cli/azure/ext/webapp/webapp/remote-connection?view=azure-cli-latest#ext-webapp-az-webapp-remote-connection-create) command. Specify _\_, _\_ and \__ for your app. +Open a remote connection to your app using the [az webapp remote-connection create](/cli/azure/ext/webapp/webapp/remote-connection?view=azure-cli-latest#ext-webapp-az-webapp-remote-connection-create) command. Specify _\_, _\_ and \__ for your app. ```azurecli-interactive -az webapp remote-connection create --subscription --resource-group -n & +az webapp remote-connection create --subscription --resource-group -n & ``` > [!TIP]
diff --git a/articles/app-service/containers/choose-deployment-type.md b/articles/app-service/containers/choose-deployment-type.md
index 921cce414d7b7..e153d4f613b8c 100644
--- a/articles/app-service/containers/choose-deployment-type.md
+++ b/articles/app-service/containers/choose-deployment-type.md
@@ -24,7 +24,7 @@ ms.custom: seodec18 [App Service on Linux](app-service-linux-intro.md) offers three different paths to getting your application published to the web: - **Custom image deployment**: "Dockerize" your app into a Docker image that contains all of your files and dependencies in a ready-to-run package. -- **Multi-container deployment**: "Dockerize" your app across multiple containers using a Docker Compose or a Kubernetes configuration file. For more information, see [Multi-container app](#multi-container-apps-supportability). +- **Multi-container deployment**: "Dockerize" your app across multiple containers using a Docker Compose or a Kubernetes configuration file. - **App deployment with a built-in platform image**: Our built-in platform images contain common web app runtimes and dependencies, such as Node and PHP. Use any one of the [Azure App Service deployment methods](../deploy-local-git.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) to deploy your app to your web app's storage, and then use a built-in platform image to run it. ## Which method is right for your app? 
@@ -39,38 +39,3 @@ The primary factors to consider are: - **Disk read/write requirements**: All web apps are allocated a storage volume for web content. This volume, backed by Azure Storage, is mounted to `/home` in the app's filesystem. Unlike files in the container filesystem, files in the content volume are accessible across all scale instances of an app, and modifications will persist across app restarts. However, the disk latency of the content volume is higher and more variable than the latency of the local container filesystem, and access can be impacted by platform upgrades, unplanned downtime, and network connectivity issues. Apps that require heavy read-only access to content files may benefit from custom image deployment, which places files in the image filesystem instead of on the content volume. - **Build resource usage**: When an app is deployed from source, the deployment scripts run by Kudu use the same App Service Plan compute and storage resources as the running app. Large app deployments may consume more resources or time than desired. In particular, many deployment workflows generate heavy disk activity on the app content volume, which is not optimized for such activity. A custom image delivers all of your app's files and dependencies to Azure in a single package with no need for additional file transfers or deployment actions. - **Need for rapid iteration**: Dockerizing an app requires additional build steps. For changes to take effect, you must push your new image to a repository with each update. These updates are then pulled to the Azure environment. If one of the built-in containers meets your app's needs, deploying from source may offer a faster development workflow. 
- ## Multi-container apps supportability - ### Supported Docker Compose configuration options -- command -- entrypoint -- environment -- image -- ports -- restart -- services -- volumes - -### Unsupported Docker Compose configuration options -- build (not allowed) -- depends_on (ignored) -- networks (ignored) -- secrets (ignored) -- ports other than 80 and 8080 (ignored) - -> [!NOTE] -> Any other options not explicitly called out are also ignored in Public Preview. - -### Supported Kubernetes configuration options -- args -- command -- containers -- image -- name -- ports -- spec - -> [!NOTE] ->Any other Kubernetes options not explicitly called out aren't supported in Public Preview. -> 
diff --git a/articles/app-service/containers/configure-custom-container.md b/articles/app-service/containers/configure-custom-container.md
new file mode 100644
index 0000000000000..420478142969e
--- /dev/null
+++ b/articles/app-service/containers/configure-custom-container.md
@@ -0,0 +1,186 @@ +--- +title: Configure customer containers - Azure App Service | Microsoft Docs +description: Learn how to configure Node.js apps to work in Azure App Service +services: app-service +documentationcenter: '' +author: cephalin +manager: jpconnock +editor: '' + +ms.service: app-service +ms.workload: na +ms.tgt_pltfrm: na +ms.devlang: dotnet +ms.topic: article +ms.date: 03/28/2019 +ms.author: cephalin +--- + +# Configure a custom Linux container for Azure App Service + +This article shows you how to configure a custom Linux container to run on Azure App Service. + +This guide provides key concepts and instructions for containerization of Linux apps in App Service. If you've never used Azure App Service, follow the [custom container quickstart](quickstart-docker-go.md) and [tutorial](tutorial-custom-docker-image.md) first. There's also a [multi-container app quickstart](quickstart-multi-container.md) and [tutorial](tutorial-multi-container-app.md). + +## Configure port number + +The web server in your custom image may use a port other than 80. You tell Azure about the port that your custom uses by using the `WEBSITES_PORT` app setting. The GitHub page for the [Python sample in this tutorial](https://github.com/Azure-Samples/docker-django-webapp-linux) shows that you need to set `WEBSITES_PORT` to _8000_. You can set it by running [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in the Cloud Shell. For example: + +```azurecli-interactive +az webapp config appsettings set --resource-group --name --settings WEBSITES_PORT=8000 +``` + +## Configure environment variables + +Your custom container may use environment variables that need to be supplied externally. You can pass them in by running [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in the Cloud Shell. 
For example: + +```azurecli-interactive +az webapp config appsettings set --resource-group --name --settings WORDPRESS_DB_HOST="myownserver.mysql.database.azure.com" +``` + +This method works both for single-container apps or multi-container apps, where the environment variables are specified in the *docker-compose.yml* file. + +## Use persistent shared storage + +You can use the */home* directory in your app's file system to persist files across restarts and share them across instances. The `/home` in your app is provided to enable your container app to access persistent storage. + +When persistent storage is disabled, then writes to the `/home` directory aren't persisted across app restarts or across multiple instances. The only exception is the `/home/LogFiles` directory, which is used to store the Docker and container logs. When persistent storage is enabled, all writes to the `/home` directory are persisted and can be accessed by all instances of a scaled-out app. + +By default, persistent storage is *disabled*. To enable or disable it, set the `WEBSITES_ENABLE_APP_SERVICE_STORAGE` app setting by running [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in the Cloud Shell. For example: + +```azurecli-interactive +az webapp config appsettings set --resource-group --name --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=true +``` + +> [!NOTE] +> You can also [configure your own persistent storage](how-to-serve-content-from-azure-storage.md). + +## Enable SSH + +SSH enables secure communication between a container and a client. In order for a custom container to support SSH, you must add it into the Dockerfile itself. + +> [!TIP] +> All built-in Linux containers have added the SSH instructions in their image repositories. 
You can go through the following instructions with the [Node.js 10.14 repository](https://github.com/Azure-App-Service/node/blob/master/10.14) to see how it's enabled there. + +- Use the [RUN](https://docs.docker.com/engine/reference/builder/#run) instruction to install the SSH server and set the password for the root account to `"Docker!"`. For example, for an image based on [Alpine Linux](https://hub.docker.com/_/alpine), you need the following commands: + + ```Dockerfile + RUN apk add openssh \ + && echo "root:Docker!" | chpasswd + ``` + + This configuration doesn't allow external connections to the container. SSH is available only through `https://.scm.azurewebsites.net` and authenticated with the publishing credentials. + +- Add [this sshd_config file](https://github.com/Azure-App-Service/node/blob/master/10.14/sshd_config) to your image repository, and use the [COPY](https://docs.docker.com/engine/reference/builder/#copy) instruction to copy the file to the */etc/ssh/* directory. For more information about *sshd_config* files, see [OpenBSD documentation](https://man.openbsd.org/sshd_config). + + ```Dockerfile + COPY sshd_config /etc/ssh/ + ``` + + > [!NOTE] + > The *sshd_config* file must include the following items: + > - `Ciphers` must include at least one item in this list: `aes128-cbc,3des-cbc,aes256-cbc`. + > - `MACs` must include at least one item in this list: `hmac-sha1,hmac-sha1-96`. + +- Use the [EXPOSE](https://docs.docker.com/engine/reference/builder/#expose) instruction to open port 2222 in the container. Although the root password is known, port 2222 is inaccessible from the internet. It's accessible only by containers within the bridge network of a private virtual network. + + ```Dockerfile + EXPOSE 80 2222 + ``` + +- In the start-up script for your container, start the SSH server. 
+ + ```bash + /usr/sbin/sshd + ``` + + For an example, see how the default [Node.js 10.14 container](https://github.com/Azure-App-Service/node/blob/master/10.14/startup/init_container.sh) starts the SSH server. + +## Access diagnostic logs + +[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)] + +## Configure multi-container apps + +- [Use persistent storage in Docker Compose](#use-persistent-storage-in-docker-compose) +- [Preview limitations](#preview-limitations) +- [Docker Compose options](#docker-compose-options) +- [Kubernetes configuration options](#kubernetes-configuration-options) + +### Use persistent storage in Docker Compose + +Multi-container apps like WordPress need persistent storage to function properly. To enable it, your Docker Compose configuration must point to a storage location *outside* your container. Storage locations inside your container don't persist changes beyond app restart. + +Enable persistent storage by setting the `WEBSITES_ENABLE_APP_SERVICE_STORAGE` app setting, using the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in Cloud Shell. + +```azurecli-interactive +az webapp config appsettings set --resource-group --name --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=TRUE +``` + +In your *docker-compose.yml* file, map the `volumes` option to `${WEBAPP_STORAGE_HOME}`. `WEBAPP_STORAGE_HOME` is an environment variable in App Service that is mapped to persistent storage for your app. For example: + +```yaml +wordpress: + image: wordpress:latest + volumes: + - ${WEBAPP_STORAGE_HOME}/site/wwwroot:/var/www/html + - ${WEBAPP_STORAGE_HOME}/phpmyadmin:/var/www/phpmyadmin + - ${WEBAPP_STORAGE_HOME}/LogFiles:/var/log +``` + +### Preview limitations + +Multi-container is currently in preview. 
The following App Service platform features are not supported: + +- Authentication / Authorization +- Managed Identities + +### Docker Compose options + +The following lists show supported and unsupported Docker Compose configuration options: + +#### Supported options + +- command +- entrypoint +- environment +- image +- ports +- restart +- services +- volumes + +#### Unsupported options + +- build (not allowed) +- depends_on (ignored) +- networks (ignored) +- secrets (ignored) +- ports other than 80 and 8080 (ignored) + +> [!NOTE] +> Any other options not explicitly called out are ignored in Public Preview. + +### Kubernetes configuration options + +The following configuration options are supported for Kubernetes: + +- args +- command +- containers +- image +- name +- ports +- spec + +> [!NOTE] +> Any other options not explicitly called out aren't supported in Public Preview. +> + +## Next steps + +> [!div class="nextstepaction"] +> [Tutorial: Deploy from private container repository](tutorial-custom-docker-image.md) + +> [!div class="nextstepaction"] +> [Tutorial: Multi-container WordPress app](tutorial-multi-container-app.md)
diff --git a/articles/app-service/containers/configure-language-dotnetcore.md b/articles/app-service/containers/configure-language-dotnetcore.md
new file mode 100644
index 0000000000000..285370da40d09
--- /dev/null
+++ b/articles/app-service/containers/configure-language-dotnetcore.md
@@ -0,0 +1,144 @@ +--- +title: Configure ASP.NET Core apps - Azure App Service | Microsoft Docs +description: Learn how to configure ASP.NET Core apps to work in Azure App Service +services: app-service +documentationcenter: '' +author: cephalin +manager: jpconnock +editor: '' + +ms.service: app-service +ms.workload: na +ms.tgt_pltfrm: na +ms.devlang: dotnet +ms.topic: article +ms.date: 03/28/2019 +ms.author: cephalin + +--- + +# Configure a Linux ASP.NET Core app for Azure App Service + +ASP.NET Core apps must be deployed as compiled binaries. The Visual Studio publishing tool builds the solution and then deploys the compiled binaries directly, whereas the App Service deployment engine deploys the code repository first and then compiles the binaries. + +This guide provides key concepts and instructions for ASP.NET Core developers who use a built-in Linux container in App Service. If you've never used Azure App Service, follow the [ASP.NET Core quickstart](quickstart-dotnetcore.md) and [ASP.NET Core with SQL Database tutorial](tutorial-dotnetcore-sqldb-app.md) first. + +## Show .NET Core version + +To show the current .NET Core version, run the following command in the [Cloud Shell](https://shell.azure.com): + +```azurecli-interactive +az webapp config show --resource-group --name --query linuxFxVersion +``` + +To show all supported .NET Core versions, run the following command in the [Cloud Shell](https://shell.azure.com): + +```azurecli-interactive +az webapp list-runtimes --linux | grep DOTNETCORE +``` + +## Set .NET Core version + +Run the following command in the [Cloud Shell](https://shell.azure.com) to set the .NET Core version to 2.1: + +```azurecli-interactive +az webapp config set --name --resource-group --linux-fx-version "DOTNETCORE|2.1" +``` + +## Access environment variables + +In App Service, you can [set app settings](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#app-settings) outside of your app code. 
Then you can access them using the standard ASP.NET pattern: + +```csharp +include Microsoft.Extensions.Configuration; +// retrieve App Service app setting +System.Configuration.ConfigurationManager.AppSettings["MySetting"] +// retrieve App Service connection string +Configuration.GetConnectionString("MyDbConnection") +``` + +If you configure an app setting with the same name in App Service and in *Web.config*, the App Service value takes precedence over the Web.config value. The Web.config value lets you debug the app locally, but the App Service value lets your run the app in product with production settings. Connection strings work in the same way. This way, you can keep your application secrets outside of your code repository and access the appropriate values without changing your code. + +## Get detailed exceptions page + +When your ASP.NET app generates an exception in the Visual Studio debugger, the browser displays a detailed exception page, but in App Service that page is replaced by a generic **HTTP 500** error or **An error occurred while processing your request.** message. To display the detailed exception page in App Service, Add the `ASPNETCORE_ENVIRONMENT` app setting to your app by running the following command in the Cloud Shell. + +```azurecli-interactive +az webapp config appsettings set --name --resource-group --settings ASPNETCORE_ENVIRONMENT="Development" +``` + +## Detect HTTPS session + +In App Service, [SSL termination](https://wikipedia.org/wiki/TLS_termination_proxy) happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. 
If your app logic needs to know if the user requests are encrypted or not, configure the Forwarded Headers Middleware in *Startup.cs*: + +- Configure the middleware with [ForwardedHeadersOptions](https://docs.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.forwardedheadersoptions) to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers in `Startup.ConfigureServices`. +- Add private IP address ranges to the known networks, so that the middleware can trust the App Service load balancer. +- Invoke the [UseForwardedHeaders](https://docs.microsoft.com/dotnet/api/microsoft.aspnetcore.builder.forwardedheadersextensions.useforwardedheaders) method in `Startup.Configure` before calling other middlewares. + +Putting all three elements together, your code looks like the following example: + +```csharp +public void ConfigureServices(IServiceCollection services) +{ + services.AddMvc(); + + services.Configure(options => + { + options.ForwardedHeaders = + ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto; + options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("::ffff:10.0.0.0"), 104)); + options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("::ffff:192.168.0.0"), 112)); + options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("::ffff:172.16.0.0"), 108)); + }); +} + +public void Configure(IApplicationBuilder app, IHostingEnvironment env) +{ + app.UseForwardedHeaders(); + + ... + + app.UseMvc(); +} +``` + +For more information, see [Configure ASP.NET Core to work with proxy servers and load balancers](https://docs.microsoft.com/aspnet/core/host-and-deploy/proxy-load-balancer). + +## Deploy multi-project solutions + +When you deploy an ASP.NET repository to the deployment engine with a *.csproj* file in the root directory, the engine deploys the project. When you deploy an ASP.NET repository with an *.sln* file in the root directory, the engine picks the first Web Site or Web Application Project it finds as the App Service app. 
It's possible for the engine not to pick the project you want. + +To deploy a multi-project solution, you can specify the project to use in App Service in two different ways: + +### Using .deployment file + +Add a *.deployment* file to the repository root and add the following code: + +``` +[config] +project = /.csproj +``` + +### Using app settings + +In the Azure Cloud Shell, add an app setting to your App Service app by running the following CLI command. Replace *\*, *\*, and *\* with the appropriate values. + +```azurecli-interactive +az webapp config appsettings set --name --resource-group --settings PROJECT="/.csproj" +``` + +## Access diagnostic logs + +[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)] + +## Open SSH session in browser + +[!INCLUDE [Open SSH session in browser](../../../includes/app-service-web-ssh-connect-builtin-no-h.md)] + +## Next steps + +> [!div class="nextstepaction"] +> [Tutorial: ASP.NET Core app with SQL Database](tutorial-dotnetcore-sqldb-app.md) + +> [!div class="nextstepaction"] +> [App Service Linux FAQ](app-service-linux-faq.md)
\ No newline at end of file
diff --git a/articles/app-service/containers/configure-language-java.md b/articles/app-service/containers/configure-language-java.md
new file mode 100644
index 0000000000000..5900ddb4e7724
--- /dev/null
+++ b/articles/app-service/containers/configure-language-java.md
@@ -0,0 +1,409 @@
+---
+title: Configure Linux Java apps - Azure App Service | Microsoft Docs
+description: Learn how to configure Java apps running in Azure App Service on Linux.
+keywords: azure app service, web app, linux, oss, java
+services: app-service
+author: rloutlaw
+manager: angerobe
+ms.service: app-service
+ms.workload: na
+ms.tgt_pltfrm: na
+ms.devlang: java
+ms.topic: article
+ms.date: 03/28/2019
+ms.author: routlaw
+ms.custom: seodec18
+
+---
+
+# Configure a Linux Java app for Azure App Service
+
+Azure App Service on Linux lets Java developers to quickly build, deploy, and scale their Tomcat or Java Standard Edition (SE) packaged web applications on a fully managed Linux-based service. Deploy applications with Maven plugins from the command line or in editors like IntelliJ, Eclipse, or Visual Studio Code.
+
+This guide provides key concepts and instructions for Java developers who use a built-in Linux container in App Service. If you've never used Azure App Service, follow the [Java quickstart](quickstart-java.md) and [Java with PostgreSQL tutorial](tutorial-java-enterprise-postgresql-app.md) first.
+
+## Logging and debugging apps
+
+Performance reports, traffic visualizations, and health checkups are available for each app through the Azure portal. For more information, see [Azure App Service diagnostics overview](../overview-diagnostics.md).
+
+### SSH console access
+
+[!INCLUDE [Open SSH session in browser](../../../includes/app-service-web-ssh-connect-builtin-no-h.md)]
+
+### Stream diagnostic logs
+
+[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)]
+
+For more information, see [Streaming logs with the Azure CLI](../troubleshoot-diagnostic-logs.md#streaming-with-azure-cli).
+
+### App logging
+
+Enable [application logging](../troubleshoot-diagnostic-logs.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#enablediag) through the Azure portal or [Azure CLI](/cli/azure/webapp/log#az-webapp-log-config) to configure App Service to write your application's standard console output and standard console error streams to the local filesystem or Azure Blob Storage. Logging to the local App Service filesystem instance is disabled 12 hours after it is configured. If you need longer retention, configure the application to write output to a Blob storage container.
+
+If your application uses [Logback](https://logback.qos.ch/) or [Log4j](https://logging.apache.org/log4j) for tracing, you can forward these traces for review into Azure Application Insights using the logging framework configuration instructions in [Explore Java trace logs in Application Insights](/azure/application-insights/app-insights-java-trace-logs).
+
+## Customization and tuning
+
+Azure App Service for Linux supports out of the box tuning and customization through the Azure portal and CLI. Review the following articles for non-Java-specific web app configuration:
+
+- [Configure App Service settings](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json)
+- [Set up a custom domain](../app-service-web-tutorial-custom-domain.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json)
+- [Enable SSL](../app-service-web-tutorial-custom-ssl.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json)
+- [Add a CDN](../../cdn/cdn-add-to-web-app.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json)
+
+### Set Java runtime options
+
+To set allocated memory or other JVM runtime options in both the Tomcat and Java SE environments, set the JAVA_OPTS as shown below as an [application setting](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#app-settings). App Service Linux passes this setting as an environment variable to the Java runtime when it starts.
+
+In the Azure portal, under **Application Settings** for the web app, create a new app setting named `JAVA_OPTS` that includes the additional settings, such as `$JAVA_OPTS -Xms512m -Xmx1204m`.
+
+To configure the app setting from the Azure App Service Linux Maven plugin, add setting/value tags in the Azure plugin section. The following example sets a specific minimum and maximum Java heap size:
+
+```xml
+
+
+ JAVA_OPTS
+ $JAVA_OPTS -Xms512m -Xmx1204m
+
+
+```
+
+Developers running a single application with one deployment slot in their App Service plan can use the following options:
+
+- B1 and S1 instances: -Xms1024m -Xmx1024m
+- B2 and S2 instances: -Xms3072m -Xmx3072m
+- B3 and S3 instances: -Xms6144m -Xmx6144m
+
+
+When tuning application heap settings, review your App Service plan details and take into account multiple applications and deployment slot needs to find the optimal allocation of memory.
+
+### Turn on web sockets
+
+Turn on support for web sockets in the Azure portal in the **Application settings** for the application. You'll need to restart the application for the setting to take effect.
+
+Turn on web socket support using the Azure CLI with the following command:
+
+```azurecli-interactive
+az webapp config set --name --resource-group --web-sockets-enabled true
+```
+
+Then restart your application:
+
+```azurecli-interactive
+az webapp stop --name --resource-group
+az webapp start --name --resource-group
+```
+
+### Set default character encoding
+
+In the Azure portal, under **Application Settings** for the web app, create a new app setting named `JAVA_OPTS` with value `$JAVA_OPTS -Dfile.encoding=UTF-8`.
+
+Alternatively, you can configure the app setting using the App Service Maven plugin. Add the setting name and value tags in the plugin configuration:
+
+```xml
+
+
+ JAVA_OPTS
+ $JAVA_OPTS -Dfile.encoding=UTF-8
+
+
+```
+
+## Secure applications
+
+Java applications running in App Service for Linux have the same set of [security best practices](/azure/security/security-paas-applications-using-app-services) as other applications.
+
+### Authenticate users
+
+Set up app authentication in the Azure portal with the **Authentication and Authorization** option. From there, you can enable authentication using Azure Active Directory or social logins like Facebook, Google, or GitHub. Azure portal configuration only works when configuring a single authentication provider. For more information, see [Configure your App Service app to use Azure Active Directory login](../configure-authentication-provider-aad.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) and the related articles for other identity providers.
+
+If you need to enable multiple sign-in providers, follow the instructions in the [customize App Service authentication](../app-service-authentication-how-to.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) article.
+
+ Spring Boot developers can use the [Azure Active Directory Spring Boot starter](/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory?view=azure-java-stable) to secure applications using familiar Spring Security annotations and APIs.
+
+### Configure TLS/SSL
+
+Follow the instructions in the [Bind an existing custom SSL certificate](../app-service-web-tutorial-custom-ssl.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) to upload an existing SSL certificate and bind it to your application's domain name. By default your application will still allow HTTP connections-follow the specific steps in the tutorial to enforce SSL and TLS.
+
+## Configure APM platforms
+
+This section shows how to connect Java applications deployed on Azure App Service on Linux with the NewRelic and AppDynamics application performance monitoring (APM) platforms.
+
+[Configure New Relic](#configure-new-relic)
+[Configure AppDynamics](#configure-appdynamics)
+
+### Configure New Relic
+
+1. Create a NewRelic account at [NewRelic.com](https://newrelic.com/signup)
+2. Download the Java agent from NewRelic, it will have a file name similar to `newrelic-java-x.x.x.zip`.
+3. Copy your license key, you'll need it to configure the agent later.
+4. [SSH into your App Service instance](app-service-linux-ssh-support.md) and create a new directory `/home/site/wwwroot/apm`.
+5. Upload the unpacked NewRelic Java agent files into a directory under `/home/site/wwwroot/apm`. The files for your agent should be in `/home/site/wwwroot/apm/newrelic`.
+6. Modify the YAML file at `/home/site/wwwroot/apm/newrelic/newrelic.yml` and replace the placeholder license value with your own license key.
+7. In the Azure portal, browse to your application in App Service and create a new Application Setting.
+ - If your app is using **Java SE**, create an environment variable named `JAVA_OPTS` with the value `-javaagent:/home/site/wwwroot/apm/newrelic/newrelic.jar`.
+ - If you're using **Tomcat**, create an environment variable named `CATALINA_OPTS` with the value `-javaagent:/home/site/wwwroot/apm/newrelic/newrelic.jar`.
+ - If you're using **WildFly**, see the New Relic documentation [here](https://docs.newrelic.com/docs/agents/java-agent/additional-installation/wildfly-version-11-installation-java) for guidance about installing the Java agent and JBoss configuration.
+ - If you already have an environment variable for `JAVA_OPTS` or `CATALINA_OPTS`, append the `javaagent` option to the end of the current value.
+
+### Configure AppDynamics
+
+1. Create an AppDynamics account at [AppDynamics.com](https://www.appdynamics.com/community/register/)
+1. Download the Java agent from the AppDynamics website, the file name will be similar to `AppServerAgent-x.x.x.xxxxx.zip`
+1. [SSH into your App Service instance](app-service-linux-ssh-support.md) and create a new directory `/home/site/wwwroot/apm`.
+1. Upload the Java agent files into a directory under `/home/site/wwwroot/apm`. The files for your agent should be in `/home/site/wwwroot/apm/appdynamics`.
+1. In the Azure portal, browse to your application in App Service and create a new Application Setting.
+ - If you're using **Java SE**, create an environment variable named `JAVA_OPTS` with the value `-javaagent:/home/site/wwwroot/apm/appdynamics/javaagent.jar -Dappdynamics.agent.applicationName=` where `` is your App Service name.
+ - If you're using **Tomcat**, create an environment variable named `CATALINA_OPTS` with the value `-javaagent:/home/site/wwwroot/apm/appdynamics/javaagent.jar -Dappdynamics.agent.applicationName=` where `` is your App Service name.
+ - If you're using **WildFly**, see the AppDynamics documentation [here](https://docs.appdynamics.com/display/PRO45/JBoss+and+Wildfly+Startup+Settings) for guidance about installing the Java agent and JBoss configuration.
+
+## Configure Tomcat
+
+### Connect to data sources
+
+>[!NOTE]
+> If your application uses the Spring Framework or Spring Boot, you can set database connection information for Spring Data JPA as environment variables [in your application properties file]. Then use [app settings](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#app-settings) to define these values for your application in the Azure portal or CLI.
+
+These instructions apply to all database connections. You will need to fill placeholders with your chosen database's driver class name and JAR file. Provided is a table with class names and driver downloads for common databases.
+
+| Database | Driver Class Name | JDBC Driver |
+|------------|-----------------------------------------------|------------------------------------------------------------------------------------------|
+| PostgreSQL | `org.postgresql.Driver` | [Download](https://jdbc.postgresql.org/download.html) |
+| MySQL | `com.mysql.jdbc.Driver` | [Download](https://dev.mysql.com/downloads/connector/j/) (Select "Platform Independent") |
+| SQL Server | `com.microsoft.sqlserver.jdbc.SQLServerDriver` | [Download](https://docs.microsoft.com/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server?view=sql-server-2017#available-downloads-of-jdbc-driver-for-sql-server) |
+
+To configure Tomcat to use Java Database Connectivity (JDBC) or the Java Persistence API (JPA), first customize the `CATALINA_OPTS` environment variable that is read in by Tomcat at start-up. Set these values through an app setting in the [App Service Maven plugin](https://github.com/Microsoft/azure-maven-plugins/blob/develop/azure-webapp-maven-plugin/README.md):
+
+```xml
+
+
+ CATALINA_OPTS
+ "$CATALINA_OPTS -Ddbuser=${DBUSER} -Ddbpassword=${DBPASSWORD} -DconnURL=${CONNURL}"
+
+
+```
+
+Or set the environment variables in the "Application Settings" blade in the Azure portal.
+
+Next, determine if the data source should be available to one application or to all applications running on the Tomcat servlet.
+
+#### Application-level data sources
+
+1. Create a `context.xml` file in the `META-INF/` directory of your project. Create the `META-INF/` directory if it does not exist.
+
+2. In `context.xml`, add a `Context` element to link the data source to a JNDI address. Replace the `driverClassName` placeholder with your driver's class name from the table above.
+
+ ```xml
+
+
+ ```
+
+3. Update your application's `web.xml` to use the data source in your application.
+
+ ```xml
+
+ jdbc/dbconnection
+ javax.sql.DataSource
+
+ ```
+
+#### Shared server-level resources
+
+1. Copy the contents of `/usr/local/tomcat/conf` into `/home/tomcat/conf` on your App Service Linux instance using SSH if you don't have a configuration there already.
+ ```
+ mkdir -p /home/tomcat
+ cp -a /usr/local/tomcat/conf /home/tomcat/conf
+ ```
+
+2. Add a Context element in your `server.xml` within the `` element.
+
+ ```xml
+
+ ...
+
+
+
+ ...
+
+ ```
+
+3. Update your application's `web.xml` to use the data source in your application.
+
+ ```xml
+
+ jdbc/dbconnection
+ javax.sql.DataSource
+
+ ```
+
+#### Finalize configuration
+
+Finally, place the driver JARs in the Tomcat classpath and restart your App Service.
+
+1. Ensure that the JDBC driver files are available to the Tomcat classloader by placing them in the `/home/tomcat/lib` directory. (Create this directory if it does not already exist.) To upload these files to your App Service instance, perform the following steps:
+ 1. In the [Cloud Shell](https://shell.azure.com), install the webapp extension:
+
+ ```azurecli-interactive
+ az extension add -–name webapp
+ ```
+
+ 2. Run the following CLI command to create an SSH tunnel from your local system to App Service:
+
+ ```azurecli-interactive
+ az webapp remote-connection create --resource-group --name --port
+ ```
+
+ 3. Connect to the local tunneling port with your SFTP client and upload the files to the `/home/tomcat/lib` folder.
+
+ Alternatively, you can use an FTP client to upload the JDBC driver. Follow these [instructions for getting your FTP credentials](../deploy-configure-credentials.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json).
+
+2. If you created a server-level data source, restart the App Service Linux application. Tomcat will reset `CATALINA_HOME` to `/home/tomcat/conf` and use the updated configuration.
+
+## Configure WildFly server
+
+[Scale with App Service](#scale-with-app-service)
+[Customize application server configuration](#customize-application-server-configuration)
+[Modules and dependencies](#modules-and-dependencies)
+[Data sources](#data-sources)
+[Enable messaging providers](#enable-messaging-providers)
+[Configure session management caching](#configure-session-management-caching)
+
+### Scale with App Service
+
+The WildFly application server running in App Service on Linux runs in standalone mode, not in a domain configuration. When you scale out the App Service Plan, each WildFly instance is configured as a standalone server.
+
+ Scale your application vertically or horizontally with [scale rules](../../monitoring-and-diagnostics/monitoring-autoscale-get-started.md) and by [increasing your instance count](../web-sites-scale.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json).
+
+### Customize application server configuration
+
+Web App instances are stateless, so each new instance started must be configured on startup to support the Wildfly configuration needed by application.
+You can write a startup Bash script to call the WildFly CLI to:
+
+- Set up data sources
+- Configure messaging providers
+- Add other modules and dependencies to the Wildfly server configuration.
+
+ The script runs when Wildfly is up and running, but before the application starts. The script should use the [JBOSS CLI](https://docs.jboss.org/author/display/WFLY/Command+Line+Interface) called from `/opt/jboss/wildfly/bin/jboss-cli.sh` to configure the application server with any configuration or changes needed after the server starts.
+
+Do not use the interactive mode of the CLI to configure Wildfly. Instead, you can provide a script of commands to the JBoss CLI using the `--file` command, for example:
+
+```bash
+/opt/jboss/wildfly/bin/jboss-cli.sh -c --file=/path/to/your/jboss_commands.cli
+```
+
+Upload the startup script to `/home/site/deployments/tools` in your App Service instance. See [this document](../deploy-configure-credentials.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#userscope) for instructions on getting your FTP credentials.
+
+Set the **Startup Script** field in the Azure portal to the location of your startup shell script, for example `/home/site/deployments/tools/your-startup-script.sh`.
+
+Supply [app settings](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#app-settings) in the application configuration to pass environment variables for use in the script. Application settings keep connection strings and other secrets needed to configure your application out of version control.
+
+### Modules and dependencies
+
+To install modules and their dependencies into the Wildfly classpath via the JBoss CLI, you will need to create the following files in their own directory. Some modules and dependencies might need additional configuration such as JNDI naming or other API-specific configuration, so this list is a minimum set of what you'll need to configure a dependency in most cases.
+
+- An [XML module descriptor](https://jboss-modules.github.io/jboss-modules/manual/#descriptors). This XML file defines the name, attributes, and dependencies of your module. This [example module.xml file](https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/6/html/administration_and_configuration_guide/example_postgresql_xa_datasource) defines a Postgres module, its JAR file JDBC dependency, and other module dependencies required.
+- Any necessary JAR file dependencies for your module.
+- A script with your JBoss CLI commands to configure the new module. This file will contain your commands to be executed by the JBoss CLI to configure the server to use the dependency. For documentation on the commands to add modules, datasources, and messaging providers, refer to [this document](https://access.redhat.com/documentation/red_hat_jboss_enterprise_application_platform/7.0/html-single/management_cli_guide/#how_to_cli).
+- A Bash startup script to call the JBoss CLI and execute the script in the previous step. This file will be executed when your App Service instance is restarted or when new instances are provisioned during a scale-out. This startup script is where you can perform any other configurations for your application as the JBoss commands are passed to the JBoss CLI. At minimum, this file can be a single command to pass your JBoss CLI command script to the JBoss CLI:
+
+```bash
+`/opt/jboss/wildfly/bin/jboss-cli.sh -c --file=/path/to/your/jboss_commands.cli`
+```
+
+Once you have the files and content for your module, follow the steps below to add the module to the Wildfly application server.
+
+1. FTP your files to `/home/site/deployments/tools` in your App Service instance. See this document for instructions on getting your FTP credentials.
+2. In the Application Settings blade of the Azure portal, set the “Startup Script” field to the location of your startup shell script, for example `/home/site/deployments/tools/your-startup-script.sh` .
+3. Restart your App Service instance by pressing the **Restart** button in the **Overview** section of the Portal or using the Azure CLI.
+
+### Data sources
+
+To configure Wildfly for a data source connection, follow the same process outlined above in the Installing Modules and Dependencies section. You can follow the same steps for any Azure Database service.
+
+1. Download the JDBC driver for your database flavor. For convenience, here are the drivers for [Postgres](https://jdbc.postgresql.org/download.html) and [MySQL](https://dev.mysql.com/downloads/connector/j/). Unpack the download to get the .jar file.
+2. Follow the steps outline in "Modules and Dependencies" to create and upload your XML module descriptor, JBoss CLI script, startup script, and JDBC .jar dependency.
+
+More information on configuring Wildfly with [PostgreSQL](https://developer.jboss.org/blogs/amartin-blog/2012/02/08/how-to-set-up-a-postgresql-jdbc-driver-on-jboss-7) , [MySQL](https://docs.jboss.org/jbossas/docs/Installation_And_Getting_Started_Guide/5/html/Using_other_Databases.html#Using_other_Databases-Using_MySQL_as_the_Default_DataSource), and [SQL Database](https://docs.jboss.org/jbossas/docs/Installation_And_Getting_Started_Guide/5/html/Using_other_Databases.html#d0e3898) is available. You can use these customized instructions along with the generalized approach above to add data source definitions to your server.
+
+### Enable messaging providers
+
+To enable message driven Beans using Service Bus as the messaging mechanism:
+
+1. Use the [Apache QPId JMS messaging library](https://qpid.apache.org/proton/index.html). Include this dependency in your pom.xml (or other build file) for the application.
+
+2. Create [Service Bus resources](/azure/service-bus-messaging/service-bus-java-how-to-use-jms-api-amqp). Create an Azure Service Bus namespace and queue within that namespace and a Shared Access Policy with send and receive capabilities.
+
+3. Pass the shared access policy key to your code either by URL-encoding the primary key of your policy or [Use the Service Bus SDK](/azure/service-bus-messaging/service-bus-java-how-to-use-jms-api-amqp#setup-jndi-context-and-configure-the-connectionfactory).
+
+4. Follow the steps outlined in the Installing Modules and Dependencies section with your module XML descriptor, .jar dependencies, JBoss CLI commands, and startup script for the JMS provider. In addition to the four files, you will also need to create an XML file that defines the JNDI name for the JMS queue and topic. See [this repository](https://github.com/JasonFreeberg/widlfly-server-configs/tree/master/appconfig) for reference configuration files.
+
+### Configure session management caching
+
+By default App Service on Linux will use session affinity cookies to ensure that client requests with existing sessions are routed the same instance of your application. This default behavior requires no configuration but has some limitations:
+
+- If an application instance is restarted or scaled down, the user session state in the application server will be lost.
+- If applications have long session time out settings or a fixed number of users, it can take some time for autoscaled new instances to receive load since only new sessions will be routed to the newly started instances.
+
+You can configure Wildfly to use an external session store such as [Azure Cache for Redis](/azure/azure-cache-for-redis/). You will need to [disable the existing ARR Instance Affinity](https://azure.microsoft.com/blog/disabling-arrs-instance-affinity-in-windows-azure-web-sites/) configuration to turn off the session cookie-based routing and allow the configured Wildfly session store to operate without interference.
+
+## Docker containers
+
+To use the Azure-supported Zulu JDK in your containers, make sure to pull and use the pre-built images as documented from the [supported Azul Zulu Enterprise for Azure download page](https://www.azul.com/downloads/azure-only/zulu/) or use the `Dockerfile` examples from the [Microsoft Java GitHub repo](https://github.com/Microsoft/java/tree/master/docker).
+
+## Statement of support
+
+### Runtime availability
+
+App Service for Linux supports two runtimes for managed hosting of Java web applications:
+
+- The [Tomcat servlet container](https://tomcat.apache.org/) for running applications packaged as web archive (WAR) files. Supported versions are 8.5 and 9.0.
+- Java SE runtime environment for running applications packaged as Java archive (JAR) files. Supported versions are Java 8 and 11.
+
+### JDK versions and maintenance
+
+Azure's supported Java Development Kit (JDK) is [Zulu](https://www.azul.com/downloads/azure-only/zulu/) provided through [Azul Systems](https://www.azul.com/).
+
+Major version updates will be provided through new runtime options in Azure App Service for Linux. Customers update to these newer versions of Java by configuring their App Service deployment and are responsible for testing and ensuring the major update meets their needs.
+
+Supported JDKs are automatically patched on a quarterly basis in January, April, July, and October of each year.
+
+### Security updates
+
+Patches and fixes for major security vulnerabilities will be released as soon as they become available from Azul Systems. A "major" vulnerability is defined by a base score of 9.0 or higher on the [NIST Common Vulnerability Scoring System, version 2](https://nvd.nist.gov/cvss.cfm).
+
+### Deprecation and retirement
+
+If a supported Java runtime will be retired, Azure developers using the affected runtime will be given a deprecation notice at least six months before the runtime is retired.
+
+### Local development
+
+Developers can download the Production Edition of Azul Zulu Enterprise JDK for local development from [Azul's download site](https://www.azul.com/downloads/azure-only/zulu/).
+
+### Development support
+
+Product support for the [Azure-supported Azul Zulu JDK](https://www.azul.com/downloads/azure-only/zulu/) is available through when developing for Azure or [Azure Stack](https://azure.microsoft.com/overview/azure-stack/) with a [qualified Azure support plan](https://azure.microsoft.com/support/plans/).
+
+### Runtime support
+
+Developers can [open an issue](/azure/azure-supportability/how-to-create-azure-support-request) with the Azul Zulu JDKs through Azure Support if they have a [qualified support plan](https://azure.microsoft.com/support/plans/).
+
+## Next steps
+
+Visit the [Azure for Java Developers](/java/azure/) center to find Azure quickstarts, tutorials, and Java reference documentation.
+
+General questions about using App Service for Linux that aren't specific to the Java development are answered in the [App Service Linux FAQ](app-service-linux-faq.md).
\ No newline at end of file
diff --git a/articles/app-service/containers/configure-language-nodejs.md b/articles/app-service/containers/configure-language-nodejs.md
new file mode 100644
index 0000000000000..f1e4ee161408e
--- /dev/null
+++ b/articles/app-service/containers/configure-language-nodejs.md
@@ -0,0 +1,260 @@
+---
+title: Configure Node.js apps - Azure App Service | Microsoft Docs
+description: Learn how to configure Node.js apps to work in Azure App Service
+services: app-service
+documentationcenter: ''
+author: cephalin
+manager: jpconnock
+editor: ''
+
+ms.service: app-service
+ms.workload: na
+ms.tgt_pltfrm: na
+ms.devlang: dotnet
+ms.topic: article
+ms.date: 03/28/2019
+ms.author: cephalin
+---
+
+# Configure a Linux Node.js app for Azure App Service
+
+Node.js apps must be deployed with all the required NPM dependencies. The App Service deployment engine (Kudu) automatically runs `npm install --production` for you when you deploy a [Git repository](../deploy-local-git.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json), or a [Zip package](../deploy-zip.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) with build processes switched on. If you deploy your files using [FTP/S](../deploy-ftp.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json), however, you need to upload the required packages manually.
+
+This guide provides key concepts and instructions for Node.js developers who use a built-in Linux container in App Service. If you've never used Azure App Service, follow the [Node.js quickstart](quickstart-nodejs.md) and [Node.js with MongoDB tutorial](tutorial-nodejs-mongodb-app.md) first.
+
+## Show Node.js version
+
+To show the current Node.js version, run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp config show --resource-group --name --query linuxFxVersion
+```
+
+To show all supported Node.js versions, run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp list-runtimes --linux | grep NODE
+```
+
+## Set Node.js version
+
+To set your app to a [supported Node.js version](#show-nodejs-version), run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp config set --resource-group --name --linux-fx-version "NODE|10.14"
+```
+
+This setting specifies the Node.js version to use, both at runtime and during automated package restore in Kudu.
+
+> [!NOTE]
+> You should set the Node.js version in your project's `package.json`. The deployment engine runs in a separate container that contains all the supported Node.js versions.
+
+## Configure Node.js server
+
+The Node.js containers come with [PM2](http://pm2.keymetrics.io/), a production process manager. You can configure your app to start with PM2, or with NPM, or with a custom command.
+
+- [Run custom command](#run-custom-command)
+- [Run npm start](#run-npm-start)
+- [Run with PM2](#run-with-pm2)
+
+### Run custom command
+
+App Service can start your app using a custom command, such as an executable like *run.sh*. For example, to run `npm run start:prod`, run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp config set --resource-group --name --startup-file "npm run start:prod"
+```
+
+### Run npm start
+
+To start your app using `npm start`, just make sure a `start` script is in the *package.json* file. For example:
+
+```json
+{
+ ...
+ "scripts": {
+ "start": "gulp",
+ ...
+ },
+ ...
+}
+```
+
+To use a custom *package.json* in your project, run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp config set --resource-group --name --startup-file ".json"
+```
+
+### Run with PM2
+
+The container automatically starts your app with PM2 when one of the common Node.js files is found in your project:
+
+- *bin/www*
+- *server.js*
+- *app.js*
+- *index.js*
+- *hostingstart.js*
+- One of the following [PM2 files](http://pm2.keymetrics.io/docs/usage/application-declaration/#process-file): *process.json* and *ecosystem.config.js*
+
+You can also configure a custom start file with the following extensions:
+
+- A *.js* file
+- A [PM2 file](http://pm2.keymetrics.io/docs/usage/application-declaration/#process-file) with the extension *.json*, *.config.js*, *.yaml*, or *.yml*
+
+To add a custom start file, run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp config set --resource-group --name --startup-file ""
+```
+
+## Debug remotely
+
+> [!NOTE]
+> Remote debugging is currently in Preview.
+
+You can debug your Node.js app remotely in [Visual Studio Code](https://code.visualstudio.com/) if you configure it to [run with PM2](#run-with-pm2), except when you run it using a *.config.js, *.yml, or *.yaml*.
+
+In most cases, no extra configuration is required for your app. If your app is run with a *process.json* file (default or custom), it must have a `script` property in the JSON root. For example:
+
+```json
+{
+ "name" : "worker",
+ "script" : "./index.js",
+ ...
+}
+```
+
+To set up Visual Studio Code for remote debugging, install the [App Service extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureappservice). Follow the instructions on the extension page and sign in to Azure in Visual Studio Code.
+
+In the Azure explorer, find the app you want to debug, right-click it and select **Start Remote Debugging**. Click **Yes** to enable it for your app. App Service starts a tunnel proxy for you and attaches the debugger. You can then make requests to the app and see the debugger pausing at break points.
+
+Once finished with debugging, stop the debugger by selecting **Disconnect**. When prompted, you should click **Yes** to disable remote debugging. To disable it later, right-click your app again in the Azure explorer and select **Disable Remote Debugging**.
+
+## Access environment variables
+
+In App Service, you can [set app settings](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#app-settings) outside of your app code. Then you can access them using the standard Node.js pattern. For example, to access an app setting called `NODE_ENV`, use the following code:
+
+```javascript
+process.env.NODE_ENV
+```
+
+## Run Grunt/Bower/Gulp
+
+By default, Kudu runs `npm install --production` when it recognizes a Node.js app is deployed. If your app requires any of the popular automation tools, such as Grunt, Bower, or Gulp, you need to supply a [custom deployment script](https://github.com/projectkudu/kudu/wiki/Custom-Deployment-Script) to run it.
+
+To enable your repository to run these tools, you need to add them to the dependencies in *package.json.* For example:
+
+```json
+"dependencies": {
+ "bower": "^1.7.9",
+ "grunt": "^1.0.1",
+ "gulp": "^3.9.1",
+ ...
+}
+```
+
+From a local terminal window, change directory to your repository root and run the following commands:
+
+```bash
+npm install kuduscript -g
+kuduscript --node --scriptType bash --suppressPrompt
+```
+
+Your repository root now has two additional files: *.deployment* and *deploy.sh*.
+
+Open *deploy.sh* and find the `Deployment` section, which looks like this:
+
+```bash
+##################################################################################################################################
+# Deployment
+# ----------
+```
+
+This section ends with running `npm install --production`. Add the code section you need to run the required tool *at the end* of the `Deployment` section:
+
+- [Bower](#bower)
+- [Gulp](#gulp)
+- [Grunt](#grunt)
+
+See an [example in the MEAN.js sample](https://github.com/Azure-Samples/meanjs/blob/master/deploy.sh#L112-L135), where the deployment script also runs a custom `npm install` command.
+
+### Bower
+
+This snippet runs `bower install`.
+
+```bash
+if [ -e "$DEPLOYMENT_TARGET/bower.json" ]; then
+ cd "$DEPLOYMENT_TARGET"
+ eval ./node_modules/.bin/bower install
+ exitWithMessageOnError "bower failed"
+ cd - > /dev/null
+fi
+```
+
+### Gulp
+
+This snippet runs `gulp imagemin`.
+
+```bash
+if [ -e "$DEPLOYMENT_TARGET/gulpfile.js" ]; then
+ cd "$DEPLOYMENT_TARGET"
+ eval ./node_modules/.bin/gulp imagemin
+ exitWithMessageOnError "gulp failed"
+ cd - > /dev/null
+fi
+```
+
+### Grunt
+
+This snippet runs `grunt`.
+
+```bash
+if [ -e "$DEPLOYMENT_TARGET/Gruntfile.js" ]; then
+ cd "$DEPLOYMENT_TARGET"
+ eval ./node_modules/.bin/grunt
+ exitWithMessageOnError "Grunt failed"
+ cd - > /dev/null
+fi
+```
+
+## Detect HTTPS session
+
+In App Service, [SSL termination](https://wikipedia.org/wiki/TLS_termination_proxy) happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted or not, inspect the `X-Forwarded-Proto` header.
+
+Popular web frameworks let you access the `X-Forwarded-*` information in your standard app pattern. In [Express](https://expressjs.com/), you can use [trust proxies](http://expressjs.com/guide/behind-proxies.html). For example:
+
+```javascript
+app.set('trust proxy', 1)
+...
+if (req.secure) {
+ // Do something when HTTPS is used
+}
+```
+
+## Access diagnostic logs
+
+[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)]
+
+## Open SSH session in browser
+
+[!INCLUDE [Open SSH session in browser](../../../includes/app-service-web-ssh-connect-builtin-no-h.md)]
+
+## Troubleshooting
+
+When a working Node.js app behaves differently in App Service or has errors, try the following:
+
+- [Access the log stream](#access-diagnostic-logs).
+- Test the app locally in production mode. App Service runs your Node.js apps in production mode, so you need to make sure that your project works as expected in production mode locally. For example:
+ - Depending on your *package.json*, different packages may be installed for production mode (`dependencies` vs. `devDependencies`).
+ - Certain web frameworks may deploy static files differently in production mode.
+ - Certain web frameworks may use custom startup scripts when running in production mode.
+- Run your app in App Service in development mode. For example, in [MEAN.js](http://meanjs.org/), you can set your app to development mode in runtime by [setting the `NODE_ENV` app setting](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Node.js app with MongoDB](tutorial-nodejs-mongodb-app.md)
+
+> [!div class="nextstepaction"]
+> [App Service Linux FAQ](app-service-linux-faq.md)
\ No newline at end of file
diff --git a/articles/app-service/containers/configure-language-php.md b/articles/app-service/containers/configure-language-php.md
new file mode 100644
index 0000000000000..485ac4cb4e484
--- /dev/null
+++ b/articles/app-service/containers/configure-language-php.md
@@ -0,0 +1,255 @@
+---
+title: Configure PHP apps - Azure App Service | Microsoft Docs
+description: Learn how to configure PHP apps to work in Azure App Service
+services: app-service
+documentationcenter: ''
+author: cephalin
+manager: jpconnock
+editor: ''
+
+ms.service: app-service
+ms.workload: na
+ms.tgt_pltfrm: na
+ms.devlang: dotnet
+ms.topic: article
+ms.date: 03/28/2019
+ms.author: cephalin
+
+---
+
+# Configure a Linux PHP app for Azure App Service
+
+This guide shows you how to configure the built-in PHP runtime for web apps, mobile back ends, and API apps in Azure App Service.
+
+This guide provides key concepts and instructions for PHP developers who use a built-in Linux container in App Service. If you've never used Azure App Service, follow the [PHP quickstart](quickstart-php.md) and [PHP with MySQL tutorial](tutorial-php-mysql-app.md) first.
+
+## Show PHP version
+
+To show the current PHP version, run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp config show --resource-group --name --query linuxFxVersion
+```
+
+To show all supported PHP versions, run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp list-runtimes --linux | grep PHP
+```
+
+## Set PHP version
+
+Run the following command in the [Cloud Shell](https://shell.azure.com) to set the PHP version to 7.2:
+
+```azurecli-interactive
+az webapp config set --name --resource-group --linux-fx-version "PHP|7.2"
+```
+
+## Run Composer
+
+By default, Kudu doesn't run [Composer](https://getcomposer.org/). To enable Composer automation during Kudu deployment, you need to supply a [custom deployment script](https://github.com/projectkudu/kudu/wiki/Custom-Deployment-Script).
+
+From a local terminal window, change directory to your repository root. Follow the [command-line installation steps](https://getcomposer.org/download/) to download *composer.phar*.
+
+Run the following commands:
+
+```bash
+npm install kuduscript -g
+kuduscript --php --scriptType bash --suppressPrompt
+```
+
+Your repository root now has two new files in addition to *composer.phar*: *.deployment* and *deploy.sh*. These files work both for Windows and Linux flavors of App Service.
+
+Open *deploy.sh* and find the `Deployment` section. Replace the whole section with the following code:
+
+```bash
+##################################################################################################################################
+# Deployment
+# ----------
+
+echo PHP deployment
+
+# 1. KuduSync
+if [[ "$IN_PLACE_DEPLOYMENT" -ne "1" ]]; then
+ "$KUDU_SYNC_CMD" -v 50 -f "$DEPLOYMENT_SOURCE" -t "$DEPLOYMENT_TARGET" -n "$NEXT_MANIFEST_PATH" -p "$PREVIOUS_MANIFEST_PATH" -i ".git;.hg;.deployment;deploy.sh"
+ exitWithMessageOnError "Kudu Sync failed"
+fi
+
+# 3. Initialize Composer Config
+initializeDeploymentConfig
+
+# 4. Use composer
+echo "$DEPLOYMENT_TARGET"
+if [ -e "$DEPLOYMENT_TARGET/composer.json" ]; then
+ echo "Found composer.json"
+ pushd "$DEPLOYMENT_TARGET"
+ php composer.phar install $COMPOSER_ARGS
+ exitWithMessageOnError "Composer install failed"
+ popd
+fi
+##################################################################################################################################
+```
+
+Commit all your changes and deploy your code again. Composer should now be running as part of deployment automation.
+
+## Customize start-up
+
+By default, the built-in PHP container run the Apache server. At start-up, it runs `apache2ctl -D FOREGROUND"`.
If you like, you can run a different command at start-up, by running the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp config set --resource-group --name --startup-file ""
+```
+
+## Access environment variables
+
+In App Service, you can [set app settings](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#app-settings) outside of your app code. Then you can access them using the standard [getenv()](https://secure.php.net/manual/function.getenv.php) pattern. For example, to access an app setting called `DB_HOST`, use the following code:
+
+```php
+getenv("DB_HOST")
+```
+
+## Change site root
+
+The web framework of your choice may use a subdirectory as the site root. For example, [Laravel](https://laravel.com/), uses the `public/` subdirectory as the site root.
+
+The default PHP image for App Service uses Apache, and it doesn't let you customize the site root for your app. To work around this limitation, add an *.htaccess* file to your repository root with the following content:
+
+```
+
+ RewriteEngine on
+
+ RewriteRule ^.*$ /public/$1 [NC,L,QSA]
+
+```
+
+If you would rather not use *.htaccess* rewrite, you can deploy your Laravel application with a [custom Docker image](quickstart-docker-go.md) instead.
+
+## Detect HTTPS session
+
+In App Service, [SSL termination](https://wikipedia.org/wiki/TLS_termination_proxy) happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted or not, inspect the `X-Forwarded-Proto` header.
+
+```php
+if (isset($_SERVER['X-Forwarded-Proto']) && $_SERVER['X-Forwarded-Proto'] === 'https') {
+ // Do something when HTTPS is used
+}
+```
+
+Popular web frameworks let you access the `X-Forwarded-*` information in your standard app pattern.
In [CodeIgniter](https://codeigniter.com/), the [is_https()](https://github.com/bcit-ci/CodeIgniter/blob/master/system/core/Common.php#L338-L365) checks the value of `X_FORWARDED_PROTO` by default.
+
+## Customize php.ini settings
+
+If you need to make changes to your PHP installation, you can change any of the [php.ini directives](http://www.php.net/manual/ini.list.php) by following these steps.
+
+> [!NOTE]
+> The best way to see the PHP version and the current *php.ini* configuration is to call [phpinfo()](https://php.net/manual/function.phpinfo.php) in your app.
+>
+
+### Customize non-PHP_INI_SYSTEM directives
+
+To customize PHP_INI_USER, PHP_INI_PERDIR, and PHP_INI_ALL directives (see [php.ini directives](http://www.php.net/manual/ini.list.php)), add an *.htaccess* file to the root directory of your app.
+
+In the *.htaccess* file, add the directives using the `php_value ` syntax. For example:
+
+```
+php_value upload_max_filesize 1000M
+php_value post_max_size 2000M
+php_value memory_limit 3000M
+php_value max_execution_time 180
+php_value max_input_time 180
+php_value display_errors On
+php_value upload_max_filesize 10M
+```
+
+Redeploy your app with the changes and restart it. If you deploy it with Kudu (for example, using [Git](../deploy-local-git.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json)), it's automatically restarted after deployment.
+
+As an alternative to using *.htaccess*, you can use [ini_set()](http://www.php.net/manual/function.ini-set.php) in your app to customize these non-PHP_INI_SYSTEM directives.
+
+### Customize PHP_INI_SYSTEM directives
+
+To customize PHP_INI_SYSTEM directives (see [php.ini directives](http://www.php.net/manual/ini.list.php)), you can't use the *.htaccess* approach. App Service provides a separate mechanism using the `PHP_INI_SCAN_DIR` app setting.
+
+First, run the following command in the [Cloud Shell](https://shell.azure.com) to add an app setting called `PHP_INI_SCAN_DIR`:
+
+```azurecli-interactive
+az webapp config appsettings set --name --resource-group --settings PHP_INI_SCAN_DIR="/usr/local/etc/php/conf.d:/home/site/ini"
+```
+
+`/usr/local/etc/php/conf.d` is the default directory where *php.ini* exists. `/home/site/ini` is the custom directory in which you'll add a custom *.ini* file. You separate the values with a `:`.
+
+Navigate to the web SSH session with your Linux container (`https://cephalin-container.scm.azurewebsites.net/webssh/host`).
+
+Create a directory in `/home/site` called `ini`, then create an *.ini* file in the `/home/site/ini` directory (for example, *settings.ini)* with the directives you want to customize. Use the same syntax you would use in a *php.ini* file.
+
+> [!TIP]
+> In the built-in Linux containers in App Service, */home* is used as persisted shared storage.
+>
+
+For example, to change the value of [expose_php](http://php.net/manual/ini.core.php#ini.expose-php) run the following commands:
+
+```bash
+cd /home/site
+mkdir ini
+echo "expose_php = Off" >> ini/setting.ini
+```
+
+For the changes to take effect, restart the app.
+
+## Enable PHP extensions
+
+The built-in PHP installations contain the most commonly used extensions. You can enable additional extensions in the same way that you [customize php.ini directives](#customize-php_ini_system-directives).
+
+> [!NOTE]
+> The best way to see the PHP version and the current *php.ini* configuration is to call [phpinfo()](https://php.net/manual/function.phpinfo.php) in your app.
+>
+
+To enable additional extensions, by following these steps:
+
+Add a `bin` directory to the root directory of your app and put the `.so` extension files in it (for example, *mongodb.so*). Make sure that the extensions are compatible with the PHP version in Azure and are VC9 and non-thread-safe (nts) compatible.
+
+Deploy your changes.
+
+Follow the steps in [Customize PHP_INI_SYSTEM directives](#customize-php_ini_system-directives), add the extensions into the custom *.ini* file with the [extension](https://www.php.net/manual/ini.core.php#ini.extension) or [zend_extension](https://www.php.net/manual/ini.core.php#ini.zend-extension) directives.
+
+```ini
+extension=/home/site/wwwroot/bin/mongodb.so
+zend_extension=/home/site/wwwroot/bin/xdebug.so
+```
+
+For the changes to take effect, restart the app.
+
+## Access diagnostic logs
+
+[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)]
+
+## Open SSH session in browser
+
+[!INCLUDE [Open SSH session in browser](../../../includes/app-service-web-ssh-connect-builtin-no-h.md)]
+
+## Troubleshooting
+
+When a working PHP app behaves differently in App Service or has errors, try the following:
+
+- [Access the log stream](#access-diagnostic-logs).
+- Test the app locally in production mode. App Service runs your Node.js apps in production mode, so you need to make sure that your project works as expected in production mode locally. For example:
+ - Depending on your *composer.json*, different packages may be installed for production mode (`require` vs. `require-dev`).
+ - Certain web frameworks may deploy static files differently in production mode.
+ - Certain web frameworks may use custom startup scripts when running in production mode.
+- Run your app in App Service in debug mode. For example, in [Laravel](http://meanjs.org/), you can configure your app to output debug messages in production by [setting the `APP_DEBUG` app setting to `true`](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json).
+
+### robots933456
+
+You may see the following message in the container logs:
+
+```
+2019-04-08T14:07:56.641002476Z "-" - - [08/Apr/2019:14:07:56 +0000] "GET /robots933456.txt HTTP/1.1" 404 415 "-" "-"
+```
+
+You can safely ignore this message.
`/robots933456.txt` is a dummy URL path that App Service uses to check if the container is capable of serving requests. A 404 response simply indicates that the path doesn't exist, but it lets App Service know that the container is healthy and ready to respond to requests.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: PHP app with MySQL](tutorial-php-mysql-app.md)
+
+> [!div class="nextstepaction"]
+> [App Service Linux FAQ](app-service-linux-faq.md)
\ No newline at end of file
diff --git a/articles/app-service/containers/configure-language-ruby.md b/articles/app-service/containers/configure-language-ruby.md
new file mode 100644
index 0000000000000..f087955b5d917
--- /dev/null
+++ b/articles/app-service/containers/configure-language-ruby.md
@@ -0,0 +1,164 @@
+---
+title: Configure Ruby apps - Azure App Service
+description: This tutorial describes options for authoring and configuring Ruby apps for Azure App Service on Linux.
+services: app-service\web
+documentationcenter: ''
+author: cephalin
+manager: jeconnoc
+editor: ''
+
+ms.assetid:
+ms.service: app-service-web
+ms.workload: web
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: quickstart
+ms.date: 03/28/2019
+ms.author: astay;cephalin;kraigb
+ms.custom: mvc
+ms.custom: seodec18
+
+---
+
+# Configure a Linux Ruby app for Azure App Service
+
+This article describes how [Azure App Service](app-service-linux-intro.md) runs Ruby apps, and how you can customize the behavior of App Service when needed. Ruby apps must be deployed with all the required [pip](https://pypi.org/project/pip/) modules.
+
+This guide provides key concepts and instructions for Ruby developers who use a built-in Linux container in App Service. If you've never used Azure App Service, you should follow the [Ruby quickstart](quickstart-ruby.md) and [Ruby with PostgreSQL tutorial](tutorial-ruby-postgres-app.md) first.
+
+## Show Ruby version
+
+To show the current Ruby version, run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp config show --resource-group --name --query linuxFxVersion
+```
+
+To show all supported Ruby versions, run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp list-runtimes --linux | grep RUBY
+```
+
+You can run an unsupported version of Ruby by building your own container image instead. For more information, see [use a custom Docker image](tutorial-custom-docker-image.md).
+
+## Set Ruby version
+
+Run the following command in the [Cloud Shell](https://shell.azure.com) to set the Ruby version to 2.3:
+
+```azurecli-interactive
+az webapp config set --resource-group --name --linux-fx-version "RUBY|2.3"
+```
+
+> [!NOTE]
+> If you see errors similar to the following during deployment time:
+> ```
+> Your Ruby version is 2.3.3, but your Gemfile specified 2.3.1
+> ```
+> or
+> ```
+> rbenv: version `2.3.1' is not installed
+> ```
+> It means that the Ruby version configured in your project is different than the version that's installed in the container you're running (`2.3.3` in the example above). In the example above, check both *Gemfile* and *.ruby-version* and verify that the Ruby version is not set, or is set to the version that's installed in the container you're running (`2.3.3` in the example above).
+
+## Access environment variables
+
+In App Service, you can [set app settings](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#app-settings) outside of your app code. Then you can access them using the standard [ENV['']](https://ruby-doc.org/core-2.3.3/ENV.html) pattern. For example, to access an app setting called `WEBSITE_SITE_NAME`, use the following code:
+
+```ruby
+ENV['WEBSITE_SITE_NAME']
+```
+
+## Customize deployment
+
+When you deploy a [Git repository](../deploy-local-git.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json), or a [Zip package](../deploy-zip.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) with build processes switched on, the deployment engine (Kudu) automatically runs the following post-deployment steps by default:
+
+1. Check if a *Gemfile* exists.
+1. Run `bundle clean`.
+1. Run `bundle install --path "vendor/bundle"`.
+1. Run `bundle package` to package gems into vendor/cache folder.
+
+### Use --without flag
+
+To run `bundle install` with the [--without](https://bundler.io/man/bundle-install.1.html) flag, set the `BUNDLE_WITHOUT` [app setting](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) to a comma-separated list of groups. For example, the following command sets it to `development,test`.
+
+```azurecli-interactive
+az webapp config appsettings set --name --resource-group --settings BUNDLE_WITHOUT="development,test"
+```
+
+If this setting is defined, then the deployment engine runs `bundle install` with `--without $BUNDLE_WITHOUT`.
+
+### Precompile assets
+
+The post-deployment steps don't precompile assets by default. To turn on asset precompilation, set the `ASSETS_PRECOMPILE` [app setting](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) to `true`. Then the command `bundle exec rake --trace assets:precompile` is run at the end of the post-deployment steps. For example:
+
+```azurecli-interactive
+az webapp config appsettings set --name --resource-group --settings ASSETS_PRECOMPILE=true
+```
+
+For more information, see [Serve static assets](#serve-static-assets).
+
+## Customize start-up
+
+By default, the Ruby container starts the Rails server in the following sequence (for more information, see the [start-up script](https://github.com/Azure-App-Service/ruby/blob/master/2.3.8/startup.sh)):
+
+1. Generate a [secret_key_base](https://edgeguides.rubyonrails.org/security.html#environmental-security) value, if one doesn't exist already. This value is required for the app to run in production mode.
+1. Set the `RAILS_ENV` environment variable to `production`.
+1. Delete any *.pid* file in the *tmp/pids* directory that's left by a previously running Rails server.
+1. Check if all dependencies are installed. If not, try installing gems from the local *vendor/cache* directory.
+1. Run `rails server -e $RAILS_ENV`.
+
+You can customize the start-up process in the following ways:
+
+- [Serve static assets](#serve-static-assets)
+- [Run in non-production mode](#run-in-non-production-mode)
+- [Set secret_key_base manually](#set-secret_key_base-manually)
+
+### Serve static assets
+
+The Rails server in the Ruby container runs in production mode by default, and [assumes that assets are precompiled and are served by your web server](https://guides.rubyonrails.org/asset_pipeline.html#in-production). To serve static assets from the Rails server, you need to do two things:
+
+- **Precompile the assets** - [Precompile the static assets locally](https://guides.rubyonrails.org/asset_pipeline.html#local-precompilation) and deploy them manually. Or, let the deployment engine handle it instead (see [Precompile assets](#precompile-assets).
+- **Enable serving static files** - To serve static assets from the Ruby container, set the `RAILS_SERVE_STATIC_FILES` [set the `RAILS_SERVE_STATIC_FILES` app setting](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) to `true`. For example:
+
+ ```azurecli-interactive
+ az webapp config appsettings set --name --resource-group --settings RAILS_SERVE_STATIC_FILES=true
+ ```
+
+### Run in non-production mode
+
+The Rails server runs in production mode by default. To run in development mode, for example, set the `RAILS_ENV` [app setting](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) to `development`.
+
+```azurecli-interactive
+az webapp config appsettings set --name --resource-group --settings RAILS_ENV="development"
+```
+
+However, this setting alone causes the Rails server to start in development mode, which accepts localhost requests only and isn't accessible outside of the container. To accept remote client requests, set the `APP_COMMAND_LINE` [app setting](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) to `rails server -b 0.0.0.0`.
This app setting lets you run a custom command in the Ruby container. For example:
+
+```azurecli-interactive
+az webapp config appsettings set --name --resource-group --settings APP_COMMAND_LINE="rails server -b 0.0.0.0"
+```
+
+### Set secret_key_base manually
+
+To use your own `secret_key_base` value instead of letting App Service generate one for you, set the `SECRET_KEY_BASE` [app setting](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) with the value you want. For example:
+
+```azurecli-interactive
+az webapp config appsettings set --name --resource-group --settings SECRET_KEY_BASE=""
+```
+
+## Access diagnostic logs
+
+[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)]
+
+## Open SSH session in browser
+
+[!INCLUDE [Open SSH session in browser](../../../includes/app-service-web-ssh-connect-builtin-no-h.md)]
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Rails app with PostgreSQL](tutorial-ruby-postgres-app.md)
+
+> [!div class="nextstepaction"]
+> [App Service Linux FAQ](app-service-linux-faq.md)
\ No newline at end of file
diff --git a/articles/app-service/containers/how-to-configure-python.md b/articles/app-service/containers/how-to-configure-python.md
index 71c7e86faf1ba..1312e5b84a92a 100644
--- a/articles/app-service/containers/how-to-configure-python.md
+++ b/articles/app-service/containers/how-to-configure-python.md
@@ -12,18 +12,22 @@ ms.workload: web ms.tgt_pltfrm: na ms.devlang: na ms.topic: quickstart -ms.date: 01/29/2019 +ms.date: 03/28/2019 ms.author: astay;cephalin;kraigb ms.custom: mvc ms.custom: seodec18 --- -# Configure your Python app for Azure App Service -This article describes how [Azure App Service](app-service-linux-intro.md) runs Python apps, and how you can customize the behavior of App Service when needed. Python apps needs to be deployed with all the required [pip](https://pypi.org/project/pip/) modules. -The App Service deployment engine (Kudu) automatically activates a virtual environment and runs `pip install -r requirements.txt` for you when you deploy a [Git repository](../deploy-local-git.md), or a [Zip package](../deploy-zip.md) with build processes switched on. +# Configure a Linux Python app for Azure App Service + +This article describes how [Azure App Service](app-service-linux-intro.md) runs Python apps, and how you can customize the behavior of App Service when needed. Python apps must be deployed with all the required [pip](https://pypi.org/project/pip/) modules. + +The App Service deployment engine automatically activates a virtual environment and runs `pip install -r requirements.txt` for you when you deploy a [Git repository](../deploy-local-git.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json), or a [Zip package](../deploy-zip.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) with build processes switched on. + +This guide provides key concepts and instructions for Python developers who use a built-in Linux container in App Service. If you've never used Azure App Service, you should follow the [Python quickstart](quickstart-python.md) and [Python with PostgreSQL tutorial](tutorial-python-postgresql-app.md) first. > [!NOTE] -> [Python on the Windows flavor of App Service](https://docs.microsoft.com/visualstudio/python/managing-python-on-azure-app-service) is deprecated and is not recommended for use. 
+> Linux is currently the recommended option for running Python apps in App Service. For information on the Windows option, see [Python on the Windows flavor of App Service](https://docs.microsoft.com/visualstudio/python/managing-python-on-azure-app-service). > ## Show Python version @@ -31,7 +35,7 @@ The App Service deployment engine (Kudu) automatically activates a virtual envir To show the current Python version, run the following command in the [Cloud Shell](https://shell.azure.com): ```azurecli-interactive -az webapp config show --resource-group --name --query linuxFxVersion +az webapp config show --resource-group --name --query linuxFxVersion ``` To show all supported Python versions, run the following command in the [Cloud Shell](https://shell.azure.com): 
@@ -47,16 +51,19 @@ You can run an unsupported version of Python by building your own container imag Run the following command in the [Cloud Shell](https://shell.azure.com) to set the Python version to 3.7: ```azurecli-interactive -az webapp config set --resource-group --name --linux-fx-version "PYTHON|3.7" +az webapp config set --resource-group --name --linux-fx-version "PYTHON|3.7" ``` ## Container characteristics Python apps deployed to App Service on Linux run within a Docker container that's defined in the GitHub repository, [Python 3.6](https://github.com/Azure-App-Service/python/tree/master/3.6.6) or [Python 3.7](https://github.com/Azure-App-Service/python/tree/master/3.7.0). + This container has the following characteristics: - Apps are run using the [Gunicorn WSGI HTTP Server](https://gunicorn.org/), using the additional arguments `--bind=0.0.0.0 --timeout 600`. + - By default, the base image includes the Flask web framework, but the container supports other frameworks that are WSGI-compliant and compatible with Python 3.7, such as Django. + - To install additional packages, such as Django, create a [*requirements.txt*](https://pip.pypa.io/en/stable/user_guide/#requirements-files) file in the root of your project using `pip freeze > requirements.txt`. Then, publish your project to App Service using Git deployment, which automatically runs `pip install -r requirements.txt` in the container to install your app's dependencies. ## Container startup process @@ -79,7 +86,7 @@ For Django apps, App Service looks for a file named `wsgi.py` within your app co gunicorn --bind=0.0.0.0 --timeout 600 .wsgi ``` -If you want more specific control over the startup command, use a custom startup command and replace `` with the name of the module that contains *wsgi.py*. +If you want more specific control over the startup command, use a [custom startup command](#customize-startup-command) and replace `` with the name of the module that contains *wsgi.py*. ### Flask app 
@@ -92,7 +99,7 @@ gunicorn --bind=0.0.0.0 --timeout 600 application:app gunicorn --bind=0.0.0.0 --timeout 600 app:app ``` -If your main app module is contained in a different file, use a different name for the app object, or you want to provide additional arguments to Gunicorn, use a custom startup command. +If your main app module is contained in a different file, use a different name for the app object, or you want to provide additional arguments to Gunicorn, use a [custom startup command](#customize-startup-command). ### Default behavior @@ -102,7 +109,13 @@ If the App Service doesn't find a custom command, a Django app, or a Flask app, ## Customize startup command -You can control the container's startup behavior by providing a custom Gunicorn startup command. For example, if you have a Flask app whose main module is *hello.py* and the Flask app object in that file is named `myapp`, then the command is as follows: +You can control the container's startup behavior by providing a custom Gunicorn startup command. To do this, running the following command in the [Cloud Shell](https://shell.azure.com): + +```azurecli-interactive +az webapp config set --resource-group --name --startup-file "" +``` + +For example, if you have a Flask app whose main module is *hello.py* and the Flask app object in that file is named `myapp`, then *\* is as follows: ```bash gunicorn --bind=0.0.0.0 --timeout 600 hello:myapp 
@@ -114,27 +127,20 @@ If your main module is in a subfolder, such as `website`, specify that folder wi gunicorn --bind=0.0.0.0 --timeout 600 --chdir website hello:myapp ``` -You can also add any additional arguments for Gunicorn to the command, such as `--workers=4`. For more information, see [Running Gunicorn](https://docs.gunicorn.org/en/stable/run.html) (docs.gunicorn.org). +You can also add any additional arguments for Gunicorn to *\*, such as `--workers=4`. For more information, see [Running Gunicorn](https://docs.gunicorn.org/en/stable/run.html) (docs.gunicorn.org). -To use a non-Gunicorn server, such as [aiohttp](https://aiohttp.readthedocs.io/en/stable/web_quickstart.html), you can run: +To use a non-Gunicorn server, such as [aiohttp](https://aiohttp.readthedocs.io/en/stable/web_quickstart.html), you can replace *\* with something like this: ```bash python3.7 -m aiohttp.web -H localhost -P 8080 package.module:init_func ``` -To provide a custom command, do the following steps: - -1. Navigate to the [Application settings](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json) page on the Azure portal. -1. In the **Runtime** settings, set the **Stack** option to **Python 3.7**, and enter the command directly in the **Startup File** field. -Alternately, you can save the command in a text file in the root of your project, using a name like *startup.txt* (or any name you want). Then deploy that file to App Service, and specify the filename in the **Startup File** field instead. This option allows you to manage the command within your source code repository rather than through the Azure portal. -1. Select **Save**. The App Service restarts automatically, and after a few seconds you should see the custom startup command applied. - > [!Note] > App Service ignores any errors that occur when processing a custom command file, then continues its startup process by looking for Django and Flask apps. 
If you don't see the behavior you expect, check that your startup file is deployed to App Service and that it doesn't contain any errors. ## Access environment variables -In App Service, you can set app settings outside of your app code (see [Set environment variables](../web-sites-configure.md)). Then you can access them using the standard [os.environ](https://docs.python.org/3/library/os.html#os.environ) pattern. For example, to access an app setting called `WEBSITE_SITE_NAME`, use the following code: +In App Service, you can [set app settings](../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#app-settings) outside of your app code. Then you can access them using the standard [os.environ](https://docs.python.org/3/library/os.html#os.environ) pattern. For example, to access an app setting called `WEBSITE_SITE_NAME`, use the following code: ```python os.environ['WEBSITE_SITE_NAME'] 
@@ -151,14 +157,35 @@ if 'X-Forwarded-Proto' in request.headers and request.headers['X-Forwarded-Proto Popular web frameworks let you access the `X-Forwarded-*` information in your standard app pattern. In [CodeIgniter](https://codeigniter.com/), the [is_https()](https://github.com/bcit-ci/CodeIgniter/blob/master/system/core/Common.php#L338-L365) checks the value of `X_FORWARDED_PROTO` by default. +## Access diagnostic logs + +[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)] + +## Open SSH session in browser + +[!INCLUDE [Open SSH session in browser](../../../includes/app-service-web-ssh-connect-builtin-no-h.md)] + ## Troubleshooting - **You see the default app after deploying your own app code.** The default app appears because you either haven't deployed your app code to App Service, or App Service failed to find your app code and ran the default app instead. - Restart the App Service, wait 15-20 seconds, and check the app again. - Be sure you're using App Service for Linux rather than a Windows-based instance. From the Azure CLI, run the command `az webapp show --resource-group --name --query kind`, replacing `` and `` accordingly. You should see `app,linux` as output; otherwise, recreate the App Service and choose Linux. - Use SSH or the Kudu console to connect directly to the App Service and verify that your files exist under *site/wwwroot*. If your files don't exist, review your deployment process and redeploy the app. -- If your files exist, then App Service wasn't able to identify your specific startup file. Check that your app is structured as App Service expects for [Django](#django-app) or [Flask](#flask-app), or use a custom startup command. +- If your files exist, then App Service wasn't able to identify your specific startup file. Check that your app is structured as App Service expects for [Django](#django-app) or [Flask](#flask-app), or use a [custom startup command](#customize-startup-command). 
- **You see the message "Service Unavailable" in the browser.** The browser has timed out waiting for a response from App Service, which indicates that App Service started the Gunicorn server, but the arguments that specify the app code are incorrect. - Refresh the browser, especially if you're using the lowest pricing tiers in your App Service Plan. The app may take longer to start up when using free tiers, for example, and becomes responsive after you refresh the browser. - Check that your app is structured as App Service expects for [Django](#django-app) or [Flask](#flask-app), or use a [custom startup command](#customize-startup-command). -- Use SSH or the Kudu Console to connect to the App Service, then examine the diagnostic logs stored in the *LogFiles* folder. For more information on logging, see [Enable diagnostics logging for web apps in Azure App Service](../troubleshoot-diagnostic-logs.md). +- [Access the log stream](#access-diagnostic-logs). + +## Next steps + +The built-in Python image in App Service on Linux is currently in Preview, and you can customize the command used to start your app. You can also create production Python apps using a custom container instead. + +> [!div class="nextstepaction"] +> [Tutorial: Python app with PostgreSQL](tutorial-python-postgresql-app.md) + +> [!div class="nextstepaction"] +> [Tutorial: Deploy from private container repository](tutorial-custom-docker-image.md) + +> [!div class="nextstepaction"] +> [App Service Linux FAQ](app-service-linux-faq.md) \ No newline at end of file 
diff --git a/articles/app-service/containers/media/app-service-linux-using-custom-docker-image/app-service-linux-browse-local.png b/articles/app-service/containers/media/app-service-linux-using-custom-docker-image/app-service-linux-browse-local.png
index 67206590b6fa8..0b1b724134850 100644
Binary files a/articles/app-service/containers/media/app-service-linux-using-custom-docker-image/app-service-linux-browse-local.png and b/articles/app-service/containers/media/app-service-linux-using-custom-docker-image/app-service-linux-browse-local.png differ
diff --git a/articles/app-service/containers/media/how-to-configure-python/default-python-app.png b/articles/app-service/containers/media/how-to-configure-python/default-python-app.png
index 58f703fc04a59..b696b1d385a7b 100644
Binary files a/articles/app-service/containers/media/how-to-configure-python/default-python-app.png and b/articles/app-service/containers/media/how-to-configure-python/default-python-app.png differ
diff --git a/articles/app-service/containers/quickstart-docker-go.md b/articles/app-service/containers/quickstart-docker-go.md
index c5a6dd1eeabfe..83ba6005ab855 100644
--- a/articles/app-service/containers/quickstart-docker-go.md
+++ b/articles/app-service/containers/quickstart-docker-go.md
@@ -10,13 +10,13 @@ ms.assetid: b97bd4e6-dff0-4976-ac20-d5c109a559a8 ms.service: app-service ms.devlang: go ms.topic: quickstart -ms.date: 01/17/2018 +ms.date: 03/28/2019 ms.author: msangapu ms.custom: mvc ms.custom: seodec18 --- -# Deploy a Docker/Go web app in Web App for Containers +# Run a custom Linux container in Azure App Service [App Service Linux](app-service-linux-intro.md) provides pre-defined application stacks on Linux with support for languages such as .NET, PHP, Node.js and others. You can also use a custom Docker image to run your web app on an application stack that is not already defined in Azure. This quickstart shows how to create a web app and deploy a Go image from Docker Hub. You create the web app using the [Azure CLI](https://docs.microsoft.com/cli/azure/get-started-with-azure-cli). @@ -72,4 +72,10 @@ http://.azurewebsites.net/hello ## Next steps > [!div class="nextstepaction"] -> [Use a custom Docker image](tutorial-custom-docker-image.md) \ No newline at end of file +> [Tutorial: Deploy from private container repository](tutorial-custom-docker-image.md) + +> [!div class="nextstepaction"] +> [Configure a custom container](configure-custom-container.md) + +> [!div class="nextstepaction"] +> [Tutorial: Multi-container WordPress app](tutorial-multi-container-app.md) diff --git a/articles/app-service/containers/quickstart-dotnetcore.md b/articles/app-service/containers/quickstart-dotnetcore.md index a6dbb8b47df26..e6503598ee19c 100644 --- a/articles/app-service/containers/quickstart-dotnetcore.md +++ b/articles/app-service/containers/quickstart-dotnetcore.md @@ -5,7 +5,7 @@ keywords: azure app service, web app, dotnet, core, linux, oss services: app-service documentationCenter: '' author: cephalin -manager: syntaxc4 +manager: jeconnoc editor: '' ms.assetid: c02959e6-7220-496a-a417-9b2147638e2e 
@@ -14,8 +14,8 @@ ms.workload: web ms.tgt_pltfrm: linux ms.devlang: na ms.topic: quickstart -ms.date: 04/11/2018 -ms.author: cfowler +ms.date: 03/27/2019 +ms.author: cephalin ms.custom: mvc ms.custom: seodec18 --- @@ -45,7 +45,7 @@ To complete this quickstart: In a terminal window on your machine, create a directory named `hellodotnetcore` and change the current directory to it. ```bash -md hellodotnetcore +mkdir hellodotnetcore cd hellodotnetcore ``` @@ -184,4 +184,7 @@ The left menu provides different pages for configuring your app. ## Next steps > [!div class="nextstepaction"] -> [Build a .NET Core and SQL Database app in Azure App Service on Linux](tutorial-dotnetcore-sqldb-app.md) +> [Tutorial: ASP.NET Core app with SQL Database](tutorial-dotnetcore-sqldb-app.md) + +> [!div class="nextstepaction"] +> [Configure ASP.NET Core app](configure-language-dotnetcore.md) diff --git a/articles/app-service/containers/quickstart-java.md b/articles/app-service/containers/quickstart-java.md index a8b5ab06ab82d..406ca4f63c549 100644 --- a/articles/app-service/containers/quickstart-java.md +++ b/articles/app-service/containers/quickstart-java.md @@ -4,7 +4,7 @@ description: In this quickstart, you deploy your first Java Hello World in Azure services: app-service\web documentationcenter: '' author: msangapu -manager: cfowler +manager: jeconnoc editor: '' ms.assetid: 582bb3c2-164b-42f5-b081-95bfcb7a502a @@ -13,7 +13,7 @@ ms.workload: web ms.tgt_pltfrm: na ms.devlang: Java ms.topic: quickstart -ms.date: 12/10/2018 +ms.date: 03/27/2019 ms.author: msangapu ms.custom: mvc #Customer intent: As a Java developer, I want deploy a java app so that it is hosted on Azure App Service. 
@@ -95,17 +95,15 @@ Once deployment has completed, browse to the deployed application using the foll **Congratulations!** You've deployed your first Java app to App Service on Linux. - [!INCLUDE [cli-samples-clean-up](../../../includes/cli-samples-clean-up.md)] - ## Next steps -In this quickstart, you used Maven to create a Java app, configured the [Maven Plugin for Azure Web Apps](https://github.com/Microsoft/azure-maven-plugins/tree/develop/azure-webapp-maven-plugin), then deployed a web archive packaged Java app to App Service on Linux. Refer to the following tutorials and how-to articles for more information hosting Java applications on App Service on Linux. +> [!div class="nextstepaction"] +> [Tutorial: Java Enterprise app with PostgreSQL](tutorial-java-enterprise-postgresql-app.md) -- [Tutorial: Deploy a Java Enterprise app with PostgreSQL](tutorial-java-enterprise-postgresql-app.md) -- [Configure a Tomcat data source](app-service-linux-java.md#tomcat) -- [CI/CD with Jenkins](/azure/jenkins/deploy-jenkins-app-service-plugin) -- [Set up application performance monitoring tools](how-to-java-apm-monitoring.md) -- [Java developer's guide for App Service on Linux](app-service-linux-java.md) +> [!div class="nextstepaction"] +> [Configure Java app](configure-custom-container.md) +> [!div class="nextstepaction"] +> [CI/CD with Jenkins](/azure/jenkins/deploy-jenkins-app-service-plugin) diff --git a/articles/app-service/containers/quickstart-multi-container.md b/articles/app-service/containers/quickstart-multi-container.md index c94fa2e08685e..43d7d37dba16d 100644 --- a/articles/app-service/containers/quickstart-multi-container.md +++ b/articles/app-service/containers/quickstart-multi-container.md 
@@ -1,7 +1,7 @@ --- title: Create multi-container app using Docker Compose - Azure App Service description: Deploy your first multi-container app in Azure Web App for Containers in minutes -keywords: azure app service, web app, linux, docker, compose, multicontainer, multi-container, web app for containers, multiple containers, container, kubernetes, wordpress, azure db for mysql, production database with containers +keywords: azure app service, web app, linux, docker, compose, multicontainer, multi-container, web app for containers, multiple containers, container, wordpress, azure db for mysql, production database with containers services: app-service\web documentationcenter: '' author: msangapu @@ -13,14 +13,14 @@ ms.workload: na ms.tgt_pltfrm: na ms.devlang: na ms.topic: quickstart -ms.date: 06/22/2018 +ms.date: 03/27/2019 ms.author: msangapu ms.custom: mvc ms.custom: seodec18 --- # Create a multi-container (preview) app using a Docker Compose configuration -[Web App for Containers](app-service-linux-intro.md) provides a flexible way to use Docker images. This quickstart shows how to deploy a multi-container app to Web App for Containers in the [Cloud Shell](https://docs.microsoft.com/azure/cloud-shell/overview) using a Docker Compose configuration. For Kubernetes and a full end-to-end solution using Azure DB for MySQL, follow the [multi-container tutorial](tutorial-multi-container-app.md). +[Web App for Containers](app-service-linux-intro.md) provides a flexible way to use Docker images. This quickstart shows how to deploy a multi-container app to Web App for Containers in the [Cloud Shell](https://docs.microsoft.com/azure/cloud-shell/overview) using a Docker Compose configuration. You'll complete this quickstart in Cloud Shell, but you can also run these commands locally with [Azure CLI](/cli/azure/install-azure-cli) (2.0.32 or later). 
@@ -134,7 +134,10 @@ Browse to the deployed app at (`http://.azurewebsites.net`). The app m ## Next steps > [!div class="nextstepaction"] -> [Create a multi-container WordPress app in Web App for Containers](tutorial-multi-container-app.md) +> [Tutorial: Multi-container WordPress app](tutorial-multi-container-app.md) + +> [!div class="nextstepaction"] +> [Configure a custom container](configure-custom-container.md) [1]: ./media/tutorial-multi-container-app/azure-multi-container-wordpress-install.png \ No newline at end of file diff --git a/articles/app-service/containers/quickstart-nodejs.md b/articles/app-service/containers/quickstart-nodejs.md index c339d0e97618f..df2b360ae5891 100644 --- a/articles/app-service/containers/quickstart-nodejs.md +++ b/articles/app-service/containers/quickstart-nodejs.md @@ -13,7 +13,7 @@ ms.workload: web ms.tgt_pltfrm: na ms.devlang: na ms.topic: quickstart -ms.date: 11/20/2018 +ms.date: 03/27/2019 ms.author: msangapu ms.custom: mvc ms.custom: seodec18 @@ -187,4 +187,7 @@ This command may take a minute to run. ## Next steps > [!div class="nextstepaction"] -> [Node.js with MongoDB](tutorial-nodejs-mongodb-app.md) +> [Tutorial: Node.js app with MongoDB](tutorial-nodejs-mongodb-app.md) + +> [!div class="nextstepaction"] +> [Configure Node.js app](configure-language-nodejs.md) diff --git a/articles/app-service/containers/quickstart-php.md b/articles/app-service/containers/quickstart-php.md index 2791970d3da9c..4ff3195b41fac 100644 --- a/articles/app-service/containers/quickstart-php.md +++ b/articles/app-service/containers/quickstart-php.md @@ -3,8 +3,8 @@ title: Create PHP app on Linux - Azure App Service | Microsoft Docs description: Deploy your first PHP Hello World in App Service on Linux in minutes. services: app-service\web documentationcenter: '' -author: syntaxc4 -manager: erikre +author: cephalin +manager: jeconnoc editor: '' ms.assetid: 6feac128-c728-4491-8b79-962da9a40788 
@@ -13,8 +13,8 @@ ms.workload: web ms.tgt_pltfrm: na ms.devlang: na ms.topic: quickstart -ms.date: 08/30/2017 -ms.author: cfowler +ms.date: 03/27/2019 +ms.author: cephalin ms.custom: mvc ms.custom: seodec18 --- @@ -165,4 +165,7 @@ The left menu provides different pages for configuring your app. ## Next steps > [!div class="nextstepaction"] -> [PHP with MySQL](tutorial-php-mysql-app.md) +> [Tutorial: PHP app with MySQL](tutorial-php-mysql-app.md) + +> [!div class="nextstepaction"] +> [Configure PHP app](configure-language-php.md) diff --git a/articles/app-service/containers/quickstart-python.experimental.md b/articles/app-service/containers/quickstart-python.experimental.md index 79f475bceb9c1..a408f0b8b3cf7 100644 --- a/articles/app-service/containers/quickstart-python.experimental.md +++ b/articles/app-service/containers/quickstart-python.experimental.md @@ -13,7 +13,7 @@ ms.workload: web ms.tgt_pltfrm: na ms.devlang: na ms.topic: quickstart -ms.date: 02/14/2019 +ms.date: 03/28/2019 ms.author: cephalin ms.custom: mvc ms.custom: seodec18 @@ -167,13 +167,10 @@ The left menu provides different pages for configuring your app. The built-in Python image in App Service on Linux is currently in Preview, and you can customize the command used to start your app . You can also create production Python apps using a custom container instead. > [!div class="nextstepaction"] -> [Python with PostgreSQL](tutorial-python-postgresql-app.md) +> [Tutorial: Python app with PostgreSQL](tutorial-python-postgresql-app.md) > [!div class="nextstepaction"] -> [Configure a custom startup command](how-to-configure-python.md#customize-startup-command) +> [Configure Python app](how-to-configure-python.md) > [!div class="nextstepaction"] -> [Troubleshooting](how-to-configure-python.md#troubleshooting) - -> [!div class="nextstepaction"] -> [Use custom images](tutorial-custom-docker-image.md) +> [Tutorial: Deploy from private container repository](tutorial-custom-docker-image.md) 
diff --git a/articles/app-service/containers/quickstart-python.md b/articles/app-service/containers/quickstart-python.md index 6a4434fbc2010..64fc0ce705103 100644 --- a/articles/app-service/containers/quickstart-python.md +++ b/articles/app-service/containers/quickstart-python.md @@ -13,7 +13,7 @@ ms.workload: web ms.tgt_pltfrm: na ms.devlang: na ms.topic: quickstart -ms.date: 02/08/2019 +ms.date: 03/27/2019 ms.author: cephalin ms.custom: mvc ms.custom: seodec18 @@ -108,7 +108,7 @@ Checking connectivity... done. Change to the directory that contains the sample code and run the `az webapp up` command. -In the following example, replace with a unique app name. +In the following example, replace `` with a unique app name. ```bash cd python-docs-hello-world @@ -204,13 +204,10 @@ The left menu provides different pages for configuring your app. The built-in Python image in App Service on Linux is currently in Preview, and you can customize the command used to start your app . You can also create production Python apps using a custom container instead. > [!div class="nextstepaction"] -> [Python with PostgreSQL](tutorial-python-postgresql-app.md) +> [Tutorial: Python app with PostgreSQL](tutorial-python-postgresql-app.md) > [!div class="nextstepaction"] -> [Configure a custom startup command](how-to-configure-python.md#customize-startup-command) +> [Configure Python app](how-to-configure-python.md) > [!div class="nextstepaction"] -> [Troubleshooting](how-to-configure-python.md#troubleshooting) - -> [!div class="nextstepaction"] -> [Use custom images](tutorial-custom-docker-image.md) +> [Tutorial: Run Python app in custom container](tutorial-custom-docker-image.md) diff --git a/articles/app-service/containers/quickstart-ruby.md b/articles/app-service/containers/quickstart-ruby.md index e6a7c7759e638..1663efd833d95 100644 --- a/articles/app-service/containers/quickstart-ruby.md +++ b/articles/app-service/containers/quickstart-ruby.md 
@@ -4,8 +4,8 @@ description: Learn to create a Ruby on Rails app with App Service on Linux. keywords: azure app service, linux, oss, ruby, rails services: app-service documentationcenter: '' -author: SyntaxC4 -manager: cfowler +author: cephalin +manager: jeconnoc editor: '' ms.assetid: 6d00c73c-13cb-446f-8926-923db4101afa @@ -14,8 +14,8 @@ ms.workload: na ms.tgt_pltfrm: na ms.devlang: na ms.topic: quickstart -ms.date: 01/23/2019 -ms.author: cfowler +ms.date: 03/27/2019 +ms.author: cephalin ms.custom: mvc ms.custom: seodec18 --- @@ -24,7 +24,7 @@ ms.custom: seodec18 [Azure App Service on Linux](app-service-linux-intro.md) provides a highly scalable, self-patching web hosting service. This quickstart shows you how to create a basic [Ruby on Rails](https://rubyonrails.org/) application that can then be deployed to Azure as a Web App on Linux. > [!NOTE] -> The Ruby development stack only supports Ruby on Rails at this time. If you want to use a different platform, such as Sinatra, or if you want to use an [unsupported Ruby version](app-service-linux-intro.md), please see the quickstart for [Web App for Containers](https://docs.microsoft.com/azure/app-service/containers/). +> The Ruby development stack only supports Ruby on Rails at this time. If you want to use a different platform, such as Sinatra, or if you want to use an [unsupported Ruby version](app-service-linux-intro.md), you need to [run it in a custom container](quickstart-docker-go.md). ![Hello-world](./media/quickstart-ruby/hello-world-updated.png) @@ -135,4 +135,7 @@ http://.azurewebsites.net ## Next steps > [!div class="nextstepaction"] -> [Ruby on Rails with Postgres](tutorial-ruby-postgres-app.md) +> [Tutorial: Ruby on Rails with Postgres](tutorial-ruby-postgres-app.md) + +> [!div class="nextstepaction"] +> [Configure Ruby app](configure-language-ruby.md) diff --git a/articles/app-service/containers/toc.yml b/articles/app-service/containers/toc.yml index b10fb3b5d0b34..a22f4e7a6530d 100644 
--- a/articles/app-service/containers/toc.yml +++ b/articles/app-service/containers/toc.yml @@ -23,7 +23,7 @@ href: quickstart-python.md - name: Create Ruby app href: quickstart-ruby.md - - name: Create Docker/Go app + - name: Run custom container href: quickstart-docker-go.md - name: Create multi-container app href: quickstart-multi-container.md @@ -47,7 +47,7 @@ href: tutorial-java-enterprise-postgresql-app.md - name: Multi-container app href: tutorial-multi-container-app.md - - name: Custom Docker image + - name: Run container from ACR href: tutorial-custom-docker-image.md - name: Map Custom Domain href: ../app-service-web-tutorial-custom-domain.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json @@ -71,10 +71,6 @@ href: ../overview-hosting-plans.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json - name: App Service Environment href: ../environment/intro.md - - name: Java developer guide - href: app-service-linux-java.md - - name: Java Enterprise guide - href: app-service-java-enterprise.md - name: Inbound and outbound IPs href: ../overview-inbound-outbound-ips.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json - name: Authentication and authorization @@ -87,10 +83,22 @@ items: - name: Configure app items: - - name: Python image - href: how-to-configure-python.md - name: Use app settings href: ../web-sites-configure.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json + - name: Configure ASP.NET Core + href: configure-language-dotnetcore.md + - name: Configure Node.js + href: configure-language-nodejs.md + - name: Configure PHP + href: configure-language-php.md + - name: Configure Java + href: configure-language-java.md + - name: Configure Python + href: how-to-configure-python.md + - name: Configure Ruby + href: configure-language-ruby.md + - name: Configure custom container + href: configure-custom-container.md - name: Serve content with Storage href: how-to-serve-content-from-azure-storage.md - name: Deploy to Azure 
@@ -157,8 +165,6 @@ href: ../web-sites-monitor.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json - name: Enable logs href: ../troubleshoot-diagnostic-logs.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json - - name: Java APM integrations - href: how-to-java-apm-monitoring.md - name: Manage app items: - name: Back up an app diff --git a/articles/app-service/containers/tutorial-custom-docker-image.md b/articles/app-service/containers/tutorial-custom-docker-image.md index 17963034715f9..ffbc63da0f65a 100644 --- a/articles/app-service/containers/tutorial-custom-docker-image.md +++ b/articles/app-service/containers/tutorial-custom-docker-image.md @@ -1,5 +1,5 @@ --- -title: Use a custom Docker image for Web App for Containers - Azure App Service | Microsoft Docs +title: Build a custom image and for Web App for Containers - Azure App Service | Microsoft Docs description: How to use a custom Docker image for Web App for Containers. keywords: azure app service, web app, linux, docker, container services: app-service 
@@ -14,23 +14,24 @@ ms.workload: na ms.tgt_pltfrm: na ms.devlang: na ms.topic: tutorial -ms.date: 10/24/2017 +ms.date: 03/27/2019 ms.author: msangapu ms.custom: mvc ms.custom: seodec18 --- -# Use a custom Docker image for Web App for Containers +# Tutorial: Build a custom image and run in App Service from a private registry -[Web App for Containers](app-service-linux-intro.md) provides built-in Docker images on Linux with support for specific versions, such as PHP 7.0 and Node.js 4.5. Web App for Containers uses the Docker container technology to host both built-in images and custom images as a platform as a service. In this tutorial, you learn how to build a custom Docker image and deploy it to Web App for Containers. This pattern is useful when the built-in images don't include your language of choice, or when your application requires a specific configuration that isn't provided within the built-in images. +[App Service](app-service-linux-intro.md) provides built-in Docker images on Linux with support for specific versions, such as PHP 7.0 and Node.js 4.5. App Service uses the Docker container technology to host both built-in images and custom images as a platform as a service. In this tutorial, you learn how to build a custom image and run it in App Service. This pattern is useful when the built-in images don't include your language of choice, or when your application requires a specific configuration that isn't provided within the built-in images. 
In this tutorial, you learn how to: > [!div class="checklist"] -> * Deploy a custom Docker image to Azure -> * Configure environment variables to run the container -> * Update the Docker image and redeploy it +> * Deploy a custom image to a private container registry +> * Run the custom image in App Service +> * Configure environment variables +> * Update and redeploy the image +> * Access diagnostic logs > * Connect to the container using SSH -> * Deploy a private Docker image to Azure [!INCLUDE [Free trial note](../../../includes/quickstarts-free-trial-note.md)] @@ -40,7 +41,6 @@ To complete this tutorial, you need: * [Git](https://git-scm.com/downloads) * [Docker](https://docs.docker.com/get-started/#setup) -* A [Docker Hub account](https://docs.docker.com/docker-id/) ## Download the sample 
@@ -81,130 +81,111 @@ EXPOSE 8000 2222 ENTRYPOINT ["init.sh"] ``` -To build the Docker image, run the `docker build` command, and provide a name, _mydockerimage_, and tag, _v1.0.0_. Replace _\_ with your Docker Hub account ID. +Build the Docker image with the `docker build` command. ```bash -docker build --tag /mydockerimage:v1.0.0 . -``` - -The command produces output similar to the following: - -``` -# The output from the commands in this article has been shortened for brevity. - -Sending build context to Docker daemon 5.558MB -Step 1/13 : FROM python:3.4 - ---> 9ff45ddb54e9 -Step 2/13 : RUN mkdir /code - ---> Using cache - ---> f3f3ac01db0a -Step 3/13 : WORKDIR /code - ---> Using cache - ---> 38b32f15b442 -. -. -. -Step 13/13 : ENTRYPOINT init.sh - ---> Running in 5904e4c70043 - ---> e7cf08275692 -Removing intermediate container 5904e4c70043 -Successfully built e7cf08275692 -Successfully tagged cephalin/mydockerimage:v1.0.0 +docker build --tag mydockerimage . ``` Test that the build works by running the Docker container. Issue the [`docker run`](https://docs.docker.com/engine/reference/commandline/run/) command and pass the name and tag of the image to it. Be sure to specify the port using the `-p` argument. ```bash -docker run -p 2222:8000 /mydockerimage:v1.0.0 +docker run -p 8000:8000 mydockerimage ``` -Verify the web app and container are functioning correctly by browsing to `http://localhost:2222`. +Verify the web app and container are functioning correctly by browsing to `http://localhost:8000`. ![Test web app locally](./media/app-service-linux-using-custom-docker-image/app-service-linux-browse-local.png) -> [!NOTE] -> You can also connect to the app container directly from your local development machine using SSH, SFTP, or Visual Studio Code (for live debugging Node.js apps). For more information, see [Remote debugging and SSH in App Service on Linux](https://aka.ms/linux-debug). 
-> +[!INCLUDE [Try Cloud Shell](../../../includes/cloud-shell-try-it.md)] -## Push the Docker image to Docker Hub +## Deploy app to Azure -A registry is an application that hosts images and provides services image and container services. In order to share your image, you must push it to a registry. +To create an app that uses the image you just created, you run Azure CLI commands that create a resource group, pushes the image, and then creates the App Service plan web app to run it. - +### Create a resource group -> [!NOTE] -> Pushing to a Private Docker Registry? See the optional instructions to [Use a Docker image from any private registry](#use-a-docker-image-from-any-private-registry-optional). +[!INCLUDE [Create resource group](../../../includes/app-service-web-create-resource-group-linux-no-h.md)] - +### Create an Azure Container Registry -Docker Hub is a registry for Docker images that allows you to host your own repositories, either public or private. To push a custom Docker image to the public Docker Hub, use the [`docker push`](https://docs.docker.com/engine/reference/commandline/push/) command and provide a full image name and tag. A full image name and tag looks like the following sample: +In the Cloud Shell, use the [`az acr create`](/cli/azure/acr?view=azure-cli-latest#az-acr-create) command to create an Azure Container Registry. -``` -/image-name:tag +```azurecli-interactive +az acr create --name --resource-group myResourceGroup --sku Basic --admin-enabled true ``` -Before you can push an image, you must sign in to Docker Hub using the [`docker login`](https://docs.docker.com/engine/reference/commandline/login/) command. Replace _\_ with your account name and type in your password into the console at the prompt. +### Sign in to Azure Container Registry -```bash -docker login --username +To push an image to the registry, you need to authenticate with the private registry. 
In the Cloud Shell, use the [`az acr show`](/cli/azure/acr?view=azure-cli-latest#az-acr-show) command to retrieve the credentials from the registry you created. + +```azurecli-interactive +az acr credential show --name ``` -A "login succeeded" message confirms that you are logged in. Once logged in, you can push the image to Docker Hub using the [`docker push`](https://docs.docker.com/engine/reference/commandline/push/) command. +The output reveals two passwords along with the user name. -```bash -docker push /mydockerimage:v1.0.0 +```json +< + "passwords": [ + { + "name": "password", + "value": "{password}" + }, + { + "name": "password2", + "value": "{password}" + } + ], + "username": "" +} ``` -Verify that the push succeeded by examining the command's output. +From your local terminal window, sign in to the Azure Container Registry using the `docker login` command, as shown in the following example. Replace *\* and *\* with values for your registry. When prompted, type in one of the passwords from the previous step. -``` -The push refers to a repository [docker.io//mydockerimage:v1.0.0] -c33197c3f6d4: Pushed -ccd2c850ee43: Pushed -02dff2853466: Pushed -6ce78153632a: Pushed -efef3f03cc58: Pushed -3439624d77fb: Pushed -3a07adfb35c5: Pushed -2fcec228e1b7: Mounted from library/python -97d2d3bae505: Mounted from library/python -95aadeabf504: Mounted from library/python -b456afdc9996: Mounted from library/python -d752a0310ee4: Mounted from library/python -db64edce4b5b: Mounted from library/python -d5d60fc34309: Mounted from library/python -c01c63c6823d: Mounted from library/python -v1.0.0: digest: sha256:21f2798b20555f4143f2ca0591a43b4f6c8138406041f2d32ec908974feced66 size: 3676 +```bash +docker login .azurecr.io --username ``` - +Tag your local image for the Azure Container Registry. 
For example: +```bash +docker tag mydockerimage .azurecr.io/mydockerimage:v1.0.0 +``` -[!INCLUDE [Try Cloud Shell](../../../includes/cloud-shell-try-it.md)] +Push the image by using the `docker push` command. Tag the image with the name of the registry, followed by your image name and tag. -## Deploy app to Azure +```bash +docker push .azurecr.io/mydockerimage:v1.0.0 +``` -To create an app that uses the image you just pushed, you run Azure CLI commands that create a group, then a service plan, and finally the web app itself. +Back in the Cloud Shell, verify that the push is successful. -### Create a resource group +```azurecli-interactive +az acr repository list -n +``` -[!INCLUDE [Create resource group](../../../includes/app-service-web-create-resource-group-linux-no-h.md)] +You should get the following output. + +```json +[ + "mydockerimage" +] +``` -### Create a Linux App Service plan +### Create App Service plan -[!INCLUDE [Create app service plan](../../../includes/app-service-web-create-app-service-plan-linux-no-h.md)] +[!INCLUDE [Create app service plan](../../../includes/app-service-web-create-app-service-plan-linux-no-h.md)] -### Create a web app +### Create web app -In the Cloud Shell, create a [web app](app-service-linux-intro.md) in the `myAppServicePlan` App Service plan with the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-create) command. Don't forget to replace __ with a unique app name, and _\_ with your Docker ID. +In the Cloud Shell, create a [web app](app-service-linux-intro.md) in the `myAppServicePlan` App Service plan with the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-create) command. Replace _\_ with a unique app name, and _\_ with your registry name. 
```azurecli-interactive -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --deployment-container-image-name /mydockerimage:v1.0.0 +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --deployment-container-image-name .azurecr.io/mydockerimage:v1.0.0 ``` When the web app has been created, the Azure CLI shows output similar to the following example: 
@@ -217,40 +198,41 @@ When the web app has been created, the Azure CLI shows output similar to the fol "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } ``` -### Configure environment variables - -Most Docker images have environment variables that need to be configured. If you are using an existing Docker image built by someone else, the image may use a port other than 80. You tell Azure about the port that your image uses by using the `WEBSITES_PORT` app setting. The GitHub page for the [Python sample in this tutorial](https://github.com/Azure-Samples/docker-django-webapp-linux) shows that you need to set `WEBSITES_PORT` to _8000_. +### Configure registry credentials in web app -To set app settings, use the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in the Cloud Shell. App settings are case-sensitive and space-separated. +For App Service to pull the private image, it needs information about your registry and image. In the Cloud Shell, provide them with the [`az webapp config container set`](/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set) command. Replace *\*, *\*, _\_, and _\_. ```azurecli-interactive -az webapp config appsettings set --resource-group myResourceGroup --name --settings WEBSITES_PORT=8000 +az webapp config container set --name --resource-group myResourceGroup --docker-custom-image-name .azurecr.io/mydockerimage:v1.0.0 --docker-registry-server-url https://.azurecr.io --docker-registry-server-user --docker-registry-server-password ``` - - > [!NOTE] -> Deploying from a Private Docker Registry? 
See the optional instructions to [Use a Docker image from any private registry](#use-a-docker-image-from-any-private-registry-optional). +> When using a registry other than Docker Hub, `--docker-registry-server-url` must be formatted as `https://` followed by the fully qualified domain name of the registry. +> - +### Configure environment variables - +```azurecli-interactive +az webapp config appsettings set --resource-group myResourceGroup --name --settings WEBSITES_PORT=8000 +``` ### Test the web app -Verify that the web app works by browsing to it (`http://.azurewebsites.net`). +Verify that the web app works by browsing to it (`http://.azurewebsites.net`). + +> [!NOTE] +> The first time you access the app, it may take some time because App Service needs to pull the entire image. If the browser times out, just refresh the page. ![Test web app port configuration](./media/app-service-linux-using-custom-docker-image/app-service-linux-browse-azure.png) 
@@ -261,20 +243,24 @@ In your local Git repository, open app/templates/app/index.html. Locate the firs ```python + ``` -Once you've modified the Python file and saved it, you must rebuild and push the new Docker image. Then restart the web app for the changes to take effect. Use the same commands that you have previously used in this tutorial. You can refer to [Build the image from the Docker file](#build-the-image-from-the-docker-file) and [Push the Docker image to Docker Hub](#push-the-docker-image-to-docker-hub). Test the web app by following the instructions in [Test the web app](#test-the-web-app). +Once you've modified the Python file and saved it, you must rebuild and push the new Docker image. Then restart the web app for the changes to take effect. Use the same commands that you have previously used in this tutorial. You can refer to [Build the image from the Docker file](#build-the-image-from-the-docker-file) and [Push image to Azure Container Registry](#push-image-to-azure-container-registry). Test the web app by following the instructions in [Test the web app](#test-the-web-app). + +## Access diagnostic logs -## Connect to Web App for Containers using SSH +[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)] -SSH enables secure communication between a container and a client. In order for a custom Docker image to support SSH, you must build it into a Dockerfile. You enable SSH in the Docker file itself. The SSH instructions have already been added to the sample dockerfile, so you can follow these instructions with your own custom image: +## Enable SSH connections -* A [RUN](https://docs.docker.com/engine/reference/builder/#run) instruction that calls `apt-get`, then sets the password for the root account to `"Docker!"`. +SSH enables secure communication between a container and a client. To enable SSH connection to your container, your custom image must be configured for it. 
Let's take a look at the sample repository that already has the necessary configuration. + +* In the [Dockerfile](https://github.com/Azure-Samples/docker-django-webapp-linux/blob/master/Dockerfile), the following code installs the SSH server and also sets the sign-in credentials. ```Dockerfile ENV SSH_PASSWD "root:Docker!" 
@@ -286,39 +272,34 @@ SSH enables secure communication between a container and a client. In order for ``` > [!NOTE] - > This configuration does not allow external connections to the container. SSH is available only through the Kudu/SCM Site. The Kudu/SCM site is authenticated with the publishing credentials. + > This configuration does not allow external connections to the container. SSH is available only through the Kudu/SCM Site. The Kudu/SCM site is authenticated with your Azure account. -* A [COPY](https://docs.docker.com/engine/reference/builder/#copy) instruction that instructs the Docker engine to copy the [sshd_config](https://man.openbsd.org/sshd_config) file to the */etc/ssh/* directory. Your configuration file should be based on [this sshd_config file](https://github.com/Azure-App-Service/node/blob/master/6.11.1/sshd_config). +* The [Dockerfile](https://github.com/Azure-Samples/docker-django-webapp-linux/blob/master/Dockerfile#L18) copies the [sshd_config](https://github.com/Azure-Samples/docker-django-webapp-linux/blob/master/sshd_config file in the repository) to the */etc/ssh/* directory. ```Dockerfile COPY sshd_config /etc/ssh/ ``` - > [!NOTE] - > The *sshd_config* file must include the following items: - > * `Ciphers` must include at least one item in this list: `aes128-cbc,3des-cbc,aes256-cbc`. - > * `MACs` must include at least one item in this list: `hmac-sha1,hmac-sha1-96`. - -* An [EXPOSE](https://docs.docker.com/engine/reference/builder/#expose) instruction that exposes port 2222 in the container. Although the root password is known, port 2222 cannot be accessed from the internet. It is an internal port accessible only by containers within the bridge network of a private virtual network. After that, commands copy SSH configuration details and start the `ssh` service. +* The [Dockerfile](https://github.com/Azure-Samples/docker-django-webapp-linux/blob/master/Dockerfile#L22) exposes port 2222 in the container. 
It is an internal port accessible only by containers within the bridge network of a private virtual network. ```Dockerfile EXPOSE 8000 2222 ``` -* Make sure to [start the ssh service](https://github.com/Azure-App-Service/node/blob/master/8.9/startup/init_container.sh#L18) by using a shell script in the /bin directory. - - ```bash - #!/bin/bash - service ssh start +* The [entry script](https://github.com/Azure-Samples/docker-django-webapp-linux/blob/master/init.sh#L5) starts the SSH server. + + ```bash + #!/bin/bash + service ssh start ``` - + ### Open SSH connection to container -Web App for Containers does not allow external connections to the container. SSH is available only through the Kudu site, which is accessible at `https://.scm.azurewebsites.net`. +SSH connection is available only through the Kudu site, which is accessible at `https://.scm.azurewebsites.net`. -To connect, browse to `https://.scm.azurewebsites.net/webssh/host` and sign in with your Azure account. +To connect, browse to `https://.scm.azurewebsites.net/webssh/host` and sign in with your Azure account. -You are then redirected to a page displaying an interactive console. +You are then redirected to a page displaying an interactive console. You may wish to verify that certain applications are running in the container. To inspect the container and verify running processes, issue the `top` command at the prompt. 
@@ -343,219 +324,31 @@ PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 77 root 20 0 21920 2304 1972 R 0.0 0.1 0:00.00 top ``` -Congratulations! You've configured a custom Docker image for a Web App for Containers. - -## Use a private image from Docker Hub (optional) - -In [Create a web app](#create-a-web-app), you specified an image on Docker Hub in the `az webapp create` command. This is good enough for a public image. To use a private image, you need to configure your Docker account ID and password in your Azure web app. - -In the Cloud Shell, follow the `az webapp create` command with [`az webapp config container set`](/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set). Replace *\*, and also _\_ and _\_ with your Docker ID and password. - -```azurecli-interactive -az webapp config container set --name --resource-group myResourceGroup --docker-registry-server-user --docker-registry-server-password -``` - -The command reveals output similar to the following JSON string, showing that the configuration change succeeded: - -```json -[ - { - "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE", - "slotSetting": false, - "value": "false" - }, - { - "name": "DOCKER_REGISTRY_SERVER_USERNAME", - "slotSetting": false, - "value": "" - }, - { - "name": "DOCKER_REGISTRY_SERVER_PASSWORD", - "slotSetting": false, - "value": null - }, - { - "name": "DOCKER_CUSTOM_IMAGE_NAME", - "value": "DOCKER|" - } -] -``` - -## Use a Docker image from any private registry (optional) - -In this section, you learn how to use a Docker image from a private registry in Web App for Containers, and it uses Azure Container Registry as an example. The steps for using other private registries are similar. - -Azure Container Registry is a managed Docker service from Azure for hosting private images. The deployments may be any type, including [Docker Swarm](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io/), and Web App for Containers. 
- -### Create an Azure Container Registry - -In the Cloud Shell, use the [`az acr create`](/cli/azure/acr?view=azure-cli-latest#az-acr-create) command to create an Azure Container Registry. Pass in the name, resource group, and `Basic` for the SKU. Available SKUs are `Classic`, `Basic`, `Standard`, and `Premium`. - -```azurecli-interactive -az acr create --name --resource-group myResourceGroup --sku Basic --admin-enabled true -``` - -Creating a container produces the following output: - -``` - - Finished .. -Create a new service principal and assign access: - az ad sp create-for-rbac --scopes /subscriptions/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/ --role Owner --password - -Use an existing service principal and assign access: - az role assignment create --scope /subscriptions/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/ --role Owner --assignee -{ - "adminUserEnabled": false, - "creationDate": "2017-08-09T04:21:09.654153+00:00", - "id": "/subscriptions//resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/", - "location": "westeurope", - "loginServer": ".azurecr.io", - "name": "", - "provisioningState": "Succeeded", - "resourceGroup": "myResourceGroup", - "sku": { - "name": "Basic", - "tier": "Basic" - }, - "storageAccount": { - "name": "myazurecontainerre042025" - }, - "tags": {}, - "type": "Microsoft.ContainerRegistry/registries" -} -``` - -### Log in to Azure Container Registry - -In order to push an image to the registry, you need to supply credentials so the registry accepts the push. You can retrieve these credentials by using the [`az acr show`](/cli/azure/acr?view=azure-cli-latest#az-acr-show) command in the Cloud Shell. - -```azurecli-interactive -az acr credential show --name -``` - -The command reveals two passwords that can be used with the user name. 
- -```json -< - "passwords": [ - { - "name": "password", - "value": "{password}" - }, - { - "name": "password2", - "value": "{password}" - } - ], - "username": "" -} -``` - -From your local terminal window, log in to the Azure Container Registry using the `docker login` command. The server name is required to log in. Use the format `{azure-container-registry-name>.azurecr.io`. Type in your password into the console at the prompt. - -```bash -docker login .azurecr.io --username -``` - -Confirm that the login succeeded. - -### Push an image to Azure Container Registry - -> [!NOTE] -> If you're using your own image, tag the image as follows: -> ```bash -> docker tag .azurecr.io/mydockerimage -> ``` - -Push the image by using the `docker push` command. Tag the image with the name of the registry, followed by your image name and tag. - -```bash -docker push .azurecr.io/mydockerimage:v1.0.0 -``` - -Verify that the push successfully added a container to the registry by listing the ACR repositories. +Congratulations! You've configured a custom Linux container in App Service. -```azurecli-interactive -az acr repository list -n -``` - -Listing the images in the registry confirms that `mydockerimage` is in the registry. - -```json -[ - "mydockerimage" -] -``` - -### Configure Web App to use the image from Azure Container Registry (or any private registry) - -You can configure Web App for Containers so that it runs a container stored in the Azure Container Registry. Using the Azure Container Registry is just like using any private registry, so if you need to use your own private registry, the steps to complete this task are similar. - -In the Cloud Shell, run [`az acr credential show`](/cli/azure/acr/credential?view=azure-cli-latest#az-acr-credential-show) to display the username and password for the Azure Container Registry. Copy the username and one of the passwords so you can use it to configure the web app in the next step. 
- -```bash -az acr credential show --name -``` - -```json -{ - "passwords": [ - { - "name": "password", - "value": "password" - }, - { - "name": "password2", - "value": "password2" - } - ], - "username": "" -} -``` +[!INCLUDE [Clean-up section](../../../includes/cli-script-clean-up.md)] -In the Cloud Shell, run the [`az webapp config container set`](/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set) command to assign the custom Docker image to the web app. Replace *\*, *\*, _\_, and _\_. For Azure Container Registry, *\* is in the format `https://.azurecr.io`. If you are using any registry besides Docker Hub, the image name needs to begin with the fully-qualified domain name (FQDN) of your registry. For Azure Container Registry, this will look like `.azurecr.io/mydockerimage`. +## Next steps -```azurecli-interactive -az webapp config container set --name --resource-group myResourceGroup --docker-custom-image-name .azurecr.io/mydockerimage --docker-registry-server-url https://.azurecr.io --docker-registry-server-user --docker-registry-server-password -``` +What you learned: -> [!NOTE] -> `https://` is required in *\*. -> -> [!NOTE] -> When using registry other than dockerhub, `docker-custom-image-name` must include fully-qualified domain name (FQDN) of your registry. -> For Azure Container Registry, this will look like `.azurecr.io/mydockerimage`. +> [!div class="checklist"] +> * Deploy a custom image to a private container registry +> * Run the custom image in App Service +> * Configure environment variables +> * Update and redeploy the image +> * Access diagnostic logs +> * Connect to the container using SSH -The command reveals output similar to the following JSON string, showing that the configuration change succeeded: +Advance to the next tutorial to learn how to map a custom DNS name to your app. 
-```json -[ - { - "name": "DOCKER_CUSTOM_IMAGE_NAME", - "slotSetting": false, - "value": "mydockerimage" - }, - { - "name": "DOCKER_REGISTRY_SERVER_URL", - "slotSetting": false, - "value": ".azurecr.io" - }, - { - "name": "DOCKER_REGISTRY_SERVER_USERNAME", - "slotSetting": false, - "value": "" - }, - { - "name": "DOCKER_REGISTRY_SERVER_PASSWORD", - "slotSetting": false, - "value": null - } -] -``` +> [!div class="nextstepaction"] +> [Tutorial: Map custom DNS name to your app](../app-service-web-tutorial-custom-domain.md) -[!INCLUDE [Clean-up section](../../../includes/cli-script-clean-up.md)] +Or, check out other resources: -## Next steps +> [!div class="nextstepaction"] +> [Configure custom container](configure-custom-container.md) > [!div class="nextstepaction"] -> [Build a Docker Python and PostgreSQL web app in Azure](tutorial-python-postgresql-app.md) \ No newline at end of file +> [Tutorial: Multi-container WordPress app](tutorial-multi-container-app.md) diff --git a/articles/app-service/containers/tutorial-dotnetcore-sqldb-app.md b/articles/app-service/containers/tutorial-dotnetcore-sqldb-app.md index aa501c78d1b8a..5b1cb191980ee 100644 --- a/articles/app-service/containers/tutorial-dotnetcore-sqldb-app.md +++ b/articles/app-service/containers/tutorial-dotnetcore-sqldb-app.md @@ -1,10 +1,10 @@ --- -title: Build .NET Core app with SQL Database on Linux - Azure App Service | Microsoft Docs -description: Learn how to get a .NET Core app working in Azure App Service on Linux, with connection to a SQL Database. +title: ASP.NET Core with SQL Database on Linux - Azure App Service | Microsoft Docs +description: Learn how to get an ASP.NET Core app working in Azure App Service on Linux, with connection to a SQL Database. services: app-service\web documentationcenter: dotnet author: cephalin -manager: syntaxc4 +manager: jeconnoc editor: '' ms.assetid: 0b4d7d0e-e984-49a1-a57a-3c0caa955f0e 
@@ -13,12 +13,12 @@ ms.workload: web
 ms.tgt_pltfrm: na
 ms.devlang: dotnet
 ms.topic: tutorial
-ms.date: 01/31/2019
+ms.date: 03/27/2019
 ms.author: cephalin
 ms.custom: mvc
 ms.custom: seodec18
 ---
-# Build a .NET Core and SQL Database app in Azure App Service on Linux
+# Build an ASP.NET Core and SQL Database app in Azure App Service on Linux
 > [!NOTE]
 > This article deploys an app to App Service on Linux. To deploy to App Service on _Windows_, see [Build a .NET Core and SQL Database app in Azure App Service](../app-service-web-tutorial-dotnetcore-sqldb.md).
@@ -28,7 +28,7 @@ ms.custom: seodec18
 ![app running in App Service on Linux](./media/tutorial-dotnetcore-sqldb-app/azure-app-in-browser.png)
-What you learn how to:
+In this tutorial, you learn how to:
 > [!div class="checklist"]
 > * Create a SQL Database in Azure
@@ -96,11 +96,11 @@ For SQL Database, this tutorial uses [Azure SQL Database](/azure/sql-database/).
 In the Cloud Shell, create a SQL Database logical server with the [`az sql server create`](/cli/azure/sql/server?view=azure-cli-latest#az-sql-server-create) command.
-Replace the *\* placeholder with a unique SQL Database name. This name is used as the part of the SQL Database endpoint, `.database.windows.net`, so the name needs to be unique across all logical servers in Azure. The name must contain only lowercase letters, numbers, and the hyphen (-) character, and must be between 3 and 50 characters long. Also, replace *\* and *\* with a username and password of your choice.
+Replace the *\* placeholder with a unique SQL Database name. This name is used as the part of the SQL Database endpoint, `.database.windows.net`, so the name needs to be unique across all logical servers in Azure. The name must contain only lowercase letters, numbers, and the hyphen (-) character, and must be between 3 and 50 characters long. Also, replace *\* and *\* with a username and password of your choice.
 ```azurecli-interactive
-az sql server create --name --resource-group myResourceGroup --location "West Europe" --admin-user --admin-password
+az sql server create --name --resource-group myResourceGroup --location "West Europe" --admin-user --admin-password
 ```
 When the SQL Database logical server is created, the Azure CLI shows information similar to the following example:
@@ -109,12 +109,12 @@ When the SQL Database logical server is created, the Azure CLI shows information
 {
 "administratorLogin": "sqladmin",
 "administratorLoginPassword": null,
- "fullyQualifiedDomainName": ".database.windows.net",
- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Sql/servers/",
+ "fullyQualifiedDomainName": ".database.windows.net",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Sql/servers/",
 "identity": null,
 "kind": "v12.0",
 "location": "westeurope",
- "name": "",
+ "name": "",
 "resourceGroup": "myResourceGroup",
 "state": "Ready",
 "tags": null,
@@ -128,7 +128,7 @@ When the SQL Database logical server is created, the Azure CLI shows information
 Create an [Azure SQL Database server-level firewall rule](../../sql-database/sql-database-firewall-configure.md) using the [`az sql server firewall create`](/cli/azure/sql/server/firewall-rule?view=azure-cli-latest#az-sql-server-firewall-rule-create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources.
 ```azurecli-interactive
-az sql server firewall-rule create --resource-group myResourceGroup --server --name AllowYourIp --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
+az sql server firewall-rule create --resource-group myResourceGroup --server --name AllowYourIp --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
 ```
 ### Create a database
@@ -136,15 +136,15 @@ az sql server firewall-rule create --resource-group myResourceGroup --server --name coreDB --service-objective S0 +az sql db create --resource-group myResourceGroup --server --name coreDB --service-objective S0 ``` ### Create connection string -Replace the following string with the *\*, *\*, and *\* you used earlier. +Replace the following string with the *\*, *\*, and *\* you used earlier. ``` -Server=tcp:.database.windows.net,1433;Database=coreDB;User ID=;Password=;Encrypt=true;Connection Timeout=30; +Server=tcp:.database.windows.net,1433;Database=coreDB;User ID=;Password=;Encrypt=true;Connection Timeout=30; ``` This is the connection string for your .NET Core app. Copy it for use later. 
@@ -167,18 +167,18 @@ In this step, you deploy your SQL Database-connected .NET Core application to Ap ### Configure an environment variable -To set connection strings for your Azure app, use the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in the Cloud Shell. In the following command, replace *\*, as well as the *\* parameter with the connection string you created earlier. +To set connection strings for your Azure app, use the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in the Cloud Shell. In the following command, replace *\*, as well as the *\* parameter with the connection string you created earlier. ```azurecli-interactive -az webapp config connection-string set --resource-group myResourceGroup --name --settings MyDbConnection='' --connection-string-type SQLServer +az webapp config connection-string set --resource-group myResourceGroup --name --settings MyDbConnection='' --connection-string-type SQLServer ``` Next, set `ASPNETCORE_ENVIRONMENT` app setting to _Production_. This setting lets you know whether you are running in Azure, because you use SQLite for your local development environment and SQL Database for your Azure environment. -The following example configures a `ASPNETCORE_ENVIRONMENT` app setting in your Azure app. Replace the *\* placeholder. +The following example configures a `ASPNETCORE_ENVIRONMENT` app setting in your Azure app. Replace the *\* placeholder. ```azurecli-interactive -az webapp config appsettings set --name --resource-group myResourceGroup --settings ASPNETCORE_ENVIRONMENT="Production" +az webapp config appsettings set --name --resource-group myResourceGroup --settings ASPNETCORE_ENVIRONMENT="Production" ``` ### Connect to SQL Database in production 
@@ -205,11 +205,11 @@ else services.BuildServiceProvider().GetService().Database.Migrate(); ``` -If this code detects that it is running in production (which indicates the Azure environment), then it uses the connection string you configured to connect to the SQL Database. +If this code detects that it is running in production (which indicates the Azure environment), then it uses the connection string you configured to connect to the SQL Database. For information on how app settings are accessed in App Service, see [Access environment variables](configure-language-dotnetcore.md#access-environment-variables). -The `Database.Migrate()` call helps you when it is run in Azure, because it automatically creates the databases that your .NET Core app needs, based on its migration configuration. +The `Database.Migrate()` call helps you when it is run in Azure, because it automatically creates the databases that your .NET Core app needs, based on its migration configuration. -Save your changes, then commit it into your Git repository. +Save your changes, then commit it into your Git repository. ```bash git add . @@ -242,7 +242,7 @@ remote: Finished successfully. remote: Running post deployment command(s)... remote: Deployment successful. remote: App container will begin restart within 10 seconds. -To https://.scm.azurewebsites.net/.git +To https://.scm.azurewebsites.net/.git * [new branch] master -> master ``` @@ -251,7 +251,7 @@ To https://.scm.azurewebsites.net/.git Browse to the deployed app using your web browser. ```bash -http://.azurewebsites.net +http://.azurewebsites.net ``` Add a few to-do items. 
@@ -365,23 +365,9 @@ The sample project already follows the guidance at [ASP.NET Core Logging in Azur > [!NOTE] > The project's log level is set to `Information` in *appsettings.json*. -> - -In App Service on Linux, apps are run inside a container from a default Docker image. You can access the console logs generated from within the container. To get the logs, first turn on container logging by running the [`az webapp log config`](/cli/azure/webapp/log?view=azure-cli-latest#az-webapp-log-config) command in the Cloud Shell. - -```azurecli-interactive -az webapp log config --name --resource-group myResourceGroup --docker-container-logging filesystem -``` - -Once container logging is turned on, watch the log stream by running the [`az webapp log tail`](/cli/azure/webapp/log?view=azure-cli-latest#az-webapp-log-tail) command in the Cloud Shell. - -```azurecli-interactive -az webapp log tail --name --resource-group myResourceGroup -``` - -Once log streaming has started, refresh the Azure app in the browser to get some web traffic. You can now see console logs piped to the terminal. If you don't see console logs immediately, check again in 30 seconds. +> -To stop log streaming at anytime, type `Ctrl`+`C`. +[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)] For more information on customizing the ASP.NET Core logs, see [Logging in ASP.NET Core](https://docs.microsoft.com/aspnet/core/fundamentals/logging). @@ -415,4 +401,9 @@ What you learned: Advance to the next tutorial to learn how to map a custom DNS name to your app. > [!div class="nextstepaction"] -> [Map an existing custom DNS name to Azure App Service](../app-service-web-tutorial-custom-domain.md) +> [Tutorial: Map custom DNS name to your app](../app-service-web-tutorial-custom-domain.md) + +Or, check out other resources: + +> [!div class="nextstepaction"] +> [Configure ASP.NET Core app](configure-language-dotnetcore.md) 
diff --git a/articles/app-service/containers/tutorial-java-enterprise-postgresql-app.md b/articles/app-service/containers/tutorial-java-enterprise-postgresql-app.md index eb180d1f26a86..e9bd5b0c03a49 100644 --- a/articles/app-service/containers/tutorial-java-enterprise-postgresql-app.md +++ b/articles/app-service/containers/tutorial-java-enterprise-postgresql-app.md @@ -16,9 +16,9 @@ ms.custom: seodec18 # Tutorial: Build a Java EE and Postgres web app in Azure -This tutorial will show you how to create a Java Enterprise Edition (EE) web app on Azure App Service and connect it to a Postgres database. When you are finished, you will have a [WildFly](https://www.wildfly.org/about/) application storing data in [Azure Database for Postgres](https://azure.microsoft.com/services/postgresql/) running on Azure [App Service on Linux](app-service-linux-intro.md). +This tutorial shows you how to create a Java Enterprise Edition (EE) web app on Azure App Service and connect it to a Postgres database. When you are finished, you will have a [WildFly](https://www.wildfly.org/about/) application storing data in [Azure Database for Postgres](https://azure.microsoft.com/services/postgresql/) running on Azure [App Service on Linux](app-service-linux-intro.md). -In this tutorial, you will learn how to: +In this tutorial, you learn how to: > [!div class="checklist"] > * Deploy a Java EE app to Azure using Maven > * Create a Postgres database in Azure 
@@ -154,7 +154,9 @@ Next, we need to edit our Java Transaction API (JPA) configuration so that our J ## Configure the WildFly application server -Before deploying our reconfigured application, we must update the WildFly application server with the Postgres module and its dependencies. To configure the server, we will need the four files in the `wildfly_config/` directory: +Before deploying our reconfigured application, we must update the WildFly application server with the Postgres module and its dependencies. More configuration information can be found at [Configure WildFly server](configure-language-java.md#configure-wildfly-server). + +To configure the server, we will need the four files in the `wildfly_config/` directory: - **postgresql-42.2.5.jar**: This JAR file is the JDBC driver for Postgres. For more information, see the [official website](https://jdbc.postgresql.org/index.html). - **postgres-module.xml**: This XML file declares a name for the Postgres module (org.postgres). It also specifies the resources and dependencies necessary for the module to be used. @@ -169,7 +171,6 @@ We will need to FTP the contents of `wildfly_config/` to our App Service instanc Using an FTP tool of your choice, transfer the four files in `wildfly_config/` to `/home/site/deployments/tools/`. (Note that you should not transfer the directory, just the files themselves.) - ### Finalize App Service In the App Service blade navigate to the "Application settings" panel. Under "Runtime", set the "Startup File" field to `/home/site/deployments/tools/startup_script.sh`. This will ensure that the shell script is run after the App Service instance is created, but before the WildFly server starts. 
@@ -191,9 +192,26 @@ Congratulations! Your application is now using a Postgres database and any recor If you don't need these resources for another tutorial (see Next steps), you can delete them by running the following command: ```bash -az group delete --name +az group delete --name ``` ## Next steps -Now that you have a Java EE application deployed to App Service, please see the [Java Enterprise developer guide](https://docs.microsoft.com/azure/app-service/containers/app-service-linux-java) for more information on setting up services, troubleshooting, and scaling your application. +In this tutorial, you learned how to: + +> [!div class="checklist"] +> * Deploy a Java EE app to Azure using Maven +> * Create a Postgres database in Azure +> * Configure the WildFly server to use Postgres +> * Update and redeploy the app +> * Run unit tests on WildFly + +Advance to the next tutorial to learn how to map a custom DNS name to your app. + +> [!div class="nextstepaction"] +> [Tutorial: Map custom DNS name to your app](../app-service-web-tutorial-custom-domain.md) + +Or, check out other resources: + +> [!div class="nextstepaction"] +> [Configure Java app](configure-language-java.md) diff --git a/articles/app-service/containers/tutorial-java-spring-cosmosdb.md b/articles/app-service/containers/tutorial-java-spring-cosmosdb.md index 0d7e34c31aa93..5d1beec6e7460 100644 --- a/articles/app-service/containers/tutorial-java-spring-cosmosdb.md +++ b/articles/app-service/containers/tutorial-java-spring-cosmosdb.md 
@@ -264,55 +264,10 @@ You should see the app running with the remote URL in the address bar: ![](./media/tutorial-java-spring-cosmosdb/spring-todo-app-running-in-app-service.jpg) -## View logs to troubleshoot the app +## Stream diagnostic logs -Enable logging for the deployed Java web app in App Service on Linux: +[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)] -```bash -az webapp log config --name ${WEBAPP_NAME} \ - --resource-group ${RESOURCEGROUP_NAME} \ - --web-server-logging filesystem -``` - -Then stream the web app logs to your terminal: - -```bash -az webapp log tail --name ${WEBAPP_NAME} \ - --resource-group ${RESOURCEGROUP_NAME} -``` - -You'll see the most recent lines of output and as new requests are made to the TODO app they will stream in on the console. To exit the console, use CONTROL+C. - -```bash -bash-3.2$ az webapp log tail --name ${WEBAPP_NAME} --resource-group ${RESOURCEGROUP_NAME} -2018-10-28T22:50:17 Welcome, you are now connected to log-streaming service. -2018-10-28T22:44:56.265890407Z _____ -2018-10-28T22:44:56.265930308Z / _ \ __________ _________ ____ -2018-10-28T22:44:56.265936008Z / /_\ \___ / | \_ __ \_/ __ \ -2018-10-28T22:44:56.265940308Z / | \/ /| | /| | \/\ ___/ -2018-10-28T22:44:56.265944408Z \____|__ /_____ \____/ |__| \___ > -2018-10-28T22:44:56.265948508Z \/ \/ \/ -2018-10-28T22:44:56.265952508Z A P P S E R V I C E O N L I N U X -2018-10-28T22:44:56.265956408Z Documentation: https://aka.ms/webapp-linux -2018-10-28T22:44:56.266260910Z Setup openrc ... -2018-10-28T22:44:57.396926506Z Service `hwdrivers' needs non existent service `dev' -2018-10-28T22:44:57.397294409Z * Caching service dependencies ... [ ok ] -2018-10-28T22:44:57.474152273Z Starting ssh service... -... -... 
-2018-10-28T22:46:13.432160734Z [INFO] AnnotationMBeanExporter - Registering beans for JMX exposure on startup -2018-10-28T22:46:13.744859424Z [INFO] TomcatWebServer - Tomcat started on port(s): 80 (http) with context path '' -2018-10-28T22:46:13.783230205Z [INFO] TodoApplication - Started TodoApplication in 57.209 seconds (JVM running for 70.815) -2018-10-28T22:46:14.887366993Z 2018-10-28 22:46:14.887 INFO 198 --- [p-nio-80-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet' -2018-10-28T22:46:14.887637695Z [INFO] DispatcherServlet - FrameworkServlet 'dispatcherServlet': initialization started -2018-10-28T22:46:14.998479907Z [INFO] DispatcherServlet - FrameworkServlet 'dispatcherServlet': initialization completed in 111 ms - -2018-10-28T22:49:20.572059062Z Sun Oct 28 22:49:20 GMT 2018 GET ======= /api/todolist ======= -2018-10-28T22:49:25.850543080Z Sun Oct 28 22:49:25 GMT 2018 DELETE ======= /api/todolist/{4f41ab03-1b12-4131-a920-fe5dfec106ca} ======= -2018-10-28T22:49:26.047126614Z Sun Oct 28 22:49:26 GMT 2018 GET ======= /api/todolist ======= -2018-10-28T22:49:30.201740227Z Sun Oct 28 22:49:30 GMT 2018 POST ======= /api/todolist ======= Milk -2018-10-28T22:49:30.413468872Z Sun Oct 28 22:49:30 GMT 2018 GET ======= /api/todolist ======= -``` ## Scale out the TODO App @@ -329,7 +284,7 @@ az appservice plan update --number-of-workers 2 \ If you don't need these resources for another tutorial (see [Next steps](#next)), you can delete them by running the following command in the Cloud Shell:     ```bash -az group delete --name your-azure-group-name +az group delete --name ``` 
@@ -341,9 +296,9 @@ az group delete --name your-azure-group-name [Spring Data for Cosmos DB](/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-cosmos-db?view=azure-java-stable), [Azure Cosmos DB](/azure/cosmos-db/sql-api-introduction) and -[App Service Linux](/azure/app-service/containers/app-service-linux-intro). +[App Service Linux](app-service-linux-intro.md). Learn more about running Java apps on App Service on Linux in the developer guide. > [!div class="nextstepaction"] -> [Java in App Service Linux dev guide](/azure/app-service/containers/app-service-linux-java) +> [Java in App Service Linux dev guide](configure-language-java.md) diff --git a/articles/app-service/containers/tutorial-multi-container-app.md b/articles/app-service/containers/tutorial-multi-container-app.md index d6a9edb51d311..8cae18ea9ae0d 100644 --- a/articles/app-service/containers/tutorial-multi-container-app.md +++ b/articles/app-service/containers/tutorial-multi-container-app.md @@ -13,7 +13,7 @@ ms.workload: na ms.tgt_pltfrm: na ms.devlang: na ms.topic: tutorial -ms.date: 06/25/2018 +ms.date: 03/27/2019 ms.author: msangapu ms.custom: mvc ms.custom: seodec18 @@ -23,7 +23,8 @@ ms.custom: seodec18 [Web App for Containers](app-service-linux-intro.md) provides a flexible way to use Docker images. In this tutorial, you'll learn how to create a multi-container app using WordPress and MySQL. You'll complete this tutorial in Cloud Shell, but you can also run these commands locally with the [Azure CLI](/cli/azure/install-azure-cli) command-line tool (2.0.32 or later). -In this tutorial, you'll learn how to: +In this tutorial, you learn how to: + > [!div class="checklist"] > * Convert a Docker Compose configuration to work with Web App for Containers > * Convert a Kubernetes configuration to work with Web App for Containers 
@@ -35,11 +36,6 @@ In this tutorial, you'll learn how to: [!INCLUDE [Free trial note](../../../includes/quickstarts-free-trial-note.md)] -## Preview feature limitations -Multi-container is currently in preview, the following App Service platform features are not supported. We expect to enable these features for Multi-container Web App before General Availability (GA): -* Authentication / Authorization -* Managed Identities - ## Prerequisites To complete this tutorial, you need experience with [Docker Compose](https://docs.docker.com/compose/) or [Kubernetes](https://kubernetes.io/). @@ -50,6 +46,8 @@ For this tutorial, you use the compose file from [Docker](https://docs.docker.co [!code-yml[Main](../../../azure-app-service-multi-container/docker-compose-wordpress.yml)] +For supported configuration options, see [Docker Compose options](configure-custom-container.md#docker-compose-options). + In Cloud Shell, create a tutorial directory and then change to it. ```bash 
@@ -112,41 +110,14 @@ When the App Service plan has been created, Cloud Shell shows information simila } ``` -## Docker Compose configuration options - -For this tutorial, you use the compose file from [Docker](https://docs.docker.com/compose/wordpress/#define-the-project), but you'll modify it include Azure Database for MySQL, persistent storage, and Redis. Alternatively, you can use a [Kubernetes configuration](#use-a-kubernetes-configuration-optional). The configuration files can be found at [Azure Samples](https://github.com/Azure-Samples/multicontainerwordpress). - -The following lists show supported and unsupported Docker Compose configuration options in Web App for Containers: - -### Supported options - -* command -* entrypoint -* environment -* image -* ports -* restart -* services -* volumes - -### Unsupported options - -* build (not allowed) -* depends_on (ignored) -* networks (ignored) -* secrets (ignored) - -> [!NOTE] -> Any other options not explicitly called out are also ignored in Public Preview. - ### Docker Compose with WordPress and MySQL containers ## Create a Docker Compose app -In your Cloud Shell, create a multi-container [web app](app-service-linux-intro.md) in the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp?view=azure-cli-latest#az-webapp-create) command. Don't forget to replace _\_ with a unique app name. +In your Cloud Shell, create a multi-container [web app](app-service-linux-intro.md) in the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp?view=azure-cli-latest#az-webapp-create) command. Don't forget to replace _\_ with a unique app name. 
-```bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml +```azurecli-interactive +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml ``` When the web app has been created, Cloud Shell shows output similar to the following example: @@ -160,7 +131,7 @@ When the web app has been created, Cloud Shell shows output similar to the follo "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", + "defaultHostName": ".azurewebsites.net", "enabled": true, < JSON data removed for brevity. > } @@ -168,7 +139,7 @@ When the web app has been created, Cloud Shell shows output similar to the follo ### Browse to the app -Browse to the deployed app at (`http://.azurewebsites.net`). The app may take a few minutes to load. If you receive an error, allow a few more minutes then refresh the browser. If you're having trouble and would like to troubleshoot, review [container logs](#find-docker-container-logs). +Browse to the deployed app at (`http://.azurewebsites.net`). The app may take a few minutes to load. If you receive an error, allow a few more minutes then refresh the browser. If you're having trouble and would like to troubleshoot, review [container logs](#find-docker-container-logs). ![Sample multi-container app on Web App for Containers][1] 
@@ -182,10 +153,10 @@ It's not recommended to use database containers in a production environment. The Create an Azure Database for MySQL server with the [`az mysql server create`](/cli/azure/mysql/server?view=azure-cli-latest#az-mysql-server-create) command. -In the following command, substitute your MySQL server name where you see the _<mysql_server_name>_ placeholder (valid characters are `a-z`, `0-9`, and `-`). This name is part of the MySQL server's hostname (`.database.windows.net`), it needs to be globally unique. +In the following command, substitute your MySQL server name where you see the _<mysql-server-name>_ placeholder (valid characters are `a-z`, `0-9`, and `-`). This name is part of the MySQL server's hostname (`.database.windows.net`), it needs to be globally unique. ```azurecli-interactive -az mysql server create --resource-group myResourceGroup --name --location "South Central US" --admin-user adminuser --admin-password My5up3rStr0ngPaSw0rd! --sku-name B_Gen4_1 --version 5.7 +az mysql server create --resource-group myResourceGroup --name --location "South Central US" --admin-user adminuser --admin-password My5up3rStr0ngPaSw0rd! --sku-name B_Gen4_1 --version 5.7 ``` Creating the server may take a few minutes to complete. When the MySQL server is created, Cloud Shell shows information similar to the following example: 
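Review bot: The rewritten `az mysql server create` line still passes a literal admin password, `--admin-password My5up3rStr0ngPaSw0rd!`, which readers will paste unchanged, so every server built from this tutorial shares a published credential. A later step also opens the server's firewall to all Azure sources. Since this hunk already normalises the server-name placeholder, the password could become a placeholder too, e.g. `--admin-password <admin-password>`, with a sentence asking the reader to choose their own value. The same literal is written into app settings in the `@@ -241,8 +212,8 @@` hunk (`WORDPRESS_DB_PASSWORD="My5up3rStr0ngPaSw0rd!"`) and should change with it.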
@@ -194,10 +165,10 @@ Creating the server may take a few minutes to complete. When the MySQL server is { "administratorLogin": "adminuser", "administratorLoginPassword": null, - "fullyQualifiedDomainName": ".database.windows.net", - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers/", + "fullyQualifiedDomainName": ".database.windows.net", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers/", "location": "southcentralus", - "name": "", + "name": "", "resourceGroup": "myResourceGroup", ... } @@ -208,7 +179,7 @@ Creating the server may take a few minutes to complete. When the MySQL server is Create a firewall rule for your MySQL server to allow client connections by using the [`az mysql server firewall-rule create`](/cli/azure/mysql/server/firewall-rule?view=azure-cli-latest#az-mysql-server-firewall-rule-create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources. ```azurecli-interactive -az mysql server firewall-rule create --name allAzureIPs --server --resource-group myResourceGroup --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0 +az mysql server firewall-rule create --name allAzureIPs --server --resource-group myResourceGroup --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0 ``` > [!TIP] @@ -217,8 +188,8 @@ az mysql server firewall-rule create --name allAzureIPs --server --name wordpress +```azurecli-interactive +az mysql db create --resource-group myResourceGroup --server-name --name wordpress ``` When the database has been created, Cloud Shell shows information similar to the following example: 
@@ -228,7 +199,7 @@ When the database has been created, Cloud Shell shows information similar to the "additionalProperties": {}, "charset": "latin1", "collation": "latin1_swedish_ci", - "id": "/subscriptions/12db1644-4b12-4cab-ba54-8ba2f2822c1f/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers//databases/wordpress", + "id": "/subscriptions/12db1644-4b12-4cab-ba54-8ba2f2822c1f/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers//databases/wordpress", "name": "wordpress", "resourceGroup": "myResourceGroup", "type": "Microsoft.DBforMySQL/servers/databases" @@ -241,8 +212,8 @@ To connect the WordPress app to this new MySQL server, you'll configure a few Wo To make these changes, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated. -```bash -az webapp config appsettings set --resource-group myResourceGroup --name --settings WORDPRESS_DB_HOST=".mysql.database.azure.com" WORDPRESS_DB_USER="adminuser@" WORDPRESS_DB_PASSWORD="My5up3rStr0ngPaSw0rd!" WORDPRESS_DB_NAME="wordpress" MYSQL_SSL_CA="BaltimoreCyberTrustroot.crt.pem" +```azurecli-interactive +az webapp config appsettings set --resource-group myResourceGroup --name --settings WORDPRESS_DB_HOST=".mysql.database.azure.com" WORDPRESS_DB_USER="adminuser@" WORDPRESS_DB_PASSWORD="My5up3rStr0ngPaSw0rd!" WORDPRESS_DB_NAME="wordpress" MYSQL_SSL_CA="BaltimoreCyberTrustroot.crt.pem" ``` When the app setting has been created, Cloud Shell shows information similar to the following example: 
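Review bot: The sample output in the `@@ -228,7 +199,7 @@` hunk keeps what looks like a real subscription GUID on the edited line, `/subscriptions/12db1644-4b12-4cab-ba54-8ba2f2822c1f/...`, while the server-create output earlier in this file uses the zeroed form. A subscription ID is not a secret, but it identifies a specific subscription and has no place in a published sample. Since the line is being touched anyway, I would replace the GUID with `00000000-0000-0000-0000-000000000000` to match the other outputs.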
@@ -252,12 +223,12 @@ When the app setting has been created, Cloud Shell shows information similar to { "name": "WORDPRESS_DB_HOST", "slotSetting": false, - "value": ".mysql.database.azure.com" + "value": ".mysql.database.azure.com" }, { "name": "WORDPRESS_DB_USER", "slotSetting": false, - "value": "adminuser@" + "value": "adminuser@" }, { "name": "WORDPRESS_DB_NAME", @@ -277,6 +248,8 @@ When the app setting has been created, Cloud Shell shows information similar to ] ``` +For more information on environment variables, see [Configure environment variables](configure-custom-container.md#configure-environment-variables). + ### Use a custom image for MySQL SSL and other configurations By default, SSL is used by Azure Database for MySQL. WordPress requires additional configuration to use SSL with MySQL. The WordPress 'official image' doesn't provide the additional configuration, but a [custom image](https://hub.docker.com/r/microsoft/multicontainerwordpress/builds/) has been prepared fo your convenience. In practice, you would add desired changes to your own image. 
@@ -311,10 +284,10 @@ Save your changes and exit nano. Use the command `^O` to save and `^X` to exit. ### Update app with new configuration -In Cloud Shell, reconfigure your multi-container [web app](app-service-linux-intro.md) with the [az webapp config container set](/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set) command. Don't forget to replace _\_ with the name of the web app you created earlier. +In Cloud Shell, reconfigure your multi-container [web app](app-service-linux-intro.md) with the [az webapp config container set](/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set) command. Don't forget to replace _\_ with the name of the web app you created earlier. -```bash -az webapp config container set --resource-group myResourceGroup --name --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml +```azurecli-interactive +az webapp config container set --resource-group myResourceGroup --name --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml ``` When the app has been reconfigured, Cloud Shell shows information similar to the following example: 
@@ -330,20 +303,20 @@ When the app has been reconfigured, Cloud Shell shows information similar to the ### Browse to the app -Browse to the deployed app at (`http://.azurewebsites.net`). The app is now using Azure Database for MySQL. +Browse to the deployed app at (`http://.azurewebsites.net`). The app is now using Azure Database for MySQL. ![Sample multicontainer app on Web App for Containers][1] ## Add persistent storage -Your multi-container is now running in Web App for Containers. However, if you install WordPress now and restart your app later, you'll find that your WordPress installation is gone. This happens because your Docker Compose configuration currently points to a storage location inside your container. The files installed into your container don't persist beyond app restart. In this section, you'll add persistent storage to your WordPress container. +Your multi-container is now running in Web App for Containers. However, if you install WordPress now and restart your app later, you'll find that your WordPress installation is gone. This happens because your Docker Compose configuration currently points to a storage location inside your container. The files installed into your container don't persist beyond app restart. In this section, you'll [add persistent storage](configure-custom-container.md#use-persistent-shared-storage) to your WordPress container. ### Configure environment variables To use of persistent storage, you'll enable this setting within App Service. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated. 
-```bash -az webapp config appsettings set --resource-group myResourceGroup --name --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=TRUE +```azurecli-interactive +az webapp config appsettings set --resource-group myResourceGroup --name --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=TRUE ``` When the app setting has been created, Cloud Shell shows information similar to the following example: @@ -387,10 +360,10 @@ services: ### Update app with new configuration -In Cloud Shell, reconfigure your multi-container [web app](app-service-linux-intro.md) with the [az webapp config container set](/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set) command. Don't forget to replace _\_ with a unique app name. +In Cloud Shell, reconfigure your multi-container [web app](app-service-linux-intro.md) with the [az webapp config container set](/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set) command. Don't forget to replace _\_ with a unique app name. -```bash -az webapp config container set --resource-group myResourceGroup --name --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml +```azurecli-interactive +az webapp config container set --resource-group myResourceGroup --name --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml ``` After your command runs, it shows output similar to the following example: @@ -411,7 +384,7 @@ After your command runs, it shows output similar to the following example: ### Browse to the app -Browse to the deployed app at (`http://.azurewebsites.net`). +Browse to the deployed app at (`http://.azurewebsites.net`). The WordPress container is now using Azure Database for MySQL and persistent storage. 
@@ -434,8 +407,8 @@ Add the redis container to the bottom of the configuration file so it looks like To use Redis, you'll enable this setting, `WP_REDIS_HOST`, within App Service. This is a *required setting* for WordPress to communicate with the Redis host. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated. -```bash -az webapp config appsettings set --resource-group myResourceGroup --name --settings WP_REDIS_HOST="redis" +```azurecli-interactive +az webapp config appsettings set --resource-group myResourceGroup --name --settings WP_REDIS_HOST="redis" ``` When the app setting has been created, Cloud Shell shows information similar to the following example: @@ -446,7 +419,7 @@ When the app setting has been created, Cloud Shell shows information similar to { "name": "WORDPRESS_DB_USER", "slotSetting": false, - "value": "adminuser@" + "value": "adminuser@" }, { "name": "WP_REDIS_HOST", 
@@ -458,10 +431,10 @@ When the app setting has been created, Cloud Shell shows information similar to ### Update app with new configuration -In Cloud Shell, reconfigure your multi-container [web app](app-service-linux-intro.md) with the [az webapp config container set](/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set) command. Don't forget to replace _\_ with a unique app name. +In Cloud Shell, reconfigure your multi-container [web app](app-service-linux-intro.md) with the [az webapp config container set](/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set) command. Don't forget to replace _\_ with a unique app name. -```bash -az webapp config container set --resource-group myResourceGroup --name --multicontainer-config-type compose --multicontainer-config-file compose-wordpress.yml +```azurecli-interactive +az webapp config container set --resource-group myResourceGroup --name --multicontainer-config-type compose --multicontainer-config-file compose-wordpress.yml ``` After your command runs, it shows output similar to the following example: @@ -477,7 +450,7 @@ After your command runs, it shows output similar to the following example: ### Browse to the app -Browse to the deployed app at (`http://.azurewebsites.net`). +Browse to the deployed app at (`http://.azurewebsites.net`). Complete the steps and install WordPress. 
@@ -511,34 +484,22 @@ WordPress connects to the Redis server. The connection **status** appears on the In this section, you'll learn how to use a Kubernetes configuration to deploy multiple containers. Make sure you follow earlier steps in to create a [resource group](#create-a-resource-group) and an [App Service plan](#create-an-azure-app-service-plan). Since the majority of the steps are similar to that of the compose section, the configuration file has been combined for you. -### Supported Kubernetes options for multi-container - -* args -* command -* containers -* image -* name -* ports -* spec - -> [!NOTE] ->Any other Kubernetes options not explicitly called out aren't supported in Public Preview. -> - ### Kubernetes configuration file You'll use *kubernetes-wordpress.yml* for this portion of the tutorial. It is displayed here for your reference: [!code-yml[Main](../../../azure-app-service-multi-container/kubernetes-wordpress.yml)] +For supported configuration options, see [Kubernetes configuration options](configure-custom-container.md#kubernetes-configuration-options) + ### Create an Azure Database for MySQL server Create a server in Azure Database for MySQL with the [`az mysql server create`](/cli/azure/mysql/server?view=azure-cli-latest#az-mysql-server-create) command. -In the following command, substitute your MySQL server name where you see the _<mysql_server_name>_ placeholder (valid characters are `a-z`, `0-9`, and `-`). This name is part of the MySQL server's hostname (`.database.windows.net`), it needs to be globally unique. +In the following command, substitute your MySQL server name where you see the _<mysql-server-name>_ placeholder (valid characters are `a-z`, `0-9`, and `-`). This name is part of the MySQL server's hostname (`.database.windows.net`), it needs to be globally unique. 
```azurecli-interactive -az mysql server create --resource-group myResourceGroup --name --location "South Central US" --admin-user adminuser --admin-password My5up3rStr0ngPaSw0rd! --sku-name B_Gen4_1 --version 5.7 +az mysql server create --resource-group myResourceGroup --name --location "South Central US" --admin-user adminuser --admin-password My5up3rStr0ngPaSw0rd! --sku-name B_Gen4_1 --version 5.7 ``` When the MySQL server is created, Cloud Shell shows information similar to the following example: @@ -547,10 +508,10 @@ When the MySQL server is created, Cloud Shell shows information similar to the f { "administratorLogin": "adminuser", "administratorLoginPassword": null, - "fullyQualifiedDomainName": ".database.windows.net", - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers/", + "fullyQualifiedDomainName": ".database.windows.net", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers/", "location": "southcentralus", - "name": "", + "name": "", "resourceGroup": "myResourceGroup", ... } @@ -561,7 +522,7 @@ When the MySQL server is created, Cloud Shell shows information similar to the f Create a firewall rule for your MySQL server to allow client connections by using the [`az mysql server firewall-rule create`](/cli/azure/mysql/server/firewall-rule?view=azure-cli-latest#az-mysql-server-firewall-rule-create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources. ```azurecli-interactive -az mysql server firewall-rule create --name allAzureIPs --server --resource-group myResourceGroup --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0 +az mysql server firewall-rule create --name allAzureIPs --server --resource-group myResourceGroup --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0 ``` > [!TIP] 
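Review bot: The `az mysql server create` line in the Kubernetes section passes a literal password, `--admin-password My5up3rStr0ngPaSw0rd!`, which readers following the tutorial are likely to paste unchanged into a real server. The same literal is reused as `WORDPRESS_DB_PASSWORD` in the later `az webapp config appsettings set` hunk of this file. Since this commit already normalises the other placeholders, the password should become a placeholder as well, with a sentence telling the reader to choose their own value. The PHP tutorial in this commit already describes its admin password as a placeholder. A short remark that app settings holding the password are readable by anyone who can read the app's configuration would also help.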
@@ -572,8 +533,8 @@ az mysql server firewall-rule create --name allAzureIPs --server --name wordpress +```azurecli-interactive +az mysql db create --resource-group myResourceGroup --server-name --name wordpress ``` When the database has been created, Cloud Shell shows information similar to the following example: @@ -583,7 +544,7 @@ When the database has been created, Cloud Shell shows information similar to the "additionalProperties": {}, "charset": "latin1", "collation": "latin1_swedish_ci", - "id": "/subscriptions/12db1644-4b12-4cab-ba54-8ba2f2822c1f/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers//databases/wordpress", + "id": "/subscriptions/12db1644-4b12-4cab-ba54-8ba2f2822c1f/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers//databases/wordpress", "name": "wordpress", "resourceGroup": "myResourceGroup", "type": "Microsoft.DBforMySQL/servers/databases" 
@@ -592,10 +553,10 @@ When the database has been created, Cloud Shell shows information similar to the ### Create a multi-container app (Kubernetes) -In Cloud Shell, create a multi-container [web app](app-service-linux-intro.md) in the `myResourceGroup` resource group and the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp?view=azure-cli-latest#az-webapp-create) command. Don't forget to replace _\_ with a unique app name. +In Cloud Shell, create a multi-container [web app](app-service-linux-intro.md) in the `myResourceGroup` resource group and the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp?view=azure-cli-latest#az-webapp-create) command. Don't forget to replace _\_ with a unique app name. -```bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --multicontainer-config-type kube --multicontainer-config-file kubernetes-wordpress.yml +```azurecli-interactive +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --multicontainer-config-type kube --multicontainer-config-file kubernetes-wordpress.yml ``` When the web app has been created, Cloud Shell shows output similar to the following example: @@ -608,7 +569,7 @@ When the web app has been created, Cloud Shell shows output similar to the follo "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", + "defaultHostName": ".azurewebsites.net", "enabled": true, < JSON data removed for brevity. > } 
@@ -618,8 +579,8 @@ When the web app has been created, Cloud Shell shows output similar to the follo To connect the WordPress app to this new MySQL server, you'll configure a few WordPress-specific environment variables. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated. -```bash -az webapp config appsettings set --resource-group myResourceGroup --name --settings WORDPRESS_DB_HOST=".mysql.database.azure.com" WORDPRESS_DB_USER="adminuser@" WORDPRESS_DB_PASSWORD="My5up3rStr0ngPaSw0rd!" WORDPRESS_DB_NAME="wordpress" MYSQL_SSL_CA="BaltimoreCyberTrustroot.crt.pem" +```azurecli-interactive +az webapp config appsettings set --resource-group myResourceGroup --name --settings WORDPRESS_DB_HOST=".mysql.database.azure.com" WORDPRESS_DB_USER="adminuser@" WORDPRESS_DB_PASSWORD="My5up3rStr0ngPaSw0rd!" WORDPRESS_DB_NAME="wordpress" MYSQL_SSL_CA="BaltimoreCyberTrustroot.crt.pem" ``` When the app setting has been created, Cloud Shell shows information similar to the following example: @@ -629,12 +590,12 @@ When the app setting has been created, Cloud Shell shows information similar to { "name": "WORDPRESS_DB_HOST", "slotSetting": false, - "value": ".mysql.database.azure.com" + "value": ".mysql.database.azure.com" }, { "name": "WORDPRESS_DB_USER", "slotSetting": false, - "value": "adminuser@" + "value": "adminuser@" }, { "name": "WORDPRESS_DB_NAME", 
@@ -651,14 +612,14 @@ When the app setting has been created, Cloud Shell shows information similar to ### Add persistent storage -Your multi-container is now running in Web App for Containers. The data will be erased on restart because the files aren't persisted. In this section, you'll add persistent storage to your WordPress container. +Your multi-container is now running in Web App for Containers. The data will be erased on restart because the files aren't persisted. In this section, you'll [add persistent storage](configure-custom-container.md#use-persistent-shared-storage) to your WordPress container. ### Configure environment variables To use of persistent storage, you'll enable this setting within App Service. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated. -```bash -az webapp config appsettings set --resource-group myResourceGroup --name --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=TRUE +```azurecli-interactive +az webapp config appsettings set --resource-group myResourceGroup --name --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=TRUE ``` When the app setting has been created, Cloud Shell shows information similar to the following example: @@ -675,7 +636,7 @@ When the app setting has been created, Cloud Shell shows information similar to ### Browse to the app -Browse to the deployed app at (`http://.azurewebsites.net`). +Browse to the deployed app at (`http://.azurewebsites.net`). The app is now running multiple containers in Web App for Containers. 
@@ -687,7 +648,7 @@ To use Redis, follow the steps in [Connect WordPress to Redis](#connect-wordpres ## Find Docker Container logs -If you run into issues using multiple containers, you can access the container logs by browsing to: `https://.scm.azurewebsites.net/api/logs/docker`. +If you run into issues using multiple containers, you can access the container logs by browsing to: `https://.scm.azurewebsites.net/api/logs/docker`. You'll see output similar to the following example: @@ -697,7 +658,7 @@ You'll see output similar to the following example: "machineName":"RD00XYZYZE567A", "lastUpdated":"2018-05-10T04:11:45Z", "size":25125, - "href":"https://.scm.azurewebsites.net/api/vfs/LogFiles/2018_05_10_RD00XYZYZE567A_docker.log", + "href":"https://.scm.azurewebsites.net/api/vfs/LogFiles/2018_05_10_RD00XYZYZE567A_docker.log", "path":"/home/LogFiles/2018_05_10_RD00XYZYZE567A_docker.log" } ] @@ -707,6 +668,8 @@ You see a log for each container and an additional log for the parent process. C [!INCLUDE [Clean-up section](../../../includes/cli-script-clean-up.md)] +## Next steps + In this tutorial, you learned how to: > [!div class="checklist"] > * Convert a Docker Compose configuration to work with Web App for Containers @@ -717,10 +680,15 @@ In this tutorial, you learned how to: > * Connect to Azure Database for MySQL > * Troubleshoot errors -## Next steps +Advance to the next tutorial to learn how to map a custom DNS name to your app. + +> [!div class="nextstepaction"] +> [Tutorial: Map custom DNS name to your app](../app-service-web-tutorial-custom-domain.md) + +Or, check out other resources: > [!div class="nextstepaction"] -> [Use a custom Docker image for Web App for Containers](tutorial-custom-docker-image.md) +> [Configure custom container](configure-custom-container.md) [1]: ./media/tutorial-multi-container-app/azure-multi-container-wordpress-install.png 
diff --git a/articles/app-service/containers/tutorial-nodejs-mongodb-app.md b/articles/app-service/containers/tutorial-nodejs-mongodb-app.md index 05a139309d067..d75c9bec07224 100644 --- a/articles/app-service/containers/tutorial-nodejs-mongodb-app.md +++ b/articles/app-service/containers/tutorial-nodejs-mongodb-app.md @@ -1,10 +1,10 @@ --- -title: Build Node.js app with MongoDB on Linux - Azure App Service | Microsoft Docs -description: Learn how to get a Node.js app working in Azure App Service on Linux, with connection to a Cosmos DB database with a MongoDB connection string. +title: Node.js (MEAN.js) with MongoDB on Linux - Azure App Service | Microsoft Docs +description: Learn how to get a Node.js app working in Azure App Service on Linux, with connection to a Cosmos DB database with a MongoDB connection string. MEAN.js is used in the tutorial. services: app-service\web documentationcenter: nodejs author: cephalin -manager: syntaxc4 +manager: jeconnoc editor: '' ms.assetid: 0b4d7d0e-e984-49a1-a57a-3c0caa955f0e @@ -13,7 +13,7 @@ ms.workload: web ms.tgt_pltfrm: na ms.devlang: nodejs ms.topic: tutorial -ms.date: 10/10/2017 +ms.date: 03/27/2019 ms.author: cephalin ms.custom: mvc ms.custom: seodec18 @@ -28,7 +28,7 @@ ms.custom: seodec18 ![MEAN.js app running in Azure App Service](./media/tutorial-nodejs-mongodb-app/meanjs-in-azure.png) -What you learn how to: +In this tutorial, you learn how to: > [!div class="checklist"] > * Create a database using Azure Cosmos DB's API for MongoDB 
@@ -127,10 +127,10 @@ In this step, you create a database account using Azure Cosmos DB's API for Mong In the Cloud Shell, create a Cosmos DB account with the [`az cosmosdb create`](/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-create) command. -In the following command, substitute a unique Cosmos DB name for the *\* placeholder. This name is used as the part of the Cosmos DB endpoint, `https://.documents.azure.com/`, so the name needs to be unique across all Cosmos DB accounts in Azure. The name must contain only lowercase letters, numbers, and the hyphen (-) character, and must be between 3 and 50 characters long. +In the following command, substitute a unique Cosmos DB name for the *\* placeholder. This name is used as the part of the Cosmos DB endpoint, `https://.documents.azure.com/`, so the name needs to be unique across all Cosmos DB accounts in Azure. The name must contain only lowercase letters, numbers, and the hyphen (-) character, and must be between 3 and 50 characters long. ```azurecli-interactive -az cosmosdb create --name --resource-group myResourceGroup --kind MongoDB +az cosmosdb create --name --resource-group myResourceGroup --kind MongoDB ``` The *--kind MongoDB* parameter enables MongoDB client connections. @@ -146,7 +146,7 @@ When the Cosmos DB account is created, the Azure CLI shows information similar t "maxStalenessPrefix": 100 }, "databaseAccountOfferType": "Standard", - "documentEndpoint": "https://.documents.azure.com:443/", + "documentEndpoint": "https://.documents.azure.com:443/", "failoverPolicies": ... < Output truncated for readability 
> @@ -162,7 +162,7 @@ In this step, you connect your MEAN.js sample application to the Cosmos DB datab To connect to the Cosmos DB database, you need the database key. In the Cloud Shell, use the [`az cosmosdb list-keys`](/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-list-keys) command to retrieve the primary key. ```azurecli-interactive -az cosmosdb list-keys --name --resource-group myResourceGroup +az cosmosdb list-keys --name --resource-group myResourceGroup ``` The Azure CLI shows information similar to the following example: @@ -184,12 +184,12 @@ Copy the value of `primaryMasterKey`. You need this information in the next step In your local MEAN.js repository, in the _config/env/_ folder, create a file named _local-production.js_. _.gitignore_ is configured to keep this file out of the repository. -Copy the following code into it. Be sure to replace the two *\* placeholders with your Cosmos DB database name, and replace the *\* placeholder with the key you copied in the previous step. +Copy the following code into it. Be sure to replace the two *\* placeholders with your Cosmos DB database name, and replace the *\* placeholder with the key you copied in the previous step. ```javascript module.exports = { db: { - uri: 'mongodb://:@.documents.azure.com:10250/mean?ssl=true&sslverifycertificate=false' + uri: 'mongodb://:@.documents.azure.com:10250/mean?ssl=true&sslverifycertificate=false' } }; ``` @@ -222,7 +222,7 @@ MEAN.JS Environment: production Server: http://0.0.0.0:8443 -Database: mongodb://:@.documents.azure.com:10250/mean?ssl=true&sslverifycertificate=false +Database: mongodb://:@.documents.azure.com:10250/mean?ssl=true&sslverifycertificate=false App version: 0.5.0 MEAN.JS version: 0.5.0 ``` 
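Review bot: The `local-production.js` sample keeps `sslverifycertificate=false` in the connection URI, so the connection is encrypted but the server certificate is presumably not checked while the primary key travels in that URI. The `MONGODB_URI` app setting in the next hunk uses only `?ssl=true`, so the two samples disagree. I would end the URI at `...documents.azure.com:10250/mean?ssl=true'`, or add one sentence explaining why verification is turned off for the local run and that it should not be carried into production. The expected startup output in the following hunk echoes the same URI and would need the matching change.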
@@ -255,13 +255,13 @@ By default, the MEAN.js project keeps _config/env/local-production.js_ out of th To set app settings, use the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in the Cloud Shell. -The following example configures a `MONGODB_URI` app setting in your Azure app. Replace the *\*, *\*, and *\* placeholders. +The following example configures a `MONGODB_URI` app setting in your Azure app. Replace the *\*, *\*, and *\* placeholders. ```azurecli-interactive -az webapp config appsettings set --name --resource-group myResourceGroup --settings MONGODB_URI="mongodb://:@.documents.azure.com:10250/mean?ssl=true" +az webapp config appsettings set --name --resource-group myResourceGroup --settings MONGODB_URI="mongodb://:@.documents.azure.com:10250/mean?ssl=true" ``` -In Node.js code, you access this app setting with `process.env.MONGODB_URI`, just like you would access any environment variable. +In Node.js code, you [access this app setting](configure-language-nodejs.md#access-environment-variables) with `process.env.MONGODB_URI`, just like you would access any environment variable. In your local MEAN.js repository, open _config/env/production.js_ (not _config/env/local-production.js_), which has production-environment specific configuration. The default MEAN.js app is already configured to use the `MONGODB_URI` environment variable that you created. @@ -292,7 +292,7 @@ remote: Handling node.js deployment. . . remote: Deployment successful. -To https://.scm.azurewebsites.net/.git +To https://.scm.azurewebsites.net/.git  * [new branch]      master -> master ``` 
@@ -301,14 +301,14 @@ You may notice that the deployment process runs [Gulp](https://gulpjs.com/) afte - _.deployment_ - This file tells App Service to run `bash deploy.sh` as the custom deployment script. - _deploy.sh_ - The custom deployment script. If you review the file, you will see that it runs `gulp prod` after `npm install` and `bower install`. -You can use this approach to add any step to your Git-based deployment. If you restart your Azure app at any point, App Service doesn't rerun these automation tasks. +You can use this approach to add any step to your Git-based deployment. If you restart your Azure app at any point, App Service doesn't rerun these automation tasks. For more information, see [Run Grunt/Bower/Gulp](configure-language-nodejs.md#run-gruntbowergulp). ### Browse to the Azure app Browse to the deployed app using your web browser. ```bash -http://.azurewebsites.net +http://.azurewebsites.net ``` Click **Sign Up** in the top menu and create a dummy user. @@ -447,6 +447,10 @@ Once the `git push` is complete, navigate to your Azure app and try out the new If you added any articles earlier, you still can see them. Existing data in your Cosmos DB is not lost. Also, your updates to the data schema and leaves your existing data intact. +## Stream diagnostic logs + +[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)] + ## Manage your Azure app Go to the [Azure portal](https://portal.azure.com) to see the app you created. 
@@ -478,4 +482,9 @@ What you learned: Advance to the next tutorial to learn how to map a custom DNS name to your app. > [!div class="nextstepaction"] -> [Map an existing custom DNS name to Azure App Service](../app-service-web-tutorial-custom-domain.md) +> [Tutorial: Map custom DNS name to your app](../app-service-web-tutorial-custom-domain.md) + +Or, check out other resources: + +> [!div class="nextstepaction"] +> [Configure Node.js app](configure-language-nodejs.md) \ No newline at end of file diff --git a/articles/app-service/containers/tutorial-php-mysql-app.md b/articles/app-service/containers/tutorial-php-mysql-app.md index 5bb6aee2b93bd..78c85eda8a605 100644 --- a/articles/app-service/containers/tutorial-php-mysql-app.md +++ b/articles/app-service/containers/tutorial-php-mysql-app.md @@ -1,14 +1,14 @@ --- -title: Build PHP app with MySQL on Linux - Azure App Service | Microsoft Docs -description: Learn how to get a PHP app working in Azure App Service on Linux, with connection to a MySQL database in Azure. +title: PHP (Laravel) with MySQL on Linux - Azure App Service | Microsoft Docs +description: Learn how to get a PHP app working in Azure App Service on Linux, with connection to a MySQL database in Azure. Laravel is used in the tutorial. services: app-service\web author: cephalin -manager: erikre +manager: jeconnoc ms.service: app-service-web ms.workload: web ms.devlang: php ms.topic: tutorial -ms.date: 11/15/2018 +ms.date: 03/27/2019 ms.author: cephalin ms.custom: mvc ms.custom: seodec18 
@@ -156,22 +156,22 @@ In this step, you create a MySQL database in [Azure Database for MySQL](/azure/m Create a server in Azure Database for MySQL with the [`az mysql server create`](/cli/azure/mysql/server?view=azure-cli-latest#az-mysql-server-create) command. -In the following command, substitute a unique server name for the *\* placeholder, a user name for the *\*, and a password for the *\* placeholder. The server name is used as part of your MySQL endpoint (`https://.mysql.database.azure.com`), so the name needs to be unique across all servers in Azure. For details on selecting MySQL DB SKU, please see [Create an Azure Database for MySQL server](https://docs.microsoft.com/azure/mysql/quickstart-create-mysql-server-database-using-azure-cli#create-an-azure-database-for-mysql-server). +In the following command, substitute a unique server name for the *\* placeholder, a user name for the *\*, and a password for the *\* placeholder. The server name is used as part of your MySQL endpoint (`https://.mysql.database.azure.com`), so the name needs to be unique across all servers in Azure. For details on selecting MySQL DB SKU, please see [Create an Azure Database for MySQL server](https://docs.microsoft.com/azure/mysql/quickstart-create-mysql-server-database-using-azure-cli#create-an-azure-database-for-mysql-server). 
```azurecli-interactive -az mysql server create --resource-group myResourceGroup --name --location "West Europe" --admin-user --admin-password --sku-name B_Gen5_1 +az mysql server create --resource-group myResourceGroup --name --location "West Europe" --admin-user --admin-password --sku-name B_Gen5_1 ``` When the MySQL server is created, the Azure CLI shows information similar to the following example: ```json { - "administratorLogin": "", + "administratorLogin": "", "administratorLoginPassword": null, - "fullyQualifiedDomainName": ".mysql.database.azure.com", - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers/", + "fullyQualifiedDomainName": ".mysql.database.azure.com", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers/", "location": "westeurope", - "name": "", + "name": "", "resourceGroup": "myResourceGroup", ... } 
@@ -182,25 +182,25 @@ When the MySQL server is created, the Azure CLI shows information similar to the Create a firewall rule for your MySQL server to allow client connections by using the [`az mysql server firewall-rule create`](/cli/azure/mysql/server/firewall-rule?view=azure-cli-latest#az-mysql-server-firewall-rule-create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources. ```azurecli-interactive -az mysql server firewall-rule create --name allAzureIPs --server --resource-group myResourceGroup --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0 +az mysql server firewall-rule create --name allAzureIPs --server --resource-group myResourceGroup --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0 ``` > [!TIP] > You can be even more restrictive in your firewall rule by [using only the outbound IP addresses your app uses](../overview-inbound-outbound-ips.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#find-outbound-ips). > -In the Cloud Shell, run the command again to allow access from your local computer by replacing *\* with [your local IPv4 IP address](https://www.whatsmyip.org/). +In the Cloud Shell, run the command again to allow access from your local computer by replacing *\* with [your local IPv4 IP address](https://www.whatsmyip.org/). ```azurecli-interactive -az mysql server firewall-rule create --name AllowLocalClient --server --resource-group myResourceGroup --start-ip-address= --end-ip-address= +az mysql server firewall-rule create --name AllowLocalClient --server --resource-group myResourceGroup --start-ip-address= --end-ip-address= ``` ### Connect to production MySQL server locally -In the terminal window, connect to the MySQL server in Azure. Use the value you specified previously for _<admin_user>_ and _<mysql_server_name>_. When prompted for a password, use the password you specified when you created the database in Azure. 
+In the terminal window, connect to the MySQL server in Azure. Use the value you specified previously for _<admin-user>_ and _<mysql-server-name>_. When prompted for a password, use the password you specified when you created the database in Azure. ```bash -mysql -u @ -h .mysql.database.azure.com -P 3306 -p +mysql -u @ -h .mysql.database.azure.com -P 3306 -p ``` ### Create a production database @@ -234,7 +234,7 @@ In this step, you connect the PHP application to the MySQL database you created ### Configure the database connection -In the repository root, create an _.env.production_ file and copy the following variables into it. Replace the placeholder _<mysql_server_name>_. +In the repository root, create an _.env.production_ file and copy the following variables into it. Replace the placeholder _<mysql-server-name>_. ```txt APP_ENV=production @@ -242,9 +242,9 @@ APP_DEBUG=true APP_KEY=SomeRandomString DB_CONNECTION=mysql -DB_HOST=.mysql.database.azure.com +DB_HOST=.mysql.database.azure.com DB_DATABASE=sampledb -DB_USERNAME=phpappuser@ +DB_USERNAME=phpappuser@ DB_PASSWORD=MySQLAzure2017 MYSQL_SSL=true ``` @@ -266,12 +266,12 @@ Open _config/database.php_ and add the _sslmode_ and _options_ parameters to `co ... 'sslmode' => env('DB_SSLMODE', 'prefer'), 'options' => (env('MYSQL_SSL')) ? [ - PDO::MYSQL_ATTR_SSL_KEY => '/ssl/BaltimoreCyberTrustRoot.crt.pem', + PDO::MYSQL_ATTR_SSL_KEY => '/ssl/BaltimoreCyberTrustRoot.crt.pem', ] : [] ], ``` -The certificate `BaltimoreCyberTrustRoot.crt.pem` is provided in the repository for convenience in this tutorial. +The certificate `BaltimoreCyberTrustRoot.crt.pem` is provided in the repository for convenience in this tutorial. ### Test the application locally 
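Review bot: In the `config/database.php` snippet the root certificate is passed as `PDO::MYSQL_ATTR_SSL_KEY`, which is the option for the client's private key rather than for the certificate authority. With that option the connection is probably still encrypted, but the server certificate is not validated against `BaltimoreCyberTrustRoot.crt.pem`. The line should read `PDO::MYSQL_ATTR_SSL_CA => '/ssl/BaltimoreCyberTrustRoot.crt.pem',`. The enclosing `connections.mysql` array starts outside the hunk, and the copy of this file in the sample repository presumably needs the same change.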
@@ -318,10 +318,7 @@ In this step, you deploy the MySQL-connected PHP application to Azure App Servic The Laravel application starts in the _/public_ directory. The default PHP Docker image for App Service uses Apache, and it doesn't let you customize the `DocumentRoot` for Laravel. However, you can use `.htaccess` to rewrite all requests to point to _/public_ instead of the root directory. In the repository root, an `.htaccess` is added already for this purpose. With it, your Laravel application is ready to be deployed. -> [!NOTE] -> If you would rather not use _.htaccess_ rewrite, you can deploy your Laravel application with a [custom Docker image](quickstart-docker-go.md) instead. -> -> +For more information, see [Change site root](configure-language-php.md#change-site-root). ### Configure a deployment user 
@@ -339,13 +336,13 @@ The Laravel application starts in the _/public_ directory. The default PHP Docke In App Service, you set environment variables as _app settings_ by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command. -The following command configures the app settings `DB_HOST`, `DB_DATABASE`, `DB_USERNAME`, and `DB_PASSWORD`. Replace the placeholders _<appname>_ and _<mysql_server_name>_. +The following command configures the app settings `DB_HOST`, `DB_DATABASE`, `DB_USERNAME`, and `DB_PASSWORD`. Replace the placeholders _<appname>_ and _<mysql-server-name>_. ```azurecli-interactive -az webapp config appsettings set --name --resource-group myResourceGroup --settings DB_HOST=".mysql.database.azure.com" DB_DATABASE="sampledb" DB_USERNAME="phpappuser@" DB_PASSWORD="MySQLAzure2017" MYSQL_SSL="true" +az webapp config appsettings set --name --resource-group myResourceGroup --settings DB_HOST=".mysql.database.azure.com" DB_DATABASE="sampledb" DB_USERNAME="phpappuser@" DB_PASSWORD="MySQLAzure2017" MYSQL_SSL="true" ``` -You can use the PHP [getenv](https://php.net/manual/en/function.getenv.php) method to access the settings. the Laravel code uses an [env](https://laravel.com/docs/5.4/helpers#method-env) wrapper over the PHP `getenv`. For example, the MySQL configuration in _config/database.php_ looks like the following code: +You can use the PHP [getenv](https://php.net/manual/en/function.getenv.php) method to [access the app settings](configure-language-php.md#access-environment-variables). The Laravel code uses an [env](https://laravel.com/docs/5.4/helpers#method-env) wrapper over the PHP `getenv`. For example, the MySQL configuration in _config/database.php_ looks like the following code: ```php 'mysql' => [ 
@@ -371,7 +368,7 @@ php artisan key:generate --show Set the application key in the App Service app by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command. Replace the placeholders _<appname>_ and _<outputofphpartisankey:generate>_. ```azurecli-interactive -az webapp config appsettings set --name --resource-group myResourceGroup --settings APP_KEY="" APP_DEBUG="true" +az webapp config appsettings set --name --resource-group myResourceGroup --settings APP_KEY="" APP_DEBUG="true" ``` `APP_DEBUG="true"` tells Laravel to return debugging information when the deployed app encounters errors. When running a production application, set it to `false`, which is more secure. @@ -414,12 +411,12 @@ remote: Running deployment command... > - `deploy.sh` - The custom deployment script. If you review the file, you will see that it runs `php composer.phar install` after `npm install`. > - `composer.phar` - The Composer package manager. > -> You can use this approach to add any step to your Git-based deployment to App Service. For more information, see [Custom Deployment Script](https://github.com/projectkudu/kudu/wiki/Custom-Deployment-Script). +> You can use this approach to add any step to your Git-based deployment to App Service. For more information, see [Run Composer](configure-language-php.md#run-composer). > ### Browse to the Azure app -Browse to `http://.azurewebsites.net` and add a few tasks to the list. +Browse to `http://.azurewebsites.net` and add a few tasks to the list. ![PHP app running in Azure App Service](./media/tutorial-php-mysql-app/php-mysql-in-azure.png) 
@@ -567,6 +564,10 @@ Once the `git push` is complete, navigate to the Azure app and test the new func If you added any tasks, they are retained in the database. Updates to the data schema leave existing data intact. +## Stream diagnostic logs + +[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)] + ## Manage the Azure app Go to the [Azure portal](https://portal.azure.com) to manage the app you created.
@@ -600,4 +601,9 @@ In this tutorial, you learned how to: Advance to the next tutorial to learn how to map a custom DNS name to your app. > [!div class="nextstepaction"] -> [Map an existing custom DNS name to Azure App Service](../app-service-web-tutorial-custom-domain.md) +> [Tutorial: Map custom DNS name to your app](../app-service-web-tutorial-custom-domain.md) + +Or, check out other resources: + +> [!div class="nextstepaction"] +> [Configure PHP app](configure-language-php.md)
\ No newline at end of file
diff --git a/articles/app-service/containers/tutorial-python-postgresql-app.md b/articles/app-service/containers/tutorial-python-postgresql-app.md
index 5962681992c59..e549fb770c6db 100644
--- a/articles/app-service/containers/tutorial-python-postgresql-app.md
+++ b/articles/app-service/containers/tutorial-python-postgresql-app.md
@@ -1,6 +1,6 @@
 ---
-title: Build a Python app with PostgreSQL on Linux - Azure App Service | Microsoft Docs
-description: Learn how to run a data-driven Python app in Azure, with connection to a PostgreSQL database.
+title: Python (Django) with PostgreSQL on Linux - Azure App Service | Microsoft Docs
+description: Learn how to run a data-driven Python app in Azure, with connection to a PostgreSQL database. Django is used in the tutorial.
 services: app-service\web
 documentationcenter: python
 author: cephalin
@@ -9,7 +9,7 @@ ms.service: app-service-web
 ms.workload: web
 ms.devlang: python
 ms.topic: tutorial
-ms.date: 11/29/2018
+ms.date: 03/27/2019
 ms.author: beverst;cephalin
 ms.custom: mvc
 ms.custom: seodec18
@@ -161,21 +161,21 @@ In this step, you create a PostgreSQL database in Azure. When your app is deploy Create a PostgreSQL server with the [`az postgres server create`](/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create) command in the Cloud Shell. -In the following example command, replace *\* with a unique server name, and replace *\* and *\* with the desired user credentials. The user credentials are for the database administrator account. The server name is used as part of your PostgreSQL endpoint (`https://.postgres.database.azure.com`), so the name needs to be unique across all servers in Azure. +In the following example command, replace *\* with a unique server name, and replace *\* and *\* with the desired user credentials. The user credentials are for the database administrator account. The server name is used as part of your PostgreSQL endpoint (`https://.postgres.database.azure.com`), so the name needs to be unique across all servers in Azure. ```azurecli-interactive -az postgres server create --resource-group myResourceGroup --name --location "West Europe" --admin-user --admin-password --sku-name B_Gen4_1 +az postgres server create --resource-group myResourceGroup --name --location "West Europe" --admin-user --admin-password --sku-name B_Gen4_1 ``` When the Azure Database for PostgreSQL server is created, the Azure CLI shows information similar to the following example: ```json { - "administratorLogin": "", - "fullyQualifiedDomainName": ".postgres.database.azure.com", - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforPostgreSQL/servers/", + "administratorLogin": "", + "fullyQualifiedDomainName": ".postgres.database.azure.com", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforPostgreSQL/servers/", "location": "westus", - "name": "", + "name": "", "resourceGroup": "myResourceGroup", "sku": { 
"capacity": 1, @@ -189,24 +189,23 @@ When the Azure Database for PostgreSQL server is created, the Azure CLI shows in ``` > [!NOTE] -> Remember \ and \ for later. You need them to sign in to the Postgre server and its databases. - +> Remember \ and \ for later. You need them to sign in to the Postgre server and its databases. ### Create firewall rules for the PostgreSQL server In the Cloud Shell, run the following Azure CLI commands to allow access to the database from Azure resources. ```azurecli-interactive -az postgres server firewall-rule create --resource-group myResourceGroup --server-name --start-ip-address=0.0.0.0 --end-ip-address=0.0.0.0 --name AllowAllAzureIPs +az postgres server firewall-rule create --resource-group myResourceGroup --server-name --start-ip-address=0.0.0.0 --end-ip-address=0.0.0.0 --name AllowAllAzureIPs ``` > [!NOTE] > This setting allows network connections from all IPs within the Azure network. For production use, try to configure the most restrictive firewall rules possible by [using only the outbound IP addresses your app uses](../overview-inbound-outbound-ips.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#find-outbound-ips). -In the Cloud Shell, run the command again to allow access from your local computer by replacing *\* with [your local IPv4 IP address](https://www.whatsmyip.org/). +In the Cloud Shell, run the command again to allow access from your local computer by replacing *\* with [your local IPv4 IP address](https://www.whatsmyip.org/). ```azurecli-interactive -az postgres server firewall-rule create --resource-group myResourceGroup --server-name --start-ip-address= --end-ip-address= --name AllowLocalClient +az postgres server firewall-rule create --resource-group myResourceGroup --server-name --start-ip-address= --end-ip-address= --name AllowLocalClient ``` ## Connect Python app to production database 
@@ -218,7 +217,7 @@ In this step, you connect your Django sample app to the Azure Database for Postg In the Cloud Shell, connect to the database by running the command below. When prompted for your admin password, use the same password you specified in [Create an Azure Database for PostgreSQL server](#create-an-azure-database-for-postgresql-server). ```bash -psql -h .postgres.database.azure.com -U @ postgres +psql -h .postgres.database.azure.com -U @ postgres ``` Just like in your local Postgres server, create the database and user in the Azure Postgres server. @@ -240,14 +239,14 @@ In the local terminal window, change the database environment variables (which y ```bash # Bash -export DBHOST=".postgres.database.azure.com" -export DBUSER="manager@" +export DBHOST=".postgres.database.azure.com" +export DBUSER="manager@" export DBNAME="pollsdb" export DBPASS="supersecretpass" # PowerShell -$Env:DBHOST = ".postgres.database.azure.com" -$Env:DBUSER = "manager@" +$Env:DBHOST = ".postgres.database.azure.com" +$Env:DBUSER = "manager@" $Env:DBNAME = "pollsdb" $Env:DBPASS = "supersecretpass" ``` 
@@ -310,22 +309,21 @@ For more information on configuring WhiteNoise, see the [WhiteNoise documentatio > [!IMPORTANT] > The database settings section already follows the security best practice of using environment variables. For the complete deployment recommendations, see [Django Documentation: deployment checklist](https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/). - Commit your changes into the repository. ```bash git commit -am "configure for App Service" ``` -### Configure a deployment user +### Configure deployment user [!INCLUDE [Configure deployment user](../../../includes/configure-deployment-user-no-h.md)] -### Create an App Service plan +### Create App Service plan [!INCLUDE [Create app service plan](../../../includes/app-service-web-create-app-service-plan-linux-no-h.md)] -### Create a web app +### Create web app [!INCLUDE [Create web app](../../../includes/app-service-web-create-web-app-python-linux-no-h.md)] @@ -338,9 +336,11 @@ In App Service, you set environment variables as _app settings_ by using the [`a The following example specifies the database connection details as app settings. ```azurecli-interactive -az webapp config appsettings set --name --resource-group myResourceGroup --settings DBHOST=".postgres.database.azure.com" DBUSER="manager@" DBPASS="supersecretpass" DBNAME="pollsdb" +az webapp config appsettings set --name --resource-group myResourceGroup --settings DBHOST=".postgres.database.azure.com" DBUSER="manager@" DBPASS="supersecretpass" DBNAME="pollsdb" ``` +For information on how these app settings are accessed in your code, see [Access environment variables](how-to-configure-python.md#access-environment-variables). + ### Push to Azure from Git [!INCLUDE [app-service-plan-no-h](../../../includes/app-service-web-git-push-to-azure-no-h.md)] 
@@ -363,7 +363,7 @@ remote: Kudu sync from: '/home/site/repository' to: '/home/site/wwwroot' . remote: Deployment successful. remote: App container will begin restart within 10 seconds. -To https://.scm.azurewebsites.net/.git +To https://.scm.azurewebsites.net/.git 06b6df4..6520eea master -> master ``` 
@@ -374,32 +374,22 @@ The App Service deployment server sees _requirements.txt_ in the repository root Browse to the deployed app. It takes some time to start because the container needs to be downloaded and run when the app is requested for the first time. If the page times out or displays an error message, wait a few minutes and refresh the page. ```bash -http://.azurewebsites.net +http://.azurewebsites.net ``` You should see the poll question that you created earlier. App Service detects a Django project in your repository by looking for a _wsgi.py_ in each subdirectory, which is created by `manage.py startproject` by default. When it finds the file, it loads the Django app. For more information on how App Service loads Python apps, see [Configure built-in Python image](how-to-configure-python.md). -Navigate to `.azurewebsites.net` and sign in using same admin user you created. If you like, try creating some more poll questions. +Navigate to `.azurewebsites.net` and sign in using same admin user you created. If you like, try creating some more poll questions. ![Python Django application running in locally](./media/tutorial-python-postgresql-app/django-admin-azure.png) **Congratulations!** You're running a Python app in App Service for Linux. -## Access diagnostic logs - -In App Service on Linux, apps are run inside a container from a default Docker image. You can access the console logs generated from within the container. 
To get the logs, first turn on container logging by running the following command in the Cloud Shell: - -```azurecli-interactive -az webapp log config --name --resource-group myResourceGroup --docker-container-logging filesystem -``` - -Once container logging is turned on, run the following command to see the log stream: +## Stream diagnostic logs -```azurecli-interactive -az webapp log tail --name --resource-group myResourceGroup -``` +[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)] ## Manage your app in the Azure Portal @@ -429,8 +419,9 @@ In this tutorial, you learned how to: Advance to the next tutorial to learn how to map a custom DNS name to your app. > [!div class="nextstepaction"] -> [Map an existing custom DNS name to Azure App Service](../app-service-web-tutorial-custom-domain.md) +> [Tutorial: Map custom DNS name to your app](../app-service-web-tutorial-custom-domain.md) -> [!div class="nextstepaction"] -> [Configure built-in Python image and troubleshoot errors](how-to-configure-python.md) +Or, check out other resources: +> [!div class="nextstepaction"] +> [Configure Python app](how-to-configure-python.md) \ No newline at end of file diff --git a/articles/app-service/containers/tutorial-ruby-postgres-app.md b/articles/app-service/containers/tutorial-ruby-postgres-app.md index bacbbb40e108c..b1d3fc0eaa73b 100644 --- a/articles/app-service/containers/tutorial-ruby-postgres-app.md +++ b/articles/app-service/containers/tutorial-ruby-postgres-app.md 
@@ -1,15 +1,15 @@
 ---
-title: Build a Ruby app with Postgres on Linux - Azure App Service | Microsoft Docs
-description: Learn how to get a Ruby app working in Azure, with connection to a PostgreSQL database in Azure.
+title: Ruby (Rails) with Postgres on Linux - Azure App Service | Microsoft Docs
+description: Learn how to get a Ruby app working in Azure, with connection to a PostgreSQL database in Azure. Rails is used in the tutorial.
 services: app-service\web
 documentationcenter: ''
 author: cephalin
-manager: cfowler
+manager: jeconnoc
 ms.service: app-service-web
 ms.workload: web
 ms.devlang: ruby
 ms.topic: tutorial
-ms.date: 06/15/2018
+ms.date: 03/27/2019
 ms.author: cephalin
 ms.custom: mvc
 ms.custom: seodec18
@@ -60,7 +60,7 @@ Type `\q` to exit the Postgres client. Create a Postgres user that can create databases by running the following command, using your signed-in Linux username. ```bash -sudo -u postgres createuser -d +sudo -u postgres createuser -d ``` 
@@ -120,10 +120,10 @@ In this step, you create a Postgres database in [Azure Database for PostgreSQL]( Create a PostgreSQL server with the [`az postgres server create`](/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create) command. -Run the following command in the Cloud Shell, and substitute a unique server name for the *\* placeholder. The server name needs to be unique across all servers in Azure. +Run the following command in the Cloud Shell, and substitute a unique server name for the *\* placeholder. The server name needs to be unique across all servers in Azure. ```azurecli-interactive -az postgres server create --location "West Europe" --resource-group myResourceGroup --name --admin-user adminuser --admin-password My5up3r$tr0ngPa$w0rd! --sku-name GP_Gen4_2 +az postgres server create --location "West Europe" --resource-group myResourceGroup --name --admin-user adminuser --admin-password My5up3r$tr0ngPa$w0rd! --sku-name GP_Gen4_2 ``` When the Azure Database for PostgreSQL server is created, the Azure CLI shows information similar to the following example: @@ -132,10 +132,10 @@ When the Azure Database for PostgreSQL server is created, the Azure CLI shows in { "administratorLogin": "adminuser", "earliestRestoreDate": "2018-06-15T12:38:25.280000+00:00", - "fullyQualifiedDomainName": ".postgres.database.azure.com", - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforPostgreSQL/servers/", + "fullyQualifiedDomainName": ".postgres.database.azure.com", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforPostgreSQL/servers/", "location": "westeurope", - "name": "", + "name": "", "resourceGroup": "myResourceGroup", "sku": { "capacity": 2, 
@@ -150,10 +150,10 @@ When the Azure Database for PostgreSQL server is created, the Azure CLI shows in ### Configure server firewall -In the Cloud Shell, create a firewall rule for your Postgres server to allow client connections by using the [`az postgres server firewall-rule create`](/cli/azure/postgres/server/firewall-rule?view=azure-cli-latest#az-postgres-server-firewall-rule-create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources. Substitute a unique server name for the *\* placeholder. +In the Cloud Shell, create a firewall rule for your Postgres server to allow client connections by using the [`az postgres server firewall-rule create`](/cli/azure/postgres/server/firewall-rule?view=azure-cli-latest#az-postgres-server-firewall-rule-create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources. Substitute a unique server name for the *\* placeholder. ```azurecli-interactive -az postgres server firewall-rule create --resource-group myResourceGroup --server --name AllowAllIps --start-ip-address 0.0.0.0 --end-ip-address 255.255.255.255 +az postgres server firewall-rule create --resource-group myResourceGroup --server --name AllowAllIps --start-ip-address 0.0.0.0 --end-ip-address 255.255.255.255 ``` > [!TIP] 
@@ -162,10 +162,10 @@ az postgres server firewall-rule create --resource-group myResourceGroup --serve ### Connect to production Postgres server locally -In the Cloud Shell, connect to the Postgres server in Azure. Use the value you specified previously for the _<postgres_server_name>_ placeholders. +In the Cloud Shell, connect to the Postgres server in Azure. Use the value you specified previously for the _<postgres-server-name>_ placeholders. ```bash -psql -U adminuser@ -h .postgres.database.azure.com postgres +psql -U adminuser@ -h .postgres.database.azure.com postgres ``` When prompted for a password, use _My5up3r$tr0ngPa$w0rd!_, which you specified when you created the database server. @@ -183,7 +183,7 @@ CREATE DATABASE sampledb; Create a database user called _railsappuser_ and give it all privileges in the `sampledb` database. ```sql -CREATE USER railsappuser WITH PASSWORD 'MyPostgresAzure2017'; +CREATE USER railsappuser WITH PASSWORD 'MyPostgresAzure2017'; GRANT ALL PRIVILEGES ON DATABASE sampledb TO railsappuser; ``` @@ -215,13 +215,13 @@ Save the changes. Back in the local terminal, set the following environment variables: ```bash -export DB_HOST=.postgres.database.azure.com +export DB_HOST=.postgres.database.azure.com export DB_DATABASE=sampledb -export DB_USERNAME=railsappuser@ +export DB_USERNAME=railsappuser@ export DB_PASSWORD=MyPostgresAzure2017 ``` -Run Rails database migrations with the production values you just configured to create the tables in your Postgres database in Azure Database for PostgreSQL. +Run Rails database migrations with the production values you just configured to create the tables in your Postgres database in Azure Database for PostgreSQL. ```bash rake db:migrate RAILS_ENV=production 
@@ -242,8 +242,8 @@ rails secret Save the secret key to the respective variables used by the Rails production environment. For convenience, you use the same key for both variables. ```bash -export RAILS_MASTER_KEY= -export SECRET_KEY_BASE= +export RAILS_MASTER_KEY= +export SECRET_KEY_BASE= ``` Enable the Rails production environment to serve JavaScript and CSS files. @@ -297,15 +297,15 @@ In this step, you deploy the Postgres-connected Rails application to Azure App S In App Service, you set environment variables as _app settings_ by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings?view=azure-cli-latest#az-webapp-config-appsettings-set) command in the Cloud Shell. -The following Cloud Shell command configures the app settings `DB_HOST`, `DB_DATABASE`, `DB_USERNAME`, and `DB_PASSWORD`. Replace the placeholders _<appname>_ and _<postgres_server_name>_. +The following Cloud Shell command configures the app settings `DB_HOST`, `DB_DATABASE`, `DB_USERNAME`, and `DB_PASSWORD`. Replace the placeholders _<appname>_ and _<postgres-server-name>_. ```azurecli-interactive -az webapp config appsettings set --name --resource-group myResourceGroup --settings DB_HOST=".postgres.database.azure.com" DB_DATABASE="sampledb" DB_USERNAME="railsappuser@" DB_PASSWORD="MyPostgresAzure2017" +az webapp config appsettings set --name --resource-group myResourceGroup --settings DB_HOST=".postgres.database.azure.com" DB_DATABASE="sampledb" DB_USERNAME="railsappuser@" DB_PASSWORD="MyPostgresAzure2017" ``` ### Configure Rails environment variables -In the local terminal, generate a new secret key for the Rails production environment in Azure. +In the local terminal, [generate a new secret](configure-language-ruby.md#set-secret_key_base-manually) for the Rails production environment in Azure. ```bash rails secret 
@@ -313,20 +313,20 @@ rails secret Configure the variables required by Rails production environment. -In the following Cloud Shell command, replace the two _<output_of_rails_secret>_ placeholders with the new secret key you generated in the local terminal. +In the following Cloud Shell command, replace the two _<output-of-rails-secret>_ placeholders with the new secret key you generated in the local terminal. ```azurecli-interactive -az webapp config appsettings set --name --resource-group myResourceGroup --settings RAILS_MASTER_KEY="" SECRET_KEY_BASE="" RAILS_SERVE_STATIC_FILES="true" ASSETS_PRECOMPILE="true" +az webapp config appsettings set --name --resource-group myResourceGroup --settings RAILS_MASTER_KEY="" SECRET_KEY_BASE="" RAILS_SERVE_STATIC_FILES="true" ASSETS_PRECOMPILE="true" ``` -`ASSETS_PRECOMPILE="true"` tells the default Ruby container to precompile assets at each Git deployment. +`ASSETS_PRECOMPILE="true"` tells the default Ruby container to precompile assets at each Git deployment. For more information, see [Precompile assets](configure-language-ruby.md#precompile-assets) and [Serve static assets](configure-language-ruby.md#serve-static-assets). ### Push to Azure from Git In the local terminal, add an Azure remote to your local Git repository. ```bash -git remote add azure +git remote add azure ``` Push to the Azure remote to deploy the Ruby on Rails application. You are prompted for the password you supplied earlier as part of the creation of the deployment user. @@ -354,7 +354,7 @@ remote: Running deployment command... ### Browse to the Azure app -Browse to `http://.azurewebsites.net` and add a few tasks to the list. +Browse to `http://.azurewebsites.net` and add a few tasks to the list. ![Ruby on Rails app running in Azure App Service](./media/tutorial-ruby-postgres-app/ruby-postgres-in-azure.png) 
@@ -471,6 +471,10 @@ Once the `git push` is complete, navigate to the Azure app and test the new func If you added any tasks, they are retained in the database. Updates to the data schema leave existing data intact. +## Stream diagnostic logs + +[!INCLUDE [Access diagnostic logs](../../../includes/app-service-web-logs-access-no-h.md)] + ## Manage the Azure app Go to the [Azure portal](https://portal.azure.com) to manage the app you created. @@ -504,4 +508,9 @@ In this tutorial, you learned how to: Advance to the next tutorial to learn how to map a custom DNS name to your app. > [!div class="nextstepaction"] -> [Map an existing custom DNS name to Azure App Service](../app-service-web-tutorial-custom-domain.md) +> [Tutorial: Map custom DNS name to your app](../app-service-web-tutorial-custom-domain.md) + +Or, check out other resources: + +> [!div class="nextstepaction"] +> [Configure Ruby app](configure-language-ruby.md) \ No newline at end of file diff --git a/articles/app-service/deploy-staging-slots.md b/articles/app-service/deploy-staging-slots.md index 1895486f6d675..ca526bbc7f6c2 100644 --- a/articles/app-service/deploy-staging-slots.md +++ b/articles/app-service/deploy-staging-slots.md @@ -80,7 +80,12 @@ When you clone configuration from another deployment slot, the cloned configurat * Monitoring and diagnostic settings * Public certificates * WebJobs content -* Hybrid connections +* Hybrid connections * +* VNet integration * +* Service Endpoints * +* Azure CDN * + +Features marked with a * are planned to be made sticky to the slot. **Settings that aren't swapped**: 
@@ -89,10 +94,15 @@ When you clone configuration from another deployment slot, the cloned configurat * Private certificates and SSL bindings * Scale settings * WebJobs schedulers +* IP restrictions +* Always On +* Protocol Settings (HTTP**S**, TLS version, client certificates) +* Diagnostic log settings +* CORS - + -To configure an app setting or connection string to stick to a specific slot (not swapped), navigate to the **Application settings** page for that slot, then select the **Slot Setting** box for the configuration elements that should stick to the slot. Marking a configuration element as slot specific tells App Service that it's not swappable. +To configure an app setting or connection string to stick to a specific slot (not swapped), navigate to the **Application settings** page for that slot, then select the **Slot Setting** box for the configuration elements that should stick to the slot. Marking a configuration element as slot specific tells App Service that it's not swappable. ![Slot setting](./media/web-sites-staged-publishing/SlotSetting.png) diff --git a/articles/app-service/deploy-zip.md b/articles/app-service/deploy-zip.md index e95b7cf328961..5d2d01d252bee 100644 --- a/articles/app-service/deploy-zip.md +++ b/articles/app-service/deploy-zip.md @@ -28,7 +28,7 @@ This ZIP file deployment uses the same Kudu service that powers continuous integ - Option to turn on the default build process, which includes package restore. - [Deployment customization](https://github.com/projectkudu/kudu/wiki/Configurable-settings#repository-and-deployment-related-settings), including running deployment scripts. - Deployment logs. -- A file size limit of 512 MB. +- A file size limit of 2048 MB. For more information, see [Kudu documentation](https://github.com/projectkudu/kudu/wiki/Deploying-from-a-zip-file). 
@@ -70,13 +70,23 @@ Make sure your Azure CLI version is 2.0.21 or later. To see which version you ha Deploy the uploaded ZIP file to your web app by using the [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source?view=azure-cli-latest#az-webapp-deployment-source-config-zip) command. -The following example deploys the ZIP file you uploaded. When using a local installation of Azure CLI, specify the path to your local ZIP file for `--src`. +The following example deploys the ZIP file you uploaded. When using a local installation of Azure CLI, specify the path to your local ZIP file for `--src`. ```azurecli-interactive az webapp deployment source config-zip --resource-group myResourceGroup --name --src clouddrive/.zip ``` -This command deploys the files and directories from the ZIP file to your default App Service application folder (`\home\site\wwwroot`) and restarts the app. If any additional custom build process is configured, it is run as well. For more information, see [Kudu documentation](https://github.com/projectkudu/kudu/wiki/Deploying-from-a-zip-file). +This command deploys the files and directories from the ZIP file to your default App Service application folder (`\home\site\wwwroot`) and restarts the app. + +By default, the deployment engine assumes that a ZIP file is ready to run as-is and doesn't run any build automation. To enable the same build automation as in a [Git deployment](deploy-local-git.md), set the `SCM_DO_BUILD_DURING_DEPLOYMENT` app setting by running the following command in the [Cloud Shell](https://shell.azure.com): + +```azurecli-interactive +az webapp config appsettings set --resource-group --name --settings SCM_DO_BUILD_DURING_DEPLOYMENT=true +``` + + + +For more information, see [Kudu documentation](https://github.com/projectkudu/kudu/wiki/Deploying-from-a-zip-file-or-url). [!INCLUDE [app-service-deploy-zip-push-rest](../../includes/app-service-deploy-zip-push-rest.md)] 
diff --git a/articles/app-service/environment/create-external-ase.md b/articles/app-service/environment/create-external-ase.md
index 5065fb2411918..19cb7fea1e18a 100644
--- a/articles/app-service/environment/create-external-ase.md
+++ b/articles/app-service/environment/create-external-ase.md
@@ -1,4 +1,4 @@
----
+---
 title: Create an External App Service environment - Azure
 description: Explains how to create an App Service environment while you create an app or standalone
 services: app-service
@@ -17,19 +17,21 @@ ms.author: ccompy ms.custom: seodec18 --- +# Create an External App Service environment + +Azure App Service Environment is a deployment of Azure App Service into a subnet in an Azure virtual network (VNet). + > [!NOTE] -> Each App Service Enviornment has a Virtual IP (VIP), which can be used to contact the App Service Environment. -> -> # Create an External App Service environment # +> Each App Service Environment has a Virtual IP (VIP), which can be used to contact the App Service Environment. -Azure App Service Environment is a deployment of Azure App Service into a subnet in an Azure virtual network (VNet). There are two ways to deploy an App Service Environment (ASE): +There are two ways to deploy an App Service Environment (ASE): - With a VIP on an external IP address, often called an External ASE. - With the VIP on an internal IP address, often called an ILB ASE because the internal endpoint is an Internal Load Balancer (ILB). This article shows you how to create an External ASE. For an overview of the ASE, see [An introduction to the App Service Environment][Intro]. For information on how to create an ILB ASE, see [Create and use an ILB ASE][MakeILBASE]. -## Before you create your ASE ## +## Before you create your ASE After you create your ASE, you can't change the following: 
@@ -44,7 +46,7 @@ After you create your ASE, you can't change the following: > When you choose a VNet and specify a subnet, make sure that it's large enough to accommodate future growth and scaling needs. We recommend a size of `/24` with 256 addresses. > -## Three ways to create an ASE ## +## Three ways to create an ASE There are three ways to create an ASE: @@ -54,7 +56,7 @@ There are three ways to create an ASE: An External ASE has a public VIP, which means that all HTTP/HTTPS traffic to the apps in the ASE hits an internet-accessible IP address. An ASE with an ILB has an IP address from the subnet used by the ASE. The apps hosted in an ILB ASE aren't exposed directly to the internet. -## Create an ASE and an App Service plan together ## +## Create an ASE and an App Service plan together The App Service plan is a container of apps. When you create an app in App Service, you choose or create an App Service plan. App Service Environments hold App Service plans, and App Service plans hold apps. @@ -138,7 +140,7 @@ To create an ASE while you create an App Service plan: 1. Select **Create** to create the ASE. This process also creates the App Service plan and the app. The ASE, App Service plan, and app are all under the same subscription and also in the same resource group. If your ASE needs a separate resource group or if you need an ILB ASE, follow the steps to create an ASE by itself. -## Create an ASE by itself ## +## Create an ASE by itself If you create an ASE standalone, it has nothing in it. An empty ASE still incurs a monthly charge for the infrastructure. Follow these steps to create an ASE with an ILB or to create an ASE in its own resource group. After you create your ASE, you can create apps in it by using the normal process. Select your new ASE as the location. 
@@ -166,7 +168,7 @@ If you create an ASE standalone, it has nothing in it. An empty ASE still incurs * If you select an existing VNet, a new subnet is created when the ASE is created. *You can't use a pre-created subnet in the portal. You can create an ASE with an existing subnet if you use a Resource Manager template.* To create an ASE from a template, see [Create an App Service Environment from a template][MakeASEfromTemplate]. -## App Service Environment v1 ## +## App Service Environment v1 You can still create instances of the first version of App Service Environment (ASEv1). To start that process, search the Marketplace for **App Service Environment v1**. You create the ASE in the same way that you create the standalone ASE. When it's finished, your ASEv1 has two front ends and two workers. With ASEv1, you must manage the front ends and workers. They're not automatically added when you create your App Service plans. The front ends act as the HTTP/HTTPS endpoints and send traffic to the workers. The workers are the roles that host your apps. You can adjust the quantity of front ends and workers after you create your ASE. diff --git a/articles/app-service/environment/create-ilb-ase.md b/articles/app-service/environment/create-ilb-ase.md index aa1d98ae3afb7..51087e511a2b3 100644 --- a/articles/app-service/environment/create-ilb-ase.md +++ b/articles/app-service/environment/create-ilb-ase.md 
@@ -166,13 +166,13 @@ To upload your own certificates and test access: 4. Set the DNS for your ASE domain. You can use a wildcard with your domain in your DNS. To do some simple tests, edit the hosts file on your VM to set the app name to the VIP IP address: - a. If your ASE has the domain name _.ilbase.com_ and you create the app named _mytestapp_, it's addressed at _mytestapp.ilbase.com_. You then set _mytestapp.ilbase.com_ to resolve to the ILB address. (On Windows, the hosts file is at _C:\Windows\System32\drivers\etc\_.) + a. If your ASE has the domain name _.ilbase.com_ and you create the app named _mytestapp_, it's addressed at _mytestapp.ilbase.com_. You then set _mytestapp.ilbase.com_ to resolve to the ILB address. (On Windows, the hosts file is at _C:\Windows\System32\drivers\etc\\_.) b. To test web deployment publishing or access to the advanced console, create a record for _mytestapp.scm.ilbase.com_. -5. Use a browser on that VM and go to https://mytestapp.ilbase.com. (Or go to whatever your app name is with your domain.) +5. Use a browser on that VM and go to https://mytestapp.ilbase.com. (Or go to whatever your app name is with your domain.) -6. Use a browser on that VM and go to https://mytestapp.ilbase.com. If you use a self-signed certificate, accept the lack of security. +6. Use a browser on that VM and go to https://mytestapp.ilbase.com. If you use a self-signed certificate, accept the lack of security. The IP address for your ILB is listed under **IP addresses**. This list also has the IP addresses used by the external VIP and for inbound management traffic. diff --git a/articles/app-service/environment/management-addresses.md b/articles/app-service/environment/management-addresses.md index 68281e6a8bd2a..55eb3f75bcc3a 100644 --- a/articles/app-service/environment/management-addresses.md +++ b/articles/app-service/environment/management-addresses.md 
@@ -12,30 +12,28 @@ ms.workload: na ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/16/2019 +ms.date: 04/03/2019 ms.author: ccompy ms.custom: seodec18 --- # App Service Environment management addresses -The App Service Environment (ASE) is a deployment of the Azure App Service into a subnet in your Azure Virtual Network (VNet). The ASE must be accessible from the management plane used by the Azure App Service. This ASE management traffic traverses the user-controlled network. If this traffic is blocked or misrouted, the ASE will become suspended. For details on the ASE networking dependencies, read [Networking considerations and the App Service Environment][networking]. For general information on the ASE, you can start with [Introduction to the App Service Environment][intro]. +The App Service Environment (ASE) is a single tenant deployment of the Azure App Service that runs in your Azure Virtual Network (VNet). While the ASE does run in your VNet, it must still be accessible from a number of dedicated IP addresses that are used by the Azure App Service to manage the service. In the case of an ASE, the management traffic traverses the user-controlled network. If this traffic is blocked or misrouted, the ASE will become suspended. For details on the ASE networking dependencies, read [Networking considerations and the App Service Environment][networking]. For general information on the ASE, you can start with [Introduction to the App Service Environment][intro]. -All ASEs have a public VIP which management traffic comes into. The incoming management traffic from these addresses comes in from to ports 454 and 455 on the public VIP of your ASE. This document lists the App Service source addresses for management traffic to the ASE. These addresses are in the Service Tag named AppServiceManagement. +All ASEs have a public VIP which management traffic comes into. 
The incoming management traffic from these addresses comes in from to ports 454 and 455 on the public VIP of your ASE. This document lists the App Service source addresses for management traffic to the ASE. These addresses are also in the IP Service Tag named AppServiceManagement. -You can use the Service Tag named AppServiceManagement in your Network Security Groups in order to lock down inbound management traffic to your ASE. - -The addresses noted below can be configured in a route table. This is important when operating your ASE in a force tunneled VNet where you might otherwise have an asymmetric routing problem. For details on how to configure your ASE to operate in an environment where outbound traffic is sent on premises, read [Configure your ASE with forced tunneling][forcedtunnel] +The addresses noted below can be configured in a route table to avoid asymmetric routing problems with the management traffic. Routes act on traffic at the IP level and do not have an awareness of traffic direction or that the traffic is a part of a TCP reply message. If the reply address for a TCP request is different than the address it was sent to, you have an asymmetric routing problem. To avoid asymmetric routing problems with your ASE management traffic, you need to ensure that replies are sent back from the same address they were sent to. 
For details on how to configure your ASE to operate in an environment where outbound traffic is sent on premises, read [Configure your ASE with forced tunneling][forcedtunnel] ## List of management addresses ## | Region | Addresses | |--------|-----------| -| All public regions | 70.37.57.58, 157.55.208.185, 52.174.22.21, 13.94.149.179, 13.94.143.126, 13.94.141.115, 52.178.195.197, 52.178.190.65, 52.178.184.149, 52.178.177.147, 13.75.127.117, 40.83.125.161, 40.83.121.56, 40.83.120.64, 52.187.56.50, 52.187.63.37, 52.187.59.251, 52.187.63.19, 52.165.158.140, 52.165.152.214, 52.165.154.193, 52.165.153.122, 104.44.129.255, 104.44.134.255, 104.44.129.243, 104.44.129.141, 23.102.188.65, 191.236.154.88, 13.64.115.203, 65.52.193.203, 70.37.89.222, 52.224.105.172, 23.102.135.246, 52.225.177.153, 65.52.172.237, 52.151.25.45, 40.124.47.188 | +| All public regions | 13.64.115.203, 13.75.127.117, 13.94.141.115, 13.94.143.126, 13.94.149.179, 23.102.135.246, 23.102.188.65, 40.83.120.64, 40.83.121.56, 40.83.125.161, 40.124.47.188, 52.151.25.45, 52.165.152.214, 52.165.153.122, 52.165.154.193, 52.165.158.140, 52.174.22.21, 52.178.177.147, 52.178.184.149, 52.178.190.65, 52.178.195.197, 52.187.56.50, 52.187.59.251, 52.187.63.19, 52.187.63.37, 52.224.105.172, 52.225.177.153, 65.52.14.230, 65.52.172.237, 65.52.193.203, 70.37.57.58, 70.37.89.222, 104.44.129.141, 104.44.129.243, 104.44.129.255, 104.44.134.255, 104.208.54.11, 157.55.176.93, 157.55.208.185, 191.236.154.88 | | Microsoft Azure Government | 23.97.29.209, 13.72.53.37, 13.72.180.105, 23.97.0.17, 23.97.16.184 | ## Configuring a Network Security Group -With Network Security Groups you do not need to worry about the individual addresses or maintaining your own configuration. There is an IP service tag named AppServiceManagement that is kept up to date with all of the addresses. To use this IP service tag in your NSG, go to the portal, open your Network Security Groups UI and select Inbound security rules. 
If you have a pre-existing rule for the inbound management traffic edit it. If this NSG was not created with your ASE, or if it is all new, then select **Add**. Under the Source drop down, select **Service Tag**. Under the Source service tag, select **AppServiceManagement**. Set the source port ranges to \*, Destination to **Any**, Destination port ranges to **454-455**, Protocol to **TCP**, and Action to **Allow**. If you are making the rule then you need to set the Priority. +With Network Security Groups, you do not need to worry about the individual addresses or maintaining your own configuration. There is an IP service tag named AppServiceManagement that is kept up-to-date with all of the addresses. To use this IP service tag in your NSG, go to the portal, open your Network Security Groups UI, and select Inbound security rules. If you have a pre-existing rule for the inbound management traffic, edit it. If this NSG was not created with your ASE, or if it is all new, then select **Add**. Under the Source drop down, select **Service Tag**. Under the Source service tag, select **AppServiceManagement**. Set the source port ranges to \*, Destination to **Any**, Destination port ranges to **454-455**, Protocol to **TCP**, and Action to **Allow**. If you are making the rule, then you need to set the Priority. ![creating an NSG with the service tag][1] 
@@ -47,43 +45,46 @@ The management addresses can be placed in a route table with a next hop of inter $rt = "route table name" $location = "azure location" az network route-table create --name $rt --resource-group $rg --location $location - az network route-table route create -g $rg --route-table-name $rt -n 70.37.57.58 --next-hop-type Internet --address-prefix 70.37.57.58/32 - az network route-table route create -g $rg --route-table-name $rt -n 157.55.208.185 --next-hop-type Internet --address-prefix 157.55.208.185/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.174.22.21 --next-hop-type Internet --address-prefix 52.174.22.21/32 - az network route-table route create -g $rg --route-table-name $rt -n 13.94.149.179 --next-hop-type Internet --address-prefix 13.94.149.179/32 - az network route-table route create -g $rg --route-table-name $rt -n 13.94.143.126 --next-hop-type Internet --address-prefix 13.94.143.126/32 - az network route-table route create -g $rg --route-table-name $rt -n 13.94.141.115 --next-hop-type Internet --address-prefix 13.94.141.115/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.178.195.197 --next-hop-type Internet --address-prefix 52.178.195.197/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.178.190.65 --next-hop-type Internet --address-prefix 52.178.190.65/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.178.184.149 --next-hop-type Internet --address-prefix 52.178.184.149/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.178.177.147 --next-hop-type Internet --address-prefix 52.178.177.147/32 + az network route-table route create -g $rg --route-table-name $rt -n 13.64.115.203 --next-hop-type Internet --address-prefix 13.64.115.203/32 az network route-table route create -g $rg --route-table-name $rt -n 13.75.127.117 --next-hop-type Internet --address-prefix 13.75.127.117/32 - az network route-table route 
create -g $rg --route-table-name $rt -n 40.83.125.161 --next-hop-type Internet --address-prefix 40.83.125.161/32 - az network route-table route create -g $rg --route-table-name $rt -n 40.83.121.56 --next-hop-type Internet --address-prefix 40.83.121.56/32 + az network route-table route create -g $rg --route-table-name $rt -n 13.94.141.115 --next-hop-type Internet --address-prefix 13.94.141.115/32 + az network route-table route create -g $rg --route-table-name $rt -n 13.94.143.126 --next-hop-type Internet --address-prefix 13.94.143.126/32 + az network route-table route create -g $rg --route-table-name $rt -n 13.94.149.179 --next-hop-type Internet --address-prefix 13.94.149.179/32 + az network route-table route create -g $rg --route-table-name $rt -n 23.102.135.246 --next-hop-type Internet --address-prefix 23.102.135.246/32 + az network route-table route create -g $rg --route-table-name $rt -n 23.102.188.65 --next-hop-type Internet --address-prefix 23.102.188.65/32 az network route-table route create -g $rg --route-table-name $rt -n 40.83.120.64 --next-hop-type Internet --address-prefix 40.83.120.64/32 + az network route-table route create -g $rg --route-table-name $rt -n 40.83.121.56 --next-hop-type Internet --address-prefix 40.83.121.56/32 + az network route-table route create -g $rg --route-table-name $rt -n 40.83.125.161 --next-hop-type Internet --address-prefix 40.83.125.161/32 + az network route-table route create -g $rg --route-table-name $rt -n 40.124.47.188 --next-hop-type Internet --address-prefix 40.124.47.188/32 + az network route-table route create -g $rg --route-table-name $rt -n 52.151.25.45 --next-hop-type Internet --address-prefix 52.151.25.45/32 + az network route-table route create -g $rg --route-table-name $rt -n 52.165.152.214 --next-hop-type Internet --address-prefix 52.165.152.214/32 + az network route-table route create -g $rg --route-table-name $rt -n 52.165.153.122 --next-hop-type Internet --address-prefix 52.165.153.122/32 + az network 
route-table route create -g $rg --route-table-name $rt -n 52.165.154.193 --next-hop-type Internet --address-prefix 52.165.154.193/32 + az network route-table route create -g $rg --route-table-name $rt -n 52.165.158.140 --next-hop-type Internet --address-prefix 52.165.158.140/32 + az network route-table route create -g $rg --route-table-name $rt -n 52.174.22.21 --next-hop-type Internet --address-prefix 52.174.22.21/32 + az network route-table route create -g $rg --route-table-name $rt -n 52.178.177.147 --next-hop-type Internet --address-prefix 52.178.177.147/32 + az network route-table route create -g $rg --route-table-name $rt -n 52.178.184.149 --next-hop-type Internet --address-prefix 52.178.184.149/32 + az network route-table route create -g $rg --route-table-name $rt -n 52.178.190.65 --next-hop-type Internet --address-prefix 52.178.190.65/32 + az network route-table route create -g $rg --route-table-name $rt -n 52.178.195.197 --next-hop-type Internet --address-prefix 52.178.195.197/32 az network route-table route create -g $rg --route-table-name $rt -n 52.187.56.50 --next-hop-type Internet --address-prefix 52.187.56.50/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.187.63.37 --next-hop-type Internet --address-prefix 52.187.63.37/32 az network route-table route create -g $rg --route-table-name $rt -n 52.187.59.251 --next-hop-type Internet --address-prefix 52.187.59.251/32 az network route-table route create -g $rg --route-table-name $rt -n 52.187.63.19 --next-hop-type Internet --address-prefix 52.187.63.19/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.165.158.140 --next-hop-type Internet --address-prefix 52.165.158.140/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.165.152.214 --next-hop-type Internet --address-prefix 52.165.152.214/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.165.154.193 --next-hop-type Internet --address-prefix 
52.165.154.193/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.165.153.122 --next-hop-type Internet --address-prefix 52.165.153.122/32 - az network route-table route create -g $rg --route-table-name $rt -n 104.44.129.255 --next-hop-type Internet --address-prefix 104.44.129.255/32 - az network route-table route create -g $rg --route-table-name $rt -n 104.44.134.255 --next-hop-type Internet --address-prefix 104.44.134.255/32 - az network route-table route create -g $rg --route-table-name $rt -n 104.44.129.243 --next-hop-type Internet --address-prefix 104.44.129.243/32 - az network route-table route create -g $rg --route-table-name $rt -n 104.44.129.141 --next-hop-type Internet --address-prefix 104.44.129.141/32 - az network route-table route create -g $rg --route-table-name $rt -n 23.102.188.65 --next-hop-type Internet --address-prefix 23.102.188.65/32 - az network route-table route create -g $rg --route-table-name $rt -n 191.236.154.88 --next-hop-type Internet --address-prefix 191.236.154.88/32 - az network route-table route create -g $rg --route-table-name $rt -n 13.64.115.203 --next-hop-type Internet --address-prefix 13.64.115.203/32 - az network route-table route create -g $rg --route-table-name $rt -n 65.52.193.203 --next-hop-type Internet --address-prefix 65.52.193.203/32 - az network route-table route create -g $rg --route-table-name $rt -n 70.37.89.222 --next-hop-type Internet --address-prefix 70.37.89.222/32 + az network route-table route create -g $rg --route-table-name $rt -n 52.187.63.37 --next-hop-type Internet --address-prefix 52.187.63.37/32 az network route-table route create -g $rg --route-table-name $rt -n 52.224.105.172 --next-hop-type Internet --address-prefix 52.224.105.172/32 - az network route-table route create -g $rg --route-table-name $rt -n 23.102.135.246 --next-hop-type Internet --address-prefix 23.102.135.246/32 az network route-table route create -g $rg --route-table-name $rt -n 52.225.177.153 --next-hop-type 
Internet --address-prefix 52.225.177.153/32 + az network route-table route create -g $rg --route-table-name $rt -n 65.52.14.230 --next-hop-type Internet --address-prefix 65.52.14.230/32 az network route-table route create -g $rg --route-table-name $rt -n 65.52.172.237 --next-hop-type Internet --address-prefix 65.52.172.237/32 - az network route-table route create -g $rg --route-table-name $rt -n 52.151.25.45 --next-hop-type Internet --address-prefix 52.151.25.45/32 - az network route-table route create -g $rg --route-table-name $rt -n 40.124.47.188 --next-hop-type Internet --address-prefix 40.124.47.188/32 + az network route-table route create -g $rg --route-table-name $rt -n 65.52.193.203 --next-hop-type Internet --address-prefix 65.52.193.203/32 + az network route-table route create -g $rg --route-table-name $rt -n 70.37.57.58 --next-hop-type Internet --address-prefix 70.37.57.58/32 + az network route-table route create -g $rg --route-table-name $rt -n 70.37.89.222 --next-hop-type Internet --address-prefix 70.37.89.222/32 + az network route-table route create -g $rg --route-table-name $rt -n 104.44.129.141 --next-hop-type Internet --address-prefix 104.44.129.141/32 + az network route-table route create -g $rg --route-table-name $rt -n 104.44.129.243 --next-hop-type Internet --address-prefix 104.44.129.243/32 + az network route-table route create -g $rg --route-table-name $rt -n 104.44.129.255 --next-hop-type Internet --address-prefix 104.44.129.255/32 + az network route-table route create -g $rg --route-table-name $rt -n 104.44.134.255 --next-hop-type Internet --address-prefix 104.44.134.255/32 + az network route-table route create -g $rg --route-table-name $rt -n 104.208.54.11 --next-hop-type Internet --address-prefix 104.208.54.11/32 + az network route-table route create -g $rg --route-table-name $rt -n 157.55.176.93 --next-hop-type Internet --address-prefix 157.55.176.93/32 + az network route-table route create -g $rg --route-table-name $rt -n 157.55.208.185 
--next-hop-type Internet --address-prefix 157.55.208.185/32 + az network route-table route create -g $rg --route-table-name $rt -n 191.236.154.88 --next-hop-type Internet --address-prefix 191.236.154.88/32 After your route table is created, you need to set it on your ASE subnet. diff --git a/articles/app-service/faq-availability-performance-application-issues.md b/articles/app-service/faq-availability-performance-application-issues.md index 923871bb15527..b5729ecd50d13 100644 --- a/articles/app-service/faq-availability-performance-application-issues.md +++ b/articles/app-service/faq-availability-performance-application-issues.md @@ -19,6 +19,10 @@ ms.author: genli ms.custom: seodec18 --- +> [!NOTE] +> Some of the below guidelines might only work on Windows or Linux App Services. For example, Linux App Services run in 64-bit mode by default. +> + # Application performance FAQs for Web Apps in Azure This article has answers to frequently asked questions (FAQs) about application performance issues for the [Web Apps feature of Azure App Service](https://azure.microsoft.com/services/app-service/web/). diff --git a/articles/app-service/index.yml b/articles/app-service/index.yml index 8a7fc6f25ef6e..c66edde909bd0 100644 --- a/articles/app-service/index.yml +++ b/articles/app-service/index.yml @@ -48,7 +48,7 @@ sections: - image: src: https://docs.microsoft.com/azure/app-service/media/index/logo_java.svg text: Java - href: https://docs.microsoft.com/azure/app-service/app-service-web-get-started-java + href: https://docs.microsoft.com/azure/app-service/containers/quickstart-java - image: src: https://docs.microsoft.com/azure/app-service/media/index/logo_python.svg text: Python (on Linux) diff --git a/articles/app-service/manage-backup.md b/articles/app-service/manage-backup.md index ad3a460f204ad..6dabe37f9d108 100644 --- a/articles/app-service/manage-backup.md +++ b/articles/app-service/manage-backup.md 
@@ -121,6 +121,9 @@ Sometimes you don't want to back up everything on your app. Here are a few examp Partial backups allow you choose exactly which files you want to back up. +> [!NOTE] +> Individual databases in the backup can be 4GB max but the total max size of the backup is 10GB + ### Exclude files from your backup Suppose you have an app that contains log files and static images that have been backup once and are not going to change. In such cases, you can exclude those folders and files from being stored in your future backups. To exclude files and folders from your backups, create a `_backup.filter` file in the `D:\home\site\wwwroot` folder of your app. Specify the list of files and folders you want to exclude in this file. diff --git a/articles/app-service/overview-security.md b/articles/app-service/overview-security.md index 4dd6a5fbbaa96..8541750ace860 100644 --- a/articles/app-service/overview-security.md +++ b/articles/app-service/overview-security.md 
@@ -54,7 +54,7 @@ App Service supports both FTP and FTPS for deploying your files. However, FTPS s By default, your App Service app accepts requests from all IP addresses from the internet, but you can limit that access to a small subset of IP addresses. App Service on Windows lets you define a list of IP addresses that are allowed to access your app. The allowed list can include individual IP addresses or a range of IP addresses defined by a subnet mask. For more information, see [Azure App Service Static IP Restrictions](app-service-ip-restrictions.md). -For App Service on Windows, you can also restrict IP addresses dynamically by configuring the _web.config_. For more information, see [Dynamic IP Security ](https://docs.microsoft.com/iis/configuration/system.webServer/security/dynamicIpSecurity/). +For App Service on Windows, you can also restrict IP addresses dynamically by configuring the _web.config_. For more information, see [Dynamic IP Security \](https://docs.microsoft.com/iis/configuration/system.webServer/security/dynamicIpSecurity/). ## Client authentication and authorization diff --git a/articles/app-service/scripts/powershell-scale-manual.md b/articles/app-service/scripts/powershell-scale-manual.md index 7cb19a5674084..805b3efe3865c 100644 --- a/articles/app-service/scripts/powershell-scale-manual.md +++ b/articles/app-service/scripts/powershell-scale-manual.md @@ -37,7 +37,7 @@ If needed, install the Azure PowerShell using the instruction found in the [Azur After the script sample has been run, the following command can be used to remove the resource group, web app, and all related resources. ```powershell -Remove-AzResourceGroup -Name myResourceGroup -Force +Remove-AzResourceGroup -Name $ResourceGroupName -Force ``` ## Script explanation diff --git a/articles/app-service/troubleshoot-domain-ssl-certificates.md b/articles/app-service/troubleshoot-domain-ssl-certificates.md index 0ff2b24e36b26..5f04cb5e0e7ee 100644 
--- a/articles/app-service/troubleshoot-domain-ssl-certificates.md +++ b/articles/app-service/troubleshoot-domain-ssl-certificates.md @@ -266,8 +266,8 @@ This problem occurs for one of the following reasons: |Record type|Host|Point to| |------|------|-----| |A|@|IP address for an app| - |TXT|@|.azurewebsites.net| - |CNAME|www|.azurewebsites.net| + |TXT|@|`.azurewebsites.net`| + |CNAME|www|`.azurewebsites.net`| ## FAQ diff --git a/articles/application-gateway/add-http-header-rewrite-rule-powershell.md b/articles/application-gateway/add-http-header-rewrite-rule-powershell.md index 8f272c1b92701..ba8b93ddb5fa5 100644 --- a/articles/application-gateway/add-http-header-rewrite-rule-powershell.md +++ b/articles/application-gateway/add-http-header-rewrite-rule-powershell.md 
@@ -1,34 +1,54 @@ --- -title: Rewrite HTTP headers in an existing Azure Application Gateway -description: This article provides information on how to rewrite HTTP headers in an existing Azure Application Gateway using Azure PowerShell +title: Rewrite HTTP headers in Azure Application Gateway +description: This article provides information on how to rewrite HTTP headers in Azure Application Gateway using Azure PowerShell services: application-gateway author: abshamsft ms.service: application-gateway ms.topic: article -ms.date: 12/20/2018 +ms.date: 04/12/2019 ms.author: absha --- -# Rewrite HTTP headers in an existing Application gateway +# Rewrite HTTP request and response headers with Azure Application Gateway - Azure PowerShell -You can use Azure PowerShell to -configure [rules to rewrite HTTP request and response headers](rewrite-http-headers.md) in an existing [autoscaling and zone-redundant application gateway SKU](https://docs.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) +This article shows you how to use Azure PowerShell to configure an [Application Gateway v2 SKU]() to rewrite the HTTP headers in the requests and responses. > [!IMPORTANT] > The autoscaling and zone-redundant application gateway SKU is currently in public preview. This preview is provided without a service level agreement and is not recommended for production workloads. Certain features may not be supported or may have constrained capabilities. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for details. 
-In this tutorial, you learn how to: - -> [!div class="checklist"] -> -> * Retrieve configuration of an existing application gateway -> * Specify your http header rewrite rule configuration -> * Update the application gateway with the above configuration for rewriting http headers - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. ## Prerequisites -This tutorial requires that you run Azure PowerShell locally. You must have Az module version 1.0.0 or later installed. Run `Import-Module Az` and then`Get-Module Az` to find the version. If you need to upgrade, see [Install Azure PowerShell module](https://docs.microsoft.com/powershell/azure/install-az-ps). After you verify the PowerShell version, run `Login-AzAccount` to create a connection with Azure. +- This tutorial requires that you run Azure PowerShell locally. You must have Az module version 1.0.0 or later installed. Run `Import-Module Az` and then`Get-Module Az` to find the version. If you need to upgrade, see [Install Azure PowerShell module](https://docs.microsoft.com/powershell/azure/install-az-ps). After you verify the PowerShell version, run `Login-AzAccount` to create a connection with Azure. +- You need to have an Application Gateway v2 SKU since the header rewrite capability is not supported for the v1 SKU. If you don't have the v2 SKU, create an [Application Gateway v2 SKU](https://docs.microsoft.com/azure/application-gateway/tutorial-autoscale-ps>) before you begin. + +## What is required to rewrite a header + +To configure HTTP header rewrite, you will need to: + +1. Create the new objects required to rewrite the http headers: + + - **RequestHeaderConfiguration**: this object is used to specify the request header fields that you intend to rewrite and the new value that the original headers need to be rewritten to. 
+ + - **ResponseHeaderConfiguration**: this object is used to specify the response header fields that you intend to rewrite and the new value that the original headers need to be rewritten to. + + - **ActionSet**: this object contains the configurations of the request and response headers specified above. + + - **Condition**: It is an optional configuration. if a rewrite condition is added, it will evaluate the content of the HTTP(S) requests and responses. The decision to execute the rewrite action associated with the rewrite condition will be based whether the HTTP(S) request or response matched with the rewrite condition. + + If more than one conditions are associated with an action, then the action will be executed only when all the conditions are met, i.e., a logical AND operation will be performed. + + - **RewriteRule**: contains multiple rewrite action - rewrite condition combinations. + + - **RuleSequence**: This is an optional configuration. It helps determine the order in which the different rewrite rules get executed. This is helpful when there are multiple rewrite rules in a rewrite set. The rewrite rule with lesser rule sequence value gets executed first. If you provide the same rule sequence to two rewrite rules then the order of execution will be non-deterministic. + + If you don't specify the RuleSequence explicitly, a default value of 100 will be set. + + - **RewriteRuleSet**: this object contains multiple rewrite rules which will be associated to a request routing rule. + +2. You will be required to attach the rewriteRuleSet with a routing rule. This is because the rewrite configuration is attached to the source listener via the routing rule. When using a basic routing rule, the header rewrite configuration is associated with a source listener and is a global header rewrite. When a path-based routing rule is used, the header rewrite configuration is defined on the URL path map. So, it only applies to the specific path area of a site. 
+ +You can create multiple http header rewrite sets and each rewrite set can be applied to multiple listeners. However, you can apply only one rewrite set to a specific listener. ## Sign in to Azure 
@@ -39,20 +59,14 @@ Select-AzSubscription -Subscription "" ## **Specify your http header rewrite rule configuration** -Configure the new objects required to rewrite the http headers: - -- **RequestHeaderConfiguration**: this object is used to specify the request header fields that you intend to rewrite and the new value that the original headers need to be rewritten to. -- **ResponseHeaderConfiguration**: this object is used to specify the response header fields that you intend to rewrite and the new value that the original headers need to be rewritten to. -- **ActionSet**: this object contains the configurations of the request and response headers specified above. -- **RewriteRule**: this object contains all the *actionSets* specified above. -- **RewriteRuleSet**- this object contains all the *rewriteRules* and will need to be attached to a request routing rule - basic or path-based. +In this example, we will modify the redirection URL by rewriting the location header in the http response whenever the location header contains a reference to "azurewebsites.net". To do this, we will add a condition to evaluate whether the location header in the response contains azurewebsites.net by using the pattern `(https?):\/\/.*azurewebsites\.net(.*)$`. We will use `{http_resp_Location_1}://contoso.com{http_resp_Location_2}` as the header value. This will replace *azurewebsites.net* with *contoso.com* in the location header. 
```azurepowershell -$requestHeaderConfiguration = New-AzApplicationGatewayRewriteRuleHeaderConfiguration -HeaderName "X-isThroughProxy" -HeaderValue "True" -$responseHeaderConfiguration = New-AzApplicationGatewayRewriteRuleHeaderConfiguration -HeaderName "Strict-Transport-Security" -HeaderValue "max-age=31536000" +$responseHeaderConfiguration = New-AzApplicationGatewayRewriteRuleHeaderConfiguration -HeaderName "Location" -HeaderValue "{http_resp_Location_1}://contoso.com{http_resp_Location_2}" $actionSet = New-AzApplicationGatewayRewriteRuleActionSet -RequestHeaderConfiguration $requestHeaderConfiguration -ResponseHeaderConfiguration $responseHeaderConfiguration -$rewriteRule = New-AzApplicationGatewayRewriteRule -Name rewriteRule1 -ActionSet $actionSet -$rewriteRuleSet = New-AzApplicationGatewayRewriteRuleSet -Name rewriteRuleSet1 -RewriteRule $rewriteRule +$condition = New-AzApplicationGatewayRewriteRuleCondition -Variable "http_resp_Location" -Pattern "(https?):\/\/.*azurewebsites\.net(.*)$" -IgnoreCase +$rewriteRule = New-AzApplicationGatewayRewriteRule -Name LocationHeader -ActionSet $actionSet +$rewriteRuleSet = New-AzApplicationGatewayRewriteRuleSet -Name LocationHeaderRewrite -RewriteRule $rewriteRule ``` ## Retrieve configuration of your existing application gateway 
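Review bot: The unchanged `$actionSet` line still passes `-RequestHeaderConfiguration $requestHeaderConfiguration`, but this hunk deletes the line that defined that variable, so the sample now hands an unset (`$null`) value to the cmdlet. The new `$condition` is also created but never attached, so the rule as written is not gated on the `azurewebsites.net` pattern, and the `{http_resp_Location_1}` / `{http_resp_Location_2}` captures in the header value presumably have nothing to resolve against. I would change the two lines to `$actionSet = New-AzApplicationGatewayRewriteRuleActionSet -ResponseHeaderConfiguration $responseHeaderConfiguration` and `$rewriteRule = New-AzApplicationGatewayRewriteRule -Name LocationHeader -ActionSet $actionSet -Condition $condition`. Readers copy this block verbatim to control where redirects point, so it should run and apply the condition exactly as the paragraph above it describes.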
@@ -64,13 +78,13 @@ $appgw = Get-AzApplicationGateway -Name "AutoscalingAppGw" -ResourceGroupName "< ## Retrieve configuration of your existing request routing rule ```azurepowershell -$reqRoutingRule = Get-AzApplicationGatewayRequestRoutingRule -Name Rule1 -ApplicationGateway $appgw +$reqRoutingRule = Get-AzApplicationGatewayRequestRoutingRule -Name rule1 -ApplicationGateway $appgw ``` ## Update the application gateway with the configuration for rewriting http headers ```azurepowershell -Add-AzApplicationGatewayRewriteRuleSet -ApplicationGateway $appgw -Name rewriteRuleSet1 -RewriteRule $rewriteRuleSet.RewriteRules +Add-AzApplicationGatewayRewriteRuleSet -ApplicationGateway $appgw -Name LocationHeaderRewrite -RewriteRule $rewriteRuleSet.RewriteRules Set-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $appgw -Name rule1 -RuleType $reqRoutingRule.RuleType -BackendHttpSettingsId $reqRoutingRule.BackendHttpSettings.Id -HttpListenerId $reqRoutingRule.HttpListener.Id -BackendAddressPoolId $reqRoutingRule.BackendAddressPool.Id -RewriteRuleSetId $rewriteRuleSet.Id Set-AzApplicationGateway -ApplicationGateway $appgw ``` @@ -79,7 +93,7 @@ Set-AzApplicationGateway -ApplicationGateway $appgw ```azurepowershell $appgw = Get-AzApplicationGateway -Name "AutoscalingAppGw" -ResourceGroupName "" -Remove-AzApplicationGatewayRewriteRuleSet -Name "rewriteRuleSet1" -ApplicationGateway $appgw +Remove-AzApplicationGatewayRewriteRuleSet -Name "LocationHeaderRewrite" -ApplicationGateway $appgw $requestroutingrule= Get-AzApplicationGatewayRequestRoutingRule -Name "rule1" -ApplicationGateway $appgw $requestroutingrule.RewriteRuleSet= $null set-AzApplicationGateway -ApplicationGateway $appgw 
@@ -87,5 +101,4 @@ set-AzApplicationGateway -ApplicationGateway $appgw ## Next steps -> [!div class="nextstepaction"] -> [Create an application gateway with URL path-based routing rules](./tutorial-url-route-powershell.md) +To learn more about the configuration required to accomplish some of the common use cases, see [common header rewrite scenarios](https://docs.microsoft.com/azure/application-gateway/rewrite-http-headers). \ No newline at end of file diff --git a/articles/application-gateway/application-gateway-autoscaling-zone-redundant.md b/articles/application-gateway/application-gateway-autoscaling-zone-redundant.md index 636346b8dbb2a..82245c2116ba4 100644 --- a/articles/application-gateway/application-gateway-autoscaling-zone-redundant.md +++ b/articles/application-gateway/application-gateway-autoscaling-zone-redundant.md @@ -25,6 +25,9 @@ Application Gateway and Web Application Firewall (WAF) are now available in Publ ![](./media/application-gateway-autoscaling-zone-redundant/application-gateway-autoscaling-zone-redundant.png) +> [!NOTE] +> The autoscaling and zone-redundant application gateway SKU now supports [default health probe](https://docs.microsoft.com/azure/application-gateway/application-gateway-probe-overview#default-health-probe) to automatically monitor the health of all resources in its back-end pool and highlight those backend members that are considered unhealthy. The default health probe wil be automatically configured for all those backends for which you haven't set up any custom probe configuration. To learn more, see [health probes in application gateway](https://docs.microsoft.com/azure/application-gateway/application-gateway-probe-overview). + ## Feature comparison between v1 SKU and v2 SKU The following table compares the features available with each SKU. 
diff --git a/articles/application-gateway/application-gateway-create-url-route-cli.md b/articles/application-gateway/application-gateway-create-url-route-cli.md index 1afddf8c6d245..d2a95a5e81540 100644 --- a/articles/application-gateway/application-gateway-create-url-route-cli.md +++ b/articles/application-gateway/application-gateway-create-url-route-cli.md @@ -228,11 +228,11 @@ az network public-ip show \ ![Test base URL in application gateway](./media/application-gateway-create-url-route-cli/application-gateway-nginx.png) -Change the URL to http://:8080/video/test.html to the end of the base URL and you should see something like the following example: +Change the URL to `http://:8080/video/test.html` to the end of the base URL and you should see something like the following example: ![Test images URL in application gateway](./media/application-gateway-create-url-route-cli/application-gateway-nginx-images.png) -Change the URL to http://:8080/video/test.html and you should see something like the following example. +Change the URL to `http://:8080/video/test.html` and you should see something like the following example. ![Test video URL in application gateway](./media/application-gateway-create-url-route-cli/application-gateway-nginx-video.png) diff --git a/articles/application-gateway/application-gateway-crs-rulegroups-rules.md b/articles/application-gateway/application-gateway-crs-rulegroups-rules.md index 5a87aa8d6d0a9..5ca5fda5f52ff 100644 --- a/articles/application-gateway/application-gateway-crs-rulegroups-rules.md +++ b/articles/application-gateway/application-gateway-crs-rulegroups-rules.md 
@@ -1,28 +1,22 @@ --- title: Azure Application Gateway web application firewall CRS rule groups and rules description: This page provides information on web application firewall CRS rule groups and rules. -documentationcenter: na services: application-gateway author: vhorne - ms.service: application-gateway -ms.devlang: na -ms.topic: article -ms.tgt_pltfrm: na -ms.custom: -ms.workload: infrastructure-services -ms.date: 4/16/2018 +ms.date: 4/11/2019 ms.author: victorh - --- -# List of web application firewall CRS rule groups and rules offered +# Web application firewall CRS rule groups and rules -Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 2.2.9 or 3.0. These rules can be disabled on a rule by rule basis. This article contains the current rules and rulesets offered. +Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.0 or 2.2.9. These rules can be disabled on a rule by rule basis. This article contains the current rules and rulesets offered. -The following tables are the Rule groups and rules that are available when using Application Gateway with web application firewall. Each table represents the rules found in a rule group for a specific CRS version. +The following rule groups and rules are available when using Application Gateway with web application firewall. -## OWASP_3.0 +# [OWASP 3.0](#tab/owasp3) + +## Rule sets ###

General

@@ -34,44 +28,26 @@ The following tables are the Rule groups and rules that are available when using |RuleId|Description| |---|---| -|911011|Rule 911011| -|911012|Rule 911012| |911100|Method is not allowed by policy| -|911013|Rule 911013| -|911014|Rule 911014| -|911015|Rule 911015| -|911016|Rule 911016| -|911017|Rule 911017| -|911018|Rule 911018| ###

REQUEST-913-SCANNER-DETECTION

|RuleId|Description| |---|---| -|913011|Rule 913011| -|913012|Rule 913012| |913100|Found User-Agent associated with security scanner| |913110|Found request header associated with security scanner| |913120|Found request filename/argument associated with security scanner| -|913013|Rule 913013| -|913014|Rule 913014| |913101|Found User-Agent associated with scripting/generic HTTP client| |913102|Found User-Agent associated with web crawler/bot| -|913015|Rule 913015| -|913016|Rule 913016| -|913017|Rule 913017| -|913018|Rule 913018| ###

REQUEST-920-PROTOCOL-ENFORCEMENT

|RuleId|Description| |---|---| -|920011|Rule 920011| -|920012|Rule 920012| |920100|Invalid HTTP Request Line| |920130|Failed to parse request body.| -|920140|Multipart request body failed strict validation = PE %@{REQBODY_PROCESSOR_ERROR} BQ %@{MULTIPART_BOUNDARY_QUOTED} BW %@{MULTIPART_BOUNDARY_WHITESPACE} DB %@{MULTIPART_DATA_BEFORE} DA %@{MULTIPART_DATA_AFTER} HF %@{MULTIPART_HEADER_FOLDING} LF %@{MULTIPART_LF_LINE} SM %@{MULTIPART_SEMICOLON_MISSING} IQ %@{MULTIPART_INVALID_QUOTING} IH %@{MULTIPART_INVALID_HEADER_FOLDING} FLE %@{MULTIPART_FILE_LIMIT_EXCEEDED}| +|920140|Multipart request body failed strict validation| |920160|Content-Length HTTP header is not numeric.| |920170|GET or HEAD Request with Body Content.| |920180|POST request missing Content-Length Header.| @@ -99,30 +75,22 @@ The following tables are the Rule groups and rules that are available when using |920430|HTTP protocol version is not allowed by policy| |920440|URL file extension is restricted by policy| |920450|HTTP header is restricted by policy (%@{MATCHED_VAR})| -|920013|Rule 920013| -|920014|Rule 920014| |920200|Range = Too many fields (6 or more)| |920201|Range = Too many fields for pdf request (35 or more)| |920230|Multiple URL Encoding Detected| |920300|Request Missing an Accept Header| |920271|Invalid character in request (non printable characters)| |920320|Missing User Agent Header| -|920015|Rule 920015| -|920016|Rule 920016| |920272|Invalid character in request (outside of printable chars below ascii 127)| -|920017|Rule 920017| -|920018|Rule 920018| |920202|Range = Too many fields for pdf request (6 or more)| |920273|Invalid character in request (outside of very strict set)| |920274|Invalid character in request headers (outside of very strict set)| -|920460|Rule 920460| +|920460|Abnormal escape characters| ###

REQUEST-921-PROTOCOL-ATTACK

|RuleId|Description| |---|---| -|921011|Rule 921011| -|921012|Rule 921012| |921100|HTTP Request Smuggling Attack.| |921110|HTTP Request Smuggling Attack| |921120|HTTP Response Splitting Attack| @@ -130,75 +98,43 @@ The following tables are the Rule groups and rules that are available when using |921140|HTTP Header Injection Attack via headers| |921150|HTTP Header Injection Attack via payload (CR/LF detected)| |921160|HTTP Header Injection Attack via payload (CR/LF and header-name detected)| -|921013|Rule 921013| -|921014|Rule 921014| |921151|HTTP Header Injection Attack via payload (CR/LF detected)| -|921015|Rule 921015| -|921016|Rule 921016| -|921170|Rule 921170| +|921170|HTTP Parameter Pollution| |921180|HTTP Parameter Pollution (%@{TX.1})| -|921017|Rule 921017| -|921018|Rule 921018| ###

REQUEST-930-APPLICATION-ATTACK-LFI

|RuleId|Description| |---|---| -|930011|Rule 930011| -|930012|Rule 930012| |930100|Path Traversal Attack (/../)| |930110|Path Traversal Attack (/../)| |930120|OS File Access Attempt| |930130|Restricted File Access Attempt| -|930013|Rule 930013| -|930014|Rule 930014| -|930015|Rule 930015| -|930016|Rule 930016| -|930017|Rule 930017| -|930018|Rule 930018| ###

REQUEST-931-APPLICATION-ATTACK-RFI

|RuleId|Description| |---|---| -|931011|Rule 931011| -|931012|Rule 931012| |931100|Possible Remote File Inclusion (RFI) Attack = URL Parameter using IP Address| |931110|Possible Remote File Inclusion (RFI) Attack = Common RFI Vulnerable Parameter Name used w/URL Payload| |931120|Possible Remote File Inclusion (RFI) Attack = URL Payload Used w/Trailing Question Mark Character (?)| -|931013|Rule 931013| -|931014|Rule 931014| |931130|Possible Remote File Inclusion (RFI) Attack = Off-Domain Reference/Link| -|931015|Rule 931015| -|931016|Rule 931016| -|931017|Rule 931017| -|931018|Rule 931018| ###

REQUEST-932-APPLICATION-ATTACK-RCE

|RuleId|Description| |---|---| -|932011|Rule 932011| -|932012|Rule 932012| |932120|Remote Command Execution = Windows PowerShell Command Found| |932130|Remote Command Execution = Unix Shell Expression Found| |932140|Remote Command Execution = Windows FOR/IF Command Found| |932160|Remote Command Execution = Unix Shell Code Found| |932170|Remote Command Execution = Shellshock (CVE-2014-6271)| |932171|Remote Command Execution = Shellshock (CVE-2014-6271)| -|932013|Rule 932013| -|932014|Rule 932014| -|932015|Rule 932015| -|932016|Rule 932016| -|932017|Rule 932017| -|932018|Rule 932018| ###

REQUEST-933-APPLICATION-ATTACK-PHP

|RuleId|Description| |---|---| -|933011|Rule 933011| -|933012|Rule 933012| |933100|PHP Injection Attack = Opening/Closing Tag Found| |933110|PHP Injection Attack = PHP Script File Upload Found| |933120|PHP Injection Attack = Configuration Directive Found| @@ -206,58 +142,42 @@ The following tables are the Rule groups and rules that are available when using |933150|PHP Injection Attack = High-Risk PHP Function Name Found| |933160|PHP Injection Attack = High-Risk PHP Function Call Found| |933180|PHP Injection Attack = Variable Function Call Found| -|933013|Rule 933013| -|933014|Rule 933014| |933151|PHP Injection Attack = Medium-Risk PHP Function Name Found| -|933015|Rule 933015| -|933016|Rule 933016| |933131|PHP Injection Attack = Variables Found| |933161|PHP Injection Attack = Low-Value PHP Function Call Found| |933111|PHP Injection Attack = PHP Script File Upload Found| -|933017|Rule 933017| -|933018|Rule 933018| ###

REQUEST-941-APPLICATION-ATTACK-XSS

|RuleId|Description| |---|---| -|941011|Rule 941011| -|941012|Rule 941012| |941100|XSS Attack Detected via libinjection| |941110|XSS Filter - Category 1 = Script Tag Vector| |941130|XSS Filter - Category 3 = Attribute Vector| |941140|XSS Filter - Category 4 = Javascript URI Vector| |941150|XSS Filter - Category 5 = Disallowed HTML Attributes| |941180|Node-Validator Blacklist Keywords| -|941190|IE XSS Filters - Attack Detected.| -|941200|IE XSS Filters - Attack Detected.| -|941210|IE XSS Filters - Attack Detected.| -|941220|IE XSS Filters - Attack Detected.| -|941230|IE XSS Filters - Attack Detected.| -|941240|IE XSS Filters - Attack Detected.| -|941260|IE XSS Filters - Attack Detected.| -|941270|IE XSS Filters - Attack Detected.| -|941280|IE XSS Filters - Attack Detected.| -|941290|IE XSS Filters - Attack Detected.| -|941300|IE XSS Filters - Attack Detected.| +|941190|XSS using style sheets| +|941200|XSS using VML frames| +|941210|XSS using obfuscated Javascript| +|941220|XSS using obfuscated VB Script| +|941230|XSS using 'embed' tag| +|941240|XSS using 'import' or 'implementation' attribute| +|941260|XSS using 'meta' tag| +|941270|XSS using 'link' href| +|941280|XSS using 'base' tag| +|941290|XSS using 'applet' tag| +|941300|XSS using 'object' tag| |941310|US-ASCII Malformed Encoding XSS Filter - Attack Detected.| |941330|IE XSS Filters - Attack Detected.| |941340|IE XSS Filters - Attack Detected.| |941350|UTF-7 Encoding IE XSS - Attack Detected.| -|941013|Rule 941013| -|941014|Rule 941014| |941320|Possible XSS Attack Detected - HTML Tag Handler| -|941015|Rule 941015| -|941016|Rule 941016| -|941017|Rule 941017| -|941018|Rule 941018| ###

REQUEST-942-APPLICATION-ATTACK-SQLI

|RuleId|Description| |---|---| -|942011|Rule 942011| -|942012|Rule 942012| |942100|SQL Injection Attack Detected via libinjection| |942110|SQL Injection Attack: Common Injection Testing Detected| |942130|SQL Injection Attack: SQL Tautology Detected.| @@ -277,37 +197,25 @@ The following tables are the Rule groups and rules that are available when using |942350|Detects MySQL UDF injection and other data/structure manipulation attempts| |942360|Detects concatenated basic SQL injection and SQLLFI attempts| |942370|Detects classic SQL injection probings 2/2| -|942013|Rule 942013| -|942014|Rule 942014| |942150|SQL Injection Attack| |942410|SQL Injection Attack| |942430|Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)| |942440|SQL Comment Sequence Detected.| |942450|SQL Hex Encoding Identified| -|942015|Rule 942015| -|942016|Rule 942016| |942251|Detects HAVING injections| |942460|Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters| -|942017|Rule 942017| -|942018|Rule 942018| ###

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION

|RuleId|Description| |---|---| -|943011|Rule 943011| -|943012|Rule 943012| |943100|Possible Session Fixation Attack = Setting Cookie Values in HTML| |943110|Possible Session Fixation Attack = SessionID Parameter Name with Off-Domain Referrer| |943120|Possible Session Fixation Attack = SessionID Parameter Name with No Referrer| -|943013|Rule 943013| -|943014|Rule 943014| -|943015|Rule 943015| -|943016|Rule 943016| -|943017|Rule 943017| -|943018|Rule 943018| -## OWASP_2.2.9 +# [OWASP 2.2.9](#tab/owasp2) + +## Rule sets ### crs_20_protocol_violations @@ -316,7 +224,7 @@ The following tables are the Rule groups and rules that are available when using |960911|Invalid HTTP Request Line| |981227|Apache Error = Invalid URI in Request.| |960912|Failed to parse request body.| -|960914|Multipart request body failed strict validation = PE %@{REQBODY_PROCESSOR_ERROR} BQ %@{MULTIPART_BOUNDARY_QUOTED} BW %@{MULTIPART_BOUNDARY_WHITESPACE} DB %@{MULTIPART_DATA_BEFORE} DA %@{MULTIPART_DATA_AFTER} HF %@{MULTIPART_HEADER_FOLDING} LF %@{MULTIPART_LF_LINE} SM %@{MULTIPART_SEMICOLON_MISSING} IQ %@{MULTIPART_INVALID_QUOTING} IH %@{MULTIPART_INVALID_HEADER_FOLDING} FLE %@{MULTIPART_FILE_LIMIT_EXCEEDED}| +|960914|Multipart request body failed strict validation| |960915|Multipart parser detected a possible unmatched boundary.| |960016|Content-Length HTTP header is not numeric.| |960011|GET or HEAD Request with Body Content.| @@ -563,8 +471,8 @@ The following tables are the Rule groups and rules that are available when using |950921|Backdoor access| |950922|Backdoor access| -## Next steps +--- -Learn how to disable WAF rules by visiting: [Customize WAF rules](application-gateway-customize-waf-rules-portal.md) +## Next steps -[1]: ./media/application-gateway-integration-security-center/figure1.png +Learn how to disable WAF rules: [Customize WAF rules](application-gateway-customize-waf-rules-portal.md) \ No newline at end of file 
diff --git a/articles/application-gateway/application-gateway-end-to-end-ssl-powershell.md b/articles/application-gateway/application-gateway-end-to-end-ssl-powershell.md index 340ff7b8fd16f..a4b6bd3ee0d6d 100644 --- a/articles/application-gateway/application-gateway-end-to-end-ssl-powershell.md +++ b/articles/application-gateway/application-gateway-end-to-end-ssl-powershell.md @@ -5,7 +5,7 @@ services: application-gateway author: vhorne ms.service: application-gateway ms.topic: article -ms.date: 1/10/2019 +ms.date: 4/8/2019 ms.author: victorh --- @@ -47,21 +47,18 @@ The configuration process is described in the following sections. This section walks you through creating a resource group that contains the application gateway. - 1. Sign in to your Azure account. ```powershell Connect-AzAccount ``` - 2. Select the subscription to use for this scenario. ```powershell Select-Azsubscription -SubscriptionName "" ``` - 3. Create a resource group. (Skip this step if you're using an existing resource group.) ```powershell @@ -72,7 +69,6 @@ This section walks you through creating a resource group that contains the appli The following example creates a virtual network and two subnets. One subnet is used to hold the application gateway. The other subnet is used for the back ends that host the web application. - 1. Assign an address range for the subnet to be used for the application gateway. ```powershell @@ -81,8 +77,7 @@ The following example creates a virtual network and two subnets. One subnet is u > [!NOTE] > Subnets configured for an application gateway should be properly sized. An application gateway can be configured for up to 10 instances. Each instance takes one IP address from the subnet. Too small of a subnet can adversely affect scaling out an application gateway. - > - > + > 2. Assign an address range to be used for the back-end address pool. 
@@ -125,7 +120,6 @@ All configuration items are set before creating the application gateway. The fol $gipconfig = New-AzApplicationGatewayIPConfiguration -Name 'gwconfig' -Subnet $gwSubnet ``` - 2. Create a front-end IP configuration. This setting maps a private or public IP address to the front end of the application gateway. The following step associates the public IP address in the preceding step with the front-end IP configuration. ```powershell @@ -141,7 +135,6 @@ All configuration items are set before creating the application gateway. The fol > [!NOTE] > A fully qualified domain name (FQDN) is also a valid value to use in place of an IP address for the back-end servers. You enable it by using the **-BackendFqdns** switch. - 4. Configure the front-end IP port for the public IP endpoint. This port is the port that end users connect to. ```powershell @@ -172,7 +165,7 @@ All configuration items are set before creating the application gateway. The fol > If you are using host headers and Server Name Indication (SNI) on the back end, the retrieved public key might not be the intended site to which traffic flows. If you're in doubt, visit https://127.0.0.1/ on the back-end servers to confirm which certificate is used for the *default* SSL binding. Use the public key from that request in this section. If you are using host-headers and SNI on HTTPS bindings and you do not receive a response and certificate from a manual browser request to https://127.0.0.1/ on the back-end servers, you must set up a default SSL binding on the them. If you do not do so, probes fail and the back end is not whitelisted. ```powershell - $authcert = New-AzApplicationGatewayAuthenticationCertificate -Name 'whitelistcert1' -CertificateFile C:\users\gwallace\Desktop\cert.cer + $authcert = New-AzApplicationGatewayAuthenticationCertificate -Name 'whitelistcert1' -CertificateFile C:\cert.cer ``` > [!NOTE] 
@@ -222,7 +215,7 @@ All configuration items are set before creating the application gateway. The fol The following example sets the minimum protocol version to **TLSv1_2** and enables **TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256**, **TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384**, and **TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256** only. ```powershell - $SSLPolicy = New-AzApplicationGatewaySSLPolicy -MinProtocolVersion TLSv1_2 -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256" + $SSLPolicy = New-AzApplicationGatewaySSLPolicy -MinProtocolVersion TLSv1_2 -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256" -PolicyType Custom ``` ## Create the application gateway diff --git a/articles/application-gateway/application-gateway-waf-configuration.md b/articles/application-gateway/application-gateway-waf-configuration.md index aa3c19e49ef20..b0336bf5c7e29 100644 --- a/articles/application-gateway/application-gateway-waf-configuration.md +++ b/articles/application-gateway/application-gateway-waf-configuration.md @@ -49,6 +49,7 @@ The following are the supported match criteria operators: - **Starts with**: This operator matches all fields that start with the specified selector value. - **Ends with**: This operator matches all request fields that end with the specified selector value. - **Contains**: This operator matches all request fields that contain the specified selector value. +- **Equals any**: This operator matches all request fields. * will be the selector value. In all cases matching is case insensitive and regular expression aren't allowed as selectors. 
diff --git a/articles/application-gateway/media/rewrite-http-headers-portal/action.png b/articles/application-gateway/media/rewrite-http-headers-portal/action.png
new file mode 100644
index 0000000000000..caea73a21e876
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers-portal/action.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers-portal/add-condition.png b/articles/application-gateway/media/rewrite-http-headers-portal/add-condition.png
new file mode 100644
index 0000000000000..4c348e8126d13
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers-portal/add-condition.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers-portal/add-rewrite-rule.png b/articles/application-gateway/media/rewrite-http-headers-portal/add-rewrite-rule.png
new file mode 100644
index 0000000000000..c78806674f0b7
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers-portal/add-rewrite-rule.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers-portal/add-rewrite-set.png b/articles/application-gateway/media/rewrite-http-headers-portal/add-rewrite-set.png
new file mode 100644
index 0000000000000..d9d5eefdbbeb6
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers-portal/add-rewrite-set.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers-portal/condition.png b/articles/application-gateway/media/rewrite-http-headers-portal/condition.png
new file mode 100644
index 0000000000000..0f805075266f7
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers-portal/condition.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers-portal/create.png b/articles/application-gateway/media/rewrite-http-headers-portal/create.png
new file mode 100644
index 0000000000000..aa5037e1fcbde
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers-portal/create.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers-portal/name-and-association.png b/articles/application-gateway/media/rewrite-http-headers-portal/name-and-association.png
new file mode 100644
index 0000000000000..12927c5a12a59
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers-portal/name-and-association.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers-portal/rewrite-set-list.png b/articles/application-gateway/media/rewrite-http-headers-portal/rewrite-set-list.png
new file mode 100644
index 0000000000000..7b82a0cd77777
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers-portal/rewrite-set-list.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers-portal/rule-name.png b/articles/application-gateway/media/rewrite-http-headers-portal/rule-name.png
new file mode 100644
index 0000000000000..caa09d240ddb4
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers-portal/rule-name.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers/app-service-redirection.png b/articles/application-gateway/media/rewrite-http-headers/app-service-redirection.png
new file mode 100644
index 0000000000000..d01bd8706fed9
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers/app-service-redirection.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers/remove-port.png b/articles/application-gateway/media/rewrite-http-headers/remove-port.png
new file mode 100644
index 0000000000000..8d2214ca6e6ad
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers/remove-port.png differ
diff --git a/articles/application-gateway/media/rewrite-http-headers/security-header.png b/articles/application-gateway/media/rewrite-http-headers/security-header.png
new file mode 100644
index 0000000000000..e3f18ba106da5
Binary files /dev/null and b/articles/application-gateway/media/rewrite-http-headers/security-header.png differ
diff --git a/articles/application-gateway/overview.md b/articles/application-gateway/overview.md
index 23a51e4e36742..f8daa61b8921b 100644
--- a/articles/application-gateway/overview.md
+++ b/articles/application-gateway/overview.md
@@ -117,9 +117,12 @@ For more information, see [WebSocket support](https://docs.microsoft.com/azure/a ## Rewrite HTTP headers (public preview) -HTTP headers allow the client and the server to pass additional information with the request or the response. Rewriting these HTTP headers helps you accomplish several important scenarios such as adding Security-related header fields like HSTS/ X-XSS-Protection or removing response header fields which may reveal sensitive information like backend server name. +HTTP headers allow the client and server to pass additional information with the request or the response. Rewriting these HTTP headers helps you accomplish several important scenarios, such as: +- Adding security-related header fields like HSTS/ X-XSS-Protection. +- Removing response header fields that can reveal sensitive information. +- Stripping port information from X-Forwarded-For headers. -Application Gateway now supports the ability to rewrite headers of the incoming HTTP requests as well as the outgoing HTTP responses. You will be able to add, remove or update HTTP request and response headers while the request/response packets move between the client and backend pools. You can rewrite both standard (defined in [RFC 2616](https://www.ietf.org/rfc/rfc2616.txt)) as well as non-standard header fields. +Application Gateway supports the capability to add, remove, or update HTTP request and response headers, while the request and response packets move between the client and back-end pools. It also provides you with the capability to add conditions to ensure the specified headers are rewritten only when certain conditions are met. For more information about this public preview feature, see [Rewrite HTTP headers](rewrite-http-headers.md). diff --git a/articles/application-gateway/quick-create-cli.md b/articles/application-gateway/quick-create-cli.md index 9d421d1aa1555..819d85e572be3 100644 --- a/articles/application-gateway/quick-create-cli.md 
+++ b/articles/application-gateway/quick-create-cli.md @@ -12,7 +12,7 @@ ms.custom: mvc --- # Quickstart: Direct web traffic with Azure Application Gateway - Azure CLI -This quickstart shows you how to use the Azure portal to create an application gateway. After creating the application gateway, you test it to make sure it's working correctly. With Azure Application Gateway, you direct your application web traffic to specific resources by assigning listeners to ports, creating rules, and adding resources to a backend pool. For the sake of simplicity, this article uses a simple setup with a public front-end IP, a basic listener to host a single site on this application gateway, two virtual machines used for the backend pool, and a basic request routing rule. +This quickstart shows you how to use Azure CLI to create an application gateway. After creating the application gateway, you test it to make sure it's working correctly. With Azure Application Gateway, you direct your application web traffic to specific resources by assigning listeners to ports, creating rules, and adding resources to a backend pool. For the sake of simplicity, this article uses a simple setup with a public front-end IP, a basic listener to host a single site on this application gateway, two virtual machines used for the backend pool, and a basic request routing rule. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. @@ -20,7 +20,7 @@ If you don't have an Azure subscription, create a [free account](https://azure.m ## Prerequisites -### Azure PowerShell module +### Azure CLI If you choose to install and use the CLI locally, run Azure CLI version 2.0.4 or later. To find the version, run **az --version**. For information about installing or upgrading, see [Install Azure CLI]( /cli/azure/install-azure-cli). 
diff --git a/articles/application-gateway/quick-create-powershell.md b/articles/application-gateway/quick-create-powershell.md index 266dcfea7a0c2..9fa0c3f565337 100644 --- a/articles/application-gateway/quick-create-powershell.md +++ b/articles/application-gateway/quick-create-powershell.md @@ -12,7 +12,7 @@ ms.custom: mvc # Quickstart: Direct web traffic with Azure Application Gateway - Azure PowerShell -This quickstart shows you how to use the Azure portal to quickly create an application gateway. After creating the application gateway, you then test it to make sure it's working correctly. With Azure Application Gateway, you direct your application web traffic to specific resources by assigning listeners to ports, creating rules, and adding resources to a backend pool. For the sake of simplicity, this article uses a simple setup with a public front-end IP, a basic listener to host a single site on this application gateway, two virtual machines used for the backend pool, and a basic request routing rule. +This quickstart shows you how to use Azure PowerShell to quickly create an application gateway. After creating the application gateway, you then test it to make sure it's working correctly. With Azure Application Gateway, you direct your application web traffic to specific resources by assigning listeners to ports, creating rules, and adding resources to a backend pool. For the sake of simplicity, this article uses a simple setup with a public front-end IP, a basic listener to host a single site on this application gateway, two virtual machines used for the backend pool, and a basic request routing rule. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. diff --git a/articles/application-gateway/rewrite-http-headers-portal.md b/articles/application-gateway/rewrite-http-headers-portal.md new file mode 100644 index 0000000000000..04a714e4420ce --- /dev/null 
+++ b/articles/application-gateway/rewrite-http-headers-portal.md 
@@ -0,0 +1,126 @@
+---
+title: Rewrite HTTP request and response headers with Azure Application Gateway - Azure portal | Microsoft Docs
+description: Learn how to use the Azure portal to configure an Azure Application Gateway to rewrite the HTTP headers in the requests and responses passing through the gateway
+services: application-gateway
+author: abshamsft
+ms.service: application-gateway
+ms.topic: article
+ms.date: 04/10/2019
+ms.author: absha
+ms.custom: mvc
+---
+# Rewrite HTTP request and response headers with Azure Application Gateway - Azure portal
+
+This article shows you how to use the Azure portal to configure an [Application Gateway v2 SKU]() to rewrite the HTTP headers in the requests and responses.
+
+> [!IMPORTANT]
+> The autoscaling and zone-redundant application gateway SKU is currently in public preview. This preview is provided without a service level agreement and is not recommended for production workloads. Certain features may not be supported or may have constrained capabilities. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for details.
+
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+## Before you begin
+
+You need to have an Application Gateway v2 SKU since the header rewrite capability is not supported for the v1 SKU. If you don't have the v2 SKU, create an [Application Gateway v2 SKU](https://docs.microsoft.com/azure/application-gateway/tutorial-autoscale-ps>) before you begin.
+
+## What is required to rewrite a header
+
+To configure HTTP header rewrite, you will need to:
+
+1. Create the new objects required to rewrite the http headers:
+
+ - **Rewrite Action**: used to specify the request and request header fields that you intend to rewrite and the new value that the original headers need to be rewritten to. 
You can choose to associate one ore more rewrite condition with a rewrite action.
+
+ - **Rewrite Condition**: It is an optional configuration. if a rewrite condition is added, it will evaluate the content of the HTTP(S) requests and responses. The decision to execute the rewrite action associated with the rewrite condition will be based whether the HTTP(S) request or response matched with the rewrite condition.
+
+ If more than one conditions are associated with an action, then the action will be executed only when all the conditions are met, i.e., a logical AND operation will be performed.
+
+ - **Rewrite Rule**: rewrite rule contains multiple rewrite action - rewrite condition combinations.
+
+ - **Rule Sequence**: helps determine the order in which the different rewrite rules get executed. This is helpful when there are multiple rewrite rules in a rewrite set. The rewrite rule with lesser rule sequence value gets executed first. If you provide the same rule sequence to two rewrite rules then the order of execution will be non-deterministic.
+
+ - **Rewrite Set**: contains multiple rewrite rules which will be associated to a request routing rule.
+
+2. You will be required to attach the rewrite set with a routing rule. This is because the rewrite configuration is attached to the source listener via the routing rule. When using a basic routing rule, the header rewrite configuration is associated with a source listener and is a global header rewrite. When a path-based routing rule is used, the header rewrite configuration is defined on the URL path map. So, it only applies to the specific path area of a site.
+
+You can create multiple http header rewrite sets and each rewrite set can be applied to multiple listeners. However, you can apply only one rewrite set to a specific listener.
+
+## Sign in to Azure
+
+Sign in to the [Azure portal](https://portal.azure.com/) with your Azure account. 
+
+## Configure header rewrite
+
+In this example, we will modify the redirection URL by rewriting the location header in the http response sent by the backend application.
+
+1. Select **All resources**, and then select your application gateway.
+
+2. Select **Rewrites** from the left menu.
+
+3. Click on **+Rewrite set**.
+
+ ![Add rewrite set](media/rewrite-http-headers-portal/add-rewrite-set.png)
+
+4. Provide name to the rewrite set and associate it with a routing rule:
+
+ - Enter the name of the rewrite set in the **Name** textbox.
+ - Select one or more rules listed in the **Associated routing rules** list. You can only select those rules which have not been associated with other rewrite sets. The rules which have already been associated with other rewrite sets will be grayed out.
+ - Click next.
+
+ ![Add name and association](media/rewrite-http-headers-portal/name-and-association.png)
+
+5. Create a rewrite rule:
+
+ - Click on **+Add rewrite rule**.![Add rewrite rule](media/rewrite-http-headers-portal/add-rewrite-rule.png)
+ - Provide a name to the rewrite rule in the Rewrite rule name textbox and Provide a rule sequence.![Add rule name](media/rewrite-http-headers-portal/rule-name.png)
+
+6. In this example, we will rewrite the location header only when it contains a reference to "azurewebsites.net". To do this, add a condition to evaluate whether the location header in the response contains azurewebsites.net:
+
+ - Click on **+ Add condition** and then click on the section with the **If** instructions to expand it.![Add rule name](media/rewrite-http-headers-portal/add-condition.png)
+
+ - Select **HTTP header** from the **Type of variable to check** dropdown.
+
+ - Select **Header type** as **Response**.
+
+ - Since in this example, we are evaluating the location header which happens to be a common header, select **Common header** radio button as the **Header name**.
+
+ - Select **Location** from the **Common header** dropdown. 
+ + - Select **No** as the **Case-sensitive** setting. + + - Select **equal (=)** from the **Operator** dropdown. + + - Enter the regular expression pattern. In this example, we will use the pattern `(https?):\/\/.*azurewebsites\.net(.*)$` . + + - Click **OK**. + + ![Modify location header](media/rewrite-http-headers-portal/condition.png) + +7. Add an action to rewrite the location header: + + - Select **Set** as the **Action type**. + + - Select **Response** as the **Header type**. + + - Select **Common header** as the **Header name**. + + - Select **Location** from the **Common header** dropdown. + + - Enter the header value. In this example, we will use `{http_resp_Location_1}://contoso.com{http_resp_Location_2}` as the header value. This will replace *azurewebsites.net* with *contoso.com* in the location header. + + - Click **OK**. + + ![Modify location header](media/rewrite-http-headers-portal/action.png) + +8. Click on **Create** to create the rewrite set. + + ![Modify location header](media/rewrite-http-headers-portal/create.png) + +9. You will be navigated to the Rewrite set view. Verify that the rewrite set you created above is present in the list of rewrite sets. + + ![Modify location header](media/rewrite-http-headers-portal/rewrite-set-list.png) + +## Next steps + +To learn more about the configuration required to accomplish some of the common use cases, see [common header rewrite scenarios](https://docs.microsoft.com/azure/application-gateway/rewrite-http-headers). + + diff --git a/articles/application-gateway/rewrite-http-headers.md b/articles/application-gateway/rewrite-http-headers.md index b9132f2e13884..d729264128935 100644 --- a/articles/application-gateway/rewrite-http-headers.md +++ b/articles/application-gateway/rewrite-http-headers.md @@ -5,7 +5,7 @@ services: application-gateway author: abshamsft ms.service: application-gateway ms.topic: article -ms.date: 12/20/2018 +ms.date: 04/11/2019 ms.author: absha --- 
@@ -13,90 +13,52 @@ ms.author: absha [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] -HTTP headers allow the client and the server to pass additional information with the request or the response. Rewriting these HTTP headers helps you accomplish several important scenarios such as adding Security-related header fields like HSTS/ X-XSS-Protection or removing response header fields, which may reveal sensitive information like backend server name. - -Application Gateway now supports the ability to rewrite headers of the incoming HTTP requests as well as the outgoing HTTP responses. You will be able to add, remove, or update HTTP request and response headers while the request/response packets move between the client and backend pools. You can rewrite both standard as well as non-standard header fields. - +HTTP headers allow the client and the server to pass additional information with the request or the response. Rewriting these HTTP headers helps you accomplish several important scenarios such as adding security-related header fields like HSTS/ X-XSS-Protection, removing response header fields which may reveal sensitive information, stripping port information from X-Forwarded-For headers, etc. Application gateway supports the capability to add, remove, or update HTTP request and response headers while the request and response packets move between the client and backend pools. It also provides you the capability to add conditions to ensure that the specified headers are rewritten only when certain conditions are met. > [!NOTE] -> +> > The HTTP header rewrite support is only available for the [new SKU [Standard_V2\]](https://docs.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) -Application Gateway header rewrite support offers: - -- **Global header rewrite**: You can rewrite specific headers for all the requests and responses pertaining to the site. 
-- **Path-based header rewrite**:This type of rewrite enables header rewrite for only those requests and responses that pertain to only on a specific site area, for example a shopping cart area denoted by /cart/\*. - -With this change, you need to: - -1. Create the new objects required to rewrite the http headers: - - **RequestHeaderConfiguration**: this object is used to specify the request header fields that you intend to rewrite and the new value that the original headers need to be rewritten to. - - **ResponseHeaderConfiguration**: this object is used to specify the response header fields that you intend to rewrite and the new value that the original headers need to be rewritten to. - - **ActionSet**: this object contains the configurations of the request and response headers specified above. - - **RewriteRule**: this object contains all the *actionSets* specified above. - - **RewriteRuleSet**- this object contains all the *rewriteRules* and will need to be attached to a request routing rule - basic or path-based. -2. You will then be required to attach the rewrite rule set with a routing rule. Once created, this rewrite configuration is attached to the source listener via the routing rule. When using a basic routing rule, the header rewrite configuration is associated with a source listener and is a global header rewrite. When a path-based routing rule is used, the header rewrite configuration is defined on the URL path map. So, it only applies to the specific path area of a site. - -You can create multiple http header rewrite rule sets and each rewrite rule set can be applied to multiple listeners. However, you can apply only one http rewrite rule set to a specific listener. - -You can rewrite the value in the headers to: - -- Text value. 
- - *Example:* - - ```azurepowershell-interactive - $responseHeaderConfiguration = New-AzApplicationGatewayRewriteRuleHeaderConfiguration -HeaderName "Strict-Transport-Security" - HeaderValue "max-age=31536000") - ``` +## Headers supported for rewrite -- Value from another header. +The capability allows you to rewrite all headers in the request and response barring the Host, Connection and Upgrade headers. You can also use the application gateway to create custom headers and add them to the request and responses being routed through it. - *Example 1:* +## Rewrite conditions - ```azurepowershell-interactive - $requestHeaderConfiguration= New-AzApplicationGatewayRewriteRuleHeaderConfiguration -HeaderName "X-New-RequestHeader" -HeaderValue {http_req_oldHeader} - ``` +Using the rewrite conditions you can evaluate the content of the HTTP(S) requests and responses, and perform a header rewrite only when one or more conditions are met. The following 3 types of variables are used by the application gateway to evaluate the content of the HTTP(S) requests and responses: - > [!Note] - > In order to specify a request header, you need to use the syntax: {http_req_headerName} +- HTTP headers in the request +- HTTP headers in the response +- Application gateway server variables - *Example 2*: +A condition can be used to evaluate whether the specified variable is present, whether the specified variable exactly matches a specific value, or whether the specified variable exactly matches a specific pattern. [Perl Compatible Regular Expressions (PCRE) library](https://www.pcre.org/) is used to implement regular expression pattern matching in the conditions. To learn about the regular expression syntax, see the [Perl regular expressions man page](http://perldoc.perl.org/perlre.html). 
- ```azurepowershell-interactive - $responseHeaderConfiguration= New-AzApplicationGatewayRewriteRuleHeaderConfiguration -HeaderName "X-New-ResponseHeader" -HeaderValue {http_resp_oldHeader} - ``` +## Rewrite actions - > [!Note] - > In order to specify a response header, you need to use the syntax: {http_resp_headerName} +Rewrite actions are used to specify the request and response headers that you intend to rewrite and the new value that the original headers need to be rewritten to. You can either create a new header, modify the value of an existing header or delete an existing header. The value of a new header or an existing header can be set to the following types of values: -- Value from supported server variables. - - *Example:* - - ```azurepowershell-interactive - $requestHeaderConfiguration = New-AzApplicationGatewayRewriteRuleHeaderConfiguration -HeaderName "Ciphers-Used" -HeaderValue "{var_ciphers_used}" - ``` - - > [!Note] - > In order to specify a server variable, you need to use the syntax: {var_serverVariable} - -- A combination of the above. +- Text +- Request header: In order to specify a request header, you need to use the syntax {http_req_*headerName*} +- Response header: In order to specify a response header, you need to use the syntax {http_resp_*headerName*} +- Server variable: In order to specify a server variable, you need to use the syntax {var_*serverVariable*} +- Combination of text, request header, response header and a server variable. ## Server variables -Server variables store useful information on a web server. These variables provide information about the server, the connection with the client, and the current request on the connection, such as the client’s IP address or web browser type. They change dynamically, such as when a new page is loaded or a form is posted. Using these variables users can set request headers as well as response headers. 
+Application gateway uses server variables to store useful information about the server, the connection with the client, and the current request on the connection, such as the client’s IP address or web browser type. These variables change dynamically, such as when a new page is loaded or a form is posted. You can use these server variables to evaluate rewrite conditions and rewrite headers. -This capability supports rewriting headers to the following server variables: +Application gateway supports the following server variables: | Supported server variables | Description | | -------------------------- | :----------------------------------------------------------- | +| add_x_forwarded_for_proxy | Contains the “X-Forwarded-For” client request header field with the `client_ip` (explained in this table below) variable appended to it in the format (IP1, IP2, IP3,...). If the “X-Forwarded-For” field is not present in the client request header, the `add_x_forwarded_for_proxy` variable is equal to the `$client_ip` variable. This variable is particularly useful in scenarios where customers intend to rewrite the X-Forwarded-For header set by Application Gateway, such that the header contains only the IP address without the port information. | | ciphers_supported | returns the list of ciphers supported by the client | | ciphers_used | returns the string of ciphers used for an established SSL connection | -| client_ip | IP address of the client from which the application gateway received the request. If there is a reverse proxy before the application gateway and the originating client, then *client_ip* will return the IP adress of the reverse proxy. This variable is particularly useful in scenarios where customers intend to rewrite the X-Forwarded-For header set by Application Gateway, so that the header contains only the IP address without the port information. | +| client_ip | IP address of the client from which the application gateway received the request. 
If there is a reverse proxy before the application gateway and the originating client, then *client_ip* will return the IP address of the reverse proxy. | | client_port | client port | | client_tcp_rtt | information about the client TCP connection; available on systems that support the TCP_INFO socket option | | client_user | when using HTTP authentication, the username supplied for authentication | | host | in this order of precedence: host name from the request line, or host name from the “Host” request header field, or the server name matching a request | -| cookie_*name* | the *name* cookie | +| cookie_*name* | the *name* cookie | | http_method | the method used to make the URL request. For example GET, POST etc. | | http_status | session status, eg: 200, 400, 403 etc. | | http_version | request protocol, usually “HTTP/1.0”, “HTTP/1.1”, or “HTTP/2.0” | 
@@ -110,15 +72,57 @@ This capability supports rewriting headers to the following server variables: | ssl_connection_protocol | returns the protocol of an established SSL connection | | ssl_enabled | “on” if connection operates in SSL mode, or an empty string otherwise | -## Limitations +## Rewrite configuration -- This capability to rewrite HTTP headers is currently only available through Azure PowerShell, Azure API and Azure SDK. Support through portal and Azure CLI will be available soon. +To configure HTTP header rewrite, you will need to: -- The HTTP header rewrite support is only supported on the new SKU [Standard_V2](https://docs.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant). The capability will not be supported on the old SKU. +1. Create the new objects required to rewrite the http headers: -- Rewriting the Connection, Upgrade and Host headers is not supported yet. + - **Rewrite Action**: used to specify the request and request header fields that you intend to rewrite and the new value that the original headers need to be rewritten to. You can choose to associate one ore more rewrite condition with a rewrite action. + + - **Rewrite Condition**: It is an optional configuration. if a rewrite condition is added, it will evaluate the content of the HTTP(S) requests and responses. The decision to execute the rewrite action associated with the rewrite condition will be based whether the HTTP(S) request or response matched with the rewrite condition. + + If more than one conditions are associated with an action, then the action will be executed only when all the conditions are met, i.e., a logical AND operation will be performed. + + - **Rewrite Rule**: rewrite rule contains multiple rewrite action - rewrite condition combinations. + + - **Rule Sequence**: helps determine the order in which the different rewrite rules get executed. This is helpful when there are multiple rewrite rules in a rewrite set. 
The rewrite rule with lesser rule sequence value gets executed first. If you provide the same rule sequence to two rewrite rules then the order of execution will be non-deterministic. -- The capability to conditionally rewrite the http headers will be available soon. + - **Rewrite Set**: contains multiple rewrite rules which will be associated to a request routing rule. + +2. You will be required to attach the rewrite set (*rewriteRuleSet*) with a routing rule. This is because the rewrite configuration is attached to the source listener via the routing rule. When using a basic routing rule, the header rewrite configuration is associated with a source listener and is a global header rewrite. When a path-based routing rule is used, the header rewrite configuration is defined on the URL path map. So, it only applies to the specific path area of a site. + +You can create multiple http header rewrite sets and each rewrite set can be applied to multiple listeners. However, you can apply only one rewrite set to a specific listener. + +## Common scenarios + +Some of the common scenarios which require header rewrite are mentioned below. + +### Remove port information from the X-Forwarded-For header + +Application gateway inserts X-Forwarded-For header to all requests before it forwards the requests to the backend. The format for this header is a comma-separated list of IP:port. However, there may be scenarios where the backend servers require the header to only contain IP addresses. For accomplishing such scenarios, header rewrite can be used to remove the port information from the X-Forwarded-For header. One way to do this is to set the header to add_x_forwarded_for_proxy server variable. + +![Remove port](media/rewrite-http-headers/remove-port.png) + +### Modify the redirection URL + +When a backend application sends a redirection response, you may want to redirect the client to a different URL than the one specified by the backend application. 
One such scenario is when an app service is hosted behind an application gateway and requires the client to do a redirection to its relative path (redirect from contoso.azurewebsites.net/path1 to contoso.azurewebsites.net/path2). + +Since app service is a multi-tenant service, it uses the host header in the request to route to the correct endpoint. App services have a default domain name of *.azurewebsites.net (say contoso.azurewebsites.net) which is different from the application gateway's domain name (say contoso.com). Since the original request from the client has application gateway's domain name contoso.com as the host name, the application gateway changes the hostname to contoso.azurewebsites.net, so that the app-service can route it to the correct endpoint. When the app service sends a redirection response, it uses the same hostname in the location header of its response as the one in the request it receives from the application gateway. Therefore, the client will make the request directly to contoso.azurewebsites.net/path2, instead of going through the application gateway (contoso.com/path2). Bypassing the application gateway is not desirable. + +This issue can be resolved by setting the hostname in the location header to the application gateway's domain name. To do this, you can create a rewrite rule with a condition that evaluates if the location header in the response contains azurewebsites.net by entering `(https?):\/\/.*azurewebsites\.net(.*)$` as the pattern and performs an action to rewrite the location header to have application gateway's hostname by entering `{http_resp_Location_1}://contoso.com{http_resp_Location_2}` as the header value. + +![Modify location header](media/rewrite-http-headers/app-service-redirection.png) + +### Implement security HTTP headers to prevent vulnerabilities + +Several security vulnerabilities can be fixed by implementing necessary headers in the application response. 
Some of these security headers are X-XSS-Protection, Strict-Transport-Security, Content-Security-Policy, etc. You can use application gateway to set these headers for all responses. + +![Security header](media/rewrite-http-headers/security-header.png) + +## Limitations + +- Rewriting the Connection, Upgrade and Host headers is not supported yet. - Header names can contain any alphanumeric character and specific symbols as defined in [RFC 7230](https://tools.ietf.org/html/rfc7230#page-27). However, we currently don't support the "underscore"(\_) special character in the Header name. @@ -128,4 +132,7 @@ Contact us at [AGHeaderRewriteHelp@microsoft.com](mailto:AGHeaderRewriteHelp@mic ## Next steps -After learning about the capability to rewrite HTTP headers, go to [Create an autoscaling and zone-redundant application gateway that rewrites HTTP headers](tutorial-http-header-rewrite-powershell.md) or [Rewrite HTTP headers in existing autoscaling and zone-redundant application gateway](add-http-header-rewrite-rule-powershell.md) +To learn how to rewrite HTTP headers, see: + +- [Rewrite HTTP headers using Azure portal](https://docs.microsoft.com/azure/application-gateway/rewrite-http-headers-portal) +- [Rewrite HTTP headers using Azure PowerShell](add-http-header-rewrite-rule-powershell.md) \ No newline at end of file diff --git a/articles/application-gateway/toc.yml b/articles/application-gateway/toc.yml index b42a6cf10fd25..541d6249ee34a 100644 --- a/articles/application-gateway/toc.yml +++ b/articles/application-gateway/toc.yml @@ -17,8 +17,6 @@ href: quick-create-cli.md - name: Tutorials items: - - name: Host single site - href: quick-create-portal.md - name: Enable web application firewall href: application-gateway-web-application-firewall-portal.md - name: Secure with SSL 
@@ -31,8 +29,6 @@ href: tutorial-url-redirect-cli.md - name: Autoscaling and zone redundant href: tutorial-autoscale-ps.md - - name: Rewrite HTTP headers - href: tutorial-http-header-rewrite-powershell.md - name: Samples items: - name: Azure PowerShell @@ -177,8 +173,10 @@ href: redirect-internal-site-cli.md - name: Redirect web traffic using Azure PowerShell href: tutorial-url-redirect-powershell.md - - name: Rewrite HTTP headers in existing gateway + - name: Rewrite HTTP headers items: + - name: Azure portal + href: rewrite-http-headers-portal.md - name: Azure PowerShell href: add-http-header-rewrite-rule-powershell.md - name: Configure App service webapp and multi-tenant service diff --git a/articles/application-gateway/troubleshoot-app-service-redirection-app-service-url.md b/articles/application-gateway/troubleshoot-app-service-redirection-app-service-url.md index 8b82d07094084..8c869be3fd0ce 100644 --- a/articles/application-gateway/troubleshoot-app-service-redirection-app-service-url.md +++ b/articles/application-gateway/troubleshoot-app-service-redirection-app-service-url.md 
@@ -9,12 +9,18 @@ ms.date: 02/22/2019 ms.author: absha --- -# Troubleshoot Application Gateway with App Service – Redirection to App Service’s URL +# Troubleshoot Application Gateway with App Service - Learn how to diagnose and resolve redirection issues with Application Gateway where the App Service’s URL is getting exposed. +Learn how to diagnose and resolve issues encountered with Application Gateway and App Service as the backend server. ## Overview +In this article, you will learn how to troubleshoot the following issues: + +> [!div class="checklist"] +> * App Service's URL getting exposed in the browser when there is a redirection +> * App Service's ARRAffinity Cookie domain set to App Service hostname (example.azurewebsites.net) instead of original host + When you configure a public facing App Service in the backend pool of Application Gateway and if you have a redirection configured in your Application code, you might see that when you access Application Gateway, you will be redirected by the browser directly to the App Service URL. This issue may happen due to the following main reasons: @@ -24,6 +30,8 @@ This issue may happen due to the following main reasons: - You have enabled “Pick Host Name from Backend Address” switch in the HTTP settings of Application Gateway. - You don’t have your custom domain registered with your App Service. +Also, when you are using App Services behind Application Gateway and you are using a custom domain to access Application Gateway, you may see the domain value for the ARRAffinity cookie set by the App Service will carry the "example.azurewebsites.net" domain name. If you want your original hostname to be the cookie domain as well, follow the solution in this article. + ## Sample configuration - HTTP Listener: Basic or Multi-site 
@@ -89,6 +97,16 @@ To achieve this, you must own a custom domain and follow the process mentioned b - Associate the custom probe back to the backend HTTP settings and verify the backend health if it is healthy. - Once this is done, Application Gateway should now forward the same hostname “www.contoso.com” to the App Service and the redirection will happen on the same hostname. You can check the example request and response headers below. + +To implement the steps mentioned above using PowerShell for an existing setup, follow the sample PowerShell script below. Note how we have not used the -PickHostname switches in the Probe and HTTP Settings configuration. + +```azurepowershell-interactive +$gw=Get-AzApplicationGateway -Name AppGw1 -ResourceGroupName AppGwRG +Set-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name AppServiceProbe -Protocol Http -HostName "example.azurewebsites.net" -Path "/" -Interval 30 -Timeout 30 -UnhealthyThreshold 3 +$probe=Get-AzApplicationGatewayProbeConfig -Name AppServiceProbe -ApplicationGateway $gw +Set-AzApplicationGatewayBackendHttpSettings -Name appgwhttpsettings -ApplicationGateway $gw -Port 80 -Protocol Http -CookieBasedAffinity Disabled -Probe $probe -RequestTimeout 30 +Set-AzApplicationGateway -ApplicationGateway $gw +``` ``` ## Request headers to Application Gateway: diff --git a/articles/asc-for-iot/how-to-deploy-edge.md b/articles/asc-for-iot/how-to-deploy-edge.md index 3f7d7f7ffab33..6617e2679f6f4 100644 --- a/articles/asc-for-iot/how-to-deploy-edge.md +++ b/articles/asc-for-iot/how-to-deploy-edge.md 
@@ -74,8 +74,25 @@ There are three steps to create an IoT Edge deployment for Azure Security Center 1. From the **Add Modules** tab, **Deployment Modules** area, click **AzureSecurityCenterforIoT**. 1. Change the **name** to **azureiotsecurity**. -1. Change the name of **Image URI** to **mcr.microsoft.com/ascforiot/azureiotsecurity:0.0.1** - +1. Change the **Image URI** to **mcr.microsoft.com/ascforiot/azureiotsecurity:0.0.3**. +1. Verify the **Container Create Options** value is set to: + ``` json + { + "NetworkingConfig": { + "EndpointsConfig": { + "host": {} + } + }, + "HostConfig": { + "Privileged": true, + "NetworkMode": "host", + "PidMode": "host", + "Binds": [ + "/:/host" + ] + } + } + ``` 1. Verify that **Set module twin's desired properties** is selected, and change the configuration object to: ``` json @@ -88,12 +105,16 @@ There are three steps to create an IoT Edge deployment for Azure Security Center 1. Click **Save**. 1. Scroll to the bottom of the tab and select **Configure advanced Edge Runtime settings**. - >[!Note] - > Do **not** disable AMQP communication for the IoT Edge Hub. - > Azure Security Center for IoT module requires AMQP communication with the IoT Edge Hub. + >[!Note] + > Do **not** disable AMQP communication for the IoT Edge Hub. + > Azure Security Center for IoT module requires AMQP communication with the IoT Edge Hub. -1. Change the **Image** under **Edge Hub** to **mcr.microsoft.com/ascforiot/edgehub:1.05-preview**. - +1. Change the **Image** under **Edge Hub** to **mcr.microsoft.com/ascforiot/edgehub:1.0.9-preview**. + + >[!Note] + > Azure Security Center for IoT module requires a forked version of IoT Edge Hub, based on SDK version 1.20. + > By changing IoT Edge Hub image, you are instructing your IoT Edge device to replace the latest stable release with the forked version of IoT Edge Hub, which is not officially supported by the IoT Edge service. + 1. Verify **Create Options** is set to: ``` json 
@@ -136,8 +157,8 @@ If you encounter an issue, container logs are the best way to learn about the st | Name | IMAGE | | --- | --- | - | azureIoTSecurity | mcr.microsoft.com/ascforiot/azureiotsecurity:0.0.1 | - | edgeHub | asotcontainerregistry.azurecr.io/edgehub:1.04-preview | + | azureIoTSecurity | mcr.microsoft.com/ascforiot/azureiotsecurity:0.0.3 | + | edgeHub | mcr.microsoft.com/ascforiot/edgehub:1.0.9-preview | | edgeAgent | mcr.microsoft.com/azureiotedge-agent:1.0 | If the minimum required containers are not present, check if your IoT Edge deployment manifest is aligned with the recommended settings. For more information, see [Deploy IoT Edge module](#deployment-using-azure-portal). diff --git a/articles/asc-for-iot/how-to-deploy-windows-cs.md b/articles/asc-for-iot/how-to-deploy-windows-cs.md index 3c7bce0764ca7..55ddbba98e10d 100644 --- a/articles/asc-for-iot/how-to-deploy-windows-cs.md +++ b/articles/asc-for-iot/how-to-deploy-windows-cs.md @@ -86,7 +86,7 @@ For additional help, use the Get-Help command in PowerShell
Get-Help example ### Verify deployment status - Check the agent deployment status by running:
- ```sc.exe query "ASC IoT Agent" ``` + ```sc.exe query "ASC IoT Agent"``` ### Uninstall the agent diff --git a/articles/automation/TOC.yml b/articles/automation/TOC.yml index f3ab4f371613f..cdb9d40ecdf3a 100644 --- a/articles/automation/TOC.yml +++ b/articles/automation/TOC.yml @@ -181,7 +181,7 @@ - name: Manage Python 2 packages href: python-packages.md - name: Credentials - href: automation-credentials.md + href: shared-resources/credentials.md - name: Connections href: automation-connections.md - name: Certificates diff --git a/articles/automation/automation-config-aws-account.md b/articles/automation/automation-config-aws-account.md index a1959e2504d31..02a1eb3a42717 100644 --- a/articles/automation/automation-config-aws-account.md +++ b/articles/automation/automation-config-aws-account.md 
@@ -24,7 +24,7 @@ To authenticate with AWS, you must specify a set of AWS credentials to authentic For Azure Automation to communicate with AWS, you first need to retrieve your AWS credentials and store them as assets in Azure Automation. Perform the following steps documented in the AWS document [Managing Access Keys for your AWS Account](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) to create an Access Key and copy the **Access Key ID** and **Secret Access Key** (optionally download your key file to store it somewhere safe). -After you have created and copied your AWS security keys, you need to create a Credential asset with an Azure Automation account to securely store them and reference them with your runbooks. Follow the steps in the section: **To create a new credential** in the [Credential assets in Azure Automation](automation-credentials.md#to-create-a-new-credential-asset-with-the-azure-portal) article and enter the following information: +After you have created and copied your AWS security keys, you need to create a Credential asset with an Azure Automation account to securely store them and reference them with your runbooks. Follow the steps in the section: **To create a new credential** in the [Credential assets in Azure Automation](/shared-resources/credentials.md#to-create-a-new-credential-asset-with-the-azure-portal) article and enter the following information: 1. In the **Name** box, enter **AWScred** or an appropriate value following your naming standards. 2. In the **User name** box, type your **Access ID** and your **Secret Access Key** in the **Password** and **Confirm password** box. diff --git a/articles/automation/automation-credentials.md b/articles/automation/automation-credentials.md deleted file mode 100644 index 42aa37aaf933e..0000000000000 --- a/articles/automation/automation-credentials.md +++ /dev/null 
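Review bot: The rewritten link target `/shared-resources/credentials.md#to-create-a-new-credential-asset-with-the-azure-portal` starts with a slash, while the TOC entry changed in the same commit uses the relative `shared-resources/credentials.md`. A root-relative path will probably not resolve to `articles/automation/shared-resources/`, which would leave readers without the instructions for storing the AWS keys as a Credential asset. I would write the link as `(shared-resources/credentials.md#to-create-a-new-credential-asset-with-the-azure-portal)`. The new file is not visible here, so it is also worth confirming that it kept that heading anchor.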
@@ -1,150 +0,0 @@ ---- -title: Credential assets in Azure Automation -description: Credential assets in Azure Automation contain security credentials that can be used to authenticate to resources accessed by the runbook or DSC configuration. This article describes how to create credential assets and use them in a runbook or DSC configuration. -services: automation -ms.service: automation -ms.subservice: shared-capabilities -author: georgewallace -ms.author: gwallace -ms.date: 05/08/2018 -ms.topic: conceptual -manager: carmonm ---- -# Credential assets in Azure Automation - -An Automation credential asset holds an object, which contains security credentials such as a username and password. Runbooks and DSC configurations may use cmdlets that accept a PSCredential object for authentication, or they may extract the username and password of the PSCredential object to provide to some application or service requiring authentication. The properties for a credential are stored securely in Azure Automation and can be accessed in the runbook or DSC configuration with the [Get-AutomationPSCredential](#activities) activity. - -[!INCLUDE [gdpr-dsr-and-stp-note.md](../../includes/gdpr-dsr-and-stp-note.md)] - -> [!NOTE] -> Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Azure Automation using a unique key that is generated for each automation account. This key is stored in Key Vault. Before storing a secure asset, the key is loaded from Key Vault and then used to encrypt the asset. - -## Azure Classic PowerShell cmdlets - -The cmdlets in the following table are used to create and manage automation credential assets with Windows PowerShell. They ship as part of the [Azure PowerShell module](/powershell/azure/overview), which is available for use in Automation runbooks and DSC configurations. 
- -| Cmdlets | Description | -|:--- |:--- | -| [Get-AzureAutomationCredential](/powershell/module/servicemanagement/azure/get-azureautomationcredential) |Retrieves information about a credential asset. You can only retrieve the credential itself from **Get-AutomationPSCredential** activity. | -| [New-AzureAutomationCredential](/powershell/module/servicemanagement/azure/new-azureautomationcredential) |Creates a new Automation credential. | -| [Remove-AzureAutomationCredential](/powershell/module/servicemanagement/azure/new-azureautomationcredential) |Removes an Automation credential. | -| [Set-AzureAutomationCredential](/powershell/module/servicemanagement/azure/new-azureautomationcredential) |Sets the properties for an existing Automation credential. | - -## AzureRM PowerShell cmdlets - -For AzureRM, the cmdlets in the following table are used to create and manage automation credential assets with Windows PowerShell. They ship as part of the [AzureRM.Automation module](/powershell/azure/overview), which is available for use in Automation runbooks and DSC configurations. - -| Cmdlets | Description | -|:--- |:--- | -| [Get-AzureRmAutomationCredential](/powershell/module/azurerm.automation/get-azurermautomationcredential) |Retrieves information about a credential asset. | -| [New-AzureRmAutomationCredential](/powershell/module/azurerm.automation/new-azurermautomationcredential) |Creates a new Automation credential. | -| [Remove-AzureRmAutomationCredential](/powershell/module/azurerm.automation/remove-azurermautomationcredential) |Removes an Automation credential. | -| [Set-AzureRmAutomationCredential](/powershell/module/azurerm.automation/set-azurermautomationcredential) |Sets the properties for an existing Automation credential. | - -## Activities - -The activities in the following table are used to access credentials in a runbook and DSC configurations. 
- -| Activities | Description | -|:--- |:--- | -| Get-AutomationPSCredential |Gets a credential to use in a runbook or DSC configuration. Returns a [System.Management.Automation.PSCredential](/dotnet/api/system.management.automation.pscredential) object. | - -> [!NOTE] -> You should avoid using variables in the –Name parameter of Get-AutomationPSCredential since this can complicate discovering dependencies between runbooks or DSC configurations, and credential assets at design time. - -## Python2 functions - -The function in the following table is used to access credentials in a Python2 runbook. - -| Function | Description | -|:---|:---| -| automationassets.get_automation_credential | Retrieves information about a credential asset. | - -> [!NOTE] -> You must import the "automationassets" module at the top of your Python runbook in order to access the asset functions. - -## Creating a new credential asset - -### To create a new credential asset with the Azure portal - -1. From your automation account, select **Credentials** under **Shared Resources**. -1. Click **+ Add a credential**. -1. Complete the form and click **Create** to save the new credential. - -> [!NOTE] -> User accounts that use multi-factor authentication are not supported for use in Azure Automation. - -### To create a new credential asset with Windows PowerShell - -The following sample commands show how to create a new automation credential. A PSCredential object is first created with the name and password and then used to create the credential asset. Alternatively, you could use the **Get-Credential** cmdlet to be prompted to type in a name and password. - -```powershell -$user = "MyDomain\MyUser" -$pw = ConvertTo-SecureString "PassWord!" 
-AsPlainText -Force -$cred = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList $user, $pw -New-AzureAutomationCredential -AutomationAccountName "MyAutomationAccount" -Name "MyCredential" -Value $cred -``` - -## Using a PowerShell credential - -You retrieve a credential asset in a runbook or DSC configuration with the **Get-AutomationPSCredential** activity. This returns a [PSCredential object](/dotnet/api/system.management.automation.pscredential) that you can use with an activity or cmdlet that requires a PSCredential parameter. You can also retrieve the properties of the credential object to use individually. The object has a property for the username and the secure password, or you can use the **GetNetworkCredential** method to return a [NetworkCredential](/dotnet/api/system.net.networkcredential) object that will provide an unsecured version of the password. - -### Textual runbook sample - -The following sample commands show how to use a PowerShell credential in a runbook. In this example, the credential is retrieved and its username and password assigned to variables. - -```azurepowershell -$myCredential = Get-AutomationPSCredential -Name 'MyCredential' -$userName = $myCredential.UserName -$securePassword = $myCredential.Password -$password = $myCredential.GetNetworkCredential().Password -``` - -You can also use a credential to authenticate to Azure with [Connect-AzureRmAccount](/powershell/module/azurerm.profile/connect-azurermaccount). Under most circumstances, you should use a [Run As account](manage-runas-account.md) and retrieve it with [Get-AutomationConnection](automation-connections.md). 
- -```azurepowershell -$myCred = Get-AutomationPSCredential -Name 'MyCredential` -$userName = $myCred.UserName -$securePassword = $myCred.Password -$password = $myCred.GetNetworkCredential().Password - -$myPsCred = New-Object System.Management.Automation.PSCredential ($userName,$password) - -Connect-AzureRmAccount -Credential $myPsCred -``` - -### Graphical runbook sample - -You add a **Get-AutomationPSCredential** activity to a graphical runbook by right-clicking on the credential in the Library pane of the graphical editor and selecting **Add to canvas**. - -![Add credential to canvas](media/automation-credentials/credential-add-canvas.png) - -The following image shows an example of using a credential in a graphical runbook. In this case, it's being used to provide authentication for a runbook to Azure resources as described in [Authenticate Runbooks with Azure AD User account](automation-create-aduser-account.md). The first activity retrieves the credential that has access to the Azure subscription. The **Add-AzureAccount** activity then uses this credential to provide authentication for any activities that come after it. A [pipeline link](automation-graphical-authoring-intro.md#links-and-workflow) is here since **Get-AutomationPSCredential** is expecting a single object. - -![Add credential to canvas](media/automation-credentials/get-credential.png) - -## Using a PowerShell credential in DSC - -While DSC configurations in Azure Automation can reference credential assets using **Get-AutomationPSCredential**, credential assets can also be passed in via parameters, if wanted. For more information, see [Compiling configurations in Azure Automation DSC](automation-dsc-compile.md#credential-assets). - -## Using credentials in Python2 - -The following sample shows an example of accessing credentials in Python2 runbooks. 
- -```python -import automationassets -from automationassets import AutomationAssetNotFound - -# get a credential -cred = automationassets.get_automation_credential("credtest") -print cred["username"] -print cred["password"] -``` - -## Next steps - -* To learn more about links in graphical authoring, see [Links in graphical authoring](automation-graphical-authoring-intro.md#links-and-workflow) -* To understand the different authentication methods with Automation, see [Azure Automation Security](automation-security-overview.md) -* To get started with Graphical runbooks, see [My first graphical runbook](automation-first-runbook-graphical.md) -* To get started with PowerShell workflow runbooks, see [My first PowerShell workflow runbook](automation-first-runbook-textual.md) -* To get started with Python2 runbooks, see [My first Python2 runbook](automation-first-runbook-textual-python2.md) diff --git a/articles/automation/automation-dsc-getting-started.md b/articles/automation/automation-dsc-getting-started.md index 79c3993c4725c..a332137817a9c 100644 --- a/articles/automation/automation-dsc-getting-started.md +++ b/articles/automation/automation-dsc-getting-started.md @@ -6,7 +6,7 @@ ms.service: automation ms.subservice: dsc author: bobbytreed ms.author: robreed -ms.date: 08/08/2018 +ms.date: 04/15/2019 ms.topic: conceptual manager: carmonm --- 
@@ -25,7 +25,7 @@ Automation State Configuration. To complete the examples in this article, the following are required: - An Azure Automation account. For instructions on creating an Azure Automation Run As account, see [Azure Run As Account](automation-sec-configure-azure-runas-account.md). -- An Azure Resource Manager VM (not Classic) running Windows Server 2008 R2 or later. For instructions on creating a VM, see [Create your first Windows virtual machine in the Azure portal](../virtual-machines/virtual-machines-windows-hero-tutorial.md) +- An Azure Resource Manager VM (not Classic) running a [supported operating system](automation-dsc-overview.md#operating-system-requirements). For instructions on creating a VM, see [Create your first Windows virtual machine in the Azure portal](../virtual-machines/virtual-machines-windows-hero-tutorial.md) ## Creating a DSC configuration @@ -165,9 +165,9 @@ State Configuration](automation-dsc-onboarding.md). 1. On the **Virtual machine** detail page, click **+ Connect**. > [!IMPORTANT] - > This must be an Azure Resource Manager VM running Windows Server 2008 R2 or later. + > This must be an Azure Resource Manager VM running a [supported operating system](automation-dsc-overview.md#operating-system-requirements). -1. In the **Registration** page, select the name of the node configuration you want to apply to the VM in the **Node configuration name** box. Providing a name at this point is optional. You can change the assigned node configuration after onboarding the node. +2. In the **Registration** page, select the name of the node configuration you want to apply to the VM in the **Node configuration name** box. Providing a name at this point is optional. You can change the assigned node configuration after onboarding the node. Check **Reboot Node if Needed**, then click **OK**. ![Screenshot of the Registration blade](./media/automation-dsc-getting-started/RegisterVM.png) 
diff --git a/articles/automation/automation-dsc-overview.md b/articles/automation/automation-dsc-overview.md index 2c2f4e63d74df..66b1132aea5c9 100644 --- a/articles/automation/automation-dsc-overview.md +++ b/articles/automation/automation-dsc-overview.md @@ -134,7 +134,7 @@ State Configuration was first announced. > Configuration has progressed a lot since this video was recorded. It is now generally available, > has a much more extensive UI in the Azure portal, and supports many additional capabilities. - +> [!VIDEO https://channel9.msdn.com/Events/Ignite/2015/BRK3467/player] ## Next steps diff --git a/articles/automation/automation-first-runbook-textual.md b/articles/automation/automation-first-runbook-textual.md index ded21b424852e..ce3a93a92ee4f 100644 --- a/articles/automation/automation-first-runbook-textual.md +++ b/articles/automation/automation-first-runbook-textual.md @@ -132,7 +132,7 @@ You've tested and published your runbook, but so far it doesn't do anything usef Connect-AzureRmAccount -ServicePrincipal -Tenant $Conn.TenantID ` -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint - $AzureContext = Select-AzureRmSubscription -SubscriptionId $ServicePrincipalConnection.SubscriptionID + $AzureContext = Select-AzureRmSubscription -SubscriptionId $Conn.SubscriptionID ``` > [!IMPORTANT] @@ -161,7 +161,7 @@ Now that your runbook is authenticating to your Azure subscription, you can mana $Conn = Get-AutomationConnection -Name AzureRunAsConnection Connect-AzureRmAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint - $AzureContext = Select-AzureRmSubscription -SubscriptionId $ServicePrincipalConnection.SubscriptionID + $AzureContext = Select-AzureRmSubscription -SubscriptionId $Conn.SubscriptionID Start-AzureRmVM -Name 'VMName' -ResourceGroupName 'ResourceGroupName' -AzureRmContext $AzureContext } 
diff --git a/articles/automation/automation-hybrid-runbook-worker.md b/articles/automation/automation-hybrid-runbook-worker.md index c3b7b6ea84234..a69f213eb1048 100644 --- a/articles/automation/automation-hybrid-runbook-worker.md +++ b/articles/automation/automation-hybrid-runbook-worker.md @@ -6,7 +6,7 @@ ms.service: automation ms.subservice: process-automation author: georgewallace ms.author: gwallace -ms.date: 01/31/2019 +ms.date: 04/05/2019 ms.topic: conceptual manager: carmonm --- 
@@ -91,11 +91,11 @@ To remove a group, you first need to remove the Hybrid Runbook Worker from every ### Hybrid Worker role -For the Hybrid Runbook Worker to connect to and register with Azure Monitor logs, it must have access to the port number and the URLs that are described in this section. This access is on top to the [ports and URLs required for Microsoft Monitoring Agent](../azure-monitor/platform/agent-windows.md) to connect to Azure Monitor logs. +For the Hybrid Runbook Worker to connect to and register with Azure Automation, it must have access to the port number and the URLs that are described in this section. This access is on top to the [ports and URLs required for Microsoft Monitoring Agent](../azure-monitor/platform/agent-windows.md) to connect to Azure Monitor logs. [!INCLUDE [azure-monitor-log-analytics-rebrand](../../includes/azure-monitor-log-analytics-rebrand.md)] -If you use a proxy server for communication between the agent and the Azure Monitor service, ensure that the appropriate resources are accessible. If you use a firewall to restrict access to the internet, you must configure your firewall to permit access. If you use the Log Analytics gateway as a proxy, ensure it is configured for hybrid workers. For instructions on how to do this, see [Configure the Log Analytics gateway for Automation Hybrid Workers](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). +If you use a proxy server for communication between the agent and the Azure Automation service, ensure that the appropriate resources are accessible. The timeout for requests from the Hybrid Runbook Worker and the Automation services is 30 seconds. After 3 attempts the request will fail. If you use a firewall to restrict access to the internet, you must configure your firewall to permit access. If you use the Log Analytics gateway as a proxy, ensure it is configured for hybrid workers. 
For instructions on how to do this, see [Configure the Log Analytics gateway for Automation Hybrid Workers](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). The following port and URLs are required for the Hybrid Runbook Worker role to communicate with Automation: @@ -120,6 +120,7 @@ If you have an Automation account that's defined for a specific region, you can | South East Asia |sea-jobruntimedata-prod-su1.azure-automation.net
sea-agentservice-prod-1.azure-automation.net| | Central India |cid-jobruntimedata-prod-su1.azure-automation.net
cid-agentservice-prod-1.azure-automation.net | | Japan East |jpe-jobruntimedata-prod-su1.azure-automation.net
jpe-agentservice-prod-1.azure-automation.net | +| Australia East |ae-jobruntimedata-prod-su1.azure-automation.net
ae-agentservice-prod-1.azure-automation.net | | Australia South East |ase-jobruntimedata-prod-su1.azure-automation.net
ase-agentservice-prod-1.azure-automation.net | | UK South | uks-jobruntimedata-prod-su1.azure-automation.net
uks-agentservice-prod-1.azure-automation.net | | US Gov Virginia | usge-jobruntimedata-prod-su1.azure-automation.us
usge-agentservice-prod-1.azure-automation.us | diff --git a/articles/automation/automation-manage-send-joblogs-log-analytics.md b/articles/automation/automation-manage-send-joblogs-log-analytics.md index f7411623412ec..9ea9865f80df3 100644 --- a/articles/automation/automation-manage-send-joblogs-log-analytics.md +++ b/articles/automation/automation-manage-send-joblogs-log-analytics.md @@ -27,7 +27,7 @@ Automation can send runbook job status and job streams to your Log Analytics wor To start sending your Automation logs to Azure Monitor logs, you need: -* The November 2016 or later release of [Azure PowerShell](https://docs.microsoft.com/powershell/azureps-cmdlets-docs/) (v2.3.0). +* The latest release of [Azure PowerShell](https://docs.microsoft.com/powershell/azureps-cmdlets-docs/). * A Log Analytics workspace. For more information, see [Get started with Azure Monitor logs](../log-analytics/log-analytics-get-started.md). * The ResourceId for your Azure Automation account. @@ -35,14 +35,14 @@ To find the ResourceId for your Azure Automation account: ```powershell-interactive # Find the ResourceId for the Automation Account -Get-AzureRmResource -ResourceType "Microsoft.Automation/automationAccounts" +Get-AzResource -ResourceType "Microsoft.Automation/automationAccounts" ``` To find the ResourceId for your Log Analytics workspace, run the following PowerShell: ```powershell-interactive # Find the ResourceId for the Log Analytics workspace -Get-AzureRmResource -ResourceType "Microsoft.OperationalInsights/workspaces" +Get-AzResource -ResourceType "Microsoft.OperationalInsights/workspaces" ``` If you have more than one Automation accounts, or workspaces, in the output of the preceding commands, find the *Name* you need to configure and copy the value for *ResourceId*. 
@@ -58,7 +58,7 @@ If you need to find the *Name* of your Automation account, in the Azure portal s $workspaceId = "[resource id of the log analytics workspace]" $automationAccountId = "[resource id of your automation account]" - Set-AzureRmDiagnosticSetting -ResourceId $automationAccountId -WorkspaceId $workspaceId -Enabled 1 + Set-AzDiagnosticSetting -ResourceId $automationAccountId -WorkspaceId $workspaceId -Enabled 1 ``` After running this script, it may take an hour before you start to see records in Azure Monitor logs of new JobLogs or JobStreams being written. @@ -71,7 +71,7 @@ To see the logs, run the following query in log analytics log search: To confirm that your Automation account is sending logs to your Log Analytics workspace, check that diagnostics are correctly configured on the Automation account by using the following PowerShell: ```powershell-interactive -Get-AzureRmDiagnosticSetting -ResourceId $automationAccountId +Get-AzDiagnosticSetting -ResourceId $automationAccountId ``` In the output ensure that: @@ -170,7 +170,7 @@ To remove the diagnostic setting from the Automation Account, run the following ```powershell-interactive $automationAccountId = "[resource id of your automation account]" -Remove-AzureRmDiagnosticSetting -ResourceId $automationAccountId +Remove-AzDiagnosticSetting -ResourceId $automationAccountId ``` ## Summary diff --git a/articles/automation/automation-onboard-solutions-from-automation-account.md b/articles/automation/automation-onboard-solutions-from-automation-account.md index 092bd1cc240a2..ba70b214695c8 100644 --- a/articles/automation/automation-onboard-solutions-from-automation-account.md +++ b/articles/automation/automation-onboard-solutions-from-automation-account.md @@ -5,7 +5,7 @@ services: automation ms.service: automation author: georgewallace ms.author: gwallace -ms.date: 10/16/2018 +ms.date: 4/11/2019 ms.topic: conceptual manager: carmonm ms.custom: mvc 
@@ -38,7 +38,7 @@ The following table shows the supported mappings: |EastUS1|EastUS2| |JapanEast|JapanEast| |SoutheastAsia|SoutheastAsia| -|WestCentralUS|WestCentralUS| +|WestCentralUS2|WestCentralUS2| |WestEurope|WestEurope| |UKSouth|UKSouth| |USGovVirginia|USGovVirginia| @@ -46,8 +46,7 @@ The following table shows the supported mappings: 1 EastUS2EUAP and EastUS mappings for Log Analytics workspaces to Automation Accounts are not an exact region to region mapping but is the correct mapping. -> [!NOTE] -> Due to demand, a region may not be available when creating your Automation Account or Log Analytics workspace. If that is the case, ensure you are using a region in the preceding table that you can create resources in. +2 Due to capacity restraints the region is not available when creating new resources. This includes Automation Accounts and Log Analytics workspaces. However, preexisting linked resources in the region should continue to work. The Change Tracking and Inventory solution provides the ability to [track changes](automation-vm-change-tracking.md) and [inventory](automation-vm-inventory.md) on your virtual machines. In this step, you enable the solution on a virtual machine. diff --git a/articles/automation/automation-onboard-solutions-from-browse.md b/articles/automation/automation-onboard-solutions-from-browse.md index 5097c51dbb503..ddc7bdf05af1d 100644 --- a/articles/automation/automation-onboard-solutions-from-browse.md +++ b/articles/automation/automation-onboard-solutions-from-browse.md @@ -5,7 +5,7 @@ services: automation ms.service: automation author: georgewallace ms.author: gwallace -ms.date: 06/06/2018 +ms.date: 04/11/2019 ms.topic: article manager: carmonm ms.custom: mvc @@ -65,7 +65,7 @@ The following table shows the supported mappings: |EastUS1|EastUS2| |JapanEast|JapanEast| |SoutheastAsia|SoutheastAsia| -|WestCentralUS|WestCentralUS| +|WestCentralUS2|WestCentralUS2| |WestEurope|WestEurope| |UKSouth|UKSouth| |USGovVirginia|USGovVirginia| 
@@ -73,8 +73,7 @@ The following table shows the supported mappings: 1 EastUS2EUAP and EastUS mappings for Log Analytics workspaces to Automation Accounts are not an exact region to region mapping but is the correct mapping. -> [!NOTE] -> Due to demand, a region may not be available when creating your Automation Account or Log Analytics workspace. If that is the case, ensure you are using a region in the preceding table that you can create resources in. +2 Due to capacity restraints the region is not available when creating new resources. This includes Automation Accounts and Log Analytics workspaces. However, preexisting linked resources in the region should continue to work. Deselect the checkbox next to any virtual machine that you don't want to enable. Virtual machines that can't be enabled are already deselected. diff --git a/articles/automation/automation-quickstart-create-account.md b/articles/automation/automation-quickstart-create-account.md index 3b417df22d467..661e93c522366 100644 --- a/articles/automation/automation-quickstart-create-account.md +++ b/articles/automation/automation-quickstart-create-account.md @@ -4,7 +4,7 @@ description: Learn how to create an Azure Automation account and run a runbook services: automation author: csand-msft ms.author: csand -ms.date: 01/15/2019 +ms.date: 04/04/2019 ms.topic: quickstart ms.service: automation ms.subservice: process-automation 
@@ -56,10 +56,6 @@ Run one of the tutorial runbooks. 1. After the **Job status** becomes **Running**, click **Output** or **All Logs** to view the runbook job output. For this tutorial runbook, the output is a list of your Azure resources. -## Clean up resources - -When no longer needed, delete the resource group, Automation account, and all related resources. To do so, select the resource group for the Automation account and click **Delete**. - ## Next steps In this quickstart, you’ve deployed an Automation account, started a runbook job, and viewed the job results. To learn more about Azure Automation, continue to the quickstart for creating your first runbook. diff --git a/articles/automation/automation-runbook-execution.md b/articles/automation/automation-runbook-execution.md index 30d6f16cf346a..9ff8b7ef92508 100644 --- a/articles/automation/automation-runbook-execution.md +++ b/articles/automation/automation-runbook-execution.md @@ -6,7 +6,7 @@ ms.service: automation ms.subservice: process-automation author: georgewallace ms.author: gwallace -ms.date: 03/18/2019 +ms.date: 04/04/2019 ms.topic: conceptual manager: carmonm --- @@ -37,15 +37,17 @@ Runbooks in Azure Automation can run on either a sandbox in Azure or a [Hybrid R |Monitor a file or folder with a runbook|Hybrid Runbook Worker|Use a [Watcher task](automation-watchers-tutorial.md) on a Hybrid Runbook worker| |Resource intensive script|Hybrid Runbook Worker| Azure sandboxes have [limitation on resources](../azure-subscription-service-limits.md#automation-limits)| |Using modules with specific requirements| Hybrid Runbook Worker|Some examples are:
**WinSCP** - dependency on winscp.exe
**IISAdministration** - Needs IIS to be enabled| -|Install module that requires installer|Hybrid Runbook Worker|Modules for sandbox must be xcopyable| +|Install module that requires installer|Hybrid Runbook Worker|Modules for sandbox must be copiable| |Using runbooks or modules that require .NET Framework different from 4.7.2|Hybrid Runbook Worker|Automation sandboxes have .NET Framework 4.7.2, and there is no way to upgrade it| |Scripts that require elevation|Hybrid Runbook Worker|Sandboxes do not allow elevation. To solve this, use a Hybrid Runbook Worker and you can turn off UAC and use `Invoke-Command` when running the command that requires elevation| -|Scripts that require access to WMI|Hybrid Runbook Worker|Jobs running in sandboxes the cloud [do not have access the WMI](#device-and-application-characteristics)| +|Scripts that require access to WMI|Hybrid Runbook Worker|Jobs running in sandboxes in the cloud [do not have access to the WMI](#device-and-application-characteristics)| ## Runbook behavior Runbooks execute based on the logic that is defined inside them. If a runbook is interrupted, the runbook restarts at the beginning. This behavior requires runbooks to be written in a way where they support being restarted if there were transient issues. +PowerShell jobs started from a Runbook ran in an Azure sandbox may not run in the Full language mode. To learn more about PowerShell language modes, see [PowerShell language modes](/powershell/module/microsoft.powershell.core/about/about_language_modes). For additional details on how to interact with jobs in Azure Automation, see [Retrieving job status with PowerShell](#retrieving-job-status-using-powershell) + ### Creating resources If your script creates resources, you should check to see if the resource already exists before attempting to create it again. A basic example is shown in the following example: 
@@ -184,7 +186,7 @@ Runbooks run in Azure sandboxes do not support calling processes (such as an .ex ### Device and application characteristics -Runbook jobs run in Azure sandboxes do not have access to any device or application characteristics. The most common API used to query performance metrics on Windows is WMI. Some of these common metrics are memory and CPU usage. However, it does not matter what API is used. Jobs running in the cloud do not have access the Microsoft implementation of Web Based Enterprise Management (WBEM), which is built on the Common Information Model (CIM), which are the industry standards for defining device and application characteristics. +Runbook jobs run in Azure sandboxes do not have access to any device or application characteristics. The most common API used to query performance metrics on Windows is WMI. Some of these common metrics are memory and CPU usage. However, it does not matter what API is used. Jobs running in the cloud do not have access to the Microsoft implementation of Web Based Enterprise Management (WBEM), which is built on the Common Information Model (CIM), which are the industry standards for defining device and application characteristics. ## Job statuses 
@@ -240,9 +242,9 @@ You can use the following steps to view the jobs for a runbook. 3. On the page for the selected runbook, click the **Jobs** tile. 4. Click one of the jobs in the list and on the runbook job details page you can view its detail and output. -## Retrieving job status using Windows PowerShell +## Retrieving job status using PowerShell -You can use the [Get-AzureRmAutomationJob](https://docs.microsoft.com/powershell/module/azurerm.automation/get-azurermautomationjob) to retrieve the jobs created for a runbook and the details of a particular job. If you start a runbook with Windows PowerShell using [Start-AzureRmAutomationRunbook](https://docs.microsoft.com/powershell/module/azurerm.automation/start-azurermautomationrunbook), then it returns the resulting job. Use [Get-AzureRmAutomationJobOutput](https://docs.microsoft.com/powershell/module/azurerm.automation/get-azurermautomationjoboutput) to get a job’s output. +You can use the [Get-AzureRmAutomationJob](https://docs.microsoft.com/powershell/module/azurerm.automation/get-azurermautomationjob) to retrieve the jobs created for a runbook and the details of a particular job. If you start a runbook with PowerShell using [Start-AzureRmAutomationRunbook](https://docs.microsoft.com/powershell/module/azurerm.automation/start-azurermautomationrunbook), then it returns the resulting job. Use [Get-AzureRmAutomationJobOutput](https://docs.microsoft.com/powershell/module/azurerm.automation/get-azurermautomationjoboutput) to get a job’s output. The following sample commands retrieve the last job for a sample runbook and display its status, the values provided for the runbook parameters, and the output from the job. 
@@ -279,11 +281,30 @@ Other details such as the person or account that started the runbook can be retr ```powershell-interactive $SubID = "00000000-0000-0000-0000-000000000000" -$rg = "ResourceGroup01" -$AutomationAccount = "MyAutomationAccount" -$JobResourceID = "/subscriptions/$subid/resourcegroups/$rg/providers/Microsoft.Automation/automationAccounts/$AutomationAccount/jobs" +$AutomationResourceGroupName = "MyResourceGroup" +$AutomationAccountName = "MyAutomationAccount" +$RunbookName = "MyRunbook" +$StartTime = (Get-Date).AddDays(-1) +$JobActivityLogs = Get-AzureRmLog -ResourceGroupName $AutomationResourceGroupName -StartTime $StartTime ` + | Where-Object {$_.Authorization.Action -eq "Microsoft.Automation/automationAccounts/jobs/write"} + +$JobInfo = @{} +foreach ($log in $JobActivityLogs) +{ + # Get job resource + $JobResource = Get-AzureRmResource -ResourceId $log.ResourceId + + if ($JobInfo[$log.SubmissionTimestamp] -eq $null -and $JobResource.Properties.runbook.name -eq $RunbookName) + { + # Get runbook + $Runbook = Get-AzureRmAutomationJob -ResourceGroupName $AutomationResourceGroupName -AutomationAccountName $AutomationAccountName ` + -Id $JobResource.Properties.jobId | ? {$_.RunbookName -eq $RunbookName} -Get-AzureRmLog -ResourceId $JobResourceID -MaxRecord 1 | Select Caller + # Add job information to hash table + $JobInfo.Add($log.SubmissionTimestamp, @($Runbook.RunbookName,$Log.Caller, $JobResource.Properties.jobId)) + } +} +$JobInfo.GetEnumerator() | sort key -Descending | Select-Object -First 1 ``` ## Fair share diff --git a/articles/automation/automation-update-management.md b/articles/automation/automation-update-management.md index c3433645e9add..8c7dac74dd3e9 100644 --- a/articles/automation/automation-update-management.md +++ b/articles/automation/automation-update-management.md 
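Review bot: The rewritten caller-lookup sample only searches one day of activity log (`$StartTime = (Get-Date).AddDays(-1)`) and prints nothing when the job is older, which a reader auditing who started a runbook can misread as "no caller recorded". A comment on that line, such as `# Widen the window if the job ran more than a day ago`, would make the limit visible. `$SubID` is still assigned on the context line above, but nothing in the new code reads it now that the resource ID is no longer built, so it can be dropped. The null test is safer written as `$null -eq $JobInfo[$log.SubmissionTimestamp]`, and `$Log.Caller` should match the `$log` casing used elsewhere in the loop.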
@@ -6,7 +6,7 @@ ms.service: automation ms.subservice: update-management author: georgewallace ms.author: gwallace -ms.date: 04/02/2019 +ms.date: 04/09/2019 ms.topic: conceptual manager: carmonm --- @@ -559,7 +559,7 @@ Update | project-away ClassificationWeight, InformationId, InformationUrl ``` -## Using dynamic groups (preview) +## Using dynamic groups Update Management provides the ability to target a dynamic group of Azure VMs for update deployments. These groups are defined by a query, when an update deployment begins, the members of that group are evaluated. Dynamic groups do not work with classic VMs. When defining your query, the following items can be used together to populate the dynamic group diff --git a/articles/automation/compose-configurationwithcompositeresources.md b/articles/automation/compose-configurationwithcompositeresources.md index 612b7285335d5..d77a3f1b69503 100644 --- a/articles/automation/compose-configurationwithcompositeresources.md +++ b/articles/automation/compose-configurationwithcompositeresources.md @@ -5,8 +5,8 @@ keywords: powershell dsc, desired state configuration, powershell dsc azure, com services: automation ms.service: automation ms.subservice: dsc -author: DCtheGeek -ms.author: dacoulte +author: bobbytreed +ms.author: robreed ms.date: 08/21/2018 ms.topic: conceptual manager: carmonm diff --git a/articles/automation/media/automation-update-management/select-groups.png b/articles/automation/media/automation-update-management/select-groups.png index 108e9dfc0a381..e82cf2ef6c456 100644 Binary files a/articles/automation/media/automation-update-management/select-groups.png and b/articles/automation/media/automation-update-management/select-groups.png differ 
diff --git a/articles/automation/media/automation-credentials/credential-add-canvas.png b/articles/automation/media/credentials/credential-add-canvas.png
similarity index 100%
rename from articles/automation/media/automation-credentials/credential-add-canvas.png
rename to articles/automation/media/credentials/credential-add-canvas.png
diff --git a/articles/automation/media/automation-credentials/get-credential.png b/articles/automation/media/credentials/get-credential.png
similarity index 100%
rename from articles/automation/media/automation-credentials/get-credential.png
rename to articles/automation/media/credentials/get-credential.png
diff --git a/articles/automation/pre-post-scripts.md b/articles/automation/pre-post-scripts.md
index b071c0d58c7f5..a5164566563de 100644
--- a/articles/automation/pre-post-scripts.md
+++ b/articles/automation/pre-post-scripts.md
@@ -6,7 +6,7 @@ ms.service: automation
 ms.subservice: update-management
 author: georgewallace
 ms.author: gwallace
-ms.date: 04/01/2019
+ms.date: 04/04/2019
 ms.topic: conceptual
 manager: carmonm
 ---
@@ -62,6 +62,23 @@ If you need another object type, you can cast it to another type with your own l In addition to your standard runbook parameters, an additional parameter is provided. This parameter is **SoftwareUpdateConfigurationRunContext**. This parameter is a JSON string, and if you define the parameter in your pre or post script, it is automatically passed in by the update deployment. The parameter contains information about the update deployment, which is a subset of information returned by the [SoftwareUpdateconfigurations API](/rest/api/automation/softwareupdateconfigurations/getbyname#updateconfiguration) The following table shows you the properties that are provided in the variable: +## Stopping a deployment + +If you want to stop a deployment based on a Pre script you must [throw](automation-runbook-execution.md#throw) an exception. If you do not throw an exception, the deployment and Post script will still run. The [example runbook](https://gallery.technet.microsoft.com/Update-Management-Run-6949cc44?redir=0) in the gallery shows how you can do this. The following is a snippet from that runbook. + +```powershell +#In this case, we want to terminate the patch job if any run fails. +#This logic might not hold for all cases - you might want to allow success as long as at least 1 run succeeds +foreach($summary in $finalStatus) +{ + if ($summary.Type -eq "Error") + { + #We must throw in order to fail the patch deployment. + throw $summary.Summary + } +} +``` + ### SoftwareUpdateConfigurationRunContext properties |Property |Description | 
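Review bot: The new "Stopping a deployment" section is inserted between the sentence "The following table shows you the properties that are provided in the variable:" and the "SoftwareUpdateConfigurationRunContext properties" heading it introduces, so that sentence is now followed by an unrelated section instead of its table. Moving the new section after the properties table, or before the paragraph that introduces the parameter, keeps the lead-in attached. The `[throw](automation-runbook-execution.md#throw)` link relies on a `#throw` anchor that is not visible in this diff, so it is worth confirming that it resolves.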
@@ -225,6 +242,17 @@ if ($summary.Type -eq "Error") } ``` +## Abort patch deployment + +If your pre script returns an error, you may want to abort your deployment. To do this, you must [throw](/powershell/module/microsoft.powershell.core/about/about_throw) an error in your script for any logic that would constitute a failure. + +```powershell +if () +{ + #Throw an error to fail the patch deployment. + throw "There was an error, abort deployment" +} +``` ## Known issues * You can't pass objects or arrays to parameters when using pre and post scripts. The runbook will fail. diff --git a/articles/automation/shared-resources/credentials.md b/articles/automation/shared-resources/credentials.md new file mode 100644 index 0000000000000..5176ceede93a2 --- /dev/null +++ b/articles/automation/shared-resources/credentials.md 
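Review bot: The added "Abort patch deployment" sample has an empty condition, `if ()`, which PowerShell rejects at parse time, so a reader who copies it gets a syntax error instead of a working template. Use a condition that parses and is clearly a placeholder, for example `if ($preCheckFailed) # placeholder: replace with your own failure test`. This section also repeats the "Stopping a deployment" section that the same commit adds earlier in the file, and the two link `throw` to different targets; I would keep one section and one link.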
@@ -0,0 +1,153 @@
+---
+title: Credential assets in Azure Automation
+description: Credential assets in Azure Automation contain security credentials that can be used to authenticate to resources accessed by the runbook or DSC configuration. This article describes how to create credential assets and use them in a runbook or DSC configuration.
+services: automation
+ms.service: automation
+ms.subservice: shared-capabilities
+author: georgewallace
+ms.author: gwallace
+ms.date: 04/12/2019
+ms.topic: conceptual
+manager: carmonm
+---
+# Credential assets in Azure Automation
+
+An Automation credential asset holds an object, which contains security credentials such as a username and password. Runbooks and DSC configurations may use cmdlets that accept a PSCredential object for authentication, or they may extract the username and password of the PSCredential object to provide to some application or service requiring authentication. The properties for a credential are stored securely in Azure Automation and can be accessed in the runbook or DSC configuration with the [Get-AutomationPSCredential](#activities) activity.
+
+[!INCLUDE [gdpr-dsr-and-stp-note.md](../../../includes/gdpr-dsr-and-stp-note.md)]
+
+> [!NOTE]
+> Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Azure Automation using a unique key that is generated for each automation account. This key is stored in Key Vault. Before storing a secure asset, the key is loaded from Key Vault and then used to encrypt the asset.
+
+## Azure Classic PowerShell cmdlets
+
+The cmdlets in the following table are used to create and manage automation credential assets with Windows PowerShell. They ship as part of the [Azure PowerShell module](/powershell/azure/overview), which is available for use in Automation runbooks and DSC configurations.
+
+| Cmdlets | Description |
+|:--- |:--- |
+| [Get-AzureAutomationCredential](/powershell/module/servicemanagement/azure/get-azureautomationcredential) |Retrieves information about a credential asset. You can only retrieve the credential itself from **Get-AutomationPSCredential** activity. |
+| [New-AzureAutomationCredential](/powershell/module/servicemanagement/azure/new-azureautomationcredential) |Creates a new Automation credential. |
+| [Remove-AzureAutomationCredential](/powershell/module/servicemanagement/azure/new-azureautomationcredential) |Removes an Automation credential. |
+| [Set-AzureAutomationCredential](/powershell/module/servicemanagement/azure/new-azureautomationcredential) |Sets the properties for an existing Automation credential. |
+
+## AzureRM PowerShell cmdlets
+
+For AzureRM, the cmdlets in the following table are used to create and manage automation credential assets with Windows PowerShell. They ship as part of the [AzureRM.Automation module](/powershell/azure/overview), which is available for use in Automation runbooks and DSC configurations.
+
+| Cmdlets | Description |
+|:--- |:--- |
+| [Get-AzureRmAutomationCredential](/powershell/module/azurerm.automation/get-azurermautomationcredential) |Retrieves information about a credential asset. This does not return a PSCredential object. |
+| [New-AzureRmAutomationCredential](/powershell/module/azurerm.automation/new-azurermautomationcredential) |Creates a new Automation credential. |
+| [Remove-AzureRmAutomationCredential](/powershell/module/azurerm.automation/remove-azurermautomationcredential) |Removes an Automation credential. |
+| [Set-AzureRmAutomationCredential](/powershell/module/azurerm.automation/set-azurermautomationcredential) |Sets the properties for an existing Automation credential. |
+
+## Activities
+
+The activities in the following table are used to access credentials in a runbook and DSC configurations.
+
+| Activities | Description |
+|:--- |:--- |
+| Get-AutomationPSCredential |Gets a credential to use in a runbook or DSC configuration. Returns a [System.Management.Automation.PSCredential](/dotnet/api/system.management.automation.pscredential) object. |
+
+> [!NOTE]
+> You should avoid using variables in the –Name parameter of Get-AutomationPSCredential since this can complicate discovering dependencies between runbooks or DSC configurations, and credential assets at design time.
+
+## Python2 functions
+
+The function in the following table is used to access credentials in a Python2 runbook.
+
+| Function | Description |
+|:---|:---|
+| automationassets.get_automation_credential | Retrieves information about a credential asset. |
+
+> [!NOTE]
+> You must import the "automationassets" module at the top of your Python runbook in order to access the asset functions.
+
+## Creating a new credential asset
+
+### To create a new credential asset with the Azure portal
+
+1. From your automation account, select **Credentials** under **Shared Resources**.
+1. Click **+ Add a credential**.
+1. Complete the form and click **Create** to save the new credential.
+
+> [!NOTE]
+> User accounts that use multi-factor authentication are not supported for use in Azure Automation.
+
+### To create a new credential asset with Windows PowerShell
+
+The following sample commands show how to create a new automation credential. A PSCredential object is first created with the name and password and then used to create the credential asset. Alternatively, you could use the **Get-Credential** cmdlet to be prompted to type in a name and password.
+
+```powershell
+$user = "MyDomain\MyUser"
+$pw = ConvertTo-SecureString "PassWord!" -AsPlainText -Force
+$cred = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList $user, $pw
+New-AzureAutomationCredential -AutomationAccountName "MyAutomationAccount" -Name "MyCredential" -Value $cred
+```
+
+## Using a PowerShell credential
+
+You retrieve a credential asset in a runbook or DSC configuration with the **Get-AutomationPSCredential** activity. This returns a [PSCredential object](/dotnet/api/system.management.automation.pscredential) that you can use with an activity or cmdlet that requires a PSCredential parameter. You can also retrieve the properties of the credential object to use individually. The object has a property for the username and the secure password, or you can use the **GetNetworkCredential** method to return a [NetworkCredential](/dotnet/api/system.net.networkcredential) object that will provide an unsecured version of the password.
+
+> [!NOTE]
+> **Get-AzureRmAutomationCredential** does not return a **PSCredential** that can be used for authentication. It only provides information about the credential. If you need to use a credential in a runbook you must use the **Get-AutomationPSCredential** to retrieve the **PSCredential** object.
+
+### Textual runbook sample
+
+The following sample commands show how to use a PowerShell credential in a runbook. In this example, the credential is retrieved and its username and password assigned to variables.
+
+```azurepowershell
+$myCredential = Get-AutomationPSCredential -Name 'MyCredential'
+$userName = $myCredential.UserName
+$securePassword = $myCredential.Password
+$password = $myCredential.GetNetworkCredential().Password
+```
+
+You can also use a credential to authenticate to Azure with [Connect-AzureRmAccount](/powershell/module/azurerm.profile/connect-azurermaccount). Under most circumstances, you should use a [Run As account](../manage-runas-account.md) and retrieve it with [Get-AutomationConnection](../automation-connections.md).
+
+```azurepowershell
+$myCred = Get-AutomationPSCredential -Name 'MyCredential`
+$userName = $myCred.UserName
+$securePassword = $myCred.Password
+$password = $myCred.GetNetworkCredential().Password
+
+$myPsCred = New-Object System.Management.Automation.PSCredential ($userName,$password)
+
+Connect-AzureRmAccount -Credential $myPsCred
+```
+
+### Graphical runbook sample
+
+You add a **Get-AutomationPSCredential** activity to a graphical runbook by right-clicking on the credential in the Library pane of the graphical editor and selecting **Add to canvas**.
+
+![Add credential to canvas](../media/credentials/credential-add-canvas.png)
+
+The following image shows an example of using a credential in a graphical runbook. In this case, it's being used to provide authentication for a runbook to Azure resources as described in [Authenticate Runbooks with Azure AD User account](../automation-create-aduser-account.md). The first activity retrieves the credential that has access to the Azure subscription. The **Add-AzureAccount** activity then uses this credential to provide authentication for any activities that come after it. A [pipeline link](../automation-graphical-authoring-intro.md#links-and-workflow) is here since **Get-AutomationPSCredential** is expecting a single object.
+
+![Add credential to canvas](../media/credentials/get-credential.png)
+
+## Using a PowerShell credential in DSC
+
+While DSC configurations in Azure Automation can reference credential assets using **Get-AutomationPSCredential**, credential assets can also be passed in via parameters, if wanted. For more information, see [Compiling configurations in Azure Automation DSC](../automation-dsc-compile.md#credential-assets).
+
+## Using credentials in Python2
+
+The following sample shows an example of accessing credentials in Python2 runbooks.
+
+```python
+import automationassets
+from automationassets import AutomationAssetNotFound
+
+# get a credential
+cred = automationassets.get_automation_credential("credtest")
+print cred["username"]
+print cred["password"]
+```
+
+## Next steps
+
+* To learn more about links in graphical authoring, see [Links in graphical authoring](../automation-graphical-authoring-intro.md#links-and-workflow)
+* To understand the different authentication methods with Automation, see [Azure Automation Security](../automation-security-overview.md)
+* To get started with Graphical runbooks, see [My first graphical runbook](../automation-first-runbook-graphical.md)
+* To get started with PowerShell workflow runbooks, see [My first PowerShell workflow runbook](../automation-first-runbook-textual.md)
+* To get started with Python2 runbooks, see [My first Python2 runbook](../automation-first-runbook-textual-python2.md)
diff --git a/articles/automation/shared-resources/schedules.md b/articles/automation/shared-resources/schedules.md
index ee3baba862896..a7a9904f3ac9a 100644
--- a/articles/automation/shared-resources/schedules.md
+++ b/articles/automation/shared-resources/schedules.md
@@ -6,7 +6,7 @@ ms.service: automation
 ms.subservice: shared-capabilities
 author: georgewallace
 ms.author: gwallace
-ms.date: 03/22/2019
+ms.date: 04/04/2019
 ms.topic: conceptual
 manager: carmonm
 ---
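Review bot: The second `azurepowershell` sample under "Textual runbook sample" in the new credentials.md will not run as written and teaches an unnecessary plaintext step. Its `-Name` value is closed with a backtick instead of a single quote, and `New-Object System.Management.Automation.PSCredential ($userName,$password)` passes the decrypted string where the constructor expects a SecureString. The object returned by Get-AutomationPSCredential is already a PSCredential, so the sample can shrink to `$myCred = Get-AutomationPSCredential -Name 'MyCredential'` followed by `Connect-AzureRmAccount -Credential $myCred`, which never puts the password in clear text. The Python2 sample has a related problem: `print cred["password"]` writes the secret to the runbook's output stream, so I would drop that line or replace it with a comment saying the value should be handed to the consuming API rather than printed. The Remove- and Set-AzureAutomationCredential rows in the first table also both link to the new-azureautomationcredential page.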
@@ -152,6 +152,9 @@ When you disable a schedule, any runbook linked to it no longer runs on that sch 2. Click the name of a schedule to open the details pane. 3. Change **Enabled** to **No**. +> [!NOTE] +> If you want to disable a schedule that has a start time in the past, you must change the start date to a time in the future before saving it. + ### To disable a schedule with PowerShell You can use the [Set-AzureRmAutomationSchedule](/powershell/module/azurerm.automation/set-azurermautomationschedule) cmdlet to change the properties of an existing schedule. To disable the schedule, specify **false** for the **IsEnabled** parameter. diff --git a/articles/automation/troubleshoot/runbooks.md b/articles/automation/troubleshoot/runbooks.md index e2df90c4a4bb5..0bbc2f1ffc439 100644 --- a/articles/automation/troubleshoot/runbooks.md +++ b/articles/automation/troubleshoot/runbooks.md @@ -132,7 +132,7 @@ To use a certificate with the Azure classic deployment model cmdlets, refer to [ #### Issue -You receive the following error when invoking a childrunbook with the `-Wait` switch and the output stream contains and object: +You receive the following error when invoking a child runbook with the `-Wait` switch and the output stream contains and object: ```error Object reference not set to an instance of an object 
@@ -479,6 +479,29 @@ There are two ways to resolve this error: * Edit the runbook, and reduce the number of job streams that it emits​. * Reduce the number of streams to be retrieved when running the cmdlet. To follow this behavior, you can specify the `-Stream Output` parameter to the `Get-AzureRmAutomationJobOutput` cmdlet to retrieve only output streams. ​ +### Scenario: PowerShell job fails with error: Cannot invoke method + +#### Issue + +You receive the following error message when starting a PowerShell Job in a runbook running in Azure: + +```error +Exception was thrown - Cannot invoke method. Method invocation is supported only on core types in this language mode. +``` + +#### Cause + +This error may occur when you start a PowerShell job in a runbook ran in Azure. This behavior may occur because runbooks ran in an Azure sandbox may not run in the [Full language mode](/powershell/module/microsoft.powershell.core/about/about_language_modes)). + +#### Resolution + +There are two ways to resolve this error: + +* Instead of using `Start-Job`, use `Start-AzureRmAutomationRunbook` to start a runbook +* If your runbook has this error message, run it on a Hybrid Runbook Worker + +To learn more about this behavior and other behaviors of Azure Automation Runbooks, see [Runbook behavior](../automation-runbook-execution.md#runbook-behavior). + ## Next steps If you didn't see your problem or are unable to solve your issue, visit one of the following channels for more support: diff --git a/articles/automation/troubleshoot/start-stop-vm.md b/articles/automation/troubleshoot/start-stop-vm.md index 8431b0a43f5a9..d95c4a4952caf 100644 --- a/articles/automation/troubleshoot/start-stop-vm.md +++ b/articles/automation/troubleshoot/start-stop-vm.md @@ -6,7 +6,7 @@ ms.service: automation ms.subservice: process-automation author: georgewallace ms.author: gwallace -ms.date: 02/13/2019 +ms.date: 04/04/2019 ms.topic: conceptual manager: carmonm --- 
@@ -82,7 +82,7 @@ Review the following list for potential solutions to your problem or places to l * Check that you've properly configured a schedule for the Start/Stop VM solution. To learn how to configure a schedule, see the [Schedules](../automation-schedules.md) article. -* Check the job streams for the runbooks to look for any errors. In the portal, go to your Automation Account and select **Jobs** under **Process Automation**. From the **Jobs** page look for jobs from one of the following runbooks: +* Check the [job streams](../automation-runbook-execution.md#viewing-job-status-from-the-azure-portal) to look for any errors. In the portal, go to your Automation Account and select **Jobs** under **Process Automation**. From the **Jobs** page look for jobs from one of the following runbooks: * AutoStop_CreateAlert_Child * AutoStop_CreateAlert_Parent @@ -137,6 +137,8 @@ Review the following list for potential solutions to your problem or places to l * If the VM is having a problem starting or deallocating, this behavior can be caused by an issue on the VM itself. Some examples or potential problems are, an update is being applied when trying to shutdown, a service hangs, and more). Navigate to your VM resource and check the **Activity Logs** to see if there are any errors in the logs. You may also attempt to log into the VM to see if there are any errors in the Event logs. To learn more about troubleshooting your VM, see [Troubleshooting Azure virtual machines](../../virtual-machines/troubleshooting/index.md) +* Check the [job streams](../automation-runbook-execution.md#viewing-job-status-from-the-azure-portal) to look for any errors. In the portal, go to your Automation Account and select **Jobs** under **Process Automation**. + ## Scenario: My custom runbook fails to start or stop my VMs ### Issue 
@@ -149,7 +151,7 @@ The cause for the failure could be one of many things. Go to your Automation Acc ### Resolution -It's recommended to use the [Start/Stop VMs during off hours solution](../automation-solution-vm-management.md) to start and stop VMs in Azure Automation. This solution is authored by Microsoft. Custom runbooks are not supported by Microsoft. You might find a solution for your custom runbook by visiting the [runbook troubleshooting](runbooks.md) article. This article provides general guidance and troubleshooting for runbooks of all types. +It's recommended to use the [Start/Stop VMs during off hours solution](../automation-solution-vm-management.md) to start and stop VMs in Azure Automation. This solution is authored by Microsoft. Custom runbooks are not supported by Microsoft. You might find a solution for your custom runbook by visiting the [runbook troubleshooting](runbooks.md) article. This article provides general guidance and troubleshooting for runbooks of all types. Check the [job streams](../automation-runbook-execution.md#viewing-job-status-from-the-azure-portal) to look for any errors. In the portal, go to your Automation Account and select **Jobs** under **Process Automation**. ## Scenario: VMs don't start or stop in the correct sequence 
@@ -203,7 +205,7 @@ Many times errors can be caused by using an old and outdated version of the solu ### Resolution -To resolve many errors, it's recommended to remove and update the solution. To learn how to update the solution, see [Update the Start/Stop VMs during off hours solution](../automation-solution-vm-management.md#update-the-solution). +To resolve many errors, it's recommended to remove and update the solution. To learn how to update the solution, see [Update the Start/Stop VMs during off hours solution](../automation-solution-vm-management.md#update-the-solution). Additionally, you can check the [job streams](../automation-runbook-execution.md#viewing-job-status-from-the-azure-portal) to look for any errors. In the portal, go to your Automation Account and select **Jobs** under **Process Automation**. ## Next steps diff --git a/articles/automation/troubleshoot/update-management.md b/articles/automation/troubleshoot/update-management.md index bb72c4463727f..b57cebc231ae2 100644 --- a/articles/automation/troubleshoot/update-management.md +++ b/articles/automation/troubleshoot/update-management.md @@ -4,7 +4,7 @@ description: Learn how to troubleshoot issues with Update Management services: automation author: georgewallace ms.author: gwallace -ms.date: 12/05/2018 +ms.date: 04/05/2019 ms.topic: conceptual ms.service: automation manager: carmonm 
@@ -176,6 +176,8 @@ Double-click on the exception displayed in red to see the entire exception messa |`The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (Exception from HRESULT: 0x80070422)` | Make sure the Windows Update service (wuauserv) is running and is not disabled. | |Any other generic exception | Do a search the internet for the possible solutions and work with your local IT support. | +Reviewing the `windowsupdate.log` can help you try to determine the possible cause as well. For more information on how to read the log, see [How to read the Windowsupdate.log file](https://support.microsoft.com/en-ca/help/902093/how-to-read-the-windowsupdate-log-file). + Additionally you can download and run the [Windows Update troubleshooter](https://support.microsoft.com/help/4027322/windows-update-troubleshooter) to check if there are any issues with Windows Update on the machine. > [!NOTE] diff --git a/articles/availability-zones/az-overview.md b/articles/availability-zones/az-overview.md index f81507acea579..f48132555c16b 100644 --- a/articles/availability-zones/az-overview.md +++ b/articles/availability-zones/az-overview.md @@ -13,7 +13,7 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: na -ms.date: 03/19/2019 +ms.date: 04/02/2019 ms.author: cynthn ms.custom: mvc I am an ITPro and application developer, and I want to protect (use Availability Zones) my applications and data against data center failure (to build Highly Available applications). --- @@ -40,6 +40,7 @@ To achieve comprehensive business continuity on Azure, build your application ar - France Central - North Europe - Southeast Asia +- UK South * - West Europe - West US 2 
@@ -52,8 +53,8 @@ The Azure services that support Availability Zones are: - Windows Virtual Machines - Virtual Machine Scale Sets - Managed Disks -- Load Balancer -- Public IP address +- Standard Load Balancer * +- Standard public IP address * - Zone-redundant storage - SQL Database - Event Hubs @@ -62,6 +63,8 @@ The Azure services that support Availability Zones are: - ExpressRoute - Application Gateway (preview) +* Resources created in UK South before March 25, 2019 will soon be converted to be zone-redundant. Resources created after March 25, 2019 will be zone-redundant immediately. + ## Services resiliency All Azure management services are architected to be resilient from region-level failures. In the spectrum of failures, one or more Availability Zone failures within a region have a smaller failure radius compared to an entire region failure. Azure can recover from a zone-level failure of management services within the region or from another Azure region. Azure performs critical maintenance one zone at a time within a region, to prevent any failures impacting customer resources deployed across Availability Zones within a region. diff --git a/articles/avere-vfxt/avere-vfxt-controller-role.md b/articles/avere-vfxt/avere-vfxt-controller-role.md deleted file mode 100644 index a8db612798341..0000000000000 --- a/articles/avere-vfxt/avere-vfxt-controller-role.md +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -title: Customized controller access role - Avere vFXT for Azure -description: How to create a custom access role for the Avere vFXT cluster controller -author: ekpgh -ms.service: avere-vfxt -ms.topic: conceptual -ms.date: 01/29/2019 -ms.author: v-erkell ---- - -# Customized controller access role - -The Avere vFXT for Azure cluster controller uses a managed identity and role-based access control (RBAC) to allow it to create and manage the cluster. - -By default, the cluster controller is assigned the [built-in Owner role](../role-based-access-control/built-in-roles.md#owner). Also, the controller's access is scoped to its resource group - it can't modify elements outside the cluster's resource group. - -This article explains how to create your own access role for the cluster controller instead of using the default setting. - -## Edit the role prototype - -Start from the prototype role available at . - -```json -{ - "AssignableScopes": [ - "/subscriptions/YOUR SUBSCRIPTION ID HERE" - ], - "Name": "Avere custom contributor", - "IsCustom": true, - "Description": "Can create and manage an Avere vFXT cluster.", - "NotActions": [], - "Actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Compute/*/read", - "Microsoft.Compute/availabilitySets/*", - "Microsoft.Compute/virtualMachines/*", - "Microsoft.Compute/disks/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Network/*/read", - "Microsoft.Network/networkInterfaces/*", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/virtualNetworks/subnets/join/action", - "Microsoft.Network/virtualNetworks/subnets/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/subscriptions/resourceGroups/resources/read", - "Microsoft.Storage/*/read", - "Microsoft.Storage/storageAccounts/listKeys/action", - "Microsoft.Support/*" - ], - "DataActions": [] -} -``` - -Add the subscription ID for the Avere vFXT for Azure 
deployment in the AssignableScopes statement. Customize the name and add or alter definitions as needed. - -Be careful if you restrict privileges. Cluster creation can fail if the controller does not have sufficient access. - -For help understanding what privileges the cluster controller needs to create a cluster, [open a support ticket](avere-vfxt-open-ticket.md#open-a-support-ticket-for-your-avere-vfxt). - -Save your custom role definition as a .json file. - -## Define the role - -Follow these steps to add the custom role definition to your subscription. - -1. Open the Azure Cloud Shell in the Azure portal or browse to [https://shell.azure.com](https://shell.azure.com). - -1. Use the Azure CLI command to switch to your vFXT subscription: - - ```azurecli - az account set --subscription YOUR_SUBSCRIPTION_ID - ``` - -1. Create the role: - - ```azurecli - az role definition create --role-definition /avere-contributor-custom.json - ``` - - Use your filename and path in place of ```/avere-contributor-custom.json``` in this example. - -Save the output of the role definition command - it contains the role identifier that you need to supply to the cluster creation template. - -## Find the role ID - -The Avere vFXT deployment template needs the role's globally unique identifier (GUID) to assign the controller a custom role. - -The role GUID is a 32-character string in this form: 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 - -To look up your role's GUID, use this command with your role name in the ```--name``` parameter. - -```azurecli -az role definition list --query '[*].{roleName:roleName, name:name}' -o table --name 'YOUR ROLE NAME' -``` -Enter this string in the **Avere cluster create role ID** field when deploying the Avere vFXT for Azure. - -## Next steps - -Read how to deploy the Avere vFXT for Azure in [Deploy the vFXT cluster](avere-vfxt-deploy.md) 
diff --git a/articles/avere-vfxt/avere-vfxt-deploy-overview.md b/articles/avere-vfxt/avere-vfxt-deploy-overview.md index 7689ada536761..2679a3fe0da67 100644 --- a/articles/avere-vfxt/avere-vfxt-deploy-overview.md +++ b/articles/avere-vfxt/avere-vfxt-deploy-overview.md @@ -28,14 +28,6 @@ Here is an overview of all of the steps. Before creating a VM, you must create a new subscription for the Avere vFXT project, configure subscription ownership, check quotas and request an increase if needed, and accept terms for using the Avere vFXT software. Read [Prepare to create the Avere vFXT](avere-vfxt-prereqs.md) for detailed instructions. -1. Create an access role for the cluster nodes - - Azure uses [role-based access control](../role-based-access-control/index.yml) (RBAC) to authorize the cluster node VMs to perform certain tasks. For example, the cluster nodes need to be able to assigning or reassign IP addresses to other cluster nodes. Before you create the cluster, you must define a role that gives them adequate permissions. - - Read [Create the cluster node access role](avere-vfxt-prereqs.md#create-the-cluster-node-access-role) for instructions. - - The cluster controller also uses an access role, but you can accept the default role, Owner, instead of creating your own. If you want to create a custom role for the cluster controller, read [Customized controller access role](avere-vfxt-controller-role.md). - 1. Create the Avere vFXT cluster Use the Azure Marketplace to create the Avere vFXT for Azure cluster. A template collects the required information and executes scripts to create the final product. diff --git a/articles/avere-vfxt/avere-vfxt-deploy-plan.md b/articles/avere-vfxt/avere-vfxt-deploy-plan.md index cbb5254bb81fb..eaf61b7430b74 100644 --- a/articles/avere-vfxt/avere-vfxt-deploy-plan.md +++ b/articles/avere-vfxt/avere-vfxt-deploy-plan.md 
@@ -126,6 +126,17 @@ When creating the cluster, you can choose whether or not to create a public IP a * If you create a new vnet or a new subnet, the cluster controller will be assigned a public IP address. * If you select an existing vnet and subnet, the cluster controller will have only private IP addresses. +## VM access roles + +Azure uses [role-based access control](../role-based-access-control/index.yml) (RBAC) to authorize the cluster VMs to perform certain tasks. For example, the cluster controller needs authorization to create and configure the cluster node VMs. The cluster nodes need to be able to assign or reassign IP addresses to other cluster nodes. + +Two built-in Azure roles are used for the Avere vFXT virtual machines: + +* The cluster controller uses the built-in role [Avere Contributor](../role-based-access-control/built-in-roles.md#avere-contributor). +* Cluster nodes use the built-in role [Avere Operator](../role-based-access-control/built-in-roles.md#avere-operator) + +If you need to customize access roles for Avere vFXT components, you must define your own role and then assign it to the VMs at the time they are created. You cannot use the deployment template in the Azure Marketplace. Consult Microsoft Customer Service and Support by opening a ticket in the Azure portal as described in [Get help with your system](avere-vfxt-open-ticket.md). + ## Next step: Understand the deployment process [Deployment overview](avere-vfxt-deploy-overview.md) gives the big picture of all of the steps needed to create an Avere vFXT for Azure system and get it ready to serve data. \ No newline at end of file diff --git a/articles/avere-vfxt/avere-vfxt-deploy.md b/articles/avere-vfxt/avere-vfxt-deploy.md index 607e42269df63..6e7b1df98cdd9 100644 --- a/articles/avere-vfxt/avere-vfxt-deploy.md +++ b/articles/avere-vfxt/avere-vfxt-deploy.md 
@@ -4,7 +4,7 @@ description: Steps to deploy the Avere vFXT cluster in Azure
 author: ekpgh
 ms.service: avere-vfxt
 ms.topic: conceptual
-ms.date: 02/20/2019
+ms.date: 04/05/2019
 ms.author: v-erkell
 ---
 
@@ -26,18 +26,17 @@ Before using the creation template, make sure you have addressed these prerequis 1. [New subscription](avere-vfxt-prereqs.md#create-a-new-subscription) 1. [Subscription owner permissions](avere-vfxt-prereqs.md#configure-subscription-owner-permissions) 1. [Quota for the vFXT cluster](avere-vfxt-prereqs.md#quota-for-the-vfxt-cluster) -1. [Custom access roles](avere-vfxt-prereqs.md#create-access-roles) - You must create a role-based access control role to assign to the cluster nodes. You have the option to also create a custom access role for the cluster controller, but most users will take the default Owner role, which gives the controller privileges corresponding to a resource group owner. Read [Built-in roles for Azure resources](../role-based-access-control/built-in-roles.md#owner) for more detail. 1. [Storage service endpoint (if needed)](avere-vfxt-prereqs.md#create-a-storage-service-endpoint-in-your-virtual-network-if-needed) - Required for deploys using an existing virtual network and creating blob storage For more information about cluster deployment steps and planning, read [Plan your Avere vFXT system](avere-vfxt-deploy-plan.md) and [Deployment overview](avere-vfxt-deploy-overview.md). ## Create the Avere vFXT for Azure -Access the creation template in the Azure portal by searching for Avere and selecting "Avere vFXT ARM Deployment". +Access the creation template in the Azure portal by searching for Avere and selecting "Avere vFXT for Azure ARM Template". -![Browser window showing the Azure portal with bread crumbs "New > Marketplace > Everything". In the Everything page, the search field has the term "avere" and the second result, "Avere vFXT ARM Deployment" is outlined in red to highlight it.](media/avere-vfxt-template-choose.png) +![Browser window showing the Azure portal with bread crumbs "New > Marketplace > Everything". 
In the Everything page, the search field has the term "avere" and the second result, "Avere vFXT for Azure ARM Template" is outlined in red to highlight it.](media/avere-vfxt-template-choose.png) -After reading the details on the Avere vFXT ARM Deployment page, click **Create** to begin. +After reading the details on the Avere vFXT for Azure ARM Template page, click **Create** to begin. ![Azure marketplace with the first page of the deployment template showing](media/avere-vfxt-deploy-first.png) @@ -64,14 +63,6 @@ Fill in the following information: * **Password** or **SSH public key** - Depending on the authentication type you selected, you must provide an RSA public key or a password in the next fields. This credential is used with the username provided earlier. -* **Avere cluster create role ID** - Use this field to specify the access control role for the cluster controller. The default value is the built-in role [Owner](../role-based-access-control/built-in-roles.md#owner). Owner privileges for the cluster controller are restricted to the cluster's resource group. - - You must use the globally unique identifier that corresponds to the role. For the default value (Owner), the GUID is 8e3af657-a8ff-443c-a75c-2fe8c4bcb635. To find the GUID for a custom role, use this command: - - ```azurecli - az role definition list --query '[*].{roleName:roleName, name:name}' -o table --name 'YOUR ROLE NAME' - ``` - * **Subscription** - Select the subscription for the Avere vFXT. * **Resource group** - Select an existing empty resource group for the Avere vFXT cluster, or click "Create new" and enter a new resource group name. 
@@ -93,10 +84,6 @@ The second page of the deployment template allows you to set the cluster size, n * **Cluster administration password** - Create the password for cluster administration. This password will be used with the username ```admin``` to sign in to the cluster control panel to monitor the cluster and to configure settings. -* **Avere cluster operations role** - Specify the name of the access control role for the cluster nodes. This is a custom role that was created as a prerequisite step. - - The example described in [Create the cluster node access role](avere-vfxt-prereqs.md#create-the-cluster-node-access-role) saves the file as ```avere-operator.json``` and the corresponding role name is ```avere-operator```. - * **Avere vFXT cluster name** - Give the cluster a unique name. * **Size** - This section shows the VM type that will be used for the cluster nodes. Although there is only one recommended option, the **Change size** link opens a table with details about this instance type and a link to a pricing calculator. @@ -133,7 +120,7 @@ Page three summarizes the configuration and validates the parameters. After vali ![Third page of the deployment template - validation](media/avere-vfxt-deploy-3.png) -On page four, click the **Create** button to accept the terms and create the Avere vFXT for Azure cluster. +On page four, enter any required contact information and click the **Create** button to accept the terms and create the Avere vFXT for Azure cluster. ![Fourth page of the deployment template - terms and conditions, create button](media/avere-vfxt-deploy-4.png) diff --git a/articles/avere-vfxt/avere-vfxt-faq.md b/articles/avere-vfxt/avere-vfxt-faq.md index 80d16e4da72da..137567eb73986 100644 --- a/articles/avere-vfxt/avere-vfxt-faq.md +++ b/articles/avere-vfxt/avere-vfxt-faq.md 
@@ -196,6 +196,14 @@ For latency-sensitive environments, you should use a fiber solution with a minim No, Avere vFXT is meant to be operated in a network environment secured through best practices. +### Can I restrict internet access from my cluster's virtual network? + +In general, you can configure additional security on your vnet as needed, but some restrictions can interfere with the operation of the cluster. + +For example, restricting outbound internet access from your vnet causes problems for the cluster unless you also add rules that explicitly allow access to AzureConnectors and to AzureCloud. This situation is described in [supplemental documentation on GitHub](https://github.com/Azure/Avere/tree/master/src/vfxt/internet_access.md). + +For help with customized security, contact support as described in [Get help with your system](avere-vfxt-open-ticket.md#open-a-support-ticket-for-your-avere-vfxt). + ## Technical: Back-end storage (core filers) ### How many core filers does a single Avere vFXT environment support? diff --git a/articles/avere-vfxt/avere-vfxt-manage-cluster.md b/articles/avere-vfxt/avere-vfxt-manage-cluster.md index 2922eb5be7021..91d1ea7fc7166 100644 --- a/articles/avere-vfxt/avere-vfxt-manage-cluster.md +++ b/articles/avere-vfxt/avere-vfxt-manage-cluster.md @@ -93,7 +93,7 @@ Supply the following values: * Resource group name for the cluster, and also for network and storage resources if they are not the same as the cluster * Cluster location * Cluster network and subnet -* Cluster node access role +* Cluster node access role (use the built-in role [Avere Operator](../role-based-access-control/built-in-roles.md#avere-operator)) * Cluster management IP address and administrative password * Number of nodes to add (1, 2, or 3) * Node instance type and cache size values 
@@ -108,7 +108,7 @@ If you are not using the prototype, you must construct a command like the follow --add-nodes --nodes NODE_COUNT \ --management-address CLUSTER_IP --admin-password ADMIN_PASSWORD \ --instance-type TYPE --node-cache-size SIZE \ - --azure-role ROLE_NAME \ + --azure-role "Avere Operator" \ --log ~/vfxt.log ``` @@ -182,7 +182,7 @@ You can destroy node instances permanently by deleting them in the Azure portal. ### Delete additional cluster resources from the Azure portal -If you created additional resources specifically for the vFXT cluster, you might want to remove them as part of tearing down the cluster. You should not destroy elements that contain data you need, or any items that are shared with other projects. +If you created additional resources specifically for the vFXT cluster, you might want to remove them as part of tearing down the cluster. Do not destroy elements that contain data you need, or any items that are shared with other projects. In addition to deleting the cluster nodes, consider removing these components: diff --git a/articles/avere-vfxt/avere-vfxt-prereqs.md b/articles/avere-vfxt/avere-vfxt-prereqs.md index 704bf67907031..d978bbc15f60f 100644 --- a/articles/avere-vfxt/avere-vfxt-prereqs.md +++ b/articles/avere-vfxt/avere-vfxt-prereqs.md 
@@ -25,23 +25,16 @@ To create a new Azure subscription in the Azure portal: ## Configure subscription owner permissions -A user with owner permissions for the subscription should create the vFXT cluster. Subscription owner permissions are needed for these actions, among others: +A user with owner permissions for the subscription should create the vFXT cluster. Subscription owner permissions are needed to accept the software terms of service and perform other actions. -* Accept terms for the Avere vFXT software -* Create the cluster node access role +There are some workaround scenarios that allow a non-owner to create an Avere vFTX for Azure cluster. These scenarios involve restricting resources and assigning additional roles to the creator. In both of these cases, a subscription owner also must [accept the Avere vFXT software terms](#accept-software-terms) ahead of time. -There are two workarounds if you do not want to give owner access to the users who create the vFXT: - -* A resource group owner can create a cluster if these conditions are met: - - * A subscription owner must [accept the Avere vFXT software terms](#accept-software-terms) and [create the cluster node access role](#create-the-cluster-node-access-role). 
- * All Avere vFXT resources must be deployed inside the resource group, including: - * Cluster controller - * Cluster nodes - * Blob storage - * Network elements +| Scenario | Restrictions | Access roles required to create the Avere vFXT cluster | +|----------|--------|-------| +| Resource group administrator | The virtual network, cluster controller, and cluster nodes must be created within the resource group | [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) and [Contributor](../role-based-access-control/built-in-roles.md#contributor) roles, both scoped to the target resource group | +| External vnet | The cluster controller and cluster nodes are created within the resource group but an existing virtual network in a different resource group is used | (1) [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) and [Contributor](../role-based-access-control/built-in-roles.md#contributor) roles scoped to the vFXT resource group; and (2) [Virtual Machine Contributor](../role-based-access-control/built-in-roles.md#virtual-machine-contributor), [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator), and [Avere Contributor](../role-based-access-control/built-in-roles.md#avere-contributor) roles scoped to the VNET resource group. | -* A user with no owner privileges can create vFXT clusters by using role-based access control (RBAC) ahead of time to assign privileges to the user. This method gives significant permissions to these users. [This article](avere-vfxt-non-owner.md) explains how to create an access role to authorize non-owners to create clusters. +An alternative is to create a custom role-based access control (RBAC) role ahead of time and assign privileges to the user, as explained in [this article](avere-vfxt-non-owner.md). This method gives significant permissions to these users. ## Quota for the vFXT cluster 
@@ -79,75 +72,6 @@ To accept the software terms in advance: az vm image accept-terms --urn microsoft-avere:vfxt:avere-vfxt-controller:latest ``` -## Create access roles - -[Role-based access control](../role-based-access-control/index.yml) (RBAC) gives the vFXT cluster controller and cluster nodes authorization to perform necessary tasks. - -* The cluster controller needs permission to create and modify VMs in order to create the cluster. - -* Individual vFXT nodes need to do things like read Azure resource properties, manage storage, and control other nodes' network interface settings as part of normal cluster operation. - -Before you can create your Avere vFXT cluster, you must define a custom role to use with the cluster nodes. - -For the cluster controller, you can accept the default role from the template. The default gives the cluster controller resource group owner privileges. If you prefer to create a custom role for the controller, see [Customized controller access role](avere-vfxt-controller-role.md). - -> [!NOTE] -> Only a subscription owner, or a user with the role Owner or User Access Administrator, can create roles. The roles can be created ahead of time. - -### Create the cluster node access role - - - -You must create the cluster node role before you can create the Avere vFXT for Azure cluster. - -> [!TIP] -> Microsoft internal users should use the existing role named "Avere Cluster Runtime Operator" instead of attempting to create one. - -1. Copy this file. Add your subscription ID in the AssignableScopes line. - - (The current version of this file is stored in the github.com/Azure/Avere repository as [AvereOperator.txt](https://github.com/Azure/Avere/blob/master/src/vfxt/src/roles/AvereOperator.txt).) 
- - ```json - { - "AssignableScopes": [ - "/subscriptions/PUT_YOUR_SUBSCRIPTION_ID_HERE" - ], - "Name": "Avere Operator", - "IsCustom": "true", - "Description": "Used by the Avere vFXT cluster to manage the cluster", - "NotActions": [], - "Actions": [ - "Microsoft.Compute/virtualMachines/read", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Network/networkInterfaces/write", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/virtualNetworks/subnets/read", - "Microsoft.Network/virtualNetworks/subnets/join/action", - "Microsoft.Network/networkSecurityGroups/join/action", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/delete", - "Microsoft.Storage/storageAccounts/blobServices/containers/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/write" - ], - "DataActions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write" - ] - } - ``` - -1. Save the file as ``avere-operator.json`` or a similar memorable file name. - - -1. Open an Azure Cloud shell and sign in with your subscription ID (described [earlier in this document](#accept-software-terms)). Use this command to create the role: - - ```bash - az role definition create --role-definition /avere-operator.json - ``` - -The role name is used when creating the cluster. In this example, the name is ``avere-operator``. - ## Create a storage service endpoint in your virtual network (if needed) A [service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) keeps Azure Blob traffic local instead of routing it outside the virtual network. It is recommended for any Avere vFXT for Azure cluster that uses Azure Blob for back-end data storage. 
diff --git a/articles/avere-vfxt/avere-vfxt-whitepapers.md b/articles/avere-vfxt/avere-vfxt-whitepapers.md index a2457ff2351ea..e87149db5e501 100644 --- a/articles/avere-vfxt/avere-vfxt-whitepapers.md +++ b/articles/avere-vfxt/avere-vfxt-whitepapers.md @@ -20,7 +20,7 @@ This guide provides step-by-step guidance for installing Agisoft PhotoScan photo ## Datasheet: Avere vFXT for Azure -**Link:** [Avere vFXT for Azure datasheet](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2NIlv) +**Link:** [Avere vFXT for Azure datasheet](https://azure.microsoft.com/resources/avere-vfxt-for-azure-data-sheet/) This two-page brief has basic information and diagrams that explain how to use Avere vFXT for Azure in several use case scenarios. diff --git a/articles/avere-vfxt/media/avere-vfxt-deploy-1.png b/articles/avere-vfxt/media/avere-vfxt-deploy-1.png index 2d9cbea341bd7..a41dbacf124bd 100644 Binary files a/articles/avere-vfxt/media/avere-vfxt-deploy-1.png and b/articles/avere-vfxt/media/avere-vfxt-deploy-1.png differ diff --git a/articles/avere-vfxt/media/avere-vfxt-deploy-2.png b/articles/avere-vfxt/media/avere-vfxt-deploy-2.png index 304bc54ecc624..32721682e1630 100644 Binary files a/articles/avere-vfxt/media/avere-vfxt-deploy-2.png and b/articles/avere-vfxt/media/avere-vfxt-deploy-2.png differ diff --git a/articles/avere-vfxt/media/avere-vfxt-deploy-3.png b/articles/avere-vfxt/media/avere-vfxt-deploy-3.png index 13ccdbb398790..db2d778c04b10 100644 Binary files a/articles/avere-vfxt/media/avere-vfxt-deploy-3.png and b/articles/avere-vfxt/media/avere-vfxt-deploy-3.png differ diff --git a/articles/avere-vfxt/media/avere-vfxt-deploy-4.png b/articles/avere-vfxt/media/avere-vfxt-deploy-4.png index 924a03299d944..881dc2322cff7 100644 Binary files a/articles/avere-vfxt/media/avere-vfxt-deploy-4.png and b/articles/avere-vfxt/media/avere-vfxt-deploy-4.png differ 
diff --git a/articles/avere-vfxt/media/avere-vfxt-deploy-first.png b/articles/avere-vfxt/media/avere-vfxt-deploy-first.png index 474eed01621a2..1d2b76ac0ba55 100644 Binary files a/articles/avere-vfxt/media/avere-vfxt-deploy-first.png and b/articles/avere-vfxt/media/avere-vfxt-deploy-first.png differ diff --git a/articles/avere-vfxt/toc.yml b/articles/avere-vfxt/toc.yml index 2d9c80c1cb963..7fc50d78fd805 100644 --- a/articles/avere-vfxt/toc.yml +++ b/articles/avere-vfxt/toc.yml @@ -42,8 +42,6 @@ items: - name: Supplemental documentation href: avere-vfxt-additional-resources.md - - name: Customized controller access role - href: avere-vfxt-controller-role.md - name: Avere cluster DNS configuration href: avere-vfxt-configure-dns.md - name: Authorize non-owners to deploy Avere vFXT diff --git a/articles/azure-app-configuration/integrate-azure-managed-service-identity.md b/articles/azure-app-configuration/integrate-azure-managed-service-identity.md index b5e50354231ac..16607a0629acd 100644 --- a/articles/azure-app-configuration/integrate-azure-managed-service-identity.md +++ b/articles/azure-app-configuration/integrate-azure-managed-service-identity.md @@ -72,7 +72,7 @@ To set up a managed identity in the portal, you first create an application as n ## Use a managed identity -1. Open *appsettings.json*, and add the following script. Replace **, including the brackets, with the URL to your app configuration store: +1. Open *appsettings.json*, and add the following script. Replace *\*, including the brackets, with the URL to your app configuration store: ```json "AppConfig": { diff --git a/articles/azure-app-configuration/quickstart-aspnet-core-app.md b/articles/azure-app-configuration/quickstart-aspnet-core-app.md index 3514367b515c6..44f1c72432c8c 100644 --- a/articles/azure-app-configuration/quickstart-aspnet-core-app.md +++ b/articles/azure-app-configuration/quickstart-aspnet-core-app.md 
@@ -84,7 +84,7 @@ Add the [Secret Manager tool](https://docs.microsoft.com/aspnet/core/security/ap This command must be executed in the same directory as the *.csproj* file. - dotnet user-secrets set ConnectionStrings:AppConfig "Endpoint=;Id=;Secret=" + dotnet user-secrets set ConnectionStrings:AppConfig Secret Manager is used only to test the web app locally. When the app is deployed, for example, to [Azure App Service](https://azure.microsoft.com/services/app-service/web), you use an application setting, for example, **Connection Strings** in App Service. You use this setting instead of storing the connection string with Secret Manager. diff --git a/articles/azure-app-configuration/quickstart-java-spring-app.md b/articles/azure-app-configuration/quickstart-java-spring-app.md index ef652275312ea..e6211d2fb2549 100644 --- a/articles/azure-app-configuration/quickstart-java-spring-app.md +++ b/articles/azure-app-configuration/quickstart-java-spring-app.md @@ -51,11 +51,7 @@ To do this quickstart, install a supported [Java Development Kit (JDK)](https:// 4. Select **Create**. The deployment might take a few minutes to finish. -5. After the deployment is finished, select **Settings** > **Access Keys**. Make a note of either the primary read-only or primary read-write key connection string. You use this connection string later to configure your application to communicate with the app configuration store you created. The connection string has the following form: - - Endpoint=;Id=;Secret= - - Use the entire string in your application. +5. After the deployment is finished, select **Settings** > **Access Keys**. Make a note of either the primary read-only or primary read-write key connection string. You use this connection string later to configure your application to communicate with the app configuration store you created. 6. Select **Key/Value Explorer** > **+ Create** to add the following key-value pairs: 
diff --git a/articles/azure-cache-for-redis/cache-how-to-troubleshoot.md b/articles/azure-cache-for-redis/cache-how-to-troubleshoot.md index 21219693b3341..400a42a4ac26e 100644 --- a/articles/azure-cache-for-redis/cache-how-to-troubleshoot.md +++ b/articles/azure-cache-for-redis/cache-how-to-troubleshoot.md 
@@ -246,6 +246,7 @@ This error message contains metrics that can help point you to the cause and pos 1. Was there a large request preceding several small requests to the cache that timed out? The parameter `qs` in the error message tells you how many requests were sent from the client to the server, but haven't processed a response. This value can keep growing because StackExchange.Redis uses a single TCP connection and can only read one response at a time. Even though the first operation timed out, it doesn't stop more data from being sent to or from the server. Other requests will be blocked until the large request is finished and can cause time outs. One solution is to minimize the chance of timeouts by ensuring that your cache is large enough for your workload and splitting large values into smaller chunks. Another possible solution is to use a pool of `ConnectionMultiplexer` objects in your client, and choose the least loaded `ConnectionMultiplexer` when sending a new request. Loading across multiple connection objects should prevent a single timeout from causing other requests to also time out. 1. If you're using `RedisSessionStateProvider`, ensure you have set the retry timeout correctly. `retryTimeoutInMilliseconds` should be higher than `operationTimeoutInMilliseconds`, otherwise no retries occur. In the following example `retryTimeoutInMilliseconds` is set to 3000. For more information, see [ASP.NET Session State Provider for Azure Cache for Redis](cache-aspnet-session-state-provider.md) and [How to use the configuration parameters of Session State Provider and Output Cache Provider](https://github.com/Azure/aspnet-redis-providers/wiki/Configuration). + ```xml + ``` 1. Check memory usage on the Azure Cache for Redis server by [monitoring](cache-how-to-monitor.md#available-metrics-and-reporting-intervals) `Used Memory RSS` and `Used Memory`. If an eviction policy is in place, Redis starts evicting keys when `Used_Memory` reaches the cache size. 
Ideally, `Used Memory RSS` should be only slightly higher than `Used memory`. A large difference means there's memory fragmentation (internal or external). When `Used Memory RSS` is less than `Used Memory`, it means part of the cache memory has been swapped by the operating system. If this swapping occurs, you can expect some significant latencies. Because Redis doesn't have control over how its allocations are mapped to memory pages, high `Used Memory RSS` is often the result of a spike in memory usage. When Redis server frees memory, the allocator takes the memory but it may or may not give the memory back to the system. There may be a discrepancy between the `Used Memory` value and memory consumption as reported by the operating system. Memory may have been used and released by Redis but not given back to the system. To help mitigate memory issues, you can do the following steps: diff --git a/articles/azure-databricks/TOC.yml b/articles/azure-databricks/TOC.yml index 68b2f51322db5..b3498c4b0a863 100644 --- a/articles/azure-databricks/TOC.yml +++ b/articles/azure-databricks/TOC.yml @@ -11,8 +11,12 @@ href: quickstart-create-databricks-workspace-portal.md - name: Create Databricks workspace - Resource Manager template href: quickstart-create-databricks-workspace-resource-manager-template.md + - name: Create Databricks workspace - Virtual network + href: quickstart-create-databricks-workspace-vnet-injection.md - name: Tutorials items: + - name: Query SQL Server running in Docker container + href: vnet-injection-sql-server.md - name: Perform ETL operations href: databricks-extract-load-sql-data-warehouse.md - name: Stream data using Event Hubs 
diff --git a/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/add-address-space.png b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/add-address-space.png
new file mode 100644
index 0000000000000..f1c14766b753d
Binary files /dev/null and b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/add-address-space.png differ
diff --git a/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/create-cluster.png b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/create-cluster.png
new file mode 100644
index 0000000000000..ce3ab9f766ae6
Binary files /dev/null and b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/create-cluster.png differ
diff --git a/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/create-databricks-workspace.png b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/create-databricks-workspace.png
new file mode 100644
index 0000000000000..f49f498f6893a
Binary files /dev/null and b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/create-databricks-workspace.png differ
diff --git a/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/create-virtual-network.png b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/create-virtual-network.png
new file mode 100644
index 0000000000000..1b51cd71507fd
Binary files /dev/null and b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/create-virtual-network.png differ
diff --git a/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/databricks-overview-portal.png b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/databricks-overview-portal.png
new file mode 100644
index 0000000000000..48a2bdcf570f7
Binary files /dev/null and b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/databricks-overview-portal.png differ
diff --git a/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/databricks-sparkui-executors.png b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/databricks-sparkui-executors.png
new file mode 100644
index 0000000000000..6b7905f7629a7
Binary files /dev/null and b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/databricks-sparkui-executors.png differ
diff --git a/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/managed-resource-group.png b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/managed-resource-group.png
new file mode 100644
index 0000000000000..855679596f862
Binary files /dev/null and b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/managed-resource-group.png differ
diff --git a/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/managed-resource-group2.png b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/managed-resource-group2.png
new file mode 100644
index 0000000000000..1fa5630b54070
Binary files /dev/null and b/articles/azure-databricks/media/quickstart-create-databricks-workspace-vnet-injection/managed-resource-group2.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/add-virtual-machine.png b/articles/azure-databricks/media/vnet-injection-sql-server/add-virtual-machine.png
new file mode 100644
index 0000000000000..1edc191876270
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/add-virtual-machine.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/create-database.png b/articles/azure-databricks/media/vnet-injection-sql-server/create-database.png
new file mode 100644
index 0000000000000..949080cce195e
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/create-database.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/create-notebook.png b/articles/azure-databricks/media/vnet-injection-sql-server/create-notebook.png
new file mode 100644
index 0000000000000..879c75d37d3a0
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/create-notebook.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/create-virtual-machine-basics.png b/articles/azure-databricks/media/vnet-injection-sql-server/create-virtual-machine-basics.png
new file mode 100644
index 0000000000000..458e6c93b2aa2
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/create-virtual-machine-basics.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/create-virtual-machine-networking.png b/articles/azure-databricks/media/vnet-injection-sql-server/create-virtual-machine-networking.png
new file mode 100644
index 0000000000000..a9d6173f7f43f
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/create-virtual-machine-networking.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/open-port.png b/articles/azure-databricks/media/vnet-injection-sql-server/open-port.png
new file mode 100644
index 0000000000000..f73d7af136179
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/open-port.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/open-port2.png b/articles/azure-databricks/media/vnet-injection-sql-server/open-port2.png
new file mode 100644
index 0000000000000..992b58f170dba
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/open-port2.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/ssms-login.png b/articles/azure-databricks/media/vnet-injection-sql-server/ssms-login.png
new file mode 100644
index 0000000000000..b8f8a787b3c5a
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/ssms-login.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/virtual-machine-overview.png b/articles/azure-databricks/media/vnet-injection-sql-server/virtual-machine-overview.png
new file mode 100644
index 0000000000000..febfc27984b57
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/virtual-machine-overview.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/virtual-machine-staticip.png b/articles/azure-databricks/media/vnet-injection-sql-server/virtual-machine-staticip.png
new file mode 100644
index 0000000000000..6e6257feb61cf
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/virtual-machine-staticip.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/vm-login-terminal.png b/articles/azure-databricks/media/vnet-injection-sql-server/vm-login-terminal.png
new file mode 100644
index 0000000000000..571dd15501da4
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/vm-login-terminal.png differ
diff --git a/articles/azure-databricks/media/vnet-injection-sql-server/vm-ssh-connect.png b/articles/azure-databricks/media/vnet-injection-sql-server/vm-ssh-connect.png
new file mode 100644
index 0000000000000..f2a48325246ad
Binary files /dev/null and b/articles/azure-databricks/media/vnet-injection-sql-server/vm-ssh-connect.png differ
diff --git a/articles/azure-databricks/quickstart-create-databricks-workspace-vnet-injection.md b/articles/azure-databricks/quickstart-create-databricks-workspace-vnet-injection.md
new file mode 100644
index 0000000000000..5c4b2f5e60bf1
--- /dev/null
+++ b/articles/azure-databricks/quickstart-create-databricks-workspace-vnet-injection.md
@@ -0,0 +1,107 @@ +--- +title: Create an Azure Databricks workspace in a Virtual Network +description: This article describes how to deploy Azure Databricks to your virtual network. +services: azure-databricks +author: mamccrea +ms.author: mamccrea +ms.reviewer: jasonh +ms.service: azure-databricks +ms.topic: conceptual +ms.date: 04/02/2019 +--- + +# Quickstart: Create an Azure Databricks workspace in a Virtual Network + +This quickstart shows how to create an Azure Databricks workspace in a virtual network. You will also create an Apache Spark cluster within that workspace. + +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/). + +## Sign in to the Azure portal + +Sign in to the [Azure portal](https://portal.azure.com/). + +## Create a virtual network + +1. In the Azure portal, select **Create a resource** > **Networking** > **Virtual network**. + +2. Under **Create virtual network**, apply the following settings: + + |Setting|Suggested value|Description| + |-------|---------------|-----------| + |Name|databricks-quickstart|Select a name for your virtual network.| + |Address space|10.1.0.0/16|The virtual network's address range in CIDR notation.| + |Subscription|\|Select the Azure subscription that you want to use.| + |Resource group|databricks-quickstart|Select **Create New** and enter a new resource group name for your account.| + |Location|\|Choose the same location as your virtual network.| + |Pricing Tier|Choose between Standard or Premium.|For more information on pricing tiers, see the [Databricks pricing page](https://azure.microsoft.com/pricing/details/databricks/).| + |Deploy Azure Databricks workspace in your Virtual Network|Yes|This setting allows you to deploy an Azure Databricks workspace in your virtual network.| + |Virtual Network|databricks-quickstart|Select the virtual network you created in the previous section.| + |Public Subnet Name|public-subnet|Use the default public subnet name.| + |Public 
Subnet CIDR Range|10.179.64.0/18|CIDR range for this subnet should be between /18 and /26.| + |Private Subnet Name|private-subnet|Use the default private subnet name.| + |Private Subnet CIDR Range|10.179.0.0/18|CIDR range for this subnet should be between /18 and /26.| + + ![Create an Azure Databricks workspace on Azure portal](./media/quickstart-create-databricks-workspace-vnet-injection/create-databricks-workspace.png) + +3. Once the deployment is complete, navigate to the Azure Databricks resource. Notice that virtual network peering is disabled. Also notice the resource group and managed resource group in the overview page. + + ![Azure Databricks overview in Azure portal](./media/quickstart-create-databricks-workspace-vnet-injection/databricks-overview-portal.png) + + The managed resource group contains the physical location of the storage account (DBFS), worker-sg (network security group), workers-vnet (virtual network). It is also the location where virtual machines, disk, IP Address, and network interface will be created. This resource group is locked by default; however when a cluster is started in the virtual network, a Network Interface is created between the workers-vnet in the managed resource group and the "hub" virtual network. + + ![Azure Databricks managed resource group](./media/quickstart-create-databricks-workspace-vnet-injection/managed-resource-group.png) + +## Create a cluster + +> [!NOTE] +> To use a free account to create the Azure Databricks cluster, before creating the cluster, go to your profile and change your subscription to **pay-as-you-go**. For more information, see [Azure free account](https://azure.microsoft.com/free/). + +1. Return to your Azure Databricks service and select **Launch Workspace** on the **Overview** page. + +2. Select **Clusters** > **+ Create Cluster**. Then create a cluster name, like *databricks-quickstart-cluster*, and accept the remaining default settings. Select **Create Cluster**. 
+ + ![Create Azure Databricks cluster](./media/quickstart-create-databricks-workspace-vnet-injection/create-cluster.png) + +3. Once the cluster is running, return to the managed resource group in the Azure portal. Notice the new virtual machines, disks, IP Address, and network interfaces. A network interface is created in each of the public and private subnets with IP addresses. + + ![Azure Databricks managed resource group after cluster creation](./media/quickstart-create-databricks-workspace-vnet-injection/managed-resource-group2.png) + +4. Return to your Azure Databricks workspace and select the cluster you created. Then navigate to the **Executors** tab on the **Spark UI** page. Notice that the addresses for the driver and the executors are in the private subnet range. In this example, the driver is 10.179.0.6 and executors are 10.179.0.4 and 10.179.0.5. Your IP addresses could be different. + + ![Azure Databricks Spark UI executors](./media/quickstart-create-databricks-workspace-vnet-injection/databricks-sparkui-executors.png) + +## Clean up resources + +After you have finished the article, you can terminate the cluster. To do so, from the Azure Databricks workspace, from the left pane, select **Clusters**. For the cluster you want to terminate, move the cursor over the ellipsis under **Actions** column, and select the **Terminate** icon. This stops the cluster. + +If you do not manually terminate the cluster it will automatically stop, provided you selected the **Terminate after \_\_ minutes of inactivity** checkbox while creating the cluster. In such a case, the cluster automatically stops, if it has been inactive for the specified time. + +If you do not wish to reuse the cluster, you can delete the resource group you created in the Azure portal. + +## Next steps + +In this article, you created a Spark cluster in Azure Databricks that you deployed to a virtual network. 
Advance to the next article to learn how to query a SQL Server Linux Docker container in the virtual network using JDBC from an Azure Databricks notebook. + +> [!div class="nextstepaction"] +>[Query a SQL Server Linux Docker container in a virtual network from an Azure Databricks notebook](vnet-injection-sql-server.md) diff --git a/articles/azure-databricks/vnet-injection-sql-server.md b/articles/azure-databricks/vnet-injection-sql-server.md new file mode 100644 index 0000000000000..6780e29086ed1 --- /dev/null +++ b/articles/azure-databricks/vnet-injection-sql-server.md 
@@ -0,0 +1,203 @@ +--- +title: Query a SQL Server Linux Docker container in a virtual network from an Azure Databricks notebook +description: This article describes how to deploy Azure Databricks to your virtual network, also known as VNet injection. +services: azure-databricks +author: mamccrea +ms.author: mamccrea +ms.reviewer: jasonh +ms.service: azure-databricks +ms.topic: conceptual +ms.date: 04/02/2019 +--- + +# Tutorial: Query a SQL Server Linux Docker container in a virtual network from an Azure Databricks notebook + +This tutorial teaches you how to integrate Azure Databricks with a SQL Server Linux Docker container in a virtual network. + +In this tutorial, you learn how to: + +> [!div class="checklist"] +> * Deploy an Azure Databricks workspace to a virtual network +> * Install a Linux virtual machine in a public network +> * Install Docker +> * Install Microsoft SQL Server on Linux docker container +> * Query the SQL Server using JDBC from a Databricks notebook + +## Prerequisites + +* Create a [Databricks workspace in a virtual network](quickstart-create-databricks-workspace-vnet-injection.md). + +* Install [Ubuntu for Windows](https://www.microsoft.com/p/ubuntu/9nblggh4msv6?activetab=pivot:overviewtab). + +* Download [SQL Server Management Studio](https://docs.microsoft.com/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-2017). + +## Create a Linux virtual machine + +1. In the Azure portal, select the icon for **Virtual Machines**. Then, select **+ Add**. + + ![Add new Azure virtual machine](./media/vnet-injection-sql-server/add-virtual-machine.png) + +2. On the **Basics** tab, Choose Ubuntu Server 16.04 LTS. Change the VM size to B1ms, which has one VCPUS and 2-GB RAM. The minimum requirement for a Linux SQL Server Docker container is 2 GB. Choose an administrator username and password. + + ![Basics tab of new virtual machine configuration](./media/vnet-injection-sql-server/create-virtual-machine-basics.png) + +3. 
Navigate to the **Networking** tab. Choose the virtual network and the public subnet that includes your Azure Databricks cluster. Select **Review + create**, then **Create** to deploy the virtual machine. + + ![Networking tab of new virtual machine configuration](./media/vnet-injection-sql-server/create-virtual-machine-networking.png) + +4. When the deployment is complete, navigate to the virtual machine. Notice the Public IP address and Virtual network/subnet in the **Overview**. Select the **Public IP Address** + + ![Virtual machine overview](./media/vnet-injection-sql-server/virtual-machine-overview.png) + +5. Change the **Assignment** to **Static** and enter a **DNS name label**. Select **Save**, and restart the virtual machine. + + ![Public IP Address configuration](./media/vnet-injection-sql-server/virtual-machine-staticip.png) + +6. Select the **Networking** tab under **Settings**. Notice that the network security group that was created during the Azure Databricks deployment is associated with the virtual machine. Select **Add inbound port rule**. + +7. Add a rule to open port 22 for SSH. Use the following settings: + + |Setting|Suggested value|Description| + |-------|---------------|-----------| + |Source|IP Addresses|IP Addresses specifies that incoming traffic from a specific source IP Address will be allowed or denied by this rule.| + |Source IP addresses||Enter the your public IP address. You can find your public IP address by visiting [bing.com](https://www.bing.com/) and searching for **"my IP"**.| + |Source port ranges|*|Allow traffic from any port.| + |Destination|IP Addresses|IP Addresses specifies that outgoing traffic for a specific source IP Address will be allowed or denied by this rule.| + |Destination IP addresses||Enter your virtual machine's public IP address. 
You can find this on the **Overview** page of your virtual machine.| + |Destination port ranges|22|Open port 22 for SSH.| + |Priority|290|Give the rule a priority.| + |Name|ssh-databricks-tutorial-vm|Give the rule a name.| + + + ![Add inbound security rule for port 22](./media/vnet-injection-sql-server/open-port.png) + +8. Add a rule to open port 1433 for SQL with the following settings: + + |Setting|Suggested value|Description| + |-------|---------------|-----------| + |Source|IP Addresses|IP Addresses specifies that incoming traffic from a specific source IP Address will be allowed or denied by this rule.| + |Source IP addresses|10.179.0.0/16|Enter the address range for your virtual network.| + |Source port ranges|*|Allow traffic from any port.| + |Destination|IP Addresses|IP Addresses specifies that outgoing traffic for a specific source IP Address will be allowed or denied by this rule.| + |Destination IP addresses||Enter your virtual machine's public IP address. You can find this on the **Overview** page of your virtual machine.| + |Destination port ranges|1433|Open port 22 for SQL Server.| + |Priority|300|Give the rule a priority.| + |Name|sql-databricks-tutorial-vm|Give the rule a name.| + + ![Add inbound security rule for port 1433](./media/vnet-injection-sql-server/open-port2.png) + +## Run SQL Server in a Docker container + +1. Open [Ubuntu for Windows](https://www.microsoft.com/p/ubuntu/9nblggh4msv6?activetab=pivot:overviewtab), or any other tool that will allow you to SSH into the virtual machine. Navigate to your virtual machine in the Azure portal and select **Connect** to get the SSH command you need to connect. + + ![Connect to virtual machine](./media/vnet-injection-sql-server/vm-ssh-connect.png) + +2. Enter the command in your Ubuntu terminal and enter the admin password you created when you configured the virtual machine. + + ![Ubuntu terminal SSH sign in](./media/vnet-injection-sql-server/vm-login-terminal.png) + +3. 
Use the following command to install Docker on the virtual machine. + + ```bash + sudo apt-get install docker.io + ``` + + Verify the install of Docker with the following command: + + ```bash + sudo docker --version + ``` + +4. Install the image. + + ```bash + sudo docker pull mcr.microsoft.com/mssql/server:2017-latest + ``` + + Check the images. + + ```bash + sudo docker images + ``` + +5. Run the container from the image. + + ```bash + sudo docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=Password1234' -p 1433:1433 --name sql1 -d mcr.microsoft.com/mssql/server:2017-latest + ``` + + Verify that the container is running. + + ```bash + sudo docker ps -a + ``` + +## Create a SQL database + +1. Open SQL Server Management Studio and connect to the server using the server name and SQL Authentication. The sign in username is **SA** and the password is the password set in the Docker command. The password in the example command is `Password1234`. + + ![Connect to SQL Server using SQL Server Management Studio](./media/vnet-injection-sql-server/ssms-login.png) + +2. Once you've successfully connected, select **New Query** and enter the following code snippet to create a database, a table, and insert some records in the table. + + ```SQL + CREATE DATABASE MYDB; + GO + USE MYDB; + CREATE TABLE states(Name VARCHAR(20), Capitol VARCHAR(20)); + INSERT INTO states VALUES ('Delaware','Dover'); + INSERT INTO states VALUES ('South Carolina','Columbia'); + INSERT INTO states VALUES ('Texas','Austin'); + SELECT * FROM states + GO + ``` + + ![Query to create a SQL Server database](./media/vnet-injection-sql-server/create-database.png) + +## Query SQL Server from Azure Databricks + +1. Navigate to your Azure Databricks workspace and verify that you created a cluster as part of the prerequisites. Then, select **Create a Notebook**. Give the notebook a name, select *Python* as the language, and select the cluster you created. 
+ + ![New Databricks notebook settings](./media/vnet-injection-sql-server/create-notebook.png) + +2. Use the following command to ping the internal IP Address of the SQL Server virtual machine. This ping should be successful. If not, verify that the container is running, and review the network security group (NSG) configuration. + + ```python + %sh + ping 10.179.64.4 + ``` + + You can also use the nslookup command to review. + + ```python + %sh + nslookup databricks-tutorial-vm.westus2.cloudapp.azure.com + ``` + +3. Once you've successfully pinged the SQL Server, you can query the database and tables. Run the following python code: + + ```python + jdbcHostname = "10.179.64.4" + jdbcDatabase = "MYDB" + userName = 'SA' + password = 'Password1234' + jdbcPort = 1433 + jdbcUrl = "jdbc:sqlserver://{0}:{1};database={2};user={3};password={4}".format(jdbcHostname, jdbcPort, jdbcDatabase, userName, password) + + df = spark.read.jdbc(url=jdbcUrl, table='states') + display(df) + ``` + +## Clean up resources + +When no longer needed, delete the resource group, the Azure Databricks workspace, and all related resources. Deleting the job avoids unnecessary billing. If you're planning to use the Azure Databricks workspace in future, you can stop the cluster and restart it later. If you are not going to continue to use this Azure Databricks workspace, delete all resources you created in this tutorial by using the following steps: + +1. From the left-hand menu in the Azure portal, click **Resource groups** and then click the name of the resource group you created. + +2. On your resource group page, select **Delete**, type the name of the resource to delete in the text box, and then select **Delete** again. + +## Next steps + +Advance to the next article to learn how to extract, transform, and load data using Azure Databricks. +> [!div class="nextstepaction"] +> [Tutorial: Extract, transform, and load data by using Azure Databricks](databricks-extract-load-sql-data-warehouse.md) 
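Review bot: The SA password is hard-coded as `Password1234` in the `docker run` command (step 5 of "Run SQL Server in a Docker container"), restated in the SSMS sign-in step, and used again as `password = 'Password1234'` in the notebook cell, so a reader who follows the tutorial verbatim ends up with a published credential on a VM that has a public IP address. I would put a placeholder in the command, `-e 'SA_PASSWORD=<your-strong-password>'`, and have the notebook read the value from a Databricks secret scope rather than a literal, `password = dbutils.secrets.get(scope="<scope-name>", key="<key-name>")`, which also keeps it out of the notebook's revision history. In the port 1433 rule table the description reads "Open port 22 for SQL Server" and should be `Open port 1433 for SQL Server`; both rule tables also describe the Destination field as "outgoing traffic for a specific source IP Address" although these are inbound rules, which is likely to confuse readers checking the NSG configuration.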
diff --git a/articles/azure-functions/TOC.yml b/articles/azure-functions/TOC.yml
index b927ccfa09bdc..4028e5e661ad3 100644
--- a/articles/azure-functions/TOC.yml
+++ b/articles/azure-functions/TOC.yml
@@ -1,306 +1,302 @@ -metadata: - experimental: true - experiment_id: "80e4ff38-5174-43" -items: - - name: Functions Documentation - href: index.yml - - name: Overview +- name: Functions Documentation + href: index.yml +- name: Overview + items: + - name: About Azure Functions + href: functions-overview.md + - name: Durable Functions + href: durable/durable-functions-overview.md + - name: Serverless comparison + href: functions-compare-logic-apps-ms-flow-webjobs.md +- name: Quickstarts + expanded: true + items: + - name: Create function - Visual Studio + href: functions-create-your-first-function-visual-studio.md + - name: Create function - Visual Studio Code + href: functions-create-first-function-vs-code.md + - name: Create function - Java/Maven + href: functions-create-first-java-maven.md + - name: Create function - Python + href: functions-create-first-function-python.md + - name: Create function - Azure CLI + href: functions-create-first-azure-function-azure-cli.md + - name: Create function - portal + href: functions-create-first-azure-function.md + - name: Create function - Linux + href: functions-create-first-azure-function-azure-cli-linux.md + - name: Triggers items: - - name: About Azure Functions - href: functions-overview.md - - name: Durable Functions - href: durable/durable-functions-overview.md - - name: Serverless comparison - href: functions-compare-logic-apps-ms-flow-webjobs.md - - name: Quickstarts - expanded: true + - name: Azure Cosmos DB + href: functions-create-cosmos-db-triggered-function.md + - name: Blob storage + href: functions-create-storage-blob-triggered-function.md + - name: Queue storage + href: functions-create-storage-queue-triggered-function.md + - name: Timer + href: functions-create-scheduled-function.md + - name: Integrate items: - - name: Create function - Visual Studio - href: functions-create-your-first-function-visual-studio.md - - name: Create function - Visual Studio Code - href: functions-create-first-function-vs-code.md 
- - name: Create function - Java/Maven - href: functions-create-first-java-maven.md - - name: Create function - Python - href: functions-create-first-function-python.md - - name: Create function - Azure CLI - href: functions-create-first-azure-function-azure-cli.md - - name: Create function - portal - href: functions-create-first-azure-function.md - - name: Create function - Linux - href: functions-create-first-azure-function-azure-cli-linux.md - - name: Triggers - items: - - name: Azure Cosmos DB - href: functions-create-cosmos-db-triggered-function.md - - name: Blob storage - href: functions-create-storage-blob-triggered-function.md - - name: Queue storage - href: functions-create-storage-queue-triggered-function.md - - name: Timer - href: functions-create-scheduled-function.md - - name: Integrate - items: - - name: Azure Cosmos DB - href: functions-integrate-store-unstructured-data-cosmosdb.md - - name: Storage - href: functions-integrate-storage-queue-output-binding.md - - name: Tutorials + - name: Azure Cosmos DB + href: functions-integrate-store-unstructured-data-cosmosdb.md + - name: Storage + href: functions-integrate-storage-queue-output-binding.md +- name: Tutorials + items: + - name: Functions with Logic Apps + href: functions-twitter-email.md + - name: Create a serverless API + href: functions-create-serverless-api.md + - name: Create an OpenAPI definition + href: functions-openapi-definition.md + - name: Image resize with Event Grid + href: ../event-grid/resize-images-on-storage-blob-upload-event.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Create a serverless web app + href: https://docs.microsoft.com/azure/functions/tutorial-static-website-serverless-api-with-database + - name: Create a custom Linux image + href: functions-create-function-linux-custom-image.md + - name: Functions on IoT Edge device + href: ../iot-edge/tutorial-deploy-function.md?toc=%2fazure%2fazure-functions%2ftoc.json +- name: Samples + items: + - name: Code samples + 
href: https://azure.microsoft.com/resources/samples/?service=functions + - name: Azure CLI + href: functions-cli-samples.md +- name: Concepts + items: + - name: Compare versions 1.x and 2.x + href: functions-versions.md + displayName: migrate, migration + - name: Premium plan + href: functions-premium-plan.md + - name: Scale and hosting + href: functions-scale.md + - name: Triggers and bindings items: - - name: Functions with Logic Apps - href: functions-twitter-email.md - - name: Create a serverless API - href: functions-create-serverless-api.md - - name: Create an OpenAPI definition - href: functions-openapi-definition.md - - name: Image resize with Event Grid - href: ../event-grid/resize-images-on-storage-blob-upload-event.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Create a serverless web app - href: https://docs.microsoft.com/azure/functions/tutorial-static-website-serverless-api-with-database - - name: Create a custom Linux image - href: functions-create-function-linux-custom-image.md - - name: Functions on IoT Edge device - href: ../iot-edge/tutorial-deploy-function.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Samples + - name: About triggers and bindings + href: functions-triggers-bindings.md + - name: Binding example + href: functions-bindings-example.md + - name: Register binding extensions + href: functions-bindings-register.md + - name: Binding expression patterns + href: functions-bindings-expressions-patterns.md + - name: Use binding return values + href: functions-bindings-return-value.md + - name: Handle binding errors + href: functions-bindings-errors.md + - name: Languages items: - - name: Code samples - href: https://azure.microsoft.com/resources/samples/?service=functions - - name: Azure CLI - href: functions-cli-samples.md - - name: Concepts + - name: Supported languages + href: supported-languages.md + - name: C# (class library) + href: functions-dotnet-class-library.md + - name: C# script (.csx) + href: 
functions-reference-csharp.md + - name: F# + href: functions-reference-fsharp.md + - name: JavaScript + href: functions-reference-node.md + - name: Java + href: functions-reference-java.md + - name: Python + href: functions-reference-python.md + - name: Diagnostics + href: ../app-service/overview-diagnostics.md + - name: Performance considerations + href: functions-best-practices.md + - name: Functions Proxies + href: functions-proxies.md + - name: Networking options + href: functions-networking-options.md + - name: IP addresses + href: ip-addresses.md + - name: On-premises functions + href: functions-runtime-overview.md +- name: How-to guides + items: + - name: Develop + items: + - name: Developer guide + href: functions-reference.md + - name: Testing functions + href: functions-test-a-function.md + - name: Develop and debug locally + href: functions-develop-local.md + - name: Visual Studio development + href: functions-develop-vs.md + - name: Core Tools development + href: functions-run-local.md + - name: IntelliJ IDEA development + href: functions-create-maven-intellij.md + - name: Eclipse development + href: functions-create-maven-eclipse.md + - name: Create Linux function app + href: create-function-app-linux-app-service-plan.md + - name: Manage connections + href: manage-connections.md + - name: Error handling + href: functions-bindings-error-pages.md + - name: Manually run a non HTTP-triggered function + href: functions-manually-run-non-http.md + - name: Debug Event Grid trigger locally + href: functions-debug-event-grid-trigger-local.md + - name: Azure for Students Starter + href: functions-create-student-starter.md + - name: Deploy items: - - name: Compare versions 1.x and 2.x - href: functions-versions.md - displayName: migrate, migration - - name: Premium plan - href: functions-premium-plan.md - - name: Scale and hosting - href: functions-scale.md - - name: Triggers and bindings - items: - - name: About triggers and bindings - href: 
functions-triggers-bindings.md - - name: Binding example - href: functions-bindings-example.md - - name: Register binding extensions - href: functions-bindings-register.md - - name: Binding expression patterns - href: functions-bindings-expressions-patterns.md - - name: Use binding return values - href: functions-bindings-return-value.md - - name: Handle binding errors - href: functions-bindings-errors.md - - name: Languages - items: - - name: Supported languages - href: supported-languages.md - - name: C# (class library) - href: functions-dotnet-class-library.md - - name: C# script (.csx) - href: functions-reference-csharp.md - - name: F# - href: functions-reference-fsharp.md - - name: JavaScript - href: functions-reference-node.md - - name: Java - href: functions-reference-java.md - - name: Python - href: functions-reference-python.md - - name: Diagnostics - href: ../app-service/overview-diagnostics.md - - name: Performance considerations - href: functions-best-practices.md - - name: Functions Proxies - href: functions-proxies.md - - name: Networking options - href: functions-networking-options.md - - name: IP addresses - href: ip-addresses.md + - name: Continuous deployment + href: functions-continuous-deployment.md + - name: Zip deployment + href: deployment-zip-push.md + - name: Run from package + href: run-functions-from-deployment-package.md + - name: Automate resource deployment + href: functions-infrastructure-as-code.md - name: On-premises functions - href: functions-runtime-overview.md - - name: How-to guides + href: functions-runtime-install.md + - name: Deploy using the Jenkins plugin + href: /azure/jenkins/jenkins-azure-functions-deploy + maintainContext: true + - name: Configure items: - - name: Develop - items: - - name: Developer guide - href: functions-reference.md - - name: Testing functions - href: functions-test-a-function.md - - name: Develop and debug locally - href: functions-develop-local.md - - name: Visual Studio development - href: 
functions-develop-vs.md - - name: Core Tools development - href: functions-run-local.md - - name: IntelliJ IDEA development - href: functions-create-maven-intellij.md - - name: Eclipse development - href: functions-create-maven-eclipse.md - - name: Create Linux function app - href: create-function-app-linux-app-service-plan.md - - name: Manage connections - href: manage-connections.md - - name: Error handling - href: functions-bindings-error-pages.md - - name: Manually run a non HTTP-triggered function - href: functions-manually-run-non-http.md - - name: Debug Event Grid trigger locally - href: functions-debug-event-grid-trigger-local.md - - name: Azure for Students Starter - href: functions-create-student-starter.md - - name: Deploy - items: - - name: Continuous deployment - href: functions-continuous-deployment.md - - name: Zip deployment - href: deployment-zip-push.md - - name: Run from package - href: run-functions-from-deployment-package.md - - name: Automate resource deployment - href: functions-infrastructure-as-code.md - - name: On-premises functions - href: functions-runtime-install.md - - name: Deploy using the Jenkins plugin - href: /azure/jenkins/jenkins-azure-functions-deploy - maintainContext: true - - name: Configure - items: - - name: Manage a function app - href: functions-how-to-use-azure-function-app-settings.md - - name: Set the runtime version - href: set-runtime-version.md - - name: Manually register an extension - href: install-update-binding-extensions-manual.md - - name: Disable a function - href: disable-function.md - - name: Monitor - href: functions-monitoring.md - - name: Secure - items: - - name: Buy SSL cert - href: ../app-service/web-sites-purchase-ssl-web-site.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Authenticate users - items: - - name: Authenticate with Azure AD - href: ../app-service/configure-authentication-provider-aad.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Authenticate with Facebook - href: 
../app-service/configure-authentication-provider-facebook.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Authenticate with Google - href: ../app-service/configure-authentication-provider-google.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Authenticate with Microsoft account - href: ../app-service/configure-authentication-provider-microsoft.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Authenticate with Twitter - href: ../app-service/configure-authentication-provider-twitter.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Advanced auth - href: ../app-service/app-service-authentication-how-to.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Restrict IPs - href: ../app-service/app-service-ip-restrictions.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Use a managed identity - href: ../app-service/overview-managed-identity.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Reference secrets from Key Vault - href: ../app-service/app-service-key-vault-references.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Integrate - items: - - name: Connect to SQL Database - href: functions-scenario-database-table-cleanup.md - - name: Connect to a Virtual Network - href: functions-create-vnet.md - - name: Create an Open API 2.0 definition - href: functions-api-definition-getting-started.md - - name: Export to PowerApps and Microsoft Flow - href: app-service-export-api-to-powerapps-and-flow.md - - name: Call a function from PowerApps - href: functions-powerapps-scenario.md - - name: Call a function from Microsoft Flow - href: functions-flow-scenario.md - - name: Use a managed identity - href: ../app-service/overview-managed-identity.md?toc=%2fazure%2fazure-functions%2ftoc.json - - name: Troubleshoot - items: - - name: Troubleshoot storage - href: functions-recover-storage-account.md - - name: Reference + - name: Manage a function app + href: functions-how-to-use-azure-function-app-settings.md + - name: Set the runtime version 
+ href: set-runtime-version.md + - name: Manually register an extension + href: install-update-binding-extensions-manual.md + - name: Disable a function + href: disable-function.md + - name: Monitor + href: functions-monitoring.md + - name: Secure items: - - name: API references + - name: Buy SSL cert + href: ../app-service/web-sites-purchase-ssl-web-site.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Authenticate users items: - - name: Java - href: https://docs.microsoft.com/java/api/overview/azure/functions/runtime?view=azure-java-stable - - name: Python - href: https://docs.microsoft.com/python/api/azure-functions/azure.functions?view=azure-python - - name: App settings reference - href: functions-app-settings.md - - name: Bindings - items: - - name: Blob storage - href: functions-bindings-storage-blob.md - - name: Azure Cosmos DB - items: - - name: Functions 1.x - href: functions-bindings-cosmosdb.md - - name: Functions 2.x - href: functions-bindings-cosmosdb-v2.md - - name: Event Grid - href: functions-bindings-event-grid.md - - name: Event Hubs - href: functions-bindings-event-hubs.md - - name: IoT Hub - href: functions-bindings-event-iot.md - - name: HTTP and webhooks - href: functions-bindings-http-webhook.md - - name: Microsoft Graph - href: functions-bindings-microsoft-graph.md - - name: Mobile Apps - href: functions-bindings-mobile-apps.md - - name: Notification Hubs - href: functions-bindings-notification-hubs.md - - name: Queue storage - href: functions-bindings-storage-queue.md - - name: SendGrid - href: functions-bindings-sendgrid.md - - name: Service Bus - href: functions-bindings-service-bus.md - - name: SignalR Service - href: functions-bindings-signalr-service.md - - name: Table storage - href: functions-bindings-storage-table.md - - name: Timer - href: functions-bindings-timer.md - - name: Twilio - href: functions-bindings-twilio.md - - name: host.json reference - href: functions-host-json.md - items: - - name: Functions 2.x - href: 
functions-host-json.md + - name: Authenticate with Azure AD + href: ../app-service/configure-authentication-provider-aad.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Authenticate with Facebook + href: ../app-service/configure-authentication-provider-facebook.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Authenticate with Google + href: ../app-service/configure-authentication-provider-google.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Authenticate with Microsoft account + href: ../app-service/configure-authentication-provider-microsoft.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Authenticate with Twitter + href: ../app-service/configure-authentication-provider-twitter.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Advanced auth + href: ../app-service/app-service-authentication-how-to.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Restrict IPs + href: ../app-service/app-service-ip-restrictions.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Use a managed identity + href: ../app-service/overview-managed-identity.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Reference secrets from Key Vault + href: ../app-service/app-service-key-vault-references.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Integrate + items: + - name: Connect to SQL Database + href: functions-scenario-database-table-cleanup.md + - name: Connect to a Virtual Network + href: functions-create-vnet.md + - name: Create an Open API 2.0 definition + href: functions-api-definition-getting-started.md + - name: Export to PowerApps and Microsoft Flow + href: app-service-export-api-to-powerapps-and-flow.md + - name: Call a function from PowerApps + href: functions-powerapps-scenario.md + - name: Call a function from Microsoft Flow + href: functions-flow-scenario.md + - name: Use a managed identity + href: ../app-service/overview-managed-identity.md?toc=%2fazure%2fazure-functions%2ftoc.json + - name: Troubleshoot + items: + - name: 
Troubleshoot storage + href: functions-recover-storage-account.md +- name: Reference + items: + - name: API references + items: + - name: Java + href: https://docs.microsoft.com/java/api/overview/azure/functions/runtime?view=azure-java-stable + - name: Python + href: https://docs.microsoft.com/python/api/azure-functions/azure.functions?view=azure-python + - name: App settings reference + href: functions-app-settings.md + - name: Bindings + items: + - name: Blob storage + href: functions-bindings-storage-blob.md + - name: Azure Cosmos DB + items: - name: Functions 1.x - href: functions-host-json-v1.md - - name: Networking FAQ - href: functions-networking-faq.md - - name: OpenAPI reference - href: functions-api-definition.md - - name: Resources + href: functions-bindings-cosmosdb.md + - name: Functions 2.x + href: functions-bindings-cosmosdb-v2.md + - name: Event Grid + href: functions-bindings-event-grid.md + - name: Event Hubs + href: functions-bindings-event-hubs.md + - name: IoT Hub + href: functions-bindings-event-iot.md + - name: HTTP and webhooks + href: functions-bindings-http-webhook.md + - name: Microsoft Graph + href: functions-bindings-microsoft-graph.md + - name: Mobile Apps + href: functions-bindings-mobile-apps.md + - name: Notification Hubs + href: functions-bindings-notification-hubs.md + - name: Queue storage + href: functions-bindings-storage-queue.md + - name: SendGrid + href: functions-bindings-sendgrid.md + - name: Service Bus + href: functions-bindings-service-bus.md + - name: SignalR Service + href: functions-bindings-signalr-service.md + - name: Table storage + href: functions-bindings-storage-table.md + - name: Timer + href: functions-bindings-timer.md + - name: Twilio + href: functions-bindings-twilio.md + - name: host.json reference + href: functions-host-json.md items: - - name: Build your skills with Microsoft Learn - href: /learn/browse/?products=azure-functions - - name: Azure Roadmap - href: 
https://azure.microsoft.com/roadmap/?category=compute - - name: Pricing - href: https://azure.microsoft.com/pricing/details/functions/ - - name: Pricing calculator - href: https://azure.microsoft.com/pricing/calculator/ - - name: Regional availability - href: https://azure.microsoft.com/regions/services/ - - name: Videos - href: https://www.youtube.com/c/AzureFunctions - - name: MSDN forum - href: https://social.msdn.microsoft.com/Forums/en-US/home?forum=AzureFunctions - - name: Stack Overflow - href: https://stackoverflow.com/questions/tagged/azure-functions - - name: Twitter - href: https://twitter.com/azurefunctions - - name: Provide product feedback - href: https://feedback.azure.com/forums/355860-azure-functions - - name: Azure Functions GitHub repository - href: https://github.com/Azure/Azure-Functions/ - - name: Service updates - href: https://azure.microsoft.com/updates/?product=functions&updatetype=&platform= + - name: Functions 2.x + href: functions-host-json.md + - name: Functions 1.x + href: functions-host-json-v1.md + - name: Networking FAQ + href: functions-networking-faq.md + - name: OpenAPI reference + href: functions-api-definition.md +- name: Resources + items: + - name: Build your skills with Microsoft Learn + href: /learn/browse/?products=azure-functions + - name: Azure Roadmap + href: https://azure.microsoft.com/roadmap/?category=compute + - name: Pricing + href: https://azure.microsoft.com/pricing/details/functions/ + - name: Pricing calculator + href: https://azure.microsoft.com/pricing/calculator/ + - name: Regional availability + href: https://azure.microsoft.com/regions/services/ + - name: Videos + href: https://www.youtube.com/c/AzureFunctions + - name: MSDN forum + href: https://social.msdn.microsoft.com/Forums/en-US/home?forum=AzureFunctions + - name: Stack Overflow + href: https://stackoverflow.com/questions/tagged/azure-functions + - name: Twitter + href: https://twitter.com/azurefunctions + - name: Provide product feedback + href: 
https://feedback.azure.com/forums/355860-azure-functions + - name: Azure Functions GitHub repository + href: https://github.com/Azure/Azure-Functions/ + - name: Service updates + href: https://azure.microsoft.com/updates/?product=functions&updatetype=&platform= \ No newline at end of file diff --git a/articles/azure-functions/durable/durable-functions-versioning.md b/articles/azure-functions/durable/durable-functions-versioning.md index e39ad18948807..1e84f41310f4b 100644 --- a/articles/azure-functions/durable/durable-functions-versioning.md +++ b/articles/azure-functions/durable/durable-functions-versioning.md @@ -135,7 +135,7 @@ All Azure Storage entities are named based on the `HubName` configuration value. We recommend that you deploy the new version of the function app to a new [Deployment Slot](https://blogs.msdn.microsoft.com/appserviceteam/2017/06/13/deployment-slots-preview-for-azure-functions/). Deployment slots allow you to run multiple copies of your function app side-by-side with only one of them as the active *production* slot. When you are ready to expose the new orchestration logic to your existing infrastructure, it can be as simple as swapping the new version into the production slot. > [!NOTE] -> This strategy works best when you use HTTP and webhook triggers for orchestrator functions. For non-HTTP triggers, such as queues or Event Hubs, the trigger definition should derive from an app setting that gets updated as part of the swap operation. +> This strategy works best when you use HTTP and webhook triggers for orchestrator functions. For non-HTTP triggers, such as queues or Event Hubs, the trigger definition should [derive from an app setting](../functions-bindings-expressions-patterns.md#binding-expressions---app-settings) that gets updated as part of the swap operation. ## Next steps 
diff --git a/articles/azure-functions/durable/quickstart-js-vscode.md b/articles/azure-functions/durable/quickstart-js-vscode.md index 318b54c318aea..8757958a78625 100644 --- a/articles/azure-functions/durable/quickstart-js-vscode.md +++ b/articles/azure-functions/durable/quickstart-js-vscode.md @@ -106,7 +106,9 @@ We've now added all components needed to start off an orchestration and chain to Azure Functions Core Tools lets you run an Azure Functions project on your local development computer. You're prompted to install these tools the first time you start a function from Visual Studio Code. -1. On a Windows computer, start the Azure Storage Emulator and make sure that the **AzureWebJobsStorage** property of local.settings.json is set to `UseDevelopmentStorage=true`. On a Mac or Linux computer, you must set the **AzureWebJobsStorage** property to the connection string of an existing Azure storage account. You create a storage account later in this article. +1. On a Windows computer, start the Azure Storage Emulator and make sure that the **AzureWebJobsStorage** property of local.settings.json is set to `UseDevelopmentStorage=true`. + + For Storage Emulator 5.8 make sure that the **AzureWebJobsSecretStorageType** property of local.settings.json is set to `files`. On a Mac or Linux computer, you must set the **AzureWebJobsStorage** property to the connection string of an existing Azure storage account. You create a storage account later in this article. 2. To test your function, set a breakpoint in the function code and press F5 to start the function app project. Output from Core Tools is displayed in the **Terminal** panel. If this is your first time using Durable Functions, the Durable Functions extension is installed and the build might take a few seconds. 
@@ -121,7 +123,29 @@ Azure Functions Core Tools lets you run an Azure Functions project on your local 5. Using a tool like [Postman](https://www.getpostman.com/) or [cURL](https://curl.haxx.se/), send a HTTP POST request to the URL endpoint. -6. To stop debugging, press Shift + F1 in VS Code. + The response is the initial result from the HTTP function letting us know the durable orchestration has started successfully. It is not yet the end result of the orchestration. The response includes a few useful URLs. For now, let's query the status of the orchestration. + +6. Copy the URL value for `statusQueryGetUri` and paste it in the browser's address bar and execute the request. Alternatively you can also continue to use Postman to issue the GET request. + + The request will query the orchestration instance for the status. You should get an eventual response which shows us the instance has completed, and includes the outputs or results of the durable function. It looks like: + + ```json + { + "instanceId": "d495cb0ac10d4e13b22729c37e335190", + "runtimeStatus": "Completed", + "input": null, + "customStatus": null, + "output": [ + "Hello Tokyo!", + "Hello Seattle!", + "Hello London!" + ], + "createdTime": "2018-11-08T07:07:40Z", + "lastUpdatedTime": "2018-11-08T07:07:52Z" + } + ``` + +7. To stop debugging, press **Shift + F5** in VS Code. After you've verified that the function runs correctly on your local computer, it's time to publish the project to Azure. @@ -142,4 +166,4 @@ After you've verified that the function runs correctly on your local computer, i You have used Visual Studio Code to create and publish a JavaScript durable function app. > [!div class="nextstepaction"] -> [Learn about common durable function patterns](durable-functions-concepts.md) \ No newline at end of file +> [Learn about common durable function patterns](durable-functions-concepts.md) 
diff --git a/articles/azure-functions/functions-app-settings.md b/articles/azure-functions/functions-app-settings.md index 7b0cbe2b0bb74..d45bb7d219aa1 100644 --- a/articles/azure-functions/functions-app-settings.md +++ b/articles/azure-functions/functions-app-settings.md @@ -101,7 +101,7 @@ Path to the compiler used for TypeScript. Allows you to override the default if ## FUNCTION\_APP\_EDIT\_MODE -Valid values are "readwrite" and "readonly". +Dictates whether editing in the Azure portal is enabled. Valid values are "readwrite" and "readonly". |Key|Sample value| |---|------------| diff --git a/articles/azure-functions/functions-bindings-event-iot.md b/articles/azure-functions/functions-bindings-event-iot.md index 8b5c22ae98e72..c94ec7c18ab85 100644 --- a/articles/azure-functions/functions-bindings-event-iot.md +++ b/articles/azure-functions/functions-bindings-event-iot.md @@ -16,7 +16,7 @@ ms.author: cshoe --- # Azure IoT Hub bindings for Azure Functions -This article explains how to work with Azure Functions bindings for IoT Hub. The IoT Hub support is based on the [Azure Event Hubs Binding](link to event hub doc). +This article explains how to work with Azure Functions bindings for IoT Hub. The IoT Hub support is based on the [Azure Event Hubs Binding](functions-bindings-event-hubs.md). [!INCLUDE [intro](../../includes/functions-bindings-intro.md)] diff --git a/articles/azure-functions/functions-bindings-http-webhook.md b/articles/azure-functions/functions-bindings-http-webhook.md index ad9b9c1ab6f52..71028a6ecfd18 100644 --- a/articles/azure-functions/functions-bindings-http-webhook.md +++ b/articles/azure-functions/functions-bindings-http-webhook.md @@ -113,6 +113,8 @@ The [configuration](#trigger---configuration) section explains these properties. Here's C# script code that binds to `HttpRequest`: ```cs +#r "Newtonsoft.Json" + using System.Net; using Microsoft.AspNetCore.Mvc; using Microsoft.Extensions.Primitives; 
diff --git a/articles/azure-functions/functions-bindings-notification-hubs.md b/articles/azure-functions/functions-bindings-notification-hubs.md index a60b33c4cc02d..0267eec123749 100644 --- a/articles/azure-functions/functions-bindings-notification-hubs.md +++ b/articles/azure-functions/functions-bindings-notification-hubs.md @@ -22,6 +22,9 @@ Azure Notification Hubs must be configured for the Platform Notifications Servic [!INCLUDE [intro](../../includes/functions-bindings-intro.md)] +> [!IMPORTANT] +> Google has [deprecated Google Cloud Messaging (GCM) in favor of Firebase Cloud Messaging (FCM)](https://developers.google.com/cloud-messaging/faq). This output binding doesn't support FCM. To send notifications using FCM, use the [Firebase API](https://firebase.google.com/docs/cloud-messaging/server#choosing-a-server-option) directly in your function or use [template notifications](../notification-hubs/notification-hubs-templates-cross-platform-push-messages.md). + ## Packages - Functions 1.x The Notification Hubs bindings are provided in the [Microsoft.Azure.WebJobs.Extensions.NotificationHubs](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.NotificationHubs) NuGet package, version 1.x. Source code for the package is in the [azure-webjobs-sdk-extensions](https://github.com/Azure/azure-webjobs-sdk-extensions/tree/v2.x/src/WebJobs.Extensions.NotificationHubs) GitHub repository. 
@@ -193,37 +196,6 @@ public static async Task Run(string myQueueItem, IAsyncCollector n } ``` -## Example - GCM native - -This C# script example shows how to send a native GCM notification. - -```cs -#r "Microsoft.Azure.NotificationHubs" -#r "Newtonsoft.Json" - -using System; -using Microsoft.Azure.NotificationHubs; -using Newtonsoft.Json; - -public static async Task Run(string myQueueItem, IAsyncCollector notification, TraceWriter log) -{ - log.Info($"C# Queue trigger function processed: {myQueueItem}"); - - // In this example the queue item is a new user to be processed in the form of a JSON string with - // a "name" value. - // - // The JSON format for a native GCM notification is ... - // { "data": { "message": "notification message" }} - - log.Info($"Sending GCM notification of a new user"); - dynamic user = JsonConvert.DeserializeObject(myQueueItem); - string gcmNotificationPayload = "{\"data\": {\"message\": \"A new user wants to be added (" + - user.name + ")\" }}"; - log.Info($"{gcmNotificationPayload}"); - await notification.AddAsync(new GcmNotification(gcmNotificationPayload)); -} -``` - ## Example - WNS native This C# script example shows how to use types defined in the [Microsoft Azure Notification Hubs Library](https://www.nuget.org/packages/Microsoft.Azure.NotificationHubs/) to send a native WNS toast notification. 
@@ -285,7 +257,7 @@ The following table explains the binding configuration properties that you set i |**tagExpression** |**TagExpression** | Tag expressions allow you to specify that notifications be delivered to a set of devices that have registered to receive notifications that match the tag expression. For more information, see [Routing and tag expressions](../notification-hubs/notification-hubs-tags-segment-push-message.md). | |**hubName** | **HubName** | Name of the notification hub resource in the Azure portal. | |**connection** | **ConnectionStringSetting** | The name of an app setting that contains a Notification Hubs connection string. The connection string must be set to the *DefaultFullSharedAccessSignature* value for your notification hub. See [Connection string setup](#connection-string-setup) later in this article.| -|**platform** | **Platform** | The platform property indicates the client platform your notification targets. By default, if the platform property is omitted from the output binding, template notifications can be used to target any platform configured on the Azure Notification Hub. For more information on using templates in general to send cross platform notifications with an Azure Notification Hub, see [Templates](../notification-hubs/notification-hubs-templates-cross-platform-push-messages.md). When set, **platform** must be one of the following values:
  • apns—Apple Push Notification Service. For more information on configuring the notification hub for APNS and receiving the notification in a client app, see [Sending push notifications to iOS with Azure Notification Hubs](../notification-hubs/notification-hubs-ios-apple-push-notification-apns-get-started.md).
  • adm—[Amazon Device Messaging](https://developer.amazon.com/device-messaging). For more information on configuring the notification hub for ADM and receiving the notification in a Kindle app, see [Getting Started with Notification Hubs for Kindle apps](../notification-hubs/notification-hubs-kindle-amazon-adm-push-notification.md).
  • gcm—[Google Cloud Messaging](https://developers.google.com/cloud-messaging/). Firebase Cloud Messaging, which is the new version of GCM, is also supported. For more information, see [Sending push notifications to Android with Azure Notification Hubs](../notification-hubs/notification-hubs-android-push-notification-google-fcm-get-started.md).
  • wns—[Windows Push Notification Services](/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview) targeting Windows platforms. Windows Phone 8.1 and later is also supported by WNS. For more information, see [Getting started with Notification Hubs for Windows Universal Platform Apps](../notification-hubs/notification-hubs-windows-store-dotnet-get-started-wns-push-notification.md).
  • mpns—[Microsoft Push Notification Service](/previous-versions/windows/apps/ff402558(v=vs.105)). This platform supports Windows Phone 8 and earlier Windows Phone platforms. For more information, see [Sending push notifications with Azure Notification Hubs on Windows Phone](../notification-hubs/notification-hubs-windows-mobile-push-notifications-mpns.md).
| +|**platform** | **Platform** | The platform property indicates the client platform your notification targets. By default, if the platform property is omitted from the output binding, template notifications can be used to target any platform configured on the Azure Notification Hub. For more information on using templates in general to send cross platform notifications with an Azure Notification Hub, see [Templates](../notification-hubs/notification-hubs-templates-cross-platform-push-messages.md). When set, **platform** must be one of the following values:
  • apns—Apple Push Notification Service. For more information on configuring the notification hub for APNS and receiving the notification in a client app, see [Sending push notifications to iOS with Azure Notification Hubs](../notification-hubs/notification-hubs-ios-apple-push-notification-apns-get-started.md).
  • adm—[Amazon Device Messaging](https://developer.amazon.com/device-messaging). For more information on configuring the notification hub for ADM and receiving the notification in a Kindle app, see [Getting Started with Notification Hubs for Kindle apps](../notification-hubs/notification-hubs-kindle-amazon-adm-push-notification.md).
  • wns—[Windows Push Notification Services](/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview) targeting Windows platforms. Windows Phone 8.1 and later is also supported by WNS. For more information, see [Getting started with Notification Hubs for Windows Universal Platform Apps](../notification-hubs/notification-hubs-windows-store-dotnet-get-started-wns-push-notification.md).
  • mpns—[Microsoft Push Notification Service](/previous-versions/windows/apps/ff402558(v=vs.105)). This platform supports Windows Phone 8 and earlier Windows Phone platforms. For more information, see [Sending push notifications with Azure Notification Hubs on Windows Phone](../notification-hubs/notification-hubs-windows-mobile-push-notifications-mpns.md).
| [!INCLUDE [app settings to local.settings.json](../../includes/functions-app-settings-local.md)] @@ -303,7 +275,7 @@ Here's an example of a Notification Hubs binding in a *function.json* file. "tagExpression": "", "hubName": "my-notification-hub", "connection": "MyHubConnectionString", - "platform": "gcm" + "platform": "apns" } ], "disabled": false diff --git a/articles/azure-functions/functions-bindings-service-bus.md b/articles/azure-functions/functions-bindings-service-bus.md index cf5129cfc1d23..fd6febb6efb18 100644 --- a/articles/azure-functions/functions-bindings-service-bus.md +++ b/articles/azure-functions/functions-bindings-service-bus.md @@ -280,7 +280,7 @@ The following table explains the binding configuration properties that you set i |**queueName**|**QueueName**|Name of the queue to monitor. Set only if monitoring a queue, not for a topic. |**topicName**|**TopicName**|Name of the topic to monitor. Set only if monitoring a topic, not for a queue.| |**subscriptionName**|**SubscriptionName**|Name of the subscription to monitor. Set only if monitoring a topic, not for a queue.| -|**connection**|**Connection**|The name of an app setting that contains the Service Bus connection string to use for this binding. If the app setting name begins with "AzureWebJobs", you can specify only the remainder of the name. For example, if you set `connection` to "MyServiceBus", the Functions runtime looks for an app setting that is named "AzureWebJobsMyServiceBus." If you leave `connection` empty, the Functions runtime uses the default Service Bus connection string in the app setting that is named "AzureWebJobsServiceBus".

To obtain a connection string, follow the steps shown at [Get the management credentials](../service-bus-messaging/service-bus-dotnet-get-started-with-queues.md#get-the-connection-string). The connection string must be for a Service Bus namespace, not limited to a specific queue or topic. | +|**connection**|**Connection**|The name of an app setting that contains the Service Bus connection string to use for this binding. If the app setting name begins with "AzureWebJobs", you can specify only the remainder of the name. For example, if you set `connection` to "MyServiceBus", the Functions runtime looks for an app setting that is named "AzureWebJobsMyServiceBus." If you leave `connection` empty, the Functions runtime uses the default Service Bus connection string in the app setting that is named "AzureWebJobsServiceBus".

To obtain a connection string, follow the steps shown at [Get the management credentials](../service-bus-messaging/service-bus-quickstart-portal.md#get-the-connection-string). The connection string must be for a Service Bus namespace, not limited to a specific queue or topic. | |**accessRights**|**Access**|Access rights for the connection string. Available values are `manage` and `listen`. The default is `manage`, which indicates that the `connection` has the **Manage** permission. If you use a connection string that does not have the **Manage** permission, set `accessRights` to "listen". Otherwise, the Functions runtime might fail trying to do operations that require manage rights. In Azure Functions version 2.x, this property is not available because the latest version of the Storage SDK doesn't support manage operations.| [!INCLUDE [app settings to local.settings.json](../../includes/functions-app-settings-local.md)] @@ -326,7 +326,6 @@ The Service Bus trigger provides several [metadata properties](./functions-bindi |`To`|`string`|The send to address.| |`Label`|`string`|The application specific label.| |`CorrelationId`|`string`|The correlation ID.| -|`UserProperties`|`IDictionary`|The application specific message properties.| > [!NOTE] > Currently, trigger only works with queues and subscriptions that don't use sessions. Please track [this feature item](https://github.com/Azure/azure-functions-host/issues/563) for any further updates regarding this feature. 
@@ -597,7 +596,7 @@ The following table explains the binding configuration properties that you set i |**name** | n/a | The name of the variable that represents the queue or topic in function code. Set to "$return" to reference the function return value. | |**queueName**|**QueueName**|Name of the queue. Set only if sending queue messages, not for a topic. |**topicName**|**TopicName**|Name of the topic to monitor. Set only if sending topic messages, not for a queue.| -|**connection**|**Connection**|The name of an app setting that contains the Service Bus connection string to use for this binding. If the app setting name begins with "AzureWebJobs", you can specify only the remainder of the name. For example, if you set `connection` to "MyServiceBus", the Functions runtime looks for an app setting that is named "AzureWebJobsMyServiceBus." If you leave `connection` empty, the Functions runtime uses the default Service Bus connection string in the app setting that is named "AzureWebJobsServiceBus".

To obtain a connection string, follow the steps shown at [Get the management credentials](../service-bus-messaging/service-bus-dotnet-get-started-with-queues.md#get-the-connection-string). The connection string must be for a Service Bus namespace, not limited to a specific queue or topic.| +|**connection**|**Connection**|The name of an app setting that contains the Service Bus connection string to use for this binding. If the app setting name begins with "AzureWebJobs", you can specify only the remainder of the name. For example, if you set `connection` to "MyServiceBus", the Functions runtime looks for an app setting that is named "AzureWebJobsMyServiceBus." If you leave `connection` empty, the Functions runtime uses the default Service Bus connection string in the app setting that is named "AzureWebJobsServiceBus".

To obtain a connection string, follow the steps shown at [Get the management credentials](../service-bus-messaging/service-bus-quickstart-portal.md#get-the-connection-string). The connection string must be for a Service Bus namespace, not limited to a specific queue or topic.| |**accessRights**|**Access**|Access rights for the connection string. Available values are `manage` and `listen`. The default is `manage`, which indicates that the `connection` has the **Manage** permission. If you use a connection string that does not have the **Manage** permission, set `accessRights` to "listen". Otherwise, the Functions runtime might fail trying to do operations that require manage rights. In Azure Functions version 2.x, this property is not available because the latest version of the Storage SDK doesn't support manage operations.| [!INCLUDE [app settings to local.settings.json](../../includes/functions-app-settings-local.md)] diff --git a/articles/azure-functions/functions-create-first-function-vs-code.md b/articles/azure-functions/functions-create-first-function-vs-code.md index 174dc463302f2..5cbb1a290ce45 100644 --- a/articles/azure-functions/functions-create-first-function-vs-code.md +++ b/articles/azure-functions/functions-create-first-function-vs-code.md 
@@ -111,12 +111,10 @@ After you've verified that the function runs correctly on your local computer, i ## Next steps -You have used Visual Studio Code to create a function app with a simple HTTP-triggered function. To learn more about developing functions in a specific language, see the language reference guides for [JavaScript](functions-reference-node.md), [.NET](functions-dotnet-class-library.md), or [Java](functions-reference-java.md). - -Next you may want to learn more about local testing and debugging from the Terminal or command prompt using the Azure Functions Core Tools. +You have used Visual Studio Code to create a function app with a simple HTTP-triggered function. You may also want to learn more about [local testing and debugging from the Terminal or command prompt](functions-run-local.md) using the Azure Functions Core Tools. > [!div class="nextstepaction"] -> [Code and test locally](functions-run-local.md) +> [Enable Application Insights integration](functions-monitoring.md#manually-connect-an-app-insights-resource) [Azure Functions Core Tools]: functions-run-local.md [Azure Functions extension for Visual Studio Code]: https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions diff --git a/articles/azure-functions/functions-create-function-linux-custom-image.md b/articles/azure-functions/functions-create-function-linux-custom-image.md index 82b4abcfe86e8..8e8d84747268c 100644 --- a/articles/azure-functions/functions-create-function-linux-custom-image.md +++ b/articles/azure-functions/functions-create-function-linux-custom-image.md 
@@ -251,6 +251,16 @@ You can now test your functions running on Linux in Azure. [!INCLUDE [functions-test-function-code](../../includes/functions-test-function-code.md)] +## Enable Application Insights + +The recommended way to monitor the execution of your functions is by integrating your function app with Azure Application Insights. When you create a function app in the Azure portal, this integration is done for you by default. However, when you create your function app by using the Azure CLI, the integration in your function app in Azure isn't done. + +To enable Application Insights for your function app: + +[!INCLUDE [functions-connect-new-app-insights.md](../../includes/functions-connect-new-app-insights.md)] + +To learn more, see [Monitor Azure Functions](functions-monitoring.md). + ## Enable continuous deployment One of the benefits of using containers is being able to automatically deploy updates when containers are updated in the registry. Enable continuous deployment with the [az functionapp deployment container config](/cli/azure/functionapp/deployment/container#az-functionapp-deployment-container-config) command. diff --git a/articles/azure-functions/functions-create-vnet.md b/articles/azure-functions/functions-create-vnet.md index 0543502129891..f0505023fc9c8 100644 --- a/articles/azure-functions/functions-create-vnet.md +++ b/articles/azure-functions/functions-create-vnet.md @@ -6,7 +6,7 @@ author: alexkarcher-msft manager: jehollan ms.service: azure-functions ms.topic: article -ms.date: 12/03/2018 +ms.date: 4/11/2019 ms.author: alkarche --- 
@@ -106,13 +106,14 @@ Your Function App is connected to both the Internet and your VNET. The proxy is ## Next Steps -Functions running in a Premium plan share the same underlying App Service infrastructure as Web Apps. This means that all of the documentation for Web Apps applies to your Premium plan functions. +Functions running in a Premium plan share the same underlying App Service infrastructure as Web Apps on PV2 plans. This means that all of the documentation for Web Apps applies to your Premium plan functions. -1. [Learn more about VNET integration with App Service / Functions here](https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet) -1. [Learn more about VNETs in Azure](https://azure.microsoft.com/documentation/articles/virtual-networks-overview/) -1. [Enable for networking features and control with App Service Environments](https://docs.microsoft.com/azure/app-service/environment/intro) -1. [Connect to individual on-premises resources without firewall changes using Hybrid Connections](https://docs.microsoft.com/azure/app-service/app-service-hybrid-connections) -1. [Learn more about Function Proxies](https://review.docs.microsoft.com/azure/azure-functions/functions-proxies) +1. [Learn more about the networking options in functions here](./functions-networking-options.md) +1. [Read the Functions networking FAQ here](./functions-networking-faq.md) +1. [Learn more about VNETs in Azure](../virtual-network/virtual-networks-overview.md) +1. [Enable more networking features and control with App Service Environments](../app-service/environment/intro.md) +1. [Connect to individual on-premises resources without firewall changes using Hybrid Connections](../app-service/app-service-hybrid-connections.md) +1. [Learn more about Function Proxies](./functions-proxies.md) [1]: ./media/functions-create-vnet/topology.png 
diff --git a/articles/azure-functions/functions-develop-vs.md b/articles/azure-functions/functions-develop-vs.md index e4bbbf07237db..14f3a0522a8cf 100644 --- a/articles/azure-functions/functions-develop-vs.md +++ b/articles/azure-functions/functions-develop-vs.md @@ -75,7 +75,7 @@ The project template creates a C# project, installs the `Microsoft.NET.Sdk.Funct * **host.json**: Lets you configure the Functions host. These settings apply both when running locally and in Azure. For more information, see [host.json reference](functions-host-json.md). -* **local.settings.json**: Maintains settings used when running functions locally. These settings are not used by Azure, they are used by the [Azure Functions Core Tools](functions-run-local.md). Use this file to specify app settings for variables required by your functions. Add a new item to the **Values** array for each connection required by the functions bindings in your project. For more information, see [Local settings file](functions-run-local.md#local-settings-file) in the Azure Functions Core Tools article. +* **local.settings.json**: Maintains settings used when running functions locally. These settings are not used by Azure, they are used by the [Azure Functions Core Tools](functions-run-local.md). Use this file to specify app settings for environment variables required by your functions. Add a new item to the **Values** array for each connection required by the functions bindings in your project. For more information, see [Local settings file](functions-run-local.md#local-settings-file) in the Azure Functions Core Tools article. >[!IMPORTANT] >Because the local.settings.json file can contain secrets, you must excluded it from your project source control. The **Copy to Output Directory** setting for this file should always be **Copy if newer**. 
@@ -202,15 +202,11 @@ You can also manage application settings in one of these other ways: ## Monitoring functions -The recommended way to monitor the execution of your function in Azure is by integrating with Azure Application Insights. When you create a function app in the Azure portal, this integration is done for you by default. However, when you create your function app during Visual Studio publishing, the integration in your function app in Azure isn't done. Instead, you get built-in logging, which isn't recommended. +The recommended way to monitor the execution of your functions is by integrating your function app with Azure Application Insights. When you create a function app in the Azure portal, this integration is done for you by default. However, when you create your function app during Visual Studio publishing, the integration in your function app in Azure isn't done. -To enable Application Insights for your function app in Azure: +To enable Application Insights for your function app: -1. Create an Application Insights instance in the [Azure portal](https://portal.azure.com) and copy its instrumentation key. To learn how, see [Manually connect an App Insights resource](functions-monitoring.md#manually-connect-an-app-insights-resource). - -1. Add an app setting named `APPINSIGHTS_INSTRUMENTATIONKEY` to the function app settings in Azure, as described in [Function app settings](#function-app-settings). This app setting contains the instrumentation key that you created in the previous step. - -1. Remove the `AzureWebJobsDashboard` app setting from the function app in Azure, which disables built-in logging. +[!INCLUDE [functions-connect-new-app-insights.md](../../includes/functions-connect-new-app-insights.md)] To learn more, see [Monitor Azure Functions](functions-monitoring.md). diff --git a/articles/azure-functions/functions-infrastructure-as-code.md b/articles/azure-functions/functions-infrastructure-as-code.md index e198c9c92bb6a..98f2b55390a07 100644 
--- a/articles/azure-functions/functions-infrastructure-as-code.md +++ b/articles/azure-functions/functions-infrastructure-as-code.md @@ -12,7 +12,7 @@ ms.service: azure-functions ms.server: functions ms.devlang: multiple ms.topic: conceptual -ms.date: 05/25/2017 +ms.date: 04/03/2019 ms.author: glenga --- 
@@ -26,20 +26,26 @@ For sample templates, see: - [Function app on Consumption plan] - [Function app on Azure App Service plan] +> [!NOTE] +> The Premium plan for Azure Functions hosting is currently in preview. For more information, see [Azure Functions Premium plan](functions-premium-plan.md). + ## Required resources -A function app requires these resources: +An Azure Functions deployment typically consists of these resources: -* An [Azure Storage](../storage/index.yml) account -* A hosting plan (Consumption plan or App Service plan) -* A function app +| Resource | Requirement | Syntax and properties reference | | +|------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------|---| +| A function app | Required | [Microsoft.Web/sites](/azure/templates/microsoft.web/sites) | | +| An [Azure Storage](../storage/index.yml) account | Required | [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts) | | +| An [Application Insights](../azure-monitor/app/app-insights-overview.md) component | Optional | [Microsoft.Insights/components](/azure/templates/microsoft.insights/components) | | +| A [hosting plan](./functions-scale.md) | Optional1 | [Microsoft.Web/serverfarms](/azure/templates/microsoft.web/serverfarms) | | -For JSON syntax and properties for these resources, see: +1A hosting plan is only required when you choose to run your function app on a [Premium plan](./functions-premium-plan.md) (in preview) or on an [App Service plan](../app-service/overview-hosting-plans.md). -* [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts) -* [Microsoft.Web/serverfarms](/azure/templates/microsoft.web/serverfarms) -* [Microsoft.Web/sites](/azure/templates/microsoft.web/sites) +> [!TIP] +> While not required, it is strongly recommended that you configure Application Insights for your app. 
+ ### Storage account An Azure storage account is required for a function app. You need a general purpose account that supports blobs, tables, queues, and files. For more information, see [Azure Functions storage account requirements](functions-create-function-app-portal.md#storage-account-requirements). @@ -48,8 +54,9 @@ An Azure storage account is required for a function app. You need a general purp { "type": "Microsoft.Storage/storageAccounts", "name": "[variables('storageAccountName')]", - "apiVersion": "2015-06-15", + "apiVersion": "2018-07-01", "location": "[resourceGroup().location]", + "kind": "StorageV2", "properties": { "accountType": "[parameters('storageAccountType')]" } 
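Review bot: The storage account sample in the `@@ -48,8 +54,9 @@` hunk now declares `"apiVersion": "2018-07-01"` and `"kind": "StorageV2"` but still sets the SKU through `"properties": { "accountType": ... }`, which is the 2015-06-15 shape; from 2016-01-01 on the SKU is a top-level `sku` object, so the bumped sample is likely to fail validation as written. I would replace that block with `"sku": { "name": "[parameters('storageAccountType')]" }` and, because the article says this account stores the function app code and configuration, add `"properties": { "supportsHttpsTrafficOnly": true }` so readers copy a TLS-only default. The app-settings samples added in the later hunks of this file still call `listKeys(..., '2015-05-01-preview').key1`; that should keep working, but `listKeys(..., '2018-07-01').keys[0].value` would match the new resource version. The resource object is closed outside this hunk.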
@@ -72,15 +79,51 @@ These properties are specified in the `appSettings` collection in the `siteConfi "name": "AzureWebJobsDashboard", "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]" } -``` +] +``` + +### Application Insights + +Application Insights is recommended for monitoring your function apps. The Application Insights resource is defined with the type **Microsoft.Insights/components** and the kind **web**: + +```json + { + "apiVersion": "2015-05-01", + "name": "[variables('appInsightsName')]", + "type": "Microsoft.Insights/components", + "kind": "web", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-link:', resourceGroup().id, '/providers/Microsoft.Web/sites/', variables('functionAppName'))]": "Resource" + }, + "properties": { + "Application_Type": "web", + "ApplicationId": "[variables('functionAppName')]" + } + }, +``` + +In addition, the instrumentation key needs to be provided to the function app using the `APPINSIGHTS_INSTRUMENTATIONKEY` application setting. This property is specified in the `appSettings` collection in the `siteConfig` object: + +```json +"appSettings": [ + { + "name": "APPINSIGHTS_INSTRUMENTATIONKEY", + "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]" + } +] +``` ### Hosting plan -The definition of the hosting plan varies, depending on whether you use a Consumption or App Service plan. See [Deploy a function app on the Consumption plan](#consumption) and [Deploy a function app on the App Service plan](#app-service-plan). 
+The definition of the hosting plan varies, and can be one of the following: +* [Consumption plan](#consumption) (default) +* [Premium plan](#premium) (in preview) +* [App Service plan](#app-service-plan) ### Function app -The function app resource is defined by using a resource of type **Microsoft.Web/Site** and kind **functionapp**: +The function app resource is defined by using a resource of type **Microsoft.Web/sites** and kind **functionapp**: ```json { 
@@ -88,24 +131,65 @@ The function app resource is defined by using a resource of type **Microsoft.Web "type": "Microsoft.Web/sites", "name": "[variables('functionAppName')]", "location": "[resourceGroup().location]", - "kind": "functionapp", + "kind": "functionapp", "dependsOn": [ - "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]" ] ``` +> [!IMPORTANT] +> If you are explicitly defining a hosting plan, an additional item would be needed in the dependsOn array: `"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]"` + +A function app must include these application settings: + +| Setting name | Description | Example values | +|------------------------------|-------------------------------------------------------------------------------------------|---------------------------------------| +| AzureWebJobsStorage | A connection string to a storage account that the Functions runtime for internal queueing | See [Storage account](#storage) | +| FUNCTIONS_EXTENSION_VERSION | The version of the Azure Functions runtime | `~2` | +| FUNCTIONS_WORKER_RUNTIME | The language stack to be used for functions in this app | `dotnet`, `node`, `java`, or `python` | +| WEBSITE_NODE_DEFAULT_VERSION | Only needed if using the `node` language stack, specifies the version to use | `10.14.1` | + +These properties are specified in the `appSettings` collection in the `siteConfig` property: + +```json +"properties": { + "siteConfig": { + "appSettings": [ + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]" + }, + { + "name": 
"FUNCTIONS_WORKER_RUNTIME", + "value": "node" + }, + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "10.14.1" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~2" + } + ] + } +} +``` + -## Deploy a function app on the Consumption plan +## Deploy on Consumption plan -You can run a function app in two different modes: the Consumption plan and the App Service plan. The Consumption plan automatically allocates compute power when your code is running, scales out as necessary to handle load, and then scales down when code is not running. So, you don't have to pay for idle VMs, and you don't have to reserve capacity in advance. To learn more about hosting plans, see [Azure Functions Consumption and App Service plans](functions-scale.md). +The Consumption plan automatically allocates compute power when your code is running, scales out as necessary to handle load, and then scales down when code is not running. You don't have to pay for idle VMs, and you don't have to reserve capacity in advance. To learn more, see [Azure Functions scale and hosting](functions-scale.md#consumption-plan). For a sample Azure Resource Manager template, see [Function app on Consumption plan]. ### Create a Consumption plan -A Consumption plan is a special type of "serverfarm" resource. You specify it by using the `Dynamic` value for the `computeMode` and `sku` properties: +A Consumption plan does not need to be defined. One will automatically be created or selected on a per-region basis when you create the function app resource itself. + +The Consumption plan is a special type of "serverfarm" resource. For Windows, you can specify it by using the `Dynamic` value for the `computeMode` and `sku` properties: ```json { 
@@ -121,29 +205,144 @@ A Consumption plan is a special type of "serverfarm" resource. You specify it by } ``` +> [!NOTE] +> The Consumption plan cannot be explicitly defined for Linux. It will be created automatically. + +If you do explicitly define your consumption plan, you will need to set the `serverFarmId` property on the app so that it points to the resource ID of the plan. You should ensure that the function app has a `dependsOn` setting for the plan as well. + ### Create a function app -In addition, a Consumption plan requires two additional settings in the site configuration: `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`. These properties configure the storage account and file path where the function app code and configuration are stored. +#### Windows + +On Windows, a Consumption plan requires two additional settings in the site configuration: `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`. These properties configure the storage account and file path where the function app code and configuration are stored. 
```json { - "apiVersion": "2015-08-01", + "apiVersion": "2016-03-01", "type": "Microsoft.Web/sites", "name": "[variables('functionAppName')]", "location": "[resourceGroup().location]", - "kind": "functionapp", + "kind": "functionapp", "dependsOn": [ - "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" ], "properties": { - "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", "siteConfig": { "appSettings": [ { - "name": "AzureWebJobsDashboard", + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]" + }, + { + "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]" }, + { + "name": "WEBSITE_CONTENTSHARE", + "value": "[toLower(variables('functionAppName'))]" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "node" + }, + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "10.14.1" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~2" + } + ] + } + } +} +``` + +#### Linux + +On Linux, the function app must have its `kind` set to `functionapp,linux`, and it must have the `reserved` property set to `true`: + +```json +{ + "apiVersion": "2016-03-01", + "type": "Microsoft.Web/sites", + "name": "[variables('functionAppName')]", + "location": "[resourceGroup().location]", + "kind": "functionapp,linux", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ], + "properties": { + "siteConfig": { + "appSettings": [ + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', 
variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountName'),'2015-05-01-preview').key1)]" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "node" + }, + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "10.14.1" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~2" + } + ] + }, + "reserved": true + } +} +``` + + + + + +## Deploy on Premium plan + +The Premium plan offers the same scaling as the consumption plan but includes dedicated resources and additional capabilities. To learn more, see [Azure Functions Premium Plan (Preview)](./functions-premium-plan.md). + +### Create a Premium plan + +A Premium plan is a special type of "serverfarm" resource. You can specify it by using either `EP1`, `EP2`, or `EP3` for the `sku` property value. + +```json +{ + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2015-04-01", + "name": "[variables('hostingPlanName')]", + "location": "[resourceGroup().location]", + "properties": { + "name": "[variables('hostingPlanName')]", + "sku": "EP1" + } +} +``` + +### Create a function app + +A function app on a Premium plan must have the `serverFarmId` property set to the resource ID of the plan created earlier. In addition, a Premium plan requires two additional settings in the site configuration: `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`. These properties configure the storage account and file path where the function app code and configuration are stored. 
+ +```json +{ + "apiVersion": "2016-03-01", + "type": "Microsoft.Web/sites", + "name": "[variables('functionAppName')]", + "location": "[resourceGroup().location]", + "kind": "functionapp", + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ], + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "siteConfig": { + "appSettings": [ { "name": "AzureWebJobsStorage", "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]" 
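Review bot: In the Linux Consumption sample, `AzureWebJobsStorage` calls `listKeys(variables('storageAccountName'),'2015-05-01-preview')`, while the Windows and Premium samples in this hunk pass `variables('storageAccountid')`. The variable definitions are outside the hunk, but if `storageAccountid` holds the storage account's resource ID, as its name suggests, the Linux sample should use it too: `listKeys(variables('storageAccountid'),'2015-05-01-preview').key1`. A reader who copies only the Linux block would otherwise get a template whose key lookup differs from every other sample on the page and may not deploy.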
@@ -156,26 +355,37 @@ In addition, a Consumption plan requires two additional settings in the site con "name": "WEBSITE_CONTENTSHARE", "value": "[toLower(variables('functionAppName'))]" }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "node" + }, + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "10.14.1" + }, { "name": "FUNCTIONS_EXTENSION_VERSION", - "value": "~1" + "value": "~2" } ] } } } -``` +``` + -## Deploy a function app on the App Service plan +## Deploy on App Service plan -In the App Service plan, your function app runs on dedicated VMs on Basic, Standard, and Premium SKUs, similar to web apps. For details about how the App Service plan works, see the [Azure App Service plans in-depth overview](../app-service/overview-hosting-plans.md). +In the App Service plan, your function app runs on dedicated VMs on Basic, Standard, and Premium SKUs, similar to web apps. For details about how the App Service plan works, see the [Azure App Service plans in-depth overview](../app-service/overview-hosting-plans.md). For a sample Azure Resource Manager template, see [Function app on Azure App Service plan]. ### Create an App Service plan +An App Service plan is defined by a "serverfarm" resource. + ```json { "type": "Microsoft.Web/serverfarms", 
@@ -192,9 +402,169 @@ For a sample Azure Resource Manager template, see [Function app on Azure App Ser } ``` +To run your app on Linux, you must also set the `kind` to `Linux`: + +```json +{ + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2015-04-01", + "name": "[variables('hostingPlanName')]", + "location": "[resourceGroup().location]", + "kind": "Linux", + "properties": { + "name": "[variables('hostingPlanName')]", + "sku": "[parameters('sku')]", + "workerSize": "[parameters('workerSize')]", + "hostingEnvironment": "", + "numberOfWorkers": 1 + } +} +``` + ### Create a function app -After you've selected a scaling option, create a function app. The app is the container that holds all your functions. +A function app on an App Service plan must have the `serverFarmId` property set to the resource ID of the plan created earlier. + +```json +{ + "apiVersion": "2016-03-01", + "type": "Microsoft.Web/sites", + "name": "[variables('functionAppName')]", + "location": "[resourceGroup().location]", + "kind": "functionapp", + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ], + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "siteConfig": { + "appSettings": [ + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "node" + }, + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "10.14.1" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~2" + } + ] + } + } +} +``` + +Linux apps should also include a `linuxFxVersion` property under `siteConfig`. 
If you are just deploying code, the value for this is determined by your desired runtime stack: + +| Stack | Example value | +|------------------|-------------------------------------------------------| +| Python (Preview) | `DOCKER|microsoft/azure-functions-python3.6:2.0` | +| JavaScript | `DOCKER|microsoft/azure-functions-node8:2.0` | +| .NET | `DOCKER|microsoft/azure-functions-dotnet-core2.0:2.0` | + +```json +{ + "apiVersion": "2016-03-01", + "type": "Microsoft.Web/sites", + "name": "[variables('functionAppName')]", + "location": "[resourceGroup().location]", + "kind": "functionapp", + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ], + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "siteConfig": { + "appSettings": [ + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "node" + }, + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "10.14.1" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~2" + } + ], + "linuxFxVersion": "DOCKER|microsoft/azure-functions-node8:2.0" + } + } +} +``` + +If you are [deploying a custom container image](./functions-create-function-linux-custom-image.md), you must specify it with `linuxFxVersion` and include configuration that allows your image to be pulled, as in [Web App for Containers](/azure/app-service/containers). 
Also, set `WEBSITES_ENABLE_APP_SERVICE_STORAGE` to `false`, since your app content is provided in the container itself: + +```json +{ + "apiVersion": "2016-03-01", + "type": "Microsoft.Web/sites", + "name": "[variables('functionAppName')]", + "location": "[resourceGroup().location]", + "kind": "functionapp", + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ], + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "siteConfig": { + "appSettings": [ + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "node" + }, + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "10.14.1" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~2" + }, + { + "name": "DOCKER_REGISTRY_SERVER_URL", + "value": "[parameters('dockerRegistryUrl')]" + }, + { + "name": "DOCKER_REGISTRY_SERVER_USERNAME", + "value": "[parameters('dockerRegistryUsername')]" + }, + { + "name": "DOCKER_REGISTRY_SERVER_PASSWORD", + "value": "[parameters('dockerRegistryPassword')]" + }, + { + "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE", + "value": "false" + } + ], + "linuxFxVersion": "DOCKER|myacr.azurecr.io/myimage:mytag" + } + } +} +``` + +## Customizing a deployment A function app has many child resources that you can use in your deployment, including app settings and source control options. You also might choose to remove the **sourcecontrols** child resource, and use a different [deployment option](functions-continuous-deployment.md) instead. 
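Review bot: The custom-container sample reads the registry credential from `[parameters('dockerRegistryPassword')]`, but nothing in the added text says how that parameter should be declared. Add a sentence after the sample such as `Declare dockerRegistryPassword as a securestring parameter so that its value isn't saved in the deployment history or written to logs.` The value still ends up as a readable app setting on the function app, so it is worth adding that the registry account should have no more than pull rights. Separately, the Linux samples in this hunk keep `"kind": "functionapp"` whereas the Consumption section uses `functionapp,linux`; confirm which value is intended for Linux on an App Service plan.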
@@ -217,8 +587,14 @@ A function app has many child resources that you can use in your deployment, inc "siteConfig": { "alwaysOn": true, "appSettings": [ - { "name": "FUNCTIONS_EXTENSION_VERSION", "value": "~1" }, - { "name": "Project", "value": "src" } + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~2" + }, + { + "name": "Project", + "value": "src" + } ] } }, @@ -234,7 +610,10 @@ A function app has many child resources that you can use in your deployment, inc ], "properties": { "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]", - "AzureWebJobsDashboard": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]" + "AzureWebJobsDashboard": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]", + "FUNCTIONS_EXTENSION_VERSION": "~2", + "FUNCTIONS_WORKER_RUNTIME": "dotnet", + "Project": "src" } }, { diff --git a/articles/azure-functions/functions-monitoring.md b/articles/azure-functions/functions-monitoring.md index 7d5dc57326f3e..5d4f8c196fd07 100644 --- a/articles/azure-functions/functions-monitoring.md +++ b/articles/azure-functions/functions-monitoring.md 
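Review bot: The second hunk on this line (`@@ -234,7 +610,10 @@`) keeps `AzureWebJobsDashboard` in the `appsettings` child resource, although the Consumption sample earlier in this commit replaces that setting with `AzureWebJobsStorage` and the monitoring article changed in the same commit calls built-in monitoring no longer recommended. Keeping it puts a second copy of the storage account key into the app settings for a feature the docs now steer readers away from. The new `"FUNCTIONS_EXTENSION_VERSION": "~2"` line suggests the sample is not meant for a version 1.x app, so unless it is, drop the `"AzureWebJobsDashboard": ...` line. The enclosing resource definition starts and ends outside the hunk.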
@@ -9,18 +9,18 @@ ms.assetid: 501722c3-f2f7-4224-a220-6d59da08a320 ms.service: azure-functions ms.devlang: multiple ms.topic: conceptual -ms.date: 11/15/2018 +ms.date: 04/04/2019 ms.author: glenga -#Customer intent: As a developer, I want to monitor the status of my functions, so that I can respond to any errors that occur and make improvements to my applications. +# Customer intent: As a developer, I want to be able to monitor my functions so that I can know if they are running correctly. --- # Monitor Azure Functions [Azure Functions](functions-overview.md) offers built-in integration with [Azure Application Insights](../azure-monitor/app/app-insights-overview.md) to monitor functions. This article shows you how to configure Azure Functions to send system-generated log files to Application Insights. -![Application Insights Metrics Explorer](media/functions-monitoring/metrics-explorer.png) +We recommend using Application Insights because it collects log, performance, and error data. It automatically detects performance anomalies and includes powerful analytics tools to help you diagnose issues and to understand how your functions are used. It's designed to help you continuously improve performance and usability. You can even use Application Insights during local function app project development. For more information, see [What is Application Insights?](../azure-monitor/app/app-insights-overview.md) -Azure Functions also has built-in monitoring that doesn't use Application Insights. We recommend Application Insights because it offers more data and better ways to analyze the data. +As the required Application Insights instrumentation is built into Azure Functions, all you need is a valid instrumentation key to connect your function app to an Application Insights resource. ## Application Insights pricing and limits 
@@ -30,56 +30,28 @@ You can try out Application Insights integration with Function Apps for free. Th For a function app to send data to Application Insights, it needs to know the instrumentation key of an Application Insights resource. The key must be in an app setting named **APPINSIGHTS_INSTRUMENTATIONKEY**. -You can set up this connection in the [Azure portal](https://portal.azure.com): +### New function app in the portal -* [Automatically connect a new function app](#new-function-app) -* [Manually connect an Application Insights resource](#manually-connect-an-app-insights-resource) +When you [create your function app in the Azure portal](functions-create-first-azure-function.md), Application Insights integration is enabled by default. The Application Insights resource has the same name as your function app, and it's created either in the same region or in nearest region. -### New function app - +To review the Application Insights resource being created, select it to expand the **Application Insights** window. You can change the **New resource name** or choose a different **Location** in an [Azure geography](https://azure.microsoft.com/global-infrastructure/geographies/) where you want to store your data. -1. Go to the function app **Create** page. - -1. Set the **Application Insights** switch **On**. - -1. Select an **Application Insights Location**. Choose the region that's closest to your function app's region and in an [Azure geography](https://azure.microsoft.com/global-infrastructure/geographies/) where you want to store your data. - - ![Enable Application Insights while creating a function app](media/functions-monitoring/enable-ai-new-function-app.png) - -1. Enter the other required information and select **Create**. - -The next step is to [disable built-in logging](#disable-built-in-logging). 
+![Enable Application Insights while creating a function app](media/functions-monitoring/enable-ai-new-function-app.png) +When you choose **Create**, an Application Insights resource is created with your function app, which has the `APPINSIGHTS_INSTRUMENTATIONKEY` set in application settings. Everything is ready to go. -### Application Insights resource - - -1. Create the Application Insights resource. Set application type to **General**. - - ![Create an Application Insights resource of type General](media/functions-monitoring/ai-general.png) - -1. Copy the instrumentation key from the **Essentials** page of the Application Insights resource. Point to the end of the displayed key value to get a **Click to copy** button. - - ![Copy the Application Insights instrumentation key](media/functions-monitoring/copy-ai-key.png) - -1. In the function app's **Application settings** page, [add an app setting](functions-how-to-use-azure-function-app-settings.md#settings) by selecting **Add new setting**. Name the new setting **APPINSIGHTS_INSTRUMENTATIONKEY** and paste the copied instrumentation key. +### Add to an existing function app - ![Add instrumentation key to app settings](media/functions-monitoring/add-ai-key.png) +When you create a function app using the [Azure CLI](functions-create-first-azure-function-azure-cli.md), [Visual Studio](functions-create-your-first-function-visual-studio.md), or [Visual Studio Code](functions-create-first-function-vs-code.md), you must create the Application Insights resource. You can then add the instrumentation key from that resource as an application setting in your function app. -1. Select **Save**. +[!INCLUDE [functions-connect-new-app-insights.md](../../includes/functions-connect-new-app-insights.md)] - - -## Disable built-in logging - -When you enable Application Insights, disable the built-in logging that uses Azure Storage. 
The built-in logging is useful for testing with light workloads, but isn't intended for high-load production use. For production monitoring, we recommend Application Insights. If built-in logging is used in production, the logging record might be incomplete because of throttling on Azure Storage. - -To disable built-in logging, delete the `AzureWebJobsDashboard` app setting. For information about how to delete app settings in the Azure portal, see the **Application settings** section of [How to manage a function app](functions-how-to-use-azure-function-app-settings.md#settings). Before you delete the app setting, make sure no existing functions in the same function app use the setting for Azure Storage triggers or bindings. +Early versions of Functions used built-in monitoring, which is no longer recommended. When enabling Application Insights integration for such a function app, you must also [disable built-in logging](#disable-built-in-logging). ## View telemetry in Monitor tab -After you set up Application Insights integration as shown in the previous sections, you can view telemetry data in the **Monitor** tab. +With [Application Insights integration enabled](#enable-application-insights-integration), you can view telemetry data in the **Monitor** tab. 1. In the function app page, select a function that has run at least once after Application Insights was configured. Then select the **Monitor** tab. 
@@ -99,13 +71,13 @@ After you set up Application Insights integration as shown in the previous secti ![Invocation details](media/functions-monitoring/invocation-details-ai.png) -Both pages (invocation list and invocation details) link to the Application Insights Analytics query that retrieves the data: +You can see that both pages have a **Run in Application Insights** link to the Application Insights Analytics query that retrieves the data. ![Run in Application Insights](media/functions-monitoring/run-in-ai.png) -![Application Insights Analytics invocation list](media/functions-monitoring/ai-analytics-invocation-list.png) +The following query is displayed. You can see that the invocation list is limited to the last 30 days. The list shows no more than 20 rows (`where timestamp > ago(30d) | take 20`). The invocation details list is for the last 30 days with no limit. -From these queries, you can see that the invocation list is limited to the last 30 days. The list shows no more than 20 rows (`where timestamp > ago(30d) | take 20`). The invocation details list is for the last 30 days with no limit. +![Application Insights Analytics invocation list](media/functions-monitoring/ai-analytics-invocation-list.png) For more information, see [Query telemetry data](#query-telemetry-data) later in this article. 
@@ -117,25 +89,17 @@ To open Application Insights from a function app in the Azure portal, go to the For information about how to use Application Insights, see the [Application Insights documentation](https://docs.microsoft.com/azure/application-insights/). This section shows some examples of how to view data in Application Insights. If you're already familiar with Application Insights, you can go directly to [the sections about how to configure and customize the telemetry data](#configure-categories-and-log-levels). -In [Metrics Explorer](../azure-monitor/app/metrics-explorer.md), you can create charts and alerts that are based on metrics. Metrics include the number of function invocations, execution time, and success rates. - -![Metrics Explorer](media/functions-monitoring/metrics-explorer.png) - -On the [Failures](../azure-monitor/app/asp-net-exceptions.md) tab, you can create charts and alerts based on function failures and server exceptions. The **Operation Name** is the function name. Failures in dependencies aren't shown unless you implement custom telemetry for dependencies. +![Application Insights Overview tab](media/functions-monitoring/metrics-explorer.png) -![Failures](media/functions-monitoring/failures.png) +The following areas of Application Insights can be helpful when evaluating the behavior, performance, and errors in your functions: -On the [Performance](../azure-monitor/app/performance-counters.md) tab, you can analyze performance issues. - -![Performance](media/functions-monitoring/performance.png) - -The **Servers** tab shows resource utilization and throughput per server. This data can be useful for debugging scenarios where functions are bogging down your underlying resources. Servers are referred to as **Cloud role instances**. - -![Servers](media/functions-monitoring/servers.png) - -The [Live Metrics Stream](../azure-monitor/app/live-stream.md) tab shows metrics data as it's created in real time. 
- -![Live stream](media/functions-monitoring/live-stream.png) +| Tab | Description | +| ---- | ----------- | +| **[Failures](../azure-monitor/app/asp-net-exceptions.md)** | Create charts and alerts based on function failures and server exceptions. The **Operation Name** is the function name. Failures in dependencies aren't shown unless you implement custom telemetry for dependencies. | +| **[Performance](../azure-monitor/app/performance-counters.md)** | Analyze performance issues. | +| **Servers** | View resource utilization and throughput per server. This data can be useful for debugging scenarios where functions are bogging down your underlying resources. Servers are referred to as **Cloud role instances**. | +| **[Metrics](../azure-monitor/app/metrics-explorer.md)** | Create charts and alerts that are based on metrics. Metrics include the number of function invocations, execution time, and success rates. | +| **[Live Metrics Stream](../azure-monitor/app/live-stream.md)** | View metrics data as it's created in real time. | ## Query telemetry data 
@@ -156,12 +120,14 @@ requests The tables that are available are shown in the **Schema** tab on the left. You can find data generated by function invocations in the following tables: -* **traces**: Logs created by the runtime and by function code. -* **requests**: One request for each function invocation. -* **exceptions**: Any exceptions thrown by the runtime. -* **customMetrics**: The count of successful and failing invocations, success rate, and duration. -* **customEvents**: Events tracked by the runtime, for example: HTTP requests that trigger a function. -* **performanceCounters**: Information about the performance of the servers that the functions are running on. +| Table | Description | +| ----- | ----------- | +| **traces** | Logs created by the runtime and by function code. | +| **requests** | One request for each function invocation. | +| **exceptions** | Any exceptions thrown by the runtime. | +| **customMetrics** | The count of successful and failing invocations, success rate, and duration. | +| **customEvents** | Events tracked by the runtime, for example: HTTP requests that trigger a function. | +| **performanceCounters** | Information about the performance of the servers that the functions are running on. | The other tables are for availability tests, and client and browser telemetry. You can implement custom telemetry to add data to them. 
@@ -176,7 +142,7 @@ The runtime provides the `customDimensions.LogLevel` and `customDimensions.Categ ## Configure categories and log levels -You can use Application Insights without any custom configuration. The default configuration can result in high volumes of data. If you're using a Visual Studio Azure subscription, you might hit your data cap for Application Insights. Later in this article, you learn how to configure and customize the data that your functions send to Application Insights. +You can use Application Insights without any custom configuration. The default configuration can result in high volumes of data. If you're using a Visual Studio Azure subscription, you might hit your data cap for Application Insights. Later in this article, you learn how to configure and customize the data that your functions send to Application Insights. For a function app, logging is configured in the [host.json] file. ### Categories @@ -204,7 +170,7 @@ Log level `None` is explained in the next section. ### Log configuration in host.json -The [host.json](functions-host-json.md) file configures how much logging a function app sends to Application Insights. For each category, you indicate the minimum log level to send. There are two examples: the first example targets the [Functions version 2.x runtime](functions-versions.md#version-2x) (.NET Core) and the second example is for the version 1.x runtime. +The [host.json] file configures how much logging a function app sends to Application Insights. For each category, you indicate the minimum log level to send. There are two examples: the first example targets the [Functions version 2.x runtime](functions-versions.md#version-2x) (.NET Core) and the second example is for the version 1.x runtime. ### Version 2.x 
@@ -244,12 +210,12 @@ The v2.x runtime uses the [.NET Core logging filter hierarchy](https://docs.micr This example sets up the following rules: * For logs with category `Host.Results` or `Function`, send only `Error` level and above to Application Insights. Logs for `Warning` level and below are ignored. -* For logs with category `Host.Aggregator`, send all logs to Application Insights. The `Trace` log level is the same as what some loggers call `Verbose`, but use `Trace` in the [host.json](functions-host-json.md) file. +* For logs with category `Host.Aggregator`, send all logs to Application Insights. The `Trace` log level is the same as what some loggers call `Verbose`, but use `Trace` in the [host.json] file. * For all other logs, send only `Information` level and above to Application Insights. -The category value in [host.json](functions-host-json.md) controls logging for all categories that begin with the same value. `Host` in [host.json](functions-host-json.md) controls logging for `Host.General`, `Host.Executor`, `Host.Results`, and so on. +The category value in [host.json] controls logging for all categories that begin with the same value. `Host` in [host.json] controls logging for `Host.General`, `Host.Executor`, `Host.Results`, and so on. -If [host.json](functions-host-json.md) includes multiple categories that start with the same string, the longer ones are matched first. Suppose you want everything from the runtime except `Host.Aggregator` to log at `Error` level, but you want `Host.Aggregator` to log at the `Information` level: +If [host.json] includes multiple categories that start with the same string, the longer ones are matched first. Suppose you want everything from the runtime except `Host.Aggregator` to log at `Error` level, but you want `Host.Aggregator` to log at the `Information` level: ### Version 2.x 
@@ -318,7 +284,7 @@ Logs written by your function code have category `Function` and can be any log l ## Configure the aggregator -As noted in the previous section, the runtime aggregates data about function executions over a period of time. The default period is 30 seconds or 1,000 runs, whichever comes first. You can configure this setting in the [host.json](functions-host-json.md) file. Here's an example: +As noted in the previous section, the runtime aggregates data about function executions over a period of time. The default period is 30 seconds or 1,000 runs, whichever comes first. You can configure this setting in the [host.json] file. Here's an example: ```json { @@ -331,7 +297,7 @@ As noted in the previous section, the runtime aggregates data about function exe ## Configure sampling -Application Insights has a [sampling](../azure-monitor/app/sampling.md) feature that can protect you from producing too much telemetry data at times of peak load. When the rate of incoming telemetry exceeds a specified threshold, Application Insights starts to randomly ignore some of the incoming items. The default setting for maximum number of items per second is five. You can configure sampling in [host.json](functions-host-json.md). Here's an example: +Application Insights has a [sampling](../azure-monitor/app/sampling.md) feature that can protect you from producing too much telemetry data on completed executions at times of peak load. When the rate of incoming executions exceeds a specified threshold, Application Insights starts to randomly ignore some of the incoming executions. The default setting for maximum number of executions per second is 20 (five in version 1.x). You can configure sampling in [host.json]. Here's an example: ### Version 2.x 
@@ -341,7 +307,7 @@ Application Insights has a [sampling](../azure-monitor/app/sampling.md) feature "applicationInsights": { "samplingSettings": { "isEnabled": true, - "maxTelemetryItemsPerSecond" : 5 + "maxTelemetryItemsPerSecond" : 20 } } } @@ -461,18 +427,18 @@ using Microsoft.Extensions.Logging; namespace functionapp0915 { - public static class HttpTrigger2 + public class HttpTrigger2 { - // In Functions v2, TelemetryConfiguration.Active is initialized with the InstrumentationKey - // from APPINSIGHTS_INSTRUMENTATIONKEY. Creating a default TelemetryClient like this will - // automatically use that key for all telemetry. It will also enable telemetry correlation - // with the current operation. - // If you require a custom TelemetryConfiguration, create it initially with - // TelemetryConfiguration.CreateDefault() to include this automatic correlation. - private static TelemetryClient telemetryClient = new TelemetryClient(); + private readonly TelemetryClient telemetryClient; + + /// Using dependency injection will guarantee that you use the same configuration for telemetry collected automatically and manually. + public HttpTrigger2(TelemetryConfiguration telemetryConfiguration) + { + this.telemetryClient = new TelemetryClient(telemetryConfiguration); + } [FunctionName("HttpTrigger2")] - public static Task Run( + public Task Run( [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req, ExecutionContext context, ILogger log) { @@ -487,12 +453,12 @@ namespace functionapp0915 // Track an Event var evt = new EventTelemetry("Function called"); evt.Context.User.Id = name; - telemetryClient.TrackEvent(evt); + this.telemetryClient.TrackEvent(evt); // Track a Metric var metric = new MetricTelemetry("Test Metric", DateTime.Now.Millisecond); metric.Context.User.Id = name; - telemetryClient.TrackMetric(metric); + this.telemetryClient.TrackMetric(metric); // Track a Dependency var dependency = new DependencyTelemetry 
@@ -505,7 +471,7 @@ namespace functionapp0915 Success = true }; dependency.Context.User.Id = name; - telemetryClient.TrackDependency(dependency); + this.telemetryClient.TrackDependency(dependency); return Task.FromResult(new OkResult()); } 
@@ -623,58 +589,64 @@ module.exports = function (context, req) { The `tagOverrides` parameter sets the `operation_Id` to the function's invocation ID. This setting enables you to correlate all of the automatically generated and custom telemetry for a given function invocation. -## Known issues - +## Dependencies -### Dependencies +Functions v2 automatically collects dependencies for HTTP requests, ServiceBus, and SQL. -Dependencies that the function has to other services don't show up automatically. You can write custom code to show the dependencies. For examples, see the sample code in the [C# custom telemetry section](#log-custom-telemetry-in-c-functions). The sample code results in an *application map* in Application Insights that looks like the following image: +You can write custom code to show the dependencies. For examples, see the sample code in the [C# custom telemetry section](#log-custom-telemetry-in-c-functions). The sample code results in an *application map* in Application Insights that looks like the following image: -![Application map](media/functions-monitoring/app-map.png) +![Application map](./media/functions-monitoring/app-map.png) -### Report issues +## Report issues To report an issue with Application Insights integration in Functions, or to make a suggestion or request, [create an issue in GitHub](https://github.com/Azure/Azure-Functions/issues/new). -## Monitor without Application Insights +## Streaming Logs -We recommend Application Insights for monitoring functions. It offers more data and better ways to analyze the data. But if you prefer the built-in logging system that uses Azure Storage, you can continue to use that method. +While developing an application, it is often useful to see logging information in near-real time. You can view a stream of log files being generated by your functions either in the Azure portal or in a command-line session on your local computer. 
-### Azure Storage account for logging +This is equivalent to the output seen when you debug your functions during [local development](functions-develop-local.md). For more information, see [How to stream logs](../app-service/troubleshoot-diagnostic-logs.md#streamlogs). -Built-in logging uses the storage account specified by the connection string in the `AzureWebJobsDashboard` app setting. In a function app page, select a function and then select the **Monitor** tab, and choose to keep it in **classic view**. +> [!NOTE] +> Streaming logs support only a single instance of the Functions host. When your function is scaled to multiple instances, data from other instances are not shown in the log stream. The [Live Metrics Stream](../azure-monitor/app/live-stream.md) in Application Insights does supported multiple instances. While also in near real time, streaming analytics are also based on [sampled data](#configure-sampling). -![Switch to classic view](media/functions-monitoring/switch-to-classic-view.png) +### Portal -You get a list of function executions. Select a function execution to review the duration, input data, errors, and associated log files. +To view streaming logs in the portal, select the **Platform features** tab in your function app. Then, under **Monitoring**, choose **Log streaming**. -If you enabled Application Insights, you can return to using built-in logging. Disable Application Insights manually and then select the **Monitor** tab. To disable Application Insights integration, delete the `APPINSIGHTS_INSTRUMENTATIONKEY` app setting. +![Enable streaming logs in the portal](./media/functions-monitoring/enable-streaming-logs-portal.png) -Even if the **Monitor** tab shows Application Insights data, you can see log data in the file system if you haven't [disabled built-in logging](#disable-built-in-logging). In the Storage resource, go to **Files**, and select the file service for the function. 
Then go to **LogFiles** > **Application** > **Functions** > **Function** > **your_function** to see the log file. +This connects your app to the log streaming service and application logs are displayed in the window. You can toggle between **Application logs** and **Web server logs**. -### Real-time monitoring +![View streaming logs in the portal](./media/functions-monitoring/streaming-logs-window.png) -You can stream log files to a command-line session on a local workstation. Use the [Azure Command Line Interface (CLI)](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/overview). +### Azure CLI -For the Azure CLI, use the following commands to sign in, choose your subscription, and stream log files: +You can enable streaming logs by using the [Azure Command Line Interface (CLI)](/cli/azure/install-azure-cli). For the Azure CLI, use the following commands to sign in, choose your subscription, and stream log files: ```azurecli az login az account list az account set --subscription -az webapp log tail --resource-group --name +az webapp log tail --resource-group --name ``` -For Azure PowerShell, use the following commands to add your Azure account, choose your subscription, and stream log files: +### Azure PowerShell + +You can enable streaming logs by using [Azure PowerShell](/powershell/azure/overview). For PowerShell, use the following commands to add your Azure account, choose your subscription, and stream log files: ```powershell Add-AzAccount Get-AzSubscription Get-AzSubscription -SubscriptionName "" | Select-AzSubscription -Get-AzWebSiteLog -Name -Tail +Get-AzWebSiteLog -Name -Tail ``` -For more information, see [How to stream logs](../app-service/troubleshoot-diagnostic-logs.md#streamlogs). +## Disable built-in logging + +When you enable Application Insights, disable the built-in logging that uses Azure Storage. The built-in logging is useful for testing with light workloads, but isn't intended for high-load production use. 
For production monitoring, we recommend Application Insights. If built-in logging is used in production, the logging record might be incomplete because of throttling on Azure Storage. + +To disable built-in logging, delete the `AzureWebJobsDashboard` app setting. For information about how to delete app settings in the Azure portal, see the **Application settings** section of [How to manage a function app](functions-how-to-use-azure-function-app-settings.md#settings). Before you delete the app setting, make sure no existing functions in the same function app use the setting for Azure Storage triggers or bindings. ## Next steps @@ -682,3 +654,5 @@ For more information, see the following resources: * [Application Insights](/azure/application-insights/) * [ASP.NET Core logging](/aspnet/core/fundamentals/logging/) + +[host.json]: functions-host-json.md diff --git a/articles/azure-functions/functions-networking-faq.md b/articles/azure-functions/functions-networking-faq.md index da4333686f655..4868669cb56ad 100644 --- a/articles/azure-functions/functions-networking-faq.md +++ b/articles/azure-functions/functions-networking-faq.md @@ -3,14 +3,14 @@ title: Frequently Asked Questions about Networking in Azure Functions description: Answers to some of the most common questions and scenarios for networking with Azure Functions. services: functions author: alexkarcher-msft -manager: jehollan +manager: jeconnoc ms.service: azure-functions ms.topic: troubleshooting -ms.date: 2/26/2019 -ms.author: alkarche +ms.date: 4/11/2019 +ms.author: alkarche, glenga --- -# Frequently Asked Questions about Networking in Azure Functions +# Frequently asked questions about networking in Azure Functions Below is a list of frequently asked networking questions. For a more comprehensive overview, read the [Functions networking options document](functions-networking-options.md) 
@@ -18,7 +18,7 @@ Below is a list of frequently asked networking questions. For a more comprehensi Deploying a function in an App Service Environment (ASE) is currently the only way to have a static inbound and outbound IP for your function. For details on using an ASE, start with the article here: [Creating and using an ILB ASE](../app-service/environment/create-ilb-ase.md). -## How do I restrict Internet Access to my Function? +## How do I restrict internet access to my Function? You can restrict internet access in a number of ways, listed below. @@ -49,3 +49,13 @@ You can only trigger a function from a resource in a VNET by deploying your func Deploying to an App Service Environment is the only way to create a function app that is wholly inside a VNET For details on using an ILB ASE, start with the article here: [Creating and using an ILB ASE](https://docs.microsoft.com/azure/app-service/environment/create-ilb-ase). For scenarios where you only need one-way access to VNET resources, or less comprehensive network isolation, see the [Functions networking overview](functions-networking-options.md). + +## Next Steps + +To learn more about networking and Functions: + +* [Follow our getting started VNET integration tutorial](./functions-create-vnet.md) +* [Learn more about the networking options in functions here](./functions-networking-options.md) +* [Learn more about VNET integration with App Service / Functions here](../app-service/web-sites-integrate-with-vnet.md) +* [Learn more about VNETs in Azure](../virtual-network/virtual-networks-overview.md) +* [Enable more networking features and control with App Service Environments](../app-service/environment/intro.md) diff --git a/articles/azure-functions/functions-networking-options.md b/articles/azure-functions/functions-networking-options.md index 735c171e25d08..b2d26f633a4c2 100644 --- a/articles/azure-functions/functions-networking-options.md +++ b/articles/azure-functions/functions-networking-options.md 
@@ -3,14 +3,14 @@ title: Azure Functions Networking Options description: An overview of all networking options available in Azure Functions services: functions author: alexkarcher-msft -manager: jehollan +manager: jeconnoc ms.service: azure-functions ms.topic: conceptual -ms.date: 1/14/2019 +ms.date: 4/11/2019 ms.author: alkarche --- -# Azure Functions Networking Options +# Azure Functions networking options This document describes the suite of networking features available across the Azure Functions hosting options. All of the following networking options provide some ability to access resources without using internet routable addresses, or restrict internet access to a Function App. The hosting models all have different levels of network isolation available, and choosing the correct one will allow you to meet your network isolation requirements. 
@@ -22,28 +22,28 @@ Function Apps can be hosted in several different ways. 1. The App Service Plan, which operates at a fixed scale, and offers similar network isolation to the Premium plan. * Functions can also be run on an App Service Environment (ASE) which deploys your function into your VNet and offers full network control and isolation. -## Networking Feature Matrix +## Networking feature matrix | |[Consumption Plan](functions-scale.md#consumption-plan)|⚠ [Premium Plan](functions-scale.md##premium-plan-public-preview)|[App Service Plan](functions-scale.md#app-service-plan)|[App Service Environment](../app-service/environment/intro.md)| |----------------|-----------|----------------|---------|-----------------------| |[**Inbound IP Restrictions**](#inbound-ip-restrictions)|✅Yes|✅Yes|✅Yes|✅Yes| -|[**VNET Integration**](#vnet-integration)|❌No|⚠ Yes|✅Yes|✅Yes| -|[**Preview VNET Integration (Express Route & Service Endpoints)**](#preview-vnet-integration)|❌No|⚠ Yes|⚠ Yes|✅Yes| +|[**VNET Integration**](#vnet-integration)|❌No|❌No|✅Yes|✅Yes| +|[**Preview VNET Integration (Express Route & Service Endpoints)**](#preview-vnet-integration)|❌No|⚠Yes|⚠Yes|✅Yes| |[**Hybrid Connections**](#hybrid-connections)|❌No|❌No|✅Yes|✅Yes| |[**Private Site Access**](#private-site-access)|❌No| ❌No|❌No|✅Yes| ⚠ Preview feature, not for production use -## Inbound IP Restrictions +## Inbound IP restrictions IP Restrictions allow you to define a priority ordered allow/deny list of IP addresses that are allowed to access your app. The allow list can include IPv4 and IPv6 addresses. When there are one or more entries, there is then an implicit deny all that exists at the end of the list. The IP Restrictions capability works with all function hosting options. -> ![IMPORTANT] +> [!NOTE] > To be able to use the Azure portal editor, the portal must be able to directly access your running function app, and the device you're using to access the portal must have its IP whitelisted. 
With network restrictions in place, you can still access any features in the **Platform features** tab. [Learn more here](https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) -## VNET Integration +## VNET integration VNET integration allows your function app to access resources inside a VNET. VNET integration is available in both the Premium plan and App Service plan. If your app is in an App Service Environment, then it's already in a VNet and doesn't require use of the VNet Integration feature to reach resources in the same VNet. @@ -53,7 +53,7 @@ VNet Integration is often used to enable access from apps to a databases and web The generally available version of VNET integration relies on a VPN gateway to connect Function Apps to a virtual network. It is available in Functions hosted in an app service plan. To learn how to configure this feature, see the [App Service document for the same feature](../app-service/web-sites-integrate-with-vnet.md#enabling-vnet-integration). -### Preview VNET Integration +### Preview VNET integration There is a new version of the VNet Integration feature that is in preview. It doesn't depend on point-to-site VPN and also supports accessing resources across ExpressRoute or Service Endpoints. This feature is available in the Premium plan, and in App Service plans scaled to PremiumV2. 
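Review bot: The matrix row changed in the `@@ -22,28 +22,28 @@` hunk now marks VNET Integration as `❌No` for the Premium plan, while the unchanged paragraph under `## VNET integration` still says "VNET integration is available in both the Premium plan and App Service plan." Readers choosing a hosting plan to meet a network-isolation requirement get two different answers. If the matrix is the intended state, the sentence should be narrowed, for example `VNET integration is available in the App Service plan; the Premium plan supports only the preview version described below.` The same hunk replaces the broken `![IMPORTANT]` with `[!NOTE]`; because the text warns that portal editing stops working once IP restrictions apply, `> [!IMPORTANT]` looks like the intended repair. The Premium column link `functions-scale.md##premium-plan-public-preview` also has a doubled `#`.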
@@ -71,7 +71,7 @@ The new version of VNet Integration, which is currently in preview, provides the To learn more about using preview VNET integration, see [Integrate a function app with an Azure Virtual Network](functions-create-vnet.md). -## Hybrid Connections +## Hybrid connections [Hybrid Connections](../service-bus-relay/relay-hybrid-connections-protocol.md) is a feature of Azure Relay that can be used to access application resources in other networks. It provides access from your app to an application endpoint. It cannot be used to access your application. Hybrid Connections is available to functions running in an [App Service plan](functions-scale.md#app-service-plan) and an [App Service Environment](../app-service/environment/intro.md). 
@@ -79,8 +79,18 @@ As used in Functions, each Hybrid Connection correlates to a single TCP host and To learn more, see the [App Service documentation for Hybrid Connections](../app-service/app-service-hybrid-connections.md), which supports both Functions and Web Apps. -## Private Site Access +## Private site access Private site access refers to making your app only accessible from a private network such as from within an Azure virtual network. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB). For details on using an ILB ASE, see [Creating and using an ILB ASE](../app-service/environment/create-ilb-ase.md). There are many ways to access VNET resources in other hosting options, but an ASE is the only way to allow triggers for a function to occur over a VNET. + +## Next steps +To learn more about networking and Functions: + +* [Follow our getting started VNET integration tutorial](./functions-create-vnet.md) +* [Read the Functions networking FAQ here](./functions-networking-faq.md) +* [Learn more about VNET integration with App Service / Functions here](../app-service/web-sites-integrate-with-vnet.md) +* [Learn more about VNETs in Azure](../virtual-network/virtual-networks-overview.md) +* [Enable more networking features and control with App Service Environments](../app-service/environment/intro.md) +* [Connect to individual on-premises resources without firewall changes using Hybrid Connections](../app-service/app-service-hybrid-connections.md) diff --git a/articles/azure-functions/functions-premium-plan.md b/articles/azure-functions/functions-premium-plan.md index b1986e66975ff..3d5a1168269c4 100644 --- a/articles/azure-functions/functions-premium-plan.md +++ b/articles/azure-functions/functions-premium-plan.md @@ -9,7 +9,7 @@ ms.assetid: ms.service: azure-functions ms.devlang: multiple ms.topic: conceptual -ms.date: 01/25/2019 +ms.date: 4/11/2019 ms.author: jehollan --- 
@@ -39,7 +39,7 @@ The following features are available to function apps deployed to a Premium plan If no events and executions occur today in the Consumption plan, your app may scale down to zero instances. When new events come in, a new instance needs to be specialized with your app running on it. Specializing new instances may take some time depending on the app. This additional latency on the first call is often called app cold start. -In the Premium plan, you can have your app pre-warmed on a specified number of instances. Pre-warmed instances also let you pre-scale an app before high load. As the app scales out, it first scales into the pre-warmed instances. Additional instances continue to buffer out and warm immediately in preparation for the next scale operation. By having a buffer of pre-warmed instances, you can effectively avoid cold start latencies. Pre-warmed instances is a feature of the Premium plan, and you need to keep at least one instance running and available at all times the plan is active. +In the Premium plan, you can have your app pre-warmed on a specified number of instances, up to your minimum plan size. Pre-warmed instances also let you pre-scale an app before high load. As the app scales out, it first scales into the pre-warmed instances. Additional instances continue to buffer out and warm immediately in preparation for the next scale operation. By having a buffer of pre-warmed instances, you can effectively avoid cold start latencies. Pre-warmed instances is a feature of the Premium plan, and you need to keep at least one instance running and available at all times the plan is active. You can configure the number of pre-warmed instances in the Azure portal by selecting **Scale Out** in the **Platform Features** tab. 
@@ -67,6 +67,8 @@ Additional compute instances are automatically added for your app using the same Azure Functions in a Consumption plan are limited to 10 minutes for a single execution. In the Premium plan, the run duration defaults to 30 minutes to prevent runaway executions. However, you can [modify the host.json configuration](./functions-host-json.md#functiontimeout) to make this unbounded for Premium plan apps. +In preview, your duration is not guaranteed past 12 minutes and will have the best chance of running beyond 30 minutes if your app is not scaled beyond its minimum worker count. + ## Plan and SKU settings When you create the plan, you configure two settings: the minimum number of instances (or plan size) and the maximum burst limit. The minimum instances for a Premium plan is 1, and the maximum burst during the preview is 20. Minimum instances are reserved and always running. @@ -101,9 +103,8 @@ Below are the currently supported regions for the public preview. |Region| |--| |Australia East| -|Australia Souteast| +|Australia Southeast| |Canada Central| -|Central India| |Central US| |East Asia| |East US 2| diff --git a/articles/azure-functions/functions-reference-node.md b/articles/azure-functions/functions-reference-node.md index d123f830ef78a..5bb2537464722 100644 --- a/articles/azure-functions/functions-reference-node.md +++ b/articles/azure-functions/functions-reference-node.md 
@@ -137,7 +137,7 @@ Outputs (bindings of `direction === "out"`) can be written to by a function in a You can assign data to output bindings in one of the following ways (don't combine these methods): -- **_[Recommended for multiple outputs]_ Returning an object.** If you are using a async/Promise returning function, you can return an object with assigned output data. In the example below, the output bindings are named "httpResponse" and "queueOutput" in *function.json*. +- **_[Recommended for multiple outputs]_ Returning an object.** If you are using an async/Promise returning function, you can return an object with assigned output data. In the example below, the output bindings are named "httpResponse" and "queueOutput" in *function.json*. ```javascript module.exports = async function(context) { diff --git a/articles/azure-functions/functions-run-local.experimental.md b/articles/azure-functions/functions-run-local.experimental.md index 600c0dd6b9f7f..2acaf08fa466f 100644 --- a/articles/azure-functions/functions-run-local.experimental.md +++ b/articles/azure-functions/functions-run-local.experimental.md 
@@ -476,6 +476,15 @@ The following custom container deployment options are available: | **`--min`** | Optionally, sets the minimum number of function app instances to deploy to. | | **`--config`** | Sets an optional deployment configuration file. | +## Monitoring functions + +The recommended way to monitor the execution of your functions is by integrating with Azure Application Insights. When you create a function app in the Azure portal, this integration is done for you by default. However, when you create your function app by using the Azure CLI, the integration in your function app in Azure isn't done. + +To enable Application Insights for your function app: + +[!INCLUDE [functions-connect-new-app-insights.md](../../includes/functions-connect-new-app-insights.md)] + +To learn more, see [Monitor Azure Functions](functions-monitoring.md). ## Next steps Azure Functions Core Tools is [open source and hosted on GitHub](https://github.com/azure/azure-functions-cli). diff --git a/articles/azure-functions/functions-run-local.md b/articles/azure-functions/functions-run-local.md index 7937cb73a2401..5111eade33f53 100644 --- a/articles/azure-functions/functions-run-local.md +++ b/articles/azure-functions/functions-run-local.md 
@@ -465,6 +465,16 @@ The following custom container deployment options are available: | **`--min`** | Optionally, sets the minimum number of function app instances to deploy to. | | **`--config`** | Sets an optional deployment configuration file. | +## Monitoring functions + +The recommended way to monitor the execution of your functions is by integrating with Azure Application Insights. When you create a function app in the Azure portal, this integration is done for you by default. However, when you create your function app by using the Azure CLI, the integration in your function app in Azure isn't done. + +To enable Application Insights for your function app: + +[!INCLUDE [functions-connect-new-app-insights.md](../../includes/functions-connect-new-app-insights.md)] + +To learn more, see [Monitor Azure Functions](functions-monitoring.md). + ## Next steps Azure Functions Core Tools is [open source and hosted on GitHub](https://github.com/azure/azure-functions-cli). diff --git a/articles/azure-functions/functions-runtime-install.md b/articles/azure-functions/functions-runtime-install.md index 8398416481c02..c4c1a2aed3cb8 100644 --- a/articles/azure-functions/functions-runtime-install.md +++ b/articles/azure-functions/functions-runtime-install.md @@ -15,6 +15,8 @@ ms.author: anwestg --- # Install the Azure Functions Runtime preview 2 +[!INCLUDE [intro](../../includes/functions-runtime-preview-note.md)] + If you would like to install the Azure Functions Runtime preview 2, follow these steps: 1. Ensure your machine passes the minimum requirements. 
@@ -98,36 +100,37 @@ To complete the Azure Functions Runtime installation, you must complete the conf To create your first function in Azure Functions Runtime preview -1. Browse to the **Azure Functions Runtime Portal** as https://. for example https://mycomputer.mydomain.com +1. Browse to the **Azure Functions Runtime Portal** as `https://.` for example `https://mycomputer.mydomain.com`. + 1. You are prompted to **Log in**, if deployed in a domain use your domain account username and password, otherwise use your local account username and password to log in to the portal. -![Azure Functions Runtime preview portal login][14] + ![Azure Functions Runtime preview portal login][14] -1. To create function apps, you must create a Subscription. In the top left-hand corner of the portal, click the **+** option next to the subscriptions +1. To create function apps, you must create a Subscription. In the top left-hand corner of the portal, click the **+** option next to the subscriptions. -![Azure Functions Runtime preview portal subscriptions][15] + ![Azure Functions Runtime preview portal subscriptions][15] 1. Choose **DefaultPlan**, enter a name for your Subscription, and click **Create**. -![Azure Functions Runtime preview portal subscription plan and name][16] + ![Azure Functions Runtime preview portal subscription plan and name][16] 1. All of your function apps are listed in the left-hand pane of the portal. To create a new Function App, select the heading **Function Apps** and click the **+** option. 1. Enter a name for your function app, select the correct Subscription, choose which version of the Azure Functions runtime you wish to program against and click **Create** -![Azure Functions Runtime preview portal new function app][17] + ![Azure Functions Runtime preview portal new function app][17] 1. Your new function app is listed in the left-hand pane of the portal. Select Functions and then click **New Function** at the top of the center pane in the portal. 
-![Azure Functions Runtime preview templates][18] + ![Azure Functions Runtime preview templates][18] 1. Select the Timer Trigger function, in the right-hand flyout name your function and change the Schedule to `*/5 * * * * *` (this cron expression causes your timer function to execute every five seconds), and click **Create** -![Azure Functions Runtime preview new timer function configuration][19] + ![Azure Functions Runtime preview new timer function configuration][19] 1. Your function has now been created. You can view the execution log of your Function app by expanding the **log** pane at the bottom of the portal. -![Azure Functions Runtime preview function executing][20] + ![Azure Functions Runtime preview function executing][20] [1]: ./media/functions-runtime-install/AzureFunctionsRuntime_Installer1.png diff --git a/articles/azure-functions/functions-runtime-overview.md b/articles/azure-functions/functions-runtime-overview.md index c2873e31ad347..e301e58301a96 100644 --- a/articles/azure-functions/functions-runtime-overview.md +++ b/articles/azure-functions/functions-runtime-overview.md @@ -14,6 +14,8 @@ ms.author: anwestg --- # Azure Functions Runtime Overview (preview) +[!INCLUDE [intro](../../includes/functions-runtime-preview-note.md)] + The Azure Functions Runtime (preview) provides a new way for you to take advantage of the simplicity and flexibility of the Azure Functions programming model on-premises. Built on the same open source roots as Azure Functions, Azure Functions Runtime is deployed on-premises to provide a nearly identical development experience as the cloud service. ![Azure Functions Runtime Preview Portal][1] diff --git a/articles/azure-functions/functions-scale.md b/articles/azure-functions/functions-scale.md index 6d200b4f17173..70bac6e3ce971 100644 --- a/articles/azure-functions/functions-scale.md +++ b/articles/azure-functions/functions-scale.md 
@@ -22,7 +22,7 @@ ms.custom: H1Hack27Feb2017 Azure Functions runs in two different plans: Consumption plan and Premium plan (public preview). The Consumption plan automatically adds compute power when your code is running. Your app is scaled out when needed to handle load, and scaled down when code stops running. You don't have to pay for idle VMs or reserve capacity in advance. The Premium plan will also automatically scale and add additional compute power when your code is running. The Premium plan comes with additional features like premium compute instances, the ability to keep instances warm indefinitely, and VNet connectivity. If you have an existing App Service Plan, you can also run your function apps within them. > [!NOTE] -> Both [Premium plan](https://azure.microsoft.com/blog/uncompromised-serverless-scale-for-enterprise-workloads-with-the-azure-functions-premium-plan/preview/) and [Consumption plan for Linux](https://azure.microsoft.com/updates/azure-functions-consumption-plan-for-linux-preview/) are currently in preview. +> Both [Premium plan](https://aka.ms/functions-premiumplan) and [Consumption plan for Linux](https://azure.microsoft.com/updates/azure-functions-consumption-plan-for-linux-preview/) are currently in preview. If you aren't familiar with Azure Functions, see the [Azure Functions overview](functions-overview.md). diff --git a/articles/azure-functions/functions-test-a-function.md b/articles/azure-functions/functions-test-a-function.md index c6c6aebb75a51..f01de93491b2f 100644 --- a/articles/azure-functions/functions-test-a-function.md +++ b/articles/azure-functions/functions-test-a-function.md @@ -10,7 +10,7 @@ keywords: azure functions, functions, event processing, webhooks, dynamic comput ms.service: azure-functions ms.devlang: multiple ms.topic: conceptual -ms.date: 030/25/2019 +ms.date: 03/25/2019 ms.author: cshoe --- 
@@ -249,6 +249,8 @@ The members implemented in this class are: - **Timer_should_log_message**: This test creates an instance of `ListLogger` and passes it to a timer functions. Once the function is run, then the log is checked to ensure the expected message is present. +If you want to access application settings in your tests, you can use [System.Environment.GetEnvironmentVariable](./functions-dotnet-class-library.md#environment-variables). + ### Run tests To run the tests, navigate to the **Test Explorer** and click **Run all**. diff --git a/articles/azure-functions/manage-connections.md b/articles/azure-functions/manage-connections.md index ca157dfa5018d..db82daf81f342 100644 --- a/articles/azure-functions/manage-connections.md +++ b/articles/azure-functions/manage-connections.md 
@@ -21,6 +21,8 @@ The number of available connections is limited partly because a function app run This limit is per instance. When the [scale controller adds function app instances](functions-scale.md#how-the-consumption-and-premium-plans-work) to handle more requests, each instance has an independent connection limit. That means there's no global connection limit, and you can have much more than 600 active connections across all active instances. +When troubleshooting, make sure that you have enabled Application Insights for your function app. Application Insights lets you view metrics for your function apps like executions. For more information, see [View telemetry in Application Insights](functions-monitoring.md#view-telemetry-in-application-insights). + ## Static clients To avoid holding more connections than necessary, reuse client instances rather than creating new ones with each function invocation. We recommend reusing client connections for any language that you might write your function in. For example, .NET clients like the [HttpClient](https://msdn.microsoft.com/library/system.net.http.httpclient(v=vs.110).aspx), [DocumentClient](https://docs.microsoft.com/dotnet/api/microsoft.azure.documents.client.documentclient diff --git a/articles/azure-functions/media/functions-create-vnet/Create-Proxy.PNG b/articles/azure-functions/media/functions-create-vnet/Create-Proxy.PNG deleted file mode 100644 index fc4c48ad9afd0..0000000000000 Binary files a/articles/azure-functions/media/functions-create-vnet/Create-Proxy.PNG and /dev/null differ diff --git a/articles/azure-functions/media/functions-create-vnet/Create-VM-2.PNG b/articles/azure-functions/media/functions-create-vnet/Create-VM-2.PNG deleted file mode 100644 index fef46685f22d0..0000000000000 Binary files a/articles/azure-functions/media/functions-create-vnet/Create-VM-2.PNG and /dev/null differ 
diff --git a/articles/azure-functions/media/functions-create-vnet/Networking-1.PNG b/articles/azure-functions/media/functions-create-vnet/Networking-1.PNG
deleted file mode 100644
index abc8831342f9f..0000000000000
Binary files a/articles/azure-functions/media/functions-create-vnet/Networking-1.PNG and /dev/null differ
diff --git a/articles/azure-functions/media/functions-create-vnet/Networking-2.PNG b/articles/azure-functions/media/functions-create-vnet/Networking-2.PNG
deleted file mode 100644
index 048e87e39e25e..0000000000000
Binary files a/articles/azure-functions/media/functions-create-vnet/Networking-2.PNG and /dev/null differ
diff --git a/articles/azure-functions/media/functions-create-vnet/Networking-3.PNG b/articles/azure-functions/media/functions-create-vnet/Networking-3.PNG
deleted file mode 100644
index c45a285851b85..0000000000000
Binary files a/articles/azure-functions/media/functions-create-vnet/Networking-3.PNG and /dev/null differ
diff --git a/articles/azure-functions/media/functions-create-vnet/New-Proxy.PNG b/articles/azure-functions/media/functions-create-vnet/New-Proxy.PNG
deleted file mode 100644
index 0c51dbba53ed8..0000000000000
Binary files a/articles/azure-functions/media/functions-create-vnet/New-Proxy.PNG and /dev/null differ
diff --git a/articles/azure-functions/media/functions-create-vnet/Plant.PNG b/articles/azure-functions/media/functions-create-vnet/Plant.PNG
deleted file mode 100644
index f825b693eaec1..0000000000000
Binary files a/articles/azure-functions/media/functions-create-vnet/Plant.PNG and /dev/null differ
diff --git a/articles/azure-functions/media/functions-create-vnet/VM-Networking.png b/articles/azure-functions/media/functions-create-vnet/VM-Networking.png
deleted file mode 100644
index 32ffb01fad506..0000000000000
Binary files a/articles/azure-functions/media/functions-create-vnet/VM-Networking.png and /dev/null differ
diff --git a/articles/azure-functions/media/functions-create-vnet/configure-VNET.PNG b/articles/azure-functions/media/functions-create-vnet/configure-VNET.PNG
deleted file mode 100644
index c83380d47297c..0000000000000
Binary files a/articles/azure-functions/media/functions-create-vnet/configure-VNET.PNG and /dev/null differ
diff --git a/articles/azure-functions/media/functions-create-vnet/create-VM-1.png b/articles/azure-functions/media/functions-create-vnet/create-VM-1.png
deleted file mode 100644
index 8781f9e9bb8a4..0000000000000
Binary files a/articles/azure-functions/media/functions-create-vnet/create-VM-1.png and /dev/null differ
diff --git a/articles/azure-functions/media/functions-monitoring/add-ai-key.png b/articles/azure-functions/media/functions-monitoring/add-ai-key.png
deleted file mode 100644
index 8bc28c8df0855..0000000000000
Binary files a/articles/azure-functions/media/functions-monitoring/add-ai-key.png and /dev/null differ
diff --git a/articles/azure-functions/media/functions-monitoring/ai-analytics-invocation-list.png b/articles/azure-functions/media/functions-monitoring/ai-analytics-invocation-list.png
index 5c31aea242416..9f62933c50b37 100644
Binary files a/articles/azure-functions/media/functions-monitoring/ai-analytics-invocation-list.png and b/articles/azure-functions/media/functions-monitoring/ai-analytics-invocation-list.png differ
diff --git a/articles/azure-functions/media/functions-monitoring/ai-general.png b/articles/azure-functions/media/functions-monitoring/ai-general.png
deleted file mode 100644
index e92722c8bb9f2..0000000000000
Binary files a/articles/azure-functions/media/functions-monitoring/ai-general.png and /dev/null differ
diff --git a/articles/azure-functions/media/functions-monitoring/copy-ai-key.png b/articles/azure-functions/media/functions-monitoring/copy-ai-key.png
deleted file mode 100644
index abca5ee4c9eab..0000000000000
Binary files a/articles/azure-functions/media/functions-monitoring/copy-ai-key.png and /dev/null differ
diff --git a/articles/azure-functions/media/functions-monitoring/enable-ai-new-function-app.png b/articles/azure-functions/media/functions-monitoring/enable-ai-new-function-app.png
index 0b1ac93d8acbe..048c722f2c76f 100644
Binary files a/articles/azure-functions/media/functions-monitoring/enable-ai-new-function-app.png and b/articles/azure-functions/media/functions-monitoring/enable-ai-new-function-app.png differ
diff --git a/articles/azure-functions/media/functions-monitoring/enable-streaming-logs-portal.png b/articles/azure-functions/media/functions-monitoring/enable-streaming-logs-portal.png
new file mode 100644
index 0000000000000..3e7a369c43ab6
Binary files /dev/null and b/articles/azure-functions/media/functions-monitoring/enable-streaming-logs-portal.png differ
diff --git a/articles/azure-functions/media/functions-monitoring/failures.png b/articles/azure-functions/media/functions-monitoring/failures.png
deleted file mode 100644
index 8dd011ba84daf..0000000000000
Binary files a/articles/azure-functions/media/functions-monitoring/failures.png and /dev/null differ
diff --git a/articles/azure-functions/media/functions-monitoring/live-stream.png b/articles/azure-functions/media/functions-monitoring/live-stream.png
deleted file mode 100644
index 7cdbcabff6f8f..0000000000000
Binary files a/articles/azure-functions/media/functions-monitoring/live-stream.png and /dev/null differ
diff --git a/articles/azure-functions/media/functions-monitoring/metrics-explorer.png b/articles/azure-functions/media/functions-monitoring/metrics-explorer.png
index 06021a2a27174..fd561135c64a5 100644
Binary files a/articles/azure-functions/media/functions-monitoring/metrics-explorer.png and b/articles/azure-functions/media/functions-monitoring/metrics-explorer.png differ
diff --git a/articles/azure-functions/media/functions-monitoring/performance.png b/articles/azure-functions/media/functions-monitoring/performance.png
deleted file mode 100644
index 37de53266d3cf..0000000000000
Binary files a/articles/azure-functions/media/functions-monitoring/performance.png and /dev/null differ
diff --git a/articles/azure-functions/media/functions-monitoring/run-in-ai.png b/articles/azure-functions/media/functions-monitoring/run-in-ai.png
index 888cf41f03659..ebfb72b5e9c1b 100644
Binary files a/articles/azure-functions/media/functions-monitoring/run-in-ai.png and b/articles/azure-functions/media/functions-monitoring/run-in-ai.png differ
diff --git a/articles/azure-functions/media/functions-monitoring/servers.png b/articles/azure-functions/media/functions-monitoring/servers.png
deleted file mode 100644
index f2095825d270e..0000000000000
Binary files a/articles/azure-functions/media/functions-monitoring/servers.png and /dev/null differ
diff --git a/articles/azure-functions/media/functions-monitoring/streaming-logs-window.png b/articles/azure-functions/media/functions-monitoring/streaming-logs-window.png
new file mode 100644
index 0000000000000..946aa378e9494
Binary files /dev/null and b/articles/azure-functions/media/functions-monitoring/streaming-logs-window.png differ
diff --git a/articles/azure-government/connect-with-azure-pipelines.md b/articles/azure-government/connect-with-azure-pipelines.md
index e2f8f6945f92e..393e516f42ba3 100644
--- a/articles/azure-government/connect-with-azure-pipelines.md
+++ b/articles/azure-government/connect-with-azure-pipelines.md
@@ -25,13 +25,15 @@ This article helps you use Azure Pipelines to set up continuous integration (CI) [Azure Pipelines](https://docs.microsoft.com/azure/devops/pipelines/get-started/?view=vsts) is used by teams to configure continuous deployment for applications hosted in Azure subscriptions. We can use this service for applications running in Azure Government by defining [service connections](https://docs.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=vsts) for Azure Government. +[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] + ## Prerequisites Before starting this tutorial, you must have the following: + [Create an organization in Azure DevOps](https://docs.microsoft.com/azure/devops/organizations/accounts/create-organization?view=vsts) + [Create and add a project to the Azure DevOps organization](https://docs.microsoft.com/azure/devops/organizations/projects/create-project?toc=%2Fazure%2Fdevops%2Fuser-guide%2Ftoc.json&%3Bbc=%2Fazure%2Fdevops%2Fuser-guide%2Fbreadcrumb%2Ftoc.json&view=vsts&tabs=new-nav) -+ Install and set up [Azure Powershell](https://docs.microsoft.com/powershell/azure/azurerm/install-azurerm-ps) ++ Install and set up [Azure Powershell](https://docs.microsoft.com/powershell/azure/install-az-ps) If you don't have an active Azure Government subscription, create a [free account](https://azure.microsoft.com/overview/clouds/government/) before you begin. 
@@ -62,7 +64,7 @@ AzureUSGovernment." This sets the service principal to be created in Azure Gover 4. Navigate to the directory that has the edited script above. 5. Edit the following command with the name of your script and run: `./` -6. The "subscriptionName" parameter can be found by logging into your Azure Government subscription with `Connect-AzureRmAccount -EnvironmentName AzureUSGovernment` and then running `Get-AzureSubscription`. +6. The "subscriptionName" parameter can be found by logging into your Azure Government subscription with `Connect-AzAccount -EnvironmentName AzureUSGovernment` and then running `Get-AzureSubscription`. 7. When prompted for the "password" parameter, enter your desired password. 8. After providing your Azure Government subscription credentials, you should see the following: diff --git a/articles/azure-government/documentation-government-aad-auth-qs.md b/articles/azure-government/documentation-government-aad-auth-qs.md index 3a8735a41ffa4..549d1f9a5be0d 100644 --- a/articles/azure-government/documentation-government-aad-auth-qs.md +++ b/articles/azure-government/documentation-government-aad-auth-qs.md @@ -51,7 +51,7 @@ This section shows how to integrate Azure AD using the OpenID Connect protocol f ### Step 2: Configure your app to use your Azure AD tenant #### Azure Government Variations The only variation when setting up Azure AD Authorization on the Azure Government cloud is in the Azure AD Instance: -- "https:\//login.microsoftonline.us" +- "https:\//login.microsoftonline.us" #### Configure the InventoryApp project 1. Open your application in Visual Studio 2017. 
@@ -76,7 +76,7 @@ The only variation when setting up Azure AD Authorization on the Azure Governmen ``` 4. Fill out the `ClientId` property with the Client ID for your app from the Azure Government portal. You can find the Client ID by navigating to Azure AD -> App Registrations -> Your Application -> Application ID. 5. Fill out the `TenantId` property with the Tenant ID for your app from the Azure Government portal. You can find the Tenant ID by navigating to Azure AD -> Properties -> Directory ID. -6. Fill out the `Domain` property with ".onmicrosoft.com." +6. Fill out the `Domain` property with `.onmicrosoft.com`. 7. Open the `startup.cs` file. 8. In your `ConfigureServices` method, add the following code: diff --git a/articles/azure-government/documentation-government-cognitiveservices.md b/articles/azure-government/documentation-government-cognitiveservices.md index 0ac79116cac7c..cb7258894337d 100644 --- a/articles/azure-government/documentation-government-cognitiveservices.md +++ b/articles/azure-government/documentation-government-cognitiveservices.md @@ -26,7 +26,10 @@ To see an overview of Cognitive Services on Azure Government, [click here](docum > Billing for the Computer Vision API, Face API, and Translator Text API will begin on 11/1/2018. ## Prerequisites -* Install and Configure [Azure PowerShell](https://docs.microsoft.com/powershell/azure/azurerm/install-azurerm-ps) + +[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] + +* Install and Configure [Azure PowerShell](/powershell/azure/install-az-ps) * Connect [PowerShell with Azure Government](documentation-government-get-started-connect-with-ps.md) ## Part 1: Provision Cognitive Services Accounts 
@@ -43,11 +46,11 @@ In order to access any of the Cognitive Services APIs, you must first provision You can do this by **running the following PowerShell command:** ```powershell - Get-AzureRmResourceProvider + Get-AzResourceProvider ``` If you do **not see `Microsoft.CognitiveServices`**, you have to register the resource provider by **running the following command**: ```powershell - Register-AzureRmResourceProvider -ProviderNamespace Microsoft.CognitiveServices + Register-AzResourceProvider -ProviderNamespace Microsoft.CognitiveServices ``` 2. In the PowerShell command below, replace "rg-name", "name-of-your-api", and "location-of-resourcegroup" with your relevant account information. @@ -57,12 +60,12 @@ In order to access any of the Cognitive Services APIs, you must first provision * TextTranslation ```powershell - New-AzureRmCognitiveServicesAccount -ResourceGroupName 'rg-name' -name 'name-of-your-api' -Type -SkuName S0 -Location 'location-of-resourcegroup' + New-AzCognitiveServicesAccount -ResourceGroupName 'rg-name' -name 'name-of-your-api' -Type -SkuName S0 -Location 'location-of-resourcegroup' ``` Example: ```powershell - New-AzureRmCognitiveServicesAccount -ResourceGroupName 'resourcegrouptest' -name 'myFaceAPI' -Type Face -SkuName S0 -Location 'usgovvirginia' + New-AzCognitiveServicesAccount -ResourceGroupName 'resourcegrouptest' -name 'myFaceAPI' -Type Face -SkuName S0 -Location 'usgovvirginia' ``` After you run the command, you should see something like this: 
@@ -78,12 +81,12 @@ You must retrieve an account key to access the specific API. In the PowerShell command below, replace the "youraccountname" tag with the name that you gave the Account that you created above. Replace the 'rg-name' tag with the name of your resource group. ```powershell -Get-AzureRmCognitiveServicesAccountKey -Name -ResourceGroupName 'rg-name' +Get-AzCognitiveServicesAccountKey -Name -ResourceGroupName 'rg-name' ``` Example: ```powershell -Get-AzureRmCognitiveServicesAccountKey -Name myFaceAPI -ResourceGroupName 'resourcegrouptest' +Get-AzCognitiveServicesAccountKey -Name myFaceAPI -ResourceGroupName 'resourcegrouptest' ``` Copy and save the first key somewhere as you will need it to make calls to the API. diff --git a/articles/azure-government/documentation-government-extension.md b/articles/azure-government/documentation-government-extension.md index b92961b93f02d..ae3ecd50ca524 100644 --- a/articles/azure-government/documentation-government-extension.md +++ b/articles/azure-government/documentation-government-extension.md 
@@ -20,15 +20,17 @@ ms.author: gsacavdm # Azure Government virtual machine extensions This document contains a list of available [virtual machine extensions](../virtual-machines/windows/extensions-features.md) in Azure Government. If you'd like to see other extensions in Azure Government, please request them via the [Azure Government Feedback Forum](https://feedback.azure.com/forums/558487-azure-government). +[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] + ## Virtual machine extensions The list of virtual machine extensions available in Azure Government can be obtained by [connecting to Azure Government via PowerShell](documentation-government-get-started-connect-with-ps.md) and running the following commands: ```powershell -Connect-AzureRmAccount -Environment AzureUSGovernment +Connect-AzAccount -Environment AzureUSGovernment -Get-AzureRmVmImagePublisher -Location USGovVirginia | ` -Get-AzureRmVMExtensionImageType | ` -Get-AzureRmVMExtensionImage | Select Type, Version +Get-AzVmImagePublisher -Location USGovVirginia | ` +Get-AzVMExtensionImageType | ` +Get-AzVMExtensionImage | Select Type, Version ``` - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/articles/biztalk-services/media/index/azuredefaultblack.svg b/articles/biztalk-services/media/index/azuredefaultblack.svg deleted file mode 100644 index c7575a9aa6e93..0000000000000 --- a/articles/biztalk-services/media/index/azuredefaultblack.svg +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - diff --git a/articles/biztalk-services/media/index/biztalk-services.svg b/articles/biztalk-services/media/index/biztalk-services.svg deleted file mode 100644 index db1052a102b53..0000000000000 --- a/articles/biztalk-services/media/index/biztalk-services.svg +++ /dev/null @@ -1,15 +0,0 @@ - - - - - - - - - 
diff --git a/articles/biztalk-services/media/index/deploy.svg b/articles/biztalk-services/media/index/deploy.svg deleted file mode 100644 index 92d9010ae30d9..0000000000000 --- a/articles/biztalk-services/media/index/deploy.svg +++ /dev/null @@ -1,46 +0,0 @@ - - - - - - - - - - - - - - - - - - - - diff --git a/articles/biztalk-services/media/index/gear.svg b/articles/biztalk-services/media/index/gear.svg deleted file mode 100644 index 419fbce9c9c37..0000000000000 --- a/articles/biztalk-services/media/index/gear.svg +++ /dev/null @@ -1,63 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/articles/biztalk-services/media/index/get-started.svg b/articles/biztalk-services/media/index/get-started.svg deleted file mode 100644 index 03646c34c1dfe..0000000000000 --- a/articles/biztalk-services/media/index/get-started.svg +++ /dev/null @@ -1,53 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - diff --git a/articles/biztalk-services/media/index/guide.svg b/articles/biztalk-services/media/index/guide.svg deleted file mode 100644 index ba1f476a0193a..0000000000000 --- a/articles/biztalk-services/media/index/guide.svg +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - - - - - - - diff --git a/articles/biztalk-services/media/index/placeholder.svg b/articles/biztalk-services/media/index/placeholder.svg deleted file mode 100644 index a482e7e3d44e1..0000000000000 --- a/articles/biztalk-services/media/index/placeholder.svg +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/articles/biztalk-services/media/index/tutorial.svg b/articles/biztalk-services/media/index/tutorial.svg deleted file mode 100644 index fb824bf6365fc..0000000000000 --- a/articles/biztalk-services/media/index/tutorial.svg +++ /dev/null @@ -1,54 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
diff --git a/articles/biztalk-services/media/index/video-library.svg b/articles/biztalk-services/media/index/video-library.svg deleted file mode 100644 index 45f0d2e45195e..0000000000000 --- a/articles/biztalk-services/media/index/video-library.svg +++ /dev/null @@ -1,67 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/articles/biztalk-services/media/integration-hybrid-connection-create-manage/WABS_HybridConnectionManageConn.png b/articles/biztalk-services/media/integration-hybrid-connection-create-manage/WABS_HybridConnectionManageConn.png deleted file mode 100644 index b8b3403d855b3..0000000000000 Binary files a/articles/biztalk-services/media/integration-hybrid-connection-create-manage/WABS_HybridConnectionManageConn.png and /dev/null differ diff --git a/articles/biztalk-services/media/integration-hybrid-connection-create-manage/WABS_HybridConnectionOnPremSetup.png b/articles/biztalk-services/media/integration-hybrid-connection-create-manage/WABS_HybridConnectionOnPremSetup.png deleted file mode 100644 index a0ca4ad89aa39..0000000000000 Binary files a/articles/biztalk-services/media/integration-hybrid-connection-create-manage/WABS_HybridConnectionOnPremSetup.png and /dev/null differ diff --git a/articles/biztalk-services/media/integration-hybrid-connection-create-manage/WABS_HybridConnectionTab.png b/articles/biztalk-services/media/integration-hybrid-connection-create-manage/WABS_HybridConnectionTab.png deleted file mode 100644 index 0bae8fd246fec..0000000000000 Binary files a/articles/biztalk-services/media/integration-hybrid-connection-create-manage/WABS_HybridConnectionTab.png and /dev/null differ 
diff --git a/articles/biztalk-services/media/integration-hybrid-connection-overview/WABS_HybridConnectionImage.png b/articles/biztalk-services/media/integration-hybrid-connection-overview/WABS_HybridConnectionImage.png
deleted file mode 100644
index 01a1f180e9809..0000000000000
Binary files a/articles/biztalk-services/media/integration-hybrid-connection-overview/WABS_HybridConnectionImage.png and /dev/null differ
diff --git a/articles/blockchain/templates/ethereum-poa-deployment.md b/articles/blockchain/templates/ethereum-poa-deployment.md
index b0142e37b280d..8cc34db43b64c 100644
--- a/articles/blockchain/templates/ethereum-poa-deployment.md
+++ b/articles/blockchain/templates/ethereum-poa-deployment.md
@@ -5,7 +5,7 @@ services: azure-blockchain
 keywords:
 author: CodyBorn
 ms.author: coborn
-ms.date: 8/2/2018
+ms.date: 04/08/2019
 ms.topic: article
 ms.service: azure-blockchain
 ms.reviewer: brendal
@@ -402,7 +402,7 @@ Network ID|The network ID for the consortium Ethereum network being deployed. E Admin Ethereum Address|Ethereum account address that is used for participating in PoA governance. We recommend using MetaMask for generating an Ethereum address.|42 alphanumeric characters starting with 0x|NA Advanced Options|Advanced options for Ethereum settings|Enable or Disable|Disable Public IP (Advanced Options = Enable)|Deploys the network behind a VNet Gateway and removes peering access. If this option is selected, all members must use a VNet Gateway for the connection to be compatible.|Public IP Private VNet|Public IP -Block Gas Limit (Advanced Options = Enable)|The starting block gas limit of the network|Any numeric|50,000,00 +Block Gas Limit (Advanced Options = Enable)|The starting block gas limit of the network|Any numeric|50000000 Block Reseal Period (sec)|The frequency at which empty blocks will be created when there are no transactions on the network. A higher frequency will have faster finality but increased storage costs.|Any numeric|15 Transaction Permission Contract (Advanced Options = Enable)|Bytecode for the Transaction Permissioning contract. Restricts smart contract deployment and execution to a permitted list of Ethereum accounts.|Contract bytecode|NA diff --git a/articles/blockchain/workbench/configuration.md b/articles/blockchain/workbench/configuration.md index 5bb1ff6aacdb0..1860e6b46297b 100644 --- a/articles/blockchain/workbench/configuration.md +++ b/articles/blockchain/workbench/configuration.md @@ -5,7 +5,7 @@ services: azure-blockchain keywords: author: PatAltimore ms.author: patricka -ms.date: 01/08/2019 +ms.date: 04/15/2019 ms.topic: article ms.service: azure-blockchain ms.reviewer: brendal 
@@ -13,7 +13,7 @@ manager: femila --- # Azure Blockchain Workbench configuration reference - Azure Blockchain Workbench applications are multi-party workflows defined by configuration metadata and smart contract code. Configuration metadata defines the high-level workflows and interaction model of the blockchain application. Smart contracts define the business logic of the blockchain application. Workbench uses configuration and smart contract code to generate blockchain application user experiences. +Azure Blockchain Workbench applications are multi-party workflows defined by configuration metadata and smart contract code. Configuration metadata defines the high-level workflows and interaction model of the blockchain application. Smart contracts define the business logic of the blockchain application. Workbench uses configuration and smart contract code to generate blockchain application user experiences. Configuration metadata specifies the following information for each blockchain application: diff --git a/articles/blockchain/workbench/create-app.md b/articles/blockchain/workbench/create-app.md index 8b03da9492bbf..6a1eb2f919612 100644 --- a/articles/blockchain/workbench/create-app.md +++ b/articles/blockchain/workbench/create-app.md @@ -5,7 +5,7 @@ services: azure-blockchain keywords: author: PatAltimore ms.author: patricka -ms.date: 01/08/2019 +ms.date: 04/15/2019 ms.topic: tutorial ms.service: azure-blockchain ms.reviewer: brendal diff --git a/articles/blockchain/workbench/deploy.md b/articles/blockchain/workbench/deploy.md index 4d348c8ea1829..d57f7af798ae7 100644 --- a/articles/blockchain/workbench/deploy.md +++ b/articles/blockchain/workbench/deploy.md @@ -5,7 +5,7 @@ services: azure-blockchain keywords: author: PatAltimore ms.author: patricka -ms.date: 1/8/2019 +ms.date: 04/15/2019 ms.topic: article ms.service: azure-blockchain ms.reviewer: brendal 
diff --git a/articles/blockchain/workbench/use-api.md b/articles/blockchain/workbench/use-api.md
index d0e8ef724811f..ffd2cd56e3bb5 100644
--- a/articles/blockchain/workbench/use-api.md
+++ b/articles/blockchain/workbench/use-api.md
@@ -5,7 +5,7 @@ services: azure-blockchain
 keywords:
 author: PatAltimore
 ms.author: patricka
-ms.date: 02/21/2019
+ms.date: 04/15/2019
 ms.topic: article
 ms.service: azure-blockchain
 ms.reviewer: zeyadr
diff --git a/articles/blockchain/workbench/use.md b/articles/blockchain/workbench/use.md
index 35ae72b86dab7..74a9b0221a1a6 100644
--- a/articles/blockchain/workbench/use.md
+++ b/articles/blockchain/workbench/use.md
@@ -5,7 +5,7 @@ services: azure-blockchain
 keywords:
 author: PatAltimore
 ms.author: patricka
-ms.date: 01/08/2019
+ms.date: 04/15/2019
 ms.topic: tutorial
 ms.service: azure-blockchain
 ms.reviewer: brendal
@@ -36,9 +36,9 @@ You'll learn how to: You need to sign in as a member of the Blockchain Workbench. If there are no applications listed, you are a member of Blockchain Workbench but not a member of any applications. The Blockchain Workbench administrator can assign members to applications. -## Create new contract +## Create new contract -To create a new contract, you need to be a member specified as an contract **initiator**. For information defining application roles and initiators for the contract, see [workflows in the configuration overview](configuration.md#workflows). For information on assigning members to application roles, see [add a member to application](manage-users.md#add-member-to-application). +To create a new contract, you need to be a member specified as a contract **initiator**. For information defining application roles and initiators for the contract, see [workflows in the configuration overview](configuration.md#workflows). For information on assigning members to application roles, see [add a member to application](manage-users.md#add-member-to-application). 1. In Blockchain Workbench application section, select the application tile that contains the contract you want to create. A list of active contracts is displayed. diff --git a/articles/blockchain/workbench/version-app.md b/articles/blockchain/workbench/version-app.md index f8a5cd3417c29..e2b56264b8d5e 100644 --- a/articles/blockchain/workbench/version-app.md +++ b/articles/blockchain/workbench/version-app.md @@ -5,7 +5,7 @@ services: azure-blockchain keywords: author: PatAltimore ms.author: patricka -ms.date: 1/8/2019 +ms.date: 04/15/2019 ms.topic: article ms.service: azure-blockchain ms.reviewer: brendal diff --git a/articles/cdn/cdn-cors.md b/articles/cdn/cdn-cors.md index 9a9c4ca246861..99beb46858d38 100644 --- a/articles/cdn/cdn-cors.md +++ b/articles/cdn/cdn-cors.md 
@@ -28,7 +28,7 @@ There are two types of CORS requests, *simple requests* and *complex requests.* 1. The browser sends the CORS request with an additional **Origin** HTTP request header. The value of this header is the origin that served the parent page, which is defined as the combination of *protocol,* *domain,* and *port.* When a page from https://www.contoso.com attempts to access a user's data in the fabrikam.com origin, the following request header would be sent to fabrikam.com: - `Origin: https://www.contoso.com` + `Origin: https:\//www.contoso.com` 2. The server may respond with any of the following: diff --git a/articles/cdn/cdn-create-endpoint-how-to.md b/articles/cdn/cdn-create-endpoint-how-to.md index d34478b8a8710..f9e69c6605dc4 100644 --- a/articles/cdn/cdn-create-endpoint-how-to.md +++ b/articles/cdn/cdn-create-endpoint-how-to.md @@ -40,7 +40,7 @@ Log in to the [Azure portal](https://portal.azure.com) with your Azure account. ![Add endpoint page](./media/cdn-create-endpoint-how-to/cdn-add-endpoint-page.png) -3. For **Name**, enter a unique name for the new CDN endpoint. This name is used to access your cached resources at the domain __.azureedge.net. +3. For **Name**, enter a unique name for the new CDN endpoint. This name is used to access your cached resources at the domain _\_.azureedge.net. 4. For **Origin type**, choose one of the following origin types: - **Storage** for Azure Storage 
@@ -58,7 +58,7 @@ Log in to the [Azure portal](https://portal.azure.com) with your Azure account. > Some types of origins, such as Azure Storage and Web Apps, require the host header to match the domain of the origin. Unless you have an origin that requires a host header different from its domain, you should leave the default value. > -8. For **Protocol** and **Origin port**, specify the protocols and ports to use to access your resources at the origin server. At least one protocol (HTTP or HTTPS) must be selected. Use the CDN-provided domain (__.azureedge.net) to access HTTPS content. +8. For **Protocol** and **Origin port**, specify the protocols and ports to use to access your resources at the origin server. At least one protocol (HTTP or HTTPS) must be selected. Use the CDN-provided domain (_\_.azureedge.net) to access HTTPS content. > [!NOTE] > The **Origin port** value determines only the port the endpoint uses to retrieve information from the origin server. The endpoint itself is available only to end clients on the default HTTP and HTTPS ports (80 and 443), regardless of the **Origin port** value. diff --git a/articles/cdn/cdn-http-variables.md b/articles/cdn/cdn-http-variables.md index bb6baa6c53bff..4779036c97650 100644 --- a/articles/cdn/cdn-http-variables.md +++ b/articles/cdn/cdn-http-variables.md @@ -35,7 +35,7 @@ The following table describes the supported HTTP variables. A blank value is ret | ---- | -------- | ----------- | ------------ | | ASN (Requester) | %{geo_asnum} | Indicates the requester's AS number.

**Deprecated:** %{virt_dst_asnum}.
This variable has been deprecated in favor of %{geo_asnum}. Although a rule that uses this deprecated variable will continue to work, you should update it to use the new variable. | AS15133 | | City (Requester) | %{geo_city} | Indicates the requester's city. | Los Angeles | -| Continent (Requester) | %{geo_continent} | Indicates the requester's continent through its abbreviation.
Valid values are:
AF: Africa
AS: Asia
EU: Europe
NA: North America
OC: Oceania
SA: South America

**Deprecated:** %{virt_dst_continent}. This variable has been deprecated in favor of %{geo_continent}.
Although a rule that uses this deprecated variable will continue to work, you should update it to use the new variable.| N/A | +| Continent (Requester) | %{geo_continent} | Indicates the requester's continent through its abbreviation.
Valid values are:
AF: Africa
AS: Asia
EU: Europe
NA: North America
OC: Oceania
SA: South America

**Deprecated:** %{virt_dst_continent}.
This variable has been deprecated in favor of %{geo_continent}.
Although a rule that uses this deprecated variable will continue to work, you should update it to use the new variable.| N/A | | Cookie Value | %{cookie_Cookie} | Returns the value corresponding to the cookie key identified by the Cookie term. | Sample Usage:
%{cookie__utma}

Sample Value:
111662281.2.10.1222100123 | | Country (Requester) | %{geo_country} | Indicates the requester's country of origin through its country code.
**Deprecated:** %{virt_dst_country}.

This variable has been deprecated in favor of %{geo_country}. Although a rule that uses this deprecated variable will continue to work, you should update it to use the new variable. | US | | Designated Market Area (Requester) | %{geo_dma_code} |Indicates the requester's media market by its region code.

This field is only applicable to requests that originate from the United States.| 745 | diff --git a/articles/cdn/cdn-manage-expiration-of-cloud-service-content.md b/articles/cdn/cdn-manage-expiration-of-cloud-service-content.md index fd4f492358556..6fbf09142484d 100644 --- a/articles/cdn/cdn-manage-expiration-of-cloud-service-content.md +++ b/articles/cdn/cdn-manage-expiration-of-cloud-service-content.md 
@@ -102,7 +102,7 @@ The following XML configuration file example shows how to set the ` ``` -To use the **cacheControlMaxAge** attribute, you must set the value of the **cacheControlMode** attribute to `UseMaxAge`. This setting caused the HTTP header and directive, `Cache-Control: max-age=`, to be added to the response. The format of the timespan value for the **cacheControlMaxAge** attribute is `.::`. Its value is converted to seconds and is used as the value of the `Cache-Control` `max-age` directive. For more information about the `` element, see [Client Cache ](https://www.iis.net/ConfigReference/system.webServer/staticContent/clientCache). +To use the **cacheControlMaxAge** attribute, you must set the value of the **cacheControlMode** attribute to `UseMaxAge`. This setting caused the HTTP header and directive, `Cache-Control: max-age=`, to be added to the response. The format of the timespan value for the **cacheControlMaxAge** attribute is `.::`. Its value is converted to seconds and is used as the value of the `Cache-Control` `max-age` directive. For more information about the `` element, see [Client Cache \](https://www.iis.net/ConfigReference/system.webServer/staticContent/clientCache). ## Setting Cache-Control headers programmatically For ASP.NET applications, you control the CDN caching behavior programmatically by setting the **HttpResponse.Cache** property of the .NET API. For information about the **HttpResponse.Cache** property, see [HttpResponse.Cache Property](/dotnet/api/system.web.httpresponse.cache#System_Web_HttpResponse_Cache) and [HttpCachePolicy Class](/dotnet/api/system.web.httpcachepolicy). diff --git a/articles/cdn/cdn-map-content-to-custom-domain.md b/articles/cdn/cdn-map-content-to-custom-domain.md index 333655a268ce6..73e1cf3873ba8 100644 --- a/articles/cdn/cdn-map-content-to-custom-domain.md +++ b/articles/cdn/cdn-map-content-to-custom-domain.md 
@@ -47,7 +47,7 @@ Before you can use a custom domain with an Azure CDN endpoint, you must first cr A custom domain and its subdomain can be associated with only a single endpoint at a time. However, you can use different subdomains from the same custom domain for different Azure service endpoints by using multiple CNAME records. You can also map a custom domain with different subdomains to the same CDN endpoint. > [!NOTE] -> Any alias record type can be used for Custom domains if you are using Azure DNS as your domain provider. This walkthrough uses the CNAME record type. If you are using A or AAAA record types just follow the same steps below while replacing CNAME with the record type of your choice. If you're using an alias record to add a root domain as a custom domain and you want to enable SSL, you must use manual validation as described [here](https://docs.microsoft.com/azure/cdn/cdn-custom-ssl?tabs=option-1-default-enable-https-with-a-cdn-managed-certificate#custom-domain-is-not-mapped-to-your-cdn-endpoint) +> Any alias record type can be used for Custom domains if you're using Azure DNS as your domain provider. This walkthrough uses the CNAME record type. If you're using A or AAAA record types, follow the same steps below and replace CNAME with the record type of your choice. If you're using an alias record to add a root domain as a custom domain and you want to enable SSL, you must use manual validation as described in [this article](https://docs.microsoft.com/azure/cdn/cdn-custom-ssl?tabs=option-1-default-enable-https-with-a-cdn-managed-certificate#custom-domain-is-not-mapped-to-your-cdn-endpoint). For more information, see [Point zone apex to Azure CDN endpoints](https://docs.microsoft.com/azure/dns/dns-alias#point-zone-apex-to-azure-cdn-endpoints). ## Map the temporary cdnverify subdomain diff --git a/articles/cdn/cdn-restrict-access-by-country.md b/articles/cdn/cdn-restrict-access-by-country.md index 53d174cdc016a..a7aa4ead00bcf 100644 
--- a/articles/cdn/cdn-restrict-access-by-country.md +++ b/articles/cdn/cdn-restrict-access-by-country.md @@ -55,8 +55,8 @@ From the **ACTION** list, select **Allow** or **Block**: - **Block**: Users from the specified countries are denied access to the assets requested from the recursive path. If no other country filtering options have been configured for that location, then all other users will be allowed access. For example, a geo-filtering rule for blocking the path */Photos/Strasbourg/* filters the following files: -*http://.azureedge.net/Photos/Strasbourg/1000.jpg* -*http://.azureedge.net/Photos/Strasbourg/Cathedral/1000.jpg* +*http:\//\.azureedge.net/Photos/Strasbourg/1000.jpg* +*http:\//\.azureedge.net/Photos/Strasbourg/Cathedral/1000.jpg* ### Define the countries From the **COUNTRY CODES** list, select the countries that you want to block or allow for the path. diff --git a/articles/cdn/cdn-rules-engine-reference-match-conditions.md b/articles/cdn/cdn-rules-engine-reference-match-conditions.md index 1a417f844cd13..0a38b9d68b71b 100644 --- a/articles/cdn/cdn-rules-engine-reference-match-conditions.md +++ b/articles/cdn/cdn-rules-engine-reference-match-conditions.md @@ -98,7 +98,7 @@ Name | Purpose ## Reference for rules engine match conditions - + --- ### Always diff --git a/articles/china/china-get-started-developer-guide.md b/articles/china/china-get-started-developer-guide.md index f81148b2eb881..0a9b2d21a244a 100644 --- a/articles/china/china-get-started-developer-guide.md +++ b/articles/china/china-get-started-developer-guide.md 
@@ -48,7 +48,7 @@ The following table shows the endpoints to change. See also: - [Developer Notes for Azure in China Applications](https://msdn.microsoft.com/library/azure/dn578439.aspx) -- [Azure Datacenter IP Ranges in China](https://www.microsoft.com/download/details.aspx?id=42064) +- [Azure Datacenter IP Ranges in China](https://www.microsoft.com/en-us/download/confirmation.aspx?id=57062) - [Developers Guide](https://www.azure.cn/documentation/articles/developerdifferences/#dev-guide) (in Chinese). | Service category | Global Azure URI | Azure URI (in China) | @@ -77,6 +77,6 @@ See also: ## Next steps - [Developers Guide](https://www.azure.cn/documentation/articles/developerdifferences/#dev-guide) (in Chinese) -- [Azure Datacenter IP Ranges in China](https://www.microsoft.com/download/details.aspx?id=42064) +- [Azure Datacenter IP Ranges in China](https://www.microsoft.com/en-us/download/confirmation.aspx?id=57062) - [Manage performance and connectivity](/azure/china/china-how-to-manage-performance) - [Azure Architecture Center](https://docs.microsoft.com/azure/architecture/) diff --git a/articles/china/index.md b/articles/china/index.md index 1a1bd3e85b073..08cc416ec43dd 100644 --- a/articles/china/index.md +++ b/articles/china/index.md 
@@ -2,8 +2,8 @@ title: Azure China 21Vianet documentation - Tutorials, API Reference | Microsoft Docs description: Microsoft Azure operated by 21Vianet (Azure China 21Vianet), also known as Mooncake, is a cloud platform operated by a data trustee in China containing a growing collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications. Azure China 21Vianet is a sovereign cloud—that is, a physically separated instance of cloud services located in mainland China, independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"). services: china -author: czeumault -manager: carolz +author: juliako +manager: femila layout: LandingPage ms.assetid: ms.service: china @@ -11,7 +11,7 @@ ms.tgt_pltfrm: na ms.devlang: na ms.topic: landing-page ms.date: 10/19/2017 -ms.author: carolz +ms.author: juliako --- # Azure China 21Vianet diff --git a/articles/cloud-services/cloud-services-custom-domain-name-portal.md b/articles/cloud-services/cloud-services-custom-domain-name-portal.md index 551aac22fd7d4..a474bad51cd0b 100644 --- a/articles/cloud-services/cloud-services-custom-domain-name-portal.md +++ b/articles/cloud-services/cloud-services-custom-domain-name-portal.md @@ -60,7 +60,7 @@ To create a CNAME record, you must add a new entry in the DNS table for your cus 1. Use one of these methods to find the **.cloudapp.net** domain name assigned to your cloud service. - * Login to the [Azure portal], select your cloud service, look at the **Essentials** section and then find the **Site URL** entry. + * Login to the [Azure portal], select your cloud service, look at the **Overview** section and then find the **Site URL** entry. ![quick glance section showing the site URL][csurl] 
@@ -95,7 +95,7 @@ To create an A record, you must first find the virtual IP address of your cloud 1. Use one of the following methods to get the IP address of your cloud service. - * Login to the [Azure portal], select your cloud service, look at the **Essentials** section and then find the **Public IP addresses** entry. + * Login to the [Azure portal], select your cloud service, look at the **Overview** section and then find the **Public IP addresses** entry. ![quick glance section showing the VIP][vip] diff --git a/articles/cloud-services/cloud-services-dotnet-diagnostics-trace-flow.md b/articles/cloud-services/cloud-services-dotnet-diagnostics-trace-flow.md index 05e8f439274bb..13e97379cec36 100644 --- a/articles/cloud-services/cloud-services-dotnet-diagnostics-trace-flow.md +++ b/articles/cloud-services/cloud-services-dotnet-diagnostics-trace-flow.md @@ -65,7 +65,7 @@ For more information about listeners, see [Trace Listeners](/dotnet/framework/de After you complete the steps to add the listener, you can add trace statements to your code. ### To add trace statement to your code -1. Open a source file for your application. For example, the .cs file for the worker role or web role. +1. Open a source file for your application. For example, the \.cs file for the worker role or web role. 2. Add the following using statement if it has not already been added: ``` using System.Diagnostics; diff --git a/articles/cloud-services/cloud-services-sizes-specs.md b/articles/cloud-services/cloud-services-sizes-specs.md index 44ed603b40b90..a62b241386251 100644 --- a/articles/cloud-services/cloud-services-sizes-specs.md +++ b/articles/cloud-services/cloud-services-sizes-specs.md 
@@ -201,7 +201,7 @@ Here is an example for setting the role size to be Standard_D2 for a Web Role in ## Changing the size of an existing role -As the nature of your workload changes or new VM sizes become available, you may want to change the size of your role. To do so, you must change the VM size in your service definition file (as shown above), repackage your Cloud Service, and deploy it. It is not possible to change VM sizes directly from the portal or PowerShell. +As the nature of your workload changes or new VM sizes become available, you may want to change the size of your role. To do so, you must change the VM size in your service definition file (as shown above), repackage your Cloud Service, and deploy it. >[!TIP] > You may want to use different VM sizes for your role in different environments (eg. test vs production). One way to do this is to create multiple service definition (.csdef) files in your project, then create different cloud service packages per environment during your automated build using the CSPack tool. To learn more about the elements of a cloud services package and how to create them, see [What is the cloud services model and how do I package it?](cloud-services-model-and-package.md) diff --git a/articles/cloud-shell/features.md b/articles/cloud-shell/features.md index 6259f18ac5e3a..6419753742dac 100644 --- a/articles/cloud-shell/features.md +++ b/articles/cloud-shell/features.md @@ -13,7 +13,7 @@ ms.workload: infrastructure-services ms.tgt_pltfrm: vm-linux ms.devlang: na ms.topic: article -ms.date: 07/13/2018 +ms.date: 04/10/2019 ms.author: damaerte --- @@ -72,7 +72,7 @@ Cloud Shell includes pre-configured authentication for open-source tools such as |Go |1.9 | |Java |1.8 | |Node.js |8.9.4 | -|PowerShell |[6.1.2](https://github.com/PowerShell/powershell/releases) | +|PowerShell |[6.2.0](https://github.com/PowerShell/powershell/releases) | |Python |2.7 and 3.5 (default)| ## Next steps 
diff --git a/articles/cognitive-services/Acoustics/bake-resolution.md b/articles/cognitive-services/Acoustics/bake-resolution.md
new file mode 100644
index 0000000000000..0adfe47e88aec
--- /dev/null
+++ b/articles/cognitive-services/Acoustics/bake-resolution.md
@@ -0,0 +1,35 @@
+---
+title: Project Acoustics Bake Resolution
+titlesuffix: Azure Cognitive Services
+description: This conceptual overview describes the difference between coarse and fine resolutions while baking acoustics.
+services: cognitive-services
+author: KyleStorck
+manager: nitinme
+
+ms.service: cognitive-services
+ms.subservice: acoustics
+ms.topic: how-to
+ms.date: 04/05/2019
+ms.author: KyleStorck
+---
+# Project Acoustics Bake Resolution
+This conceptual overview describes the difference between coarse and fine resolutions while baking acoustics. You choose this setting during the Probes step of the baking workflow.
+
+## Coarse vs fine resolution
+
+The only difference between the coarse and fine resolution settings is the frequency at which the simulation is performed. Fine uses a frequency twice as high as coarse. This has a number of implications on the acoustic simulation:
+
+* The wavelength for coarse is twice as long as fine, and therefore the voxels are twice as large.
+* The simulation time is directly related to the voxel size, making a coarse bake about 16 times faster than a fine bake.
+* Portals (for example, doors or windows) smaller than the voxel size can't be simulated. The coarse setting may cause some of these smaller portals to not be simulated; therefore, they won't pass sound through at runtime. You can see if this is happening by viewing the voxels.
+* The lower simulation frequency results in less diffraction around corners and edges.
+* Sound sources can't be located inside "filled" voxels (i.e. voxels that contain geometry). This results in no sound. It's more difficult to place sound sources so they are not inside the larger voxels of coarse than it is when using the fine setting.
+* The larger voxels will intrude more into portals, as shown below. The first image was created using coarse, while the second is the same doorway using fine resolution.
As indicated by the red markings, there is much less intrusion into the doorway using the fine setting. The blue line is the doorway as defined by the geometry, while the red line is the effective acoustic portal defined by the voxel size. How this intrusion plays out in a given situation depends completely on how the voxels line up with the geometry of the portal, which is determined by the size and locations of your objects in the scene.
+
+![Screenshot of coarse voxels filling a doorway in Unreal](media/unreal-coarse-bake.png)
+
+![Screenshot of fine voxels in a doorway in Unreal](media/unreal-fine-bake.png)
+
+## Next steps
+
+Try out the coarse and fine resolution settings yourself using our [Unreal](unreal-baking.md) or [Unity](unity-baking.md) plugins.
\ No newline at end of file
diff --git a/articles/cognitive-services/Acoustics/media/unreal-acoustics-volume-exclude.png b/articles/cognitive-services/Acoustics/media/unreal-acoustics-volume-exclude.png
new file mode 100644
index 0000000000000..22dfb263d5478
Binary files /dev/null and b/articles/cognitive-services/Acoustics/media/unreal-acoustics-volume-exclude.png differ
diff --git a/articles/cognitive-services/Acoustics/media/unreal-acoustics-volume-properties.png b/articles/cognitive-services/Acoustics/media/unreal-acoustics-volume-properties.png
new file mode 100644
index 0000000000000..4c3057a091bf0
Binary files /dev/null and b/articles/cognitive-services/Acoustics/media/unreal-acoustics-volume-properties.png differ
diff --git a/articles/cognitive-services/Acoustics/media/wwise-post-mixer-eq.png b/articles/cognitive-services/Acoustics/media/wwise-post-mixer-eq.png
new file mode 100644
index 0000000000000..24c9faeaa4154
Binary files /dev/null and b/articles/cognitive-services/Acoustics/media/wwise-post-mixer-eq.png differ
diff --git a/articles/cognitive-services/Acoustics/toc.yml b/articles/cognitive-services/Acoustics/toc.yml
index 1fd1da2a433ba..063c63662d1e1 100644
--- a/articles/cognitive-services/Acoustics/toc.yml +++ b/articles/cognitive-services/Acoustics/toc.yml @@ -11,18 +11,24 @@ href: unreal-quickstart.md - name: Tutorials items: - - name: Unity Design Workflow - href: unity-workflow.md - - name: Unreal/Wwise Design Workflow - href: unreal-workflow.md - - name: Bake Acoustics with Unity - href: unity-baking.md - - name: Bake Acoustics with Unreal/Wwise - href: unreal-baking.md + - name: Unity + items: + - name: Bake Acoustics with Unity + href: unity-baking.md + - name: Unity Design Workflow + href: unity-workflow.md + - name: Unreal/Wwise + items: + - name: Bake Acoustics with Unreal/Wwise + href: unreal-baking.md + - name: Unreal/Wwise Design Workflow + href: unreal-workflow.md - name: Concepts items: - name: Design Concepts with Acoustics Simulation href: design-process.md + - name: Bake Resolution + href: bake-resolution.md - name: How-tos items: - name: Create an Azure Batch Account diff --git a/articles/cognitive-services/Acoustics/unity-baking.md b/articles/cognitive-services/Acoustics/unity-baking.md index 8f087d74d4df1..cf0a7f27157fd 100644 --- a/articles/cognitive-services/Acoustics/unity-baking.md +++ b/articles/cognitive-services/Acoustics/unity-baking.md 
@@ -132,7 +132,7 @@ The scene name is used to connect the scene to files storing the probe point pla 1. The **Probes** tab button used to bring up this page 2. A brief description of what you need to do using this page -3. Use these to choose a coarse or fine simulation resolution. Coarse is faster, but has certain tradeoffs. See [Choosing coarse vs fine resolution](#Coarse-vs-Fine-Resolution) below for details. +3. Use these to choose a coarse or fine simulation resolution. Coarse is faster, but has certain tradeoffs. See [Bake Resolution](bake-resolution.md) below for details. 4. Choose the location where the acoustics data files should be placed using this field. Click the button with "..." to use a folder picker. The default is **Assets/AcousticsData**. An **Editor** subfolder will also be created under this location. For more information about data files, see [Data Files](#Data-Files) below. 5. The data files for this scene will be named using the prefix provided here. The default is "Acoustics_[Scene Name]". 6. After the probes have been calculated, the controls above will be disabled. Click the **Clear** button to erase the calculations and enable the controls so that you can recalculate using new settings. 
@@ -140,21 +140,7 @@ The scene name is used to connect the scene to files storing the probe point pla In this version of Project Acoustics, probes can't be placed manually and must be placed through the automated process provided in the **Probes** tab. -### Choosing coarse vs. fine resolution - -The only difference between the coarse and fine resolution settings is the frequency at which the simulation is performed. Fine uses a frequency twice as high as coarse. -While this may seem simple, it has a number of implications on the acoustic simulation: - -* The wavelength for coarse is twice as long as fine, and therefore the voxels are twice as large. -* The simulation time is directly related to the voxel size, making a coarse bake about 16 times faster than a fine bake. -* Portals (for example, doors or windows) smaller than the voxel size cannot be simulated. The coarse setting may cause some of these smaller portals to not be simulated; therefore, they will not pass sound through at runtime. You can see if this is happening by viewing the voxels. -* The lower simulation frequency results in less diffraction around corners and edges. -* Sound sources cannot be located inside "filled" voxels, that is voxels that contain geometry - this results in no sound. It is more difficult to locate sound sources so they are not inside the larger voxels of coarse than it is using the fine setting. -* The larger voxels will intrude more into portals, as shown below. The first image was created using coarse, while the second is the same doorway using fine resolution. As indicated by the red markings, there is much less intrusion into the doorway using the fine setting. The blue line is the doorway as defined by the geometry, while the red line is the effective acoustic portal defined by the voxel size. 
How this intrusion plays out in a given situation depends completely on how the voxels line up with the geometry of the portal, which is determined by the size and locations of your objects in the scene. - -![Screenshot of coarse voxels in doorway](media/coarse-voxel-doorway.png) - -![Screenshot of fine voxels in doorway](media/fine-voxel-doorway.png) +See [Bake Resolution](bake-resolution.md) for more details on coarse vs fine resolution. ## Bake your scene using Azure Batch You can bake your scene with a compute cluster in the cloud using the Azure Batch service. The Project Acoustics Unity plugin connects directly to Azure Batch to instantiate, manage, and tear down an Azure Batch cluster for each bake. On the **Bake** tab, enter your Azure credentials, select a cluster machine type and size, and click **Bake**. @@ -205,7 +191,7 @@ As an example, in our testing on an 8 core machine with Intel Xeon E5-1660 @ 3 G Install and configure Docker on the PC that will process the simulation - 1. Install the [Docker toolset](https://www.docker.com/products/docker-desktop). 2. Launch Docker settings, navigate to the "Advanced" options and configure resources to have at least 8GB RAM. The more CPUs you can allocate to Docker, the faster the bake will complete. ![Screenshot of example Docker settings](media/docker-settings.png) -3. Navigate to "Shared Drives" and turn on sharing for the drive used for processing.![Screnshot of Docker shared drive options](media/docker-shared-drives.png) +3. Navigate to "Shared Drives" and turn on sharing for the drive used for processing.![Screenshot of Docker shared drive options](media/docker-shared-drives.png) ### Run local bake 1. Click on "Prepare Local Bake" button on the **Bake** tab and select a folder where the input files and execution scripts will be saved. You can then run the bake on any machine as long as it meets the minimum hardware requirements and has Docker installed by copying the folder to that machine. 
diff --git a/articles/cognitive-services/Acoustics/unreal-baking.md b/articles/cognitive-services/Acoustics/unreal-baking.md index 25ec08d20b8c9..be71541a70ec2 100644 --- a/articles/cognitive-services/Acoustics/unreal-baking.md +++ b/articles/cognitive-services/Acoustics/unreal-baking.md @@ -35,6 +35,8 @@ The objects tab is the first tab that gets displayed when you open the Acoustics Select one or more objects in the World Outliner, or use the **Bulk Selection** section to help select all objects of a specific category. Once objects are selected, use the **Tagging** section to apply the desired tag to the selected objects. +If something has neither **AcousticsGeometry** nor **AcousticsNavigation** tag, it will be ignored in the simulation. Only static meshes, nav meshes and landscapes are supported. If you tag anything else, it will be ignored. + ### For reference: The Objects tab parts ![Screenshot of Acoustics Objects tab in Unreal](media/unreal-objects-tab-details.png) 
@@ -58,9 +60,23 @@ Don't include things that shouldn't affect the acoustics, such as invisible coll An object's transform at the time of the probe calculation (via the Probes tab, below) is fixed in the bake results. Moving any of the marked objects in the scene will require redoing the probe calculation and rebaking the scene. -## Create or tag a navigation mesh +### Create or tag a navigation mesh + +A navigation mesh is used to place probe points for simulation. You can use Unreal's [Nav Mesh Bounds Volume](https://api.unrealengine.com/INT/Engine/AI/BehaviorTrees/QuickStart/2/index.html), or you can specify your own navigation mesh. You must tag at least one object as **Acoustics Navigation**. If you use Unreal's Navigation mesh, make sure you have it built first. + +### Acoustics Volumes ### + +There is further, advanced customization you can make on your navigation areas with **Acoustics Volumes**. **Acoustics Volumes** are actors you can add to your scene that allow you to select areas to include and ignore from the navigation mesh. The actor exposes a property that can be switched between "Include" and "Exclude". "Include" volumes ensure only areas of the navigation mesh inside them are considered and "Exclude" volumes mark those areas to be ignored. "Exclude" volumes are always applied after "Include" volumes. Make sure to tag **Acoustics Volumes** as **Acoustics Navigation** through the usual process in the Objects tab. These actors are ***not*** automatically tagged. + +![Screenshot of Acoustics Volume properties in Unreal](media/unreal-acoustics-volume-properties.png) + +"Exclude" volumes are mainly meant to give fine-grained control on where not to place probes for tightening resource usage. -A navigation mesh is used to place probe points for simulation. You can use Unreal's [Nav Mesh Bounds Volume](https://api.unrealengine.com/INT/Engine/AI/BehaviorTrees/QuickStart/2/index.html), or you can specify your own navigation mesh. 
You must tag at least one object as **Acoustics Navigation**. +![Screenshot of Exclude Acoustics Volume in Unreal](media/unreal-acoustics-volume-exclude.png) + +"Include" volumes are useful for creating manual sections of a scene, such as if you want to break up your scene into multiple acoustic zones. For example, if you have a large scene, many kilometers squared, and you have two areas of interest you want to bake acoustics on. You can draw two big "Include" volumes in the scene and produce ACE files for each of them one at a time. Then in game, you can use trigger volumes combined with blueprint calls to load the appropriate ACE file when the player approaches each tile. + +**Acoustics Volumes** only restrict the navigation and ***not*** the geometry. Each probe inside an "Include" **Acoustics Volume** will still pull in all the necessary geometry outside of the volume when performing wave simulations. Therefore, there shouldn't be any discontinuities in occlusion or other acoustics resulting from the player crossing from one section to another. ## Select acoustic materials @@ -82,6 +98,7 @@ The reverberation time of a given material in a room is inversely related to its 4. Shows the acoustic material that the scene material has been assigned to. Click a dropdown to reassign a scene material to a different acoustic material. 5. Shows the acoustic absorption coefficient of the material selected in the previous column. A value of zero means perfectly reflective (no absorption), while a value of 1 means perfectly absorptive (no reflection). Changing this value will update the Acoustics Material (step #4) to **Custom**. +If you make changes to the materials in your scene, you will need to switch tabs in the Project Acoustics plugin to see those changes reflected in the **Materials** tab. ## Calculate and review listener probe locations 
@@ -93,7 +110,7 @@ After assigning the materials, switch to the **Probes** tab. 1. The **Probes** tab button used to bring up this page 2. A brief description of what you need to do using this page -3. Use this to choose a coarse or fine simulation resolution. Coarse is faster, but has certain tradeoffs. See [Coarse vs fine resolution](#Coarse-vs-Fine-Resolution) below for details. +3. Use this to choose a coarse or fine simulation resolution. Coarse is faster, but has certain tradeoffs. See [Bake Resolution](bake-resolution.md) below for details. 4. Choose the location where the acoustics data files should be placed using this field. Click the button with "..." to use a folder picker. For more information about data files, see [Data Files](#Data-Files) below. 5. The data files for this scene will be named using the prefix provided here. The default is "[Level Name]_AcousticsData". 6. Click the **Calculate** button to voxelize the scene and calculate the probe point locations. This is done locally on your machine, and must be done prior to doing a bake. After the probes have been calculated, the controls above will be disabled, and this button will change to say **Clear**. Click the **Clear** button to erase the calculations and enable the controls so that you can recalculate using new settings. 
@@ -140,23 +157,9 @@ Probe points are synonymous with possible player (listener) locations. When baki It's important to check that probe points exist anywhere the player is expected to travel in the scene. Probe points are placed on the navigation mesh by the Project Acoustics engine and can't be moved or edited, so ensure the navigation mesh covers all possible player locations by inspecting the probe points. -![SCreenshot of Acoustics probes preview in Unreal](media/unreal-probes-preview.png) - -### Coarse vs fine resolution - -The only difference between the coarse and fine resolution settings is the frequency at which the simulation is performed. Fine uses a frequency twice as high as coarse. -While this may seem simple, it has a number of implications on the acoustic simulation: - -* The wavelength for coarse is twice as long as fine, and therefore the voxels are twice as large. -* The simulation time is directly related to the voxel size, making a coarse bake about 16 times faster than a fine bake. -* Portals (for example, doors or windows) smaller than the voxel size cannot be simulated. The coarse setting may cause some of these smaller portals to not be simulated; therefore, they will not pass sound through at runtime. You can see if this is happening by viewing the voxels. -* The lower simulation frequency results in less diffraction around corners and edges. -* Sound sources cannot be located inside "filled" voxels, that is voxels that contain geometry - this results in no sound. It is more difficult to place sound sources so they are not inside the larger voxels of coarse than it is when using the fine setting. -* The larger voxels will intrude more into portals, as shown below. The first image was created using coarse, while the second is the same doorway using fine resolution. As indicated by the red markings, there is much less intrusion into the doorway using the fine setting. 
The blue line is the doorway as defined by the geometry, while the red line is the effective acoustic portal defined by the voxel size. How this intrusion plays out in a given situation depends completely on how the voxels line up with the geometry of the portal, which is determined by the size and locations of your objects in the scene. - -![Screenshot of coarse voxels filling a doorway in Unreal](media/unreal-coarse-bake.png) +![Screenshot of Acoustics probes preview in Unreal](media/unreal-probes-preview.png) -![Screenshot of fine voxels in a doorway in Unreal](media/unreal-fine-bake.png) +See [Bake Resolution](bake-resolution.md) for more details on coarse vs fine resolution. ## Bake your level using Azure Batch diff --git a/articles/cognitive-services/Acoustics/unreal-integration.md b/articles/cognitive-services/Acoustics/unreal-integration.md index ccee13c3bc8d5..f0585175dc461 100644 --- a/articles/cognitive-services/Acoustics/unreal-integration.md +++ b/articles/cognitive-services/Acoustics/unreal-integration.md @@ -17,8 +17,8 @@ ms.author: kegodin This how-to provides detailed integration steps of the Project Acoustics plugin package into your existing Unreal and Wwise game project. Software requirements: -* [Unreal Engine](https://www.unrealengine.com/) 4.21 -* [AudioKinetic Wwise](https://www.audiokinetic.com/products/wwise/) 2018.1.+ +* [Unreal Engine](https://www.unrealengine.com/) 4.20 or 4.21 +* [AudioKinetic Wwise](https://www.audiokinetic.com/products/wwise/) 2018.1.\* * [Wwise plugin for Unreal](https://www.audiokinetic.com/library/?source=UE4&id=index.html) * If you're using a direct integration of the Wwise SDK instead of using the Wwise Unreal plugins, consult the Project Acoustics Unreal plugin and adjust Wwise API calls. diff --git a/articles/cognitive-services/Acoustics/unreal-quickstart.md b/articles/cognitive-services/Acoustics/unreal-quickstart.md index 9b11e607fc540..aa6f93e8ccd70 100644 
--- a/articles/cognitive-services/Acoustics/unreal-quickstart.md +++ b/articles/cognitive-services/Acoustics/unreal-quickstart.md @@ -17,8 +17,8 @@ ms.author: kegodin In this quickstart, you'll experiment with Project Acoustics design controls using provided sample content for the Unreal Engine and Wwise. Software requirements: -* [Unreal Engine 4.21](https://www.unrealengine.com/) -* [Wwise 2018.1.6](https://www.audiokinetic.com/products/wwise/) +* [Unreal Engine](https://www.unrealengine.com/) 4.21 +* [AudioKinetic Wwise](https://www.audiokinetic.com/products/wwise/) 2018.1.6 ## Download the sample package Download the [Project Acoustics Unreal + Wwise sample package](https://www.microsoft.com/download/details.aspx?id=58090). The sample package contains an Unreal Engine project, the Wwise project for that Unreal project, and the Project Acoustics Wwise plugin. diff --git a/articles/cognitive-services/Acoustics/unreal-workflow.md b/articles/cognitive-services/Acoustics/unreal-workflow.md index 83d095e3f66a1..0bf920273cfd2 100644 --- a/articles/cognitive-services/Acoustics/unreal-workflow.md +++ b/articles/cognitive-services/Acoustics/unreal-workflow.md 
@@ -58,12 +58,19 @@ Remember that the required actor-mixer setup interchanges the usual dry and wet ![Screenshot of Wwise editor showing voice design guidelines for Project Acoustics](media/voice-design-guidelines.png) ### Set up distance attenuation curves -Ensure any attenuation curve used by actor-mixers using Project Acoustics have user-defined aux send set to "output bus volume." Wwise does this by default for newly created attenuation curves. If you're migrating an existing project, check your curve settings. +Ensure any attenuation curve used by actor-mixers using Project Acoustics have user-defined aux send set to "output bus volume." Wwise does this by default for newly created attenuation curves. If you're migrating an existing project, check your curve settings. By default, the Project Acoustics simulation has a radius of 45 meters around the player location. We generally recommend setting your attenuation curve to -200 dB around that distance. This distance isn't a hard constraint. For some sounds like weapons you might want a larger radius. In such cases, the caveat is that only geometry within 45 m of the player location will participate. If the player is in a room and a sound source is outside the room and 100m away, it will be properly occluded. If the source is in a room and the player is outside and 100 m away, it won't be properly occluded. ![Screenshot of Wwise attenuation curves](media/atten-curve.png) +### Post Mixer Equalization ### + One other thing you may want to do is add a post mixer equalizer. You can treat the Project Acoustics bus as a typical reverb bus (in default reverb mode) and put a filter on it to do equalization. You can see a sample of this in the Project Acoustics Wwise Sample Project. + +![Screenshot of Wwise post-mixer EQ](media/wwise-post-mixer-eq.png) + +For example, a high pass filter can help handle the bass from near-field recordings that yield boomy, unrealistic reverb. 
You can also achieve more post-bake control by adjusting the EQ through RTPCs, allowing you to alter the color of reverb at game-time. + ## Set up scene-wide Project Acoustics properties The Acoustics Space actor exposes many controls that modify the behavior of the system and are useful in debugging. 
@@ -76,7 +83,7 @@ The Acoustics Space actor exposes many controls that modify the behavior of the * **Cache Scale:** controls the size of the cache used for acoustic queries. A smaller cache uses less RAM, but may increase CPU usage for each query. * **Acoustics Enabled:** A debug control to enable quick A/B toggling of the Acoustics simulation. This control is ignored in shipping configurations. The control is useful for finding if a particular audio bug originates in the acoustics calculations or some other issue in the Wwise project. * **Update Distances:** Use this option if you'd like to use the pre-baked acoustics information for distance queries. These queries are similar to ray casts, but they have been pre-computed so take much less CPU. An example usage is for discrete reflections off the closest surface to the listener. To fully leverage this, you'll need to use code or Blueprints to query distances. -* **Draw Stats:** While UE's `stat Acoustics` can provide you with CPU information, this status display will show the currently loaded map, RAM usage, and other status information in the top left of the screen. +* **Draw Stats:** While UE's `stat Acoustics` can provide you with CPU information, this status display will show the currently loaded ACE file, RAM usage, and other status information in the top left of the screen. * **Draw Voxels:** Overlay voxels close to the listener showing the voxel grid used during runtime interpolation. If an emitter is inside a runtime voxel, it will fail acoustic queries. * **Draw Probes:** Show all the probes for this scene. They will be different colors depending on their load state. * **Draw Distances:** If Update Distances is enabled, this will show a box on the closest surface to the listener in quantized directions around the listener. 
@@ -92,6 +99,7 @@ These design controls are scoped to an individual audio component in Unreal. * **Outdoorness Adjustment:** Controls how outdoors the reverberation is. Values closer to 0 are more indoors, closer to 1 are more outdoors. This adjustment is additive, so setting it to -1 will enforce indoors, setting it to +1 will enforce outdoors. * **Transmission Db:** Render an additional through-the-wall sound with this loudness combined with line-of-sight based distance attenuation. * **Wet Ratio Distance Warp:** Adjusts the reverberation characteristics on the source as if it were closer/further away, without affecting the direct path. +* **Play on Start:** Toggle to specify whether the sound should automatically play on scene start. Enabled by default. * **Show Acoustic Parameters:** Display debug information directly on top of the component in-game. (only for non-shipping configurations) ## Blueprint functionality diff --git a/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-csharp.md b/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-csharp.md index 18104fb47dbd7..bfac11ce9610a 100644 --- a/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-csharp.md +++ b/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-csharp.md 
@@ -76,24 +76,19 @@ Use this quickstart to start using the Anomaly Detector API's two detection mode 1. Create a new async function called `Request` that takes the variables created above. 2. Set the client's security protocol and header information using an `HttpClient` object. Be sure to add your subscription key to the `Ocp-Apim-Subscription-Key` header. Then create a `StringContent` object for the request. - -3. Send the request with `PostAsync()`. If the request is successful, return the response. + +3. Send the request with `PostAsync()`, and then return the response. ```csharp -static async Task Request(string baseAddress, string endpoint, string subscriptionKey, string requestData){ - using (HttpClient client = new HttpClient { BaseAddress = new Uri(baseAddress) }){ +static async Task Request(string apiAddress, string endpoint, string subscriptionKey, string requestData){ + using (HttpClient client = new HttpClient { BaseAddress = new Uri(apiAddress) }){ System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls; client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); client.DefaultRequestHeaders.Add("Ocp-Apim-Subscription-Key", subscriptionKey); var content = new StringContent(requestData, Encoding.UTF8, "application/json"); var res = await client.PostAsync(endpoint, content); - if (res.IsSuccessStatusCode){ - return await res.Content.ReadAsStringAsync(); - } - else{ - return $"ErrorCode: {res.StatusCode}"; - } + return await res.Content.ReadAsStringAsync(); } } ``` 
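Review bot: The `ServicePointManager.SecurityProtocol` line kept in `Request` still enables TLS 1.0 and 1.1 (`SecurityProtocolType.Tls11 | SecurityProtocolType.Tls`) for the call that carries `Ocp-Apim-Subscription-Key`. A quickstart that readers copy should pin it to `System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;`. Separately, with the `IsSuccessStatusCode` branch removed, any body is returned and then deserialized by the caller, so a non-JSON error body (for example from a proxy or gateway) would likely surface as a parse exception rather than a reported failure. The Python `send_request` hunk in detect-data-anomalies-python.md drops its `status_code` check in the same way. Keeping the status code available to the caller, or guarding the deserialization, would cover both.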
@@ -104,9 +99,9 @@ static async Task Request(string baseAddress, string endpoint, string su 2. Deserialize the JSON object, and write it to the console. -3. Find the positions of anomalies in the data set. The response's `isAnomaly` field contains an array of boolean values, each of which indicates whether a data point is an anomaly. Convert this to a string array with the response object's `ToObject()` function. +3. If the response contains `code` field, print the error code and error message. -4. Iterate through the array, and print the index of any `true` values. These values correspond to the index of anomalous data points, if any were found. +4. Otherwise, find the positions of anomalies in the data set. The response's `isAnomaly` field contains an array of boolean values, each of which indicates whether a data point is an anomaly. Convert this to a string array with the response object's `ToObject()` function. Iterate through the array, and print the index of any `true` values. These values correspond to the index of anomalous data points, if any were found. ```csharp static void detectAnomaliesBatch(string requestData){ @@ -121,11 +116,17 @@ static void detectAnomaliesBatch(string requestData){ dynamic jsonObj = Newtonsoft.Json.JsonConvert.DeserializeObject(result); System.Console.WriteLine(jsonObj); - bool[] anomalies = jsonObj["isAnomaly"].ToObject(); - System.Console.WriteLine("\n Anomalies detected in the following data positions:"); - for (var i = 0; i < anomalies.Length; i++) { - if (anomalies[i]) { - System.Console.Write(i + ", "); + if (jsonObj["code"] != null){ + System.Console.WriteLine($"Detection failed. ErrorCode:{jsonObj["code"]}, ErrorMessage:{jsonObj["message"]}"); + } + else{ + bool[] anomalies = jsonObj["isAnomaly"].ToObject(); + System.Console.WriteLine("\nAnomalies detected in the following data positions:"); + for (var i = 0; i < anomalies.Length; i++){ + if (anomalies[i]) + { + System.Console.Write(i + ", "); + } } } } 
@@ -135,11 +136,11 @@ static void detectAnomaliesBatch(string requestData){ 1. Create a new function called `detectAnomaliesLatest()`. Construct the request and send it by calling the `Request()` function with your endpoint, subscription key, the URL for latest point anomaly detection, and the time series data. -2. Deserialize the JSON object, and write it to the console. +2. Deserialize the JSON object, and write it to the console. ```csharp static void detectAnomaliesLatest(string requestData){ - System.Console.WriteLine("\n\n Determining if latest data point is an anomaly"); + System.Console.WriteLine("\n\nDetermining if latest data point is an anomaly"); var result = Request( endpoint, latestPointDetectionUrl, diff --git a/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-java.md b/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-java.md index a208968f396ec..76c8c1040ac44 100644 --- a/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-java.md +++ b/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-java.md @@ -77,7 +77,7 @@ Use this quickstart to start using the Anomaly Detector API's two detection mode 3. Read in the JSON data file ```java - String requestData = new String(Files.readAllBytes(Paths.get(dataPath)), "UTF-8"); + String requestData = new String(Files.readAllBytes(Paths.get(dataPath)), "utf-8"); ``` ## Create a function to send requests 
@@ -88,9 +88,9 @@ Use this quickstart to start using the Anomaly Detector API's two detection mode 3. Use the request's `setHeader()` function to set the `Content-Type` header to `application/json`, and add your subscription key to the `Ocp-Apim-Subscription-Key` header. -4. Use the request's `setEntity()` function to the data to be sent. +4. Use the request's `setEntity()` function to the data to be sent. -5. Use the client's `execute()` function to send the request, and save it to a `CloseableHttpResponse` object. +5. Use the client's `execute()` function to send the request, and save it to a `CloseableHttpResponse` object. 6. Create an `HttpEntity` object to store the response content. Get the content with `getEntity()`. If the response isn't empty, return it. 
@@ -122,16 +122,20 @@ static String sendRequest(String apiAddress, String endpoint, String subscriptio 1. Create a method called `detectAnomaliesBatch()` to detect anomalies throughout the data as a batch. Call the `sendRequest()` method created above with your endpoint, url, subscription key, and json data. Get the result, and print it to the console. -2. Find the positions of anomalies in the data set. The response's `isAnomaly` field contains a boolean value relating to whether a given data point is an anomaly. Get the JSON array, and iterate through it, printing the index of any `true` values. These values correspond to the index of anomalous data points, if any were found. +2. If the response contains `code` field, print the error code and error message. - - ```java - static void detectAnomaliesBatch(String requestData) { - System.out.println("Detecting anomalies as a batch"); - String result = sendRequest(batchDetectionUrl, endpoint, subscriptionKey, requestData); - if (result != null) { - System.out.println(result); - JSONObject jsonObj = new JSONObject(result); +3. Otherwise, find the positions of anomalies in the data set. The response's `isAnomaly` field contains a boolean value relating to whether a given data point is an anomaly. Get the JSON array, and iterate through it, printing the index of any `true` values. These values correspond to the index of anomalous data points, if any were found. + +```java +static void detectAnomaliesBatch(String requestData) { + System.out.println("Detecting anomalies as a batch"); + String result = sendRequest(batchDetectionUrl, endpoint, subscriptionKey, requestData); + if (result != null) { + System.out.println(result); + JSONObject jsonObj = new JSONObject(result); + if (jsonObj.has("code")) { + System.out.println(String.format("Detection failed. 
ErrorCode:%s, ErrorMessage:%s", jsonObj.getString("code"), jsonObj.getString("message"))); + } else { JSONArray jsonArray = jsonObj.getJSONArray("isAnomaly"); System.out.println("Anomalies found in the following data positions:"); for (int i = 0; i < jsonArray.length(); ++i) { @@ -141,7 +145,8 @@ static String sendRequest(String apiAddress, String endpoint, String subscriptio System.out.println(); } } - ``` +} +``` ## Detect the anomaly status of the latest data point @@ -160,14 +165,14 @@ static void detectAnomaliesLatest(String requestData) { 1. In the main method of your application, read in the JSON file containing the data that will be added to the requests. 2. Call the two anomaly detection functions created above. - - ```java - public static void main(String[] args) throws Exception { - String requestData = new String(Files.readAllBytes(Paths.get(dataPath)), "UTF-8"); - detectAnomaliesBatch(requestData); - detectAnomaliesLatest(requestData); - } - ``` + +```java +public static void main(String[] args) throws Exception { + String requestData = new String(Files.readAllBytes(Paths.get(dataPath)), "utf-8"); + detectAnomaliesBatch(requestData); + detectAnomaliesLatest(requestData); +} +``` ### Example response diff --git a/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-python.md b/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-python.md index 5996df348a4d7..5bb07d7ea926c 100644 --- a/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-python.md +++ b/articles/cognitive-services/Anomaly-Detector/quickstarts/detect-data-anomalies-python.md @@ -60,7 +60,7 @@ Use this quickstart to start using the Anomaly Detector API's two detection mode data_location = "[PATH_TO_TIME_SERIES_DATA]" ``` -3. Read in the JSON data file by opening it, and using `json.load()`. +3. Read in the JSON data file by opening it, and using `json.load()`. ```python file_handler = open(data_location) 
@@ -73,28 +73,24 @@ Use this quickstart to start using the Anomaly Detector API's two detection mode 2. Create a dictionary for the request headers. Set the `Content-Type` to `application/json`, and add your subscription key to the `Ocp-Apim-Subscription-Key` header. -3. Send the request using `requests.post()`. Combine your endpoint and anomaly detection URL for the full request URL, and include your headers, and json request data. +3. Send the request using `requests.post()`. Combine your endpoint and anomaly detection URL for the full request URL, and include your headers, and json request data. And then return the response. -4. If the request is successful, return the response. - - ```python - def send_request(endpoint, url, subscription_key, request_data): - headers = {'Content-Type': 'application/json', 'Ocp-Apim-Subscription-Key': subscription_key} - response = requests.post(endpoint+url, data=json.dumps(request_data), headers=headers) - if response.status_code == 200: - return json.loads(response.content.decode("utf-8")) - else: - print(response.status_code) - raise Exception(response.text) - ``` +```python +def send_request(endpoint, url, subscription_key, request_data): + headers = {'Content-Type': 'application/json', 'Ocp-Apim-Subscription-Key': subscription_key} + response = requests.post(endpoint+url, data=json.dumps(request_data), headers=headers) + return json.loads(response.content.decode("utf-8")) +``` ## Detect anomalies as a batch -1. Create a method called `detect_batch()` to detect anomalies throughout the data as a batch. Call the `send_request()` method created above with your endpoint, url, subscription key, and json data. +1. Create a method called `detect_batch()` to detect anomalies throughout the data as a batch. Call the `send_request()` method created above with your endpoint, url, subscription key, and json data. 2. Call `json.dumps()` on the result to format it, and print it to the console. -3. 
Find the positions of anomalies in the data set. The response's `isAnomaly` field contains a boolean value relating to whether a given data point is an anomaly. Iterate through the list, and print the index of any `True` values. These values correspond to the index of anomalous data points, if any were found. +3. If the response contains `code` field, print the error code and error message. + +4. Otherwise, find the positions of anomalies in the data set. The response's `isAnomaly` field contains a boolean value relating to whether a given data point is an anomaly. Iterate through the list, and print the index of any `True` values. These values correspond to the index of anomalous data points, if any were found. ```python def detect_batch(request_data): @@ -102,12 +98,15 @@ def detect_batch(request_data): result = send_request(endpoint, batch_detection_url, subscription_key, request_data) print(json.dumps(result, indent=4)) - # Find and display the positions of anomalies in the data set - anomalies = result["isAnomaly"] - print("Anomalies detected in the following data positions:") - for x in range(len(anomalies)): - if anomalies[x] == True: - print (x) + if result.get('code') != None: + print("Detection failed. ErrorCode:{}, ErrorMessage:{}".format(result['code'], result['message'])) + else: + # Find and display the positions of anomalies in the data set + anomalies = result["isAnomaly"] + print("Anomalies detected in the following data positions:") + for x in range(len(anomalies)): + if anomalies[x] == True: + print (x) ``` ## Detect the anomaly status of the latest data point 
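Review bot: The rewritten `send_request` calls `requests.post(...)` without a `timeout`, so a stalled connection blocks the script indefinitely. Passing one explicitly fixes this, e.g. `response = requests.post(endpoint+url, data=json.dumps(request_data), headers=headers, timeout=30)` (the value is only an example). It would also help to add a one-line comment above the return noting that error responses are returned as parsed JSON and are detected by the caller through the `code` field, since the function no longer raises on failure.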
@@ -127,14 +126,14 @@ def detect_latest(request_data): ## Load your time series data and send the request 1. Load your JSON time series data opening a file handler, and using `json.load()` on it. Then call the anomaly detection methods created above. - - ```python - file_handler = open (data_location) - json_data = json.load(file_handler) - - detect_batch(json_data) - detect_latest(json_data) - ``` + +```python +file_handler = open(data_location) +json_data = json.load(file_handler) + +detect_batch(json_data) +detect_latest(json_data) +``` ### Example response diff --git a/articles/cognitive-services/Anomaly-Detector/toc.yml b/articles/cognitive-services/Anomaly-Detector/toc.yml index 7e67ee9cfe173..1c79e6fef788b 100644 --- a/articles/cognitive-services/Anomaly-Detector/toc.yml +++ b/articles/cognitive-services/Anomaly-Detector/toc.yml @@ -37,4 +37,8 @@ - name: Pricing href: https://aka.ms/anomaly-detector-pricing - name: Regional availability - href: https://aka.ms/anomaly-detector-region \ No newline at end of file + href: https://aka.ms/anomaly-detector-region + - name: Reference solution architecture + href: https://azure.microsoft.com/solutions/architecture/anomaly-detector-process/ + - name: Stack Overflow + href: https://stackoverflow.com/questions/tagged/azure-anomaly-detection \ No newline at end of file diff --git a/articles/cognitive-services/Bing-Entities-Search/quickstarts/csharp.md b/articles/cognitive-services/Bing-Entities-Search/quickstarts/csharp.md index 6d078a392d57f..eda245cb6a94f 100644 --- a/articles/cognitive-services/Bing-Entities-Search/quickstarts/csharp.md +++ b/articles/cognitive-services/Bing-Entities-Search/quickstarts/csharp.md 
@@ -25,7 +25,7 @@ While this application is written in C#, the API is a RESTful Web service compat * Any edition of [Visual Studio 2017](https://www.visualstudio.com/downloads/). * The [Json.NET](https://www.newtonsoft.com/json) framework, available as a NuGet package. * To install the NuGet package in Visual studio: - 1. Right click in the Solution Manager + 1. Right click in the Solution Explorer 2. Click **Manage NuGet Packages...** 3. Search for **newtonsoft.json** and install the package diff --git a/articles/cognitive-services/Bing-Image-Search/bing-image-search-resource-faq.md b/articles/cognitive-services/Bing-Image-Search/bing-image-search-resource-faq.md index 1f54988784c38..13a56f7047dbb 100644 --- a/articles/cognitive-services/Bing-Image-Search/bing-image-search-resource-faq.md +++ b/articles/cognitive-services/Bing-Image-Search/bing-image-search-resource-faq.md @@ -20,11 +20,11 @@ Find answers to commonly asked questions about concepts, code, and scenarios rel The following headers may occur in responses from the Bing Image Search API. -||| -|-|-| -|`X-MSEdge-ClientID`|The unique ID that Bing has assigned to the user| -|`BingAPIs-Market`|The market that was used to fulfill the request| -|`BingAPIs-TraceId`|The log entry on the Bing API server for this request (for support)| +| `Attribute` | `Description` | +| ------------------- | ------------- | +| `X-MSEdge-ClientID` |The unique ID that Bing has assigned to the user | +| `BingAPIs-Market` |The market that was used to fulfill the request | +| `BingAPIs-TraceId` |The log entry on the Bing API server for this request (for support) | It is particularly important to persist the client ID and return it with subsequent requests. When you do this, the search will use past context in ranking search results and also provide a consistent user experience. 
diff --git a/articles/cognitive-services/Bing-Image-Search/quickstarts/php.md b/articles/cognitive-services/Bing-Image-Search/quickstarts/php.md index e3bcdf54b50a2..82cbcfa18681d 100644 --- a/articles/cognitive-services/Bing-Image-Search/quickstarts/php.md +++ b/articles/cognitive-services/Bing-Image-Search/quickstarts/php.md @@ -19,7 +19,7 @@ Use this quickstart to make your first call to the Bing Image Search API and rec While this application is written in PHP, the API is a RESTful Web service compatible with any programming language that can make HTTP requests and parse JSON. -The source code for this sample is available [on GitHub](https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/java/Search/BingImageSearchv7.java). +The source code for this sample is available [on GitHub]https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/php/Search/BingWebSearchv7.php). ## Prerequisites diff --git a/articles/cognitive-services/Bing-News-Search/news-search-sdk-quickstart.md b/articles/cognitive-services/Bing-News-Search/news-search-sdk-quickstart.md index 446149f09721a..5f447e70ea75c 100644 --- a/articles/cognitive-services/Bing-News-Search/news-search-sdk-quickstart.md +++ b/articles/cognitive-services/Bing-News-Search/news-search-sdk-quickstart.md @@ -1,7 +1,7 @@ --- title: "Quickstart: Perform a news search - Bing News Search SDK for C#" titleSuffix: Azure Cognitive Services -description: Use this quickstart to search for news using the Bing News Search SDK for Python, and process the response. +description: Use this quickstart to search for news using the Bing News Search SDK for C#, and process the response. services: cognitive-services author: mikedodaro manager: nitinme diff --git a/articles/cognitive-services/Bing-Spell-Check/quickstarts/nodejs.md b/articles/cognitive-services/Bing-Spell-Check/quickstarts/nodejs.md index 1b3b76154bc30..c0dbbcfec8bf7 100644 
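Review bot: The new sample link in php.md is malformed Markdown: `[on GitHub]https://…/php/Search/BingWebSearchv7.php)` is missing the opening parenthesis, so it will render as literal text instead of a link. It also targets `BingWebSearchv7.php` although this quickstart covers Bing Image Search, so the file name should be confirmed against the samples repository. With only the parenthesis restored the line reads `[on GitHub](https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/php/Search/BingWebSearchv7.php)`.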
--- a/articles/cognitive-services/Bing-Spell-Check/quickstarts/nodejs.md +++ b/articles/cognitive-services/Bing-Spell-Check/quickstarts/nodejs.md @@ -9,13 +9,13 @@ manager: nitinme ms.service: cognitive-services ms.subservice: bing-spell-check ms.topic: quickstart -ms.date: 02/20/2019 -ms.author: aahi +ms.date: 04/02/2019 +ms.author: aahill --- # Quickstart: Check spelling with the Bing Spell Check REST API and Node.js -Use this quickstart to make your first call to the Bing Spell Check REST API. This simple Python application sends a request to the API and returns a list of words it didn't recognize, followed by suggested corrections. While this application is written in Python, the API is a RESTful Web service compatible with most programming languages. The source code for this application is available on [GitHub](https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/nodejs/Search/BingSpellCheckv7.js). +Use this quickstart to make your first call to the Bing Spell Check REST API. This simple Node application sends a request to the API and returns a list of words it didn't recognize, followed by suggested corrections. While this application is written in Node.js, the API is a RESTful Web service compatible with most programming languages. The source code for this application is available on [GitHub](https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/nodejs/Search/BingSpellCheckv7.js). ## Prerequisites 
@@ -26,18 +26,18 @@ Use this quickstart to make your first call to the Bing Spell Check REST API. Th ## Create and initialize a project -1. Create a new JavaScript file in your favorite IDE or editor. Set the strictness, and require https. Then create variables for your API endpoint's host, path, and your subscription key. +1. Create a new JavaScript file in your favorite IDE or editor. Set the strictness, and require `https`. Then create variables for your API endpoint's host, path, and your subscription key. ```javascript 'use strict'; let https = require ('https'); - + let host = 'api.cognitive.microsoft.com'; let path = '/bing/v7.0/spellcheck'; - let key = 'ENTER KEY HERE'; + let key = ''; ``` -2. Create variables for your market, spell-check mode, and the text you want to check. Then create a string that appends the `?mkt=` parameter to your market, and `&mode=` to your mode. +2. Create variables for your search parameters and the text you want to check. Append your market code after `mkt=`. The market code is the country you make the request from. Also, append your spell-check mode after `&mode=`. Mode is either `proof` (catches most spelling/grammar errors) or `spell` (catches most spelling but not as many grammar errors). ```javascript let mkt = "en-US"; @@ -74,7 +74,8 @@ let response_handler = function (response) { body += d; }); response.on ('end', function () { - console.log (body); + let body_ = JSON.parse (body); + console.log (body_); }); response.on ('error', function (e) { console.log ('Error: ' + e.message); @@ -94,7 +95,7 @@ req.end (); ## Example JSON response -A successful response is returned in JSON, as shown in the following example: +A successful response is returned in JSON, as shown in the following example: ```json { diff --git a/articles/cognitive-services/Bing-Spell-Check/quickstarts/python.md b/articles/cognitive-services/Bing-Spell-Check/quickstarts/python.md index 2ad83ac2814a7..448eb0cea5edb 100644 
--- a/articles/cognitive-services/Bing-Spell-Check/quickstarts/python.md +++ b/articles/cognitive-services/Bing-Spell-Check/quickstarts/python.md @@ -22,7 +22,6 @@ Use this quickstart to make your first call to the Bing Spell Check REST API. Th [!INCLUDE [cognitive-services-bing-spell-check-signup-requirements](../../../../includes/cognitive-services-bing-spell-check-signup-requirements.md)] - ## Initialize the application 1. Create a new Python file in your favorite IDE or editor, and add the following import statement. @@ -35,7 +34,7 @@ Use this quickstart to make your first call to the Bing Spell Check REST API. Th 2. Create variables for the text you want to spell check, your subscription key, and your Bing Spell Check endpoint. ```python - api_key = "enter-your-key-here" + api_key = "" example_text = "Hollo, wrld" # the text to be spell-checked endpoint = "https://api.cognitive.microsoft.com/bing/v7.0/SpellCheck" ``` @@ -48,7 +47,7 @@ Use this quickstart to make your first call to the Bing Spell Check REST API. Th data = {'text': example_text} ``` -2. Add the parameters for your request. Set the `mkt` parameter to your market, and `mode` to `proof`. +2. Add the parameters for your request. Append your market code after `mkt=`. The market code is the country you make the request from. Also, append your spell-check mode after `&mode=`. Mode is either `proof` (catches most spelling/grammar errors) or `spell` (catches most spelling but not as many grammar errors). ```python params = { @@ -75,7 +74,7 @@ Use this quickstart to make your first call to the Bing Spell Check REST API. Th ``` 2. Get the JSON response, and print it. - + ```python json_response = response.json() print(json.dumps(json_response, indent=4)) 
@@ -83,7 +82,7 @@ Use this quickstart to make your first call to the Bing Spell Check REST API. Th ## Example JSON response -A successful response is returned in JSON, as shown in the following example: +A successful response is returned in JSON, as shown in the following example: ```json { diff --git a/articles/cognitive-services/Computer-vision/Vision-API-How-to-Topics/HowToCallVisionAPI.md b/articles/cognitive-services/Computer-vision/Vision-API-How-to-Topics/HowToCallVisionAPI.md index 449e219dc26dd..0083549576051 100644 --- a/articles/cognitive-services/Computer-vision/Vision-API-How-to-Topics/HowToCallVisionAPI.md +++ b/articles/cognitive-services/Computer-vision/Vision-API-How-to-Topics/HowToCallVisionAPI.md @@ -163,13 +163,13 @@ Here's an example: Field | Type | Content ------|------|------| -Tags | object | Top-level object for array of tags -tags[].Name | string | Keyword from tags classifier -tags[].Score | number | Confidence score, between 0 and 1. -description | object | Top-level object for a description. -description.tags[] | string | List of tags. If there insufficient confidence in the ability to produce a caption, the tags maybe the only information available to the caller. -description.captions[].text | string | A phrase describing the image. -description.captions[].confidence | number | Confidence for the phrase. +Tags | `object` | Top-level object for array of tags +tags[].Name | `string` | Keyword from tags classifier +tags[].Score | `number` | Confidence score, between 0 and 1. +description | `object` | Top-level object for a description. +description.tags[] | `string` | List of tags. If there insufficient confidence in the ability to produce a caption, the tags maybe the only information available to the caller. +description.captions[].text | `string` | A phrase describing the image. +description.captions[].confidence | `number` | Confidence for the phrase. ## Retrieve and understand the JSON output of domain-specific models 
@@ -225,10 +225,10 @@ The categories field is a list of one or more of the [86-categories](../Category Field | Type | Content ------|------|------| -categories | object | Top-level object -categories[].name | string | Name from 86-category taxonomy -categories[].score | number | Confidence score, between 0 and 1 -categories[].detail | object? | Optional detail object +categories | `object` | Top-level object +categories[].name | `string` | Name from 86-category taxonomy +categories[].score | `number` | Confidence score, between 0 and 1 +categories[].detail | `object?` | Optional detail object Note that if multiple categories match (for example, 86-category classifier returns a score for both people_ and people_young when model=celebrities), the details are attached to the most general level match (people_ in that example.) @@ -238,4 +238,4 @@ These are identical to vision.analyze, with the additional error of NotSupported ## Next steps -To use the REST API, go to [Computer Vision API Reference](https://westus.dev.cognitive.microsoft.com/docs/services/5adf991815e1060e6355ad44). \ No newline at end of file +To use the REST API, go to [Computer Vision API Reference](https://westus.dev.cognitive.microsoft.com/docs/services/5adf991815e1060e6355ad44). diff --git a/articles/cognitive-services/Computer-vision/quickstarts-sdk/python-sdk.md b/articles/cognitive-services/Computer-vision/quickstarts-sdk/python-sdk.md index c260a5bdb67ba..d78139055840f 100644 --- a/articles/cognitive-services/Computer-vision/quickstarts-sdk/python-sdk.md +++ b/articles/cognitive-services/Computer-vision/quickstarts-sdk/python-sdk.md @@ -9,7 +9,7 @@ manager: nitinme ms.service: cognitive-services ms.subservice: computer-vision ms.topic: quickstart -ms.date: 02/28/2019 +ms.date: 04/10/2019 ms.author: pafarley --- # Azure Cognitive Services Computer Vision SDK for Python 
@@ -211,12 +211,13 @@ for caption in analysis.captions: ### Get text from image -You can get any handwritten or printed text from an image. This requires two calls to the SDK: [`recognize_text`][ref_computervisionclient_recognize_text] and [`get_text_operation_result`][ref_computervisionclient_get_text_operation_result]. The call to recognize_text is asynchronous. In the results of the get_text_operation_result call, you need to check if the first call completed with [`TextOperationStatusCodes`][ref_computervision_model_textoperationstatuscodes] before extracting the text data. The results include the text as well as the bounding box coordinates for the text. +You can get any handwritten or printed text from an image. This requires two calls to the SDK: [`batch_read_file`](https://docs.microsoft.com/en-us/python/api/azure-cognitiveservices-vision-computervision/azure.cognitiveservices.vision.computervision.computervisionclient?view=azure-python#batch-read-file-url--mode--custom-headers-none--raw-false----operation-config-) and [`get_read_operation_result`](https://docs.microsoft.com/python/api/azure-cognitiveservices-vision-computervision/azure.cognitiveservices.vision.computervision.computervisionclient?view=azure-python#get-read-operation-result-operation-id--custom-headers-none--raw-false----operation-config-). The call to `batch_read_file` is asynchronous. In the results of the `get_read_operation_result` call, you need to check if the first call completed with [`TextOperationStatusCodes`][ref_computervision_model_textoperationstatuscodes] before extracting the text data. The results include the text as well as the bounding box coordinates for the text. 
```Python # import models from azure.cognitiveservices.vision.computervision.models import TextRecognitionMode from azure.cognitiveservices.vision.computervision.models import TextOperationStatusCodes +import time url = "https://azurecomcdn.azureedge.net/cvt-1979217d3d0d31c5c87cbd991bccfee2d184b55eeb4081200012bdaf6a65601a/images/shared/cognitive-services-demos/read-text/read-1-thumbnail.png" mode = TextRecognitionMode.handwritten @@ -225,7 +226,7 @@ custom_headers = None numberOfCharsInOperationId = 36 # Async SDK call -rawHttpResponse = client.recognize_text(url, mode, custom_headers, raw) +rawHttpResponse = client.batch_read_file(url, mode, custom_headers, raw) # Get ID from returned headers operationLocation = rawHttpResponse.headers["Operation-Location"] @@ -234,16 +235,17 @@ operationId = operationLocation[idLocation:] # SDK call while True: - result = client.get_text_operation_result(operationId) + result = client.get_read_operation_result(operationId) if result.status not in ['NotStarted', 'Running']: break time.sleep(1) # Get data if result.status == TextOperationStatusCodes.succeeded: - for line in result.recognition_result.lines: - print(line.text) - print(line.bounding_box) + for textResult in result.recognition_results: + for line in textResult.lines: + print(line.text) + print(line.bounding_box) ``` ### Generate thumbnail 
@@ -309,12 +311,6 @@ except HTTPFailure as e: While working with the [ComputerVisionClient][ref_computervisionclient] client, you might encounter transient failures caused by [rate limits][computervision_request_units] enforced by the service, or other transient problems like network outages. For information about handling these types of failures, see [Retry pattern][azure_pattern_retry] in the Cloud Design Patterns guide, and the related [Circuit Breaker pattern][azure_pattern_circuit_breaker]. -### More sample code - -Several Computer Vision Python SDK samples are available to you in the SDK's GitHub repository. These samples provide example code for additional scenarios commonly encountered while working with Computer Vision: - -* [recognize_text][recognize-text] - ## Next steps > [!div class="nextstepaction"] @@ -324,7 +320,7 @@ Several Computer Vision Python SDK samples are available to you in the SDK's Git [pip]: https://pypi.org/project/pip/ [python]: https://www.python.org/downloads/ -[azure_cli]: https://docs.microsoft.com/en-us/cli/azure/cognitiveservices/account?view=azure-cli-latest#az-cognitiveservices-account-create +[azure_cli]: https://docs.microsoft.com/cli/azure/cognitiveservices/account?view=azure-cli-latest#az-cognitiveservices-account-create [azure_pattern_circuit_breaker]: https://docs.microsoft.com/azure/architecture/patterns/circuit-breaker [azure_pattern_retry]: https://docs.microsoft.com/azure/architecture/patterns/retry [azure_portal]: https://portal.azure.com @@ -345,7 +341,7 @@ Several Computer Vision Python SDK samples are available to you in the SDK's Git [ref_httpfailure]: https://docs.microsoft.com/python/api/msrest/msrest.exceptions.httpoperationerror?view=azure-python -[computervision_resource]: https://azure.microsoft.com/en-us/try/cognitive-services/? +[computervision_resource]: https://azure.microsoft.com/try/cognitive-services/? [computervision_docs]: https://docs.microsoft.com/azure/cognitive-services/computer-vision/home 
@@ -359,8 +355,6 @@ Several Computer Vision Python SDK samples are available to you in the SDK's Git [ref_computervisionclient_describe_image]:https://docs.microsoft.com/python/api/azure-cognitiveservices-vision-computervision/azure.cognitiveservices.vision.computervision.computervisionclient?view=azure-python -[ref_computervisionclient_recognize_text]:https://docs.microsoft.com/python/api/azure-cognitiveservices-vision-computervision/azure.cognitiveservices.vision.computervision.computervisionclient?view=azure-python - [ref_computervisionclient_get_text_operation_result]:https://docs.microsoft.com/python/api/azure-cognitiveservices-vision-computervision/azure.cognitiveservices.vision.computervision.computervisionclient?view=azure-python [ref_computervisionclient_generate_thumbnail]:https://docs.microsoft.com/python/api/azure-cognitiveservices-vision-computervision/azure.cognitiveservices.vision.computervision.computervisionclient?view=azure-python @@ -370,7 +364,4 @@ Several Computer Vision Python SDK samples are available to you in the SDK's Git [ref_computervision_model_textoperationstatuscodes]:https://docs.microsoft.com/python/api/azure-cognitiveservices-vision-computervision/azure.cognitiveservices.vision.computervision.models.textoperationstatuscodes?view=azure-python -[computervision_request_units]:https://azure.microsoft.com/pricing/details/cognitive-services/computer-vision/ - -[recognize-text]:https://github.com/Azure-Samples/cognitive-services-python-sdk-samples/blob/master/samples/vision/computer_vision_samples.py - +[computervision_request_units]:https://azure.microsoft.com/pricing/details/cognitive-services/computer-vision/ \ No newline at end of file diff --git a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/Workflows.md b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/Workflows.md index c800b47094f12..db0ca2d938e16 100644 
--- a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/Workflows.md +++ b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/Workflows.md @@ -9,7 +9,7 @@ manager: mikemcca ms.service: cognitive-services ms.subservice: content-moderator ms.topic: article -ms.date: 03/14/2019 +ms.date: 04/04/2019 ms.author: sajagtap #Customer intent: use workflows from the Review tool --- @@ -62,9 +62,9 @@ Now that you have defined a custom workflow, test it with sample content. Go to ![Workflow test](images/image-workflow-execute.PNG) -Save this [sample image](https://moderatorsampleimages.blob.core.windows.net/samples/sample3.png) to your local drive. Then select **Choose File(s)** and upload the image to the workflow. +Save this [sample image](https://moderatorsampleimages.blob.core.windows.net/samples/sample2.jpg) to your local drive. Then select **Choose File(s)** and upload the image to the workflow. -![a woman in a bathing suit](images/sample-racy.PNG) +![A runner with a quote superimposed on the image](images/sample-text.jpg) ### Track progress diff --git a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-action.png b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-action.png index 716bf755827d6..11b144a1cc673 100644 Binary files a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-action.png and b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-action.png differ 
diff --git a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-condition.png b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-condition.png
index 5c60dae66b857..2952a4b6f2fd1 100644
Binary files a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-condition.png and b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-condition.png differ
diff --git a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-job.png b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-job.png
index bf38956737221..6f50e1c2e69b8 100644
Binary files a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-job.png and b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-job.png differ
diff --git a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-review.png b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-review.png
index 5971f74ed892c..ead8875c55779 100644
Binary files a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-review.png and b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/image-workflow-review.png differ
diff --git a/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/sample-text.jpg b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/sample-text.jpg
new file mode 100644
index 0000000000000..ac32c0b4ed4b6
Binary files /dev/null and b/articles/cognitive-services/Content-Moderator/Review-Tool-User-Guide/images/sample-text.jpg differ
diff --git a/articles/cognitive-services/Content-Moderator/video-reviews-quickstart-dotnet.md b/articles/cognitive-services/Content-Moderator/video-reviews-quickstart-dotnet.md index e22cee2ecc98e..f992110de53a2 100644 --- a/articles/cognitive-services/Content-Moderator/video-reviews-quickstart-dotnet.md +++ b/articles/cognitive-services/Content-Moderator/video-reviews-quickstart-dotnet.md @@ -164,7 +164,7 @@ Create a video review with **ContentModeratorClient.Reviews.CreateVideoReviews** **CreateVideoReviews** has the following required parameters: 1. A string that contains a MIME type, which should be "application/json." 1. Your Content Moderator team name. -1. An **IList** object. Each **CreateVideoReviewsBodyItem** object represents a video review. This quickstart creates one review at a time. +1. An **IList\** object. Each **CreateVideoReviewsBodyItem** object represents a video review. This quickstart creates one review at a time. **CreateVideoReviewsBodyItem** has several properties. At a minimum, you set the following properties: - **Content**. The URL of the video to be reviewed. 
@@ -222,18 +222,18 @@ You add video frames to a video review with **ContentModeratorClient.Reviews.Add 1. A string that contains a MIME type, which should be "application/json." 1. Your Content Moderator team name. 1. The video review ID returned by **CreateVideoReviews**. -1. An **IList** object. Each **VideoFrameBodyItem** object represents a video frame. +1. An **IList\** object. Each **VideoFrameBodyItem** object represents a video frame. **VideoFrameBodyItem** has the following properties: - **Timestamp**. A string that contains, in seconds, the time in the video from which the video frame was taken. - **FrameImage**. The URL of the video frame. -- **Metadata**. An IList. **VideoFrameBodyItemMetadataItem** is simply a key/value pair. Valid keys include: +- **Metadata**. An IList\. **VideoFrameBodyItemMetadataItem** is simply a key/value pair. Valid keys include: - **reviewRecommended**. True if a human review of the video frame is recommended. - **adultScore**. A value from 0 to 1 that rates the severity of adult content in the video frame. - **a**. True if the video contains adult content. - **racyScore**. A value from 0 to 1 that rates the severity of racy content in the video frame. - **r**. True if the video frame contains racy content. -- **ReviewerResultTags**. An IList. **VideoFrameBodyItemReviewerResultTagsItem** is simply a key/value pair. An application can use these tags to organize video frames. +- **ReviewerResultTags**. An IList\. **VideoFrameBodyItemReviewerResultTagsItem** is simply a key/value pair. An application can use these tags to organize video frames. > [!NOTE] > This quickstart generates random values for the **adultScore** and **racyScore** properties. In a production application, you would obtain these values from the [video moderation service](video-moderation-api.md), deployed as an Azure Media Service. 
diff --git a/articles/cognitive-services/Content-Moderator/video-transcript-reviews-quickstart-dotnet.md b/articles/cognitive-services/Content-Moderator/video-transcript-reviews-quickstart-dotnet.md index 4441ea26d19ef..54f52d68bdcff 100644 --- a/articles/cognitive-services/Content-Moderator/video-transcript-reviews-quickstart-dotnet.md +++ b/articles/cognitive-services/Content-Moderator/video-transcript-reviews-quickstart-dotnet.md @@ -151,7 +151,7 @@ Create a video review with **ContentModeratorClient.Reviews.CreateVideoReviews** **CreateVideoReviews** has the following required parameters: 1. A string that contains a MIME type, which should be "application/json." 1. Your Content Moderator team name. -1. An **IList** object. Each **CreateVideoReviewsBodyItem** object represents a video review. This quickstart creates one review at a time. +1. An **IList\** object. Each **CreateVideoReviewsBodyItem** object represents a video review. This quickstart creates one review at a time. **CreateVideoReviewsBodyItem** has several properties. At a minimum, you set the following properties: - **Content**. The URL of the video to be reviewed. 
@@ -241,15 +241,15 @@ In addition to adding a transcript to a video review, you also add the result of 1. A string that contains a MIME type, which should be "application/json." 1. Your Content Moderator team name. 1. The video review ID returned by **CreateVideoReviews**. -1. An IList. A **TranscriptModerationBodyItem** has the following properties: -1. **Terms**. An IList. A **TranscriptModerationBodyItemTermsItem** has the following properties: +1. An IList\. A **TranscriptModerationBodyItem** has the following properties: +1. **Terms**. An IList\. A **TranscriptModerationBodyItemTermsItem** has the following properties: 1. **Index**. The zero-based index of the term. 1. **Term**. A string that contains the term. 1. **Timestamp**. A string that contains, in seconds, the time in the transcript at which the terms are found. The transcript must be in the WebVTT format. For more information, see [WebVTT: The Web Video Text Tracks Format](https://www.w3.org/TR/webvtt1/). -Add the following method definition to namespace VideoTranscriptReviews, class Program. This method submits a transcript to the **ContentModeratorClient.TextModeration.ScreenText** method. It also translates the result into an IList, and submits to **AddVideoTranscriptModerationResult**. +Add the following method definition to namespace VideoTranscriptReviews, class Program. This method submits a transcript to the **ContentModeratorClient.TextModeration.ScreenText** method. It also translates the result into an IList\, and submits to **AddVideoTranscriptModerationResult**. ```csharp /// diff --git a/articles/cognitive-services/Custom-Vision-Service/getting-started-build-a-classifier.md b/articles/cognitive-services/Custom-Vision-Service/getting-started-build-a-classifier.md index 6bd8d9aaac56b..005e6c9334416 100644 --- a/articles/cognitive-services/Custom-Vision-Service/getting-started-build-a-classifier.md +++ b/articles/cognitive-services/Custom-Vision-Service/getting-started-build-a-classifier.md 
@@ -9,7 +9,7 @@ manager: nitinme ms.service: cognitive-services ms.subservice: custom-vision ms.topic: conceptual -ms.date: 01/10/2019 +ms.date: 04/03/2019 ms.author: anroth --- @@ -52,9 +52,8 @@ In your web browser, navigate to the [Custom Vision web page](https://customvisi |__Food__|Optimized for photographs of dishes as you would see them on a restaurant menu. If you want to classify photographs of individual fruits or vegetables, use the Food domain.| |__Landmarks__|Optimized for recognizable landmarks, both natural and artificial. This domain works best when the landmark is clearly visible in the photograph. This domain works even if the landmark is slightly obstructed by people in front of it.| |__Retail__|Optimized for images that are found in a shopping catalog or shopping website. If you want high precision classifying between dresses, pants, and shirts, use this domain.| - |__Adult__|Optimized to better define adult content and non-adult content. For example, if you want to block images of people in bathing suits, this domain allows you to build a custom classifier to do that.| |__Compact domains__| Optimized for the constraints of real-time classification on mobile devices. The models generated by compact domains can be exported to run locally.| - + 1. Finally, select __Create project__. ## Choose training images diff --git a/articles/cognitive-services/Custom-Vision-Service/glossary-of-terms.md b/articles/cognitive-services/Custom-Vision-Service/glossary-of-terms.md index 4d23d5165db42..727568d022dfc 100644 --- a/articles/cognitive-services/Custom-Vision-Service/glossary-of-terms.md +++ b/articles/cognitive-services/Custom-Vision-Service/glossary-of-terms.md @@ -9,7 +9,7 @@ manager: nitinme ms.service: cognitive-services ms.subservice: custom-vision ms.topic: conceptual -ms.date: 03/21/2019 +ms.date: 04/03/2019 ms.author: anroth --- # Glossary of terms for Custom Vision Service 
@@ -27,7 +27,6 @@ When you create a project, you select a "domain" for that project. The domain op - **The Food domain.** Optimized for dishes you would see on a restaurant menu. It was not optimized for recognizing individual fruit or vegetables. If you want to classify photographs of individual fruits or vegetables, use the Generic domain for that purpose. - **The Landmark domain.** Optimized for recognizable landmarks, both natural and artificial. This domain works best when the landmark is clearly visible in the photograph, even if the landmark is slightly obstructed by a group of people posing in front of it. - **The Retail domain.** Optimized for classifying images in a shopping catalog or shopping website. If you want high precision when classifying dresses, pants, shirts, etc., then use the Retail domain. -- **The Adult domain.** Optimized to better define between adult content and non-adult content. For example, if you want to block images of people in bathing suits, this domain allows you to build a custom classifier to do that. - **The General domain.** Well suited for a broad variety of image classification tasks. The models generated by **compact domains** can be exported with the iteration export functionality. They are optimized for the constraints of real-time classification on mobile devices. Classifiers built with a compact domain may be slightly less accurate a standard domain with the same amount of training data. The tradeoff is that they are small enough to be run locally in near real time. diff --git a/articles/cognitive-services/Custom-Vision-Service/media/update-application-to-3.0-sdk/prediction-id.png b/articles/cognitive-services/Custom-Vision-Service/media/update-application-to-3.0-sdk/prediction-id.png new file mode 100644 index 0000000000000..c1d6cbbfa3aea Binary files /dev/null and b/articles/cognitive-services/Custom-Vision-Service/media/update-application-to-3.0-sdk/prediction-id.png differ 
diff --git a/articles/cognitive-services/Custom-Vision-Service/move-your-project-to-azure.md b/articles/cognitive-services/Custom-Vision-Service/move-your-project-to-azure.md
index 1ad9a0bbbd491..41b7560a235d8 100644
--- a/articles/cognitive-services/Custom-Vision-Service/move-your-project-to-azure.md
+++ b/articles/cognitive-services/Custom-Vision-Service/move-your-project-to-azure.md
@@ -13,83 +13,45 @@ ms.date: 02/19/2019 ms.author: anroth --- +# How to move your Limited Trial project to Azure +As Custom Vision Service completes its move to Azure, support for Limited Trial projects outside of Azure is ending. This document will show you how to use the Custom Vision APIs to copy your Limited Trial project to an Azure resource. -# How to move your Limited Trial project to Azure using the CustomVision.ai site +Support for viewing Limited Trial projects on the [Custom Vision website](https://customvision.ai) ended on March 25, 2019. This document now shows you how to use the Custom Vision APIs with a [migration python script](https://github.com/Azure-Samples/custom-vision-move-project) on GitHub) to duplicate your project to an Azure resource. +For more details, including key deadlines in the limited trial deprecation process, please refer to the [release notes](https://docs.microsoft.com/azure/cognitive-services/custom-vision-service/release-notes#february-25-2019) or to email communications sent to owners of limited trial projects. -As Custom Vision Service is now in [Azure Preview](https://azure.microsoft.com/services/preview/), support for Limited Trial projects outside of Azure is ending. This document will teach you how to use the [Custom Vision website](https://customvision.ai) to move your Limited Trial project to be associated with an Azure resource. - -> [!NOTE] -> When you move your Custom Vision projects to an Azure resource, they the inherit underlying [permissions]( https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal) of that Azure resource. If other users in your organization are Owners of the Azure resource your project is in, they will be able to access your project on the [Custom Vision website](https://customvision.ai). Similarly, deleting your resources will delete your projects. 
- - -For an introduction to the Azure concepts of subscriptions and resources, refer to the [Azure developer guide.](https://docs.microsoft.com/azure/guides/developer/azure-developer-guide#manage-your-subscriptions) - +The [migration script](https://github.com/Azure-Samples/custom-vision-move-project) allows you to recreate a project by downloading and then uploading all of the tags, regions, and images in your current iteration. It will leave you with a new project in your new subscription which you can then train. ## Prerequisites -You will need a valid Azure subscription associated with the same Microsoft account or Azure Active Directory (AAD) account you use to log into the [Custom Vision website](https://customvision.ai). - -If you do not have an Azure account, [create an account](https://azure.microsoft.com/free/) for free. - +- You will need a valid Azure subscription associated with the Microsoft account or Azure Active Directory (AAD) account you wish to use to log into the [Custom Vision website](https://customvision.ai). + - If you do not have an Azure account, [create an account](https://azure.microsoft.com/free/) for free. + - For an introduction to the Azure concepts of subscriptions and resources, refer to the [Azure developer guide.](https://docs.microsoft.com/azure/guides/developer/azure-developer-guide#manage-your-subscriptions). +- [Python](https://www.python.org/downloads/) +- [Pip](https://pip.pypa.io/en/stable/installing/) ## Create Custom Vision resources in the Azure portal -To use Custom Vision Service with Azure, you will need to create Custom Vision Training and Prediction resources in the [Azure portal](https://portal.azure.com/?microsoft_azure_marketplace_ItemHideKey=microsoft_azure_cognitiveservices_customvision#create/Microsoft.CognitiveServicesCustomVision). 
- To move your project using this [Custom Vision website](https://customvision.ai) experience, you must create your resources in the South Central US region, because all Limited Trial projects are hosted in South Central US. +To use Custom Vision Service with Azure, you will need to create Custom Vision Training and Prediction resources in the [Azure portal](https://portal.azure.com/?microsoft_azure_marketplace_ItemHideKey=microsoft_azure_cognitiveservices_customvision#create/Microsoft.CognitiveServicesCustomVision). Multiple projects can be associated to a single resource. More detail about [Pricing and Limits](https://docs.microsoft.com/azure/cognitive-services/custom-vision-service/limits-and-quotas) is available. To continue to use Custom Vision Service for free, you can select the F0 tier in the Azure portal. - -## Move your Limited Trial project to an Azure resource - -1. In your web browser, navigate to the [Custom Vision website](https://customvision.ai) and select __Sign in__. Open the project you wish to migrate to an Azure account. -2. Open the Settings page for your project by clicking on the gear icon on the top-right-hand corner of the screen. - - ![Project settings is the gear icon at the top-right of the project page.](./media/move-your-project-to-azure/settings-icon.png) - - -3. Click on __Move to Azure__. - - ![Move to Azure button is on the bottom left of the Project Settings page.](./media/move-your-project-to-azure/move-to-azure.jpg) - - -4. From the dropdown on the __Move to Azure__ button, select the Azure resource you wish to move your project to. Click __Move__. - -5. If you do not see the Azure resource you created earlier for Custom Vision Service, it may be in another directory. To move your project to a resource in another directory, follow the instructions below. 
- - ![Project Migration window.](./media/move-your-project-to-azure/Project_Migration_Window.jpg) - - -## Move project to another Azure directory - > [!NOTE] -> In both the Azure portal and CustomVision.ai, you can select your directory from the drop-down User menu at the top-right corner of the screen. - - -1. Identify which directory your Azure resource is in. You can find the directory listed under your username at the top-right of the Azure portal menu bar. +> When you move your Custom Vision project to an Azure resource, it inherits the underlying [permissions]( https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal) of that Azure resource. If other users in your organization are owners of the Azure resource your project is in, they will be able to access your project on the [Custom Vision website](https://customvision.ai). Similarly, deleting your resources will delete your projects. - ![Your directory is listed under your username at the top-right of the Azure portal menu bar. .](./media/move-your-project-to-azure/identify_directory.jpg) +## Find your limited trial project information -2. Find the Resource ID of your Custom Vision Training resource. You can find this in the Azure portal by opening your Custom Vision Training resource and selecting “Properties” under the “Resource Management” section. Your Resource ID will be there. +To move your project, you will need the _project ID_ and _training key_ for the project you are trying to migrate. If you do not have this information, visit [https://limitedtrial.customvision.ai/projects](https://limitedtrial.customvision.ai/projects) to obtain the ID and key for each of your projects. 
- ![Find your Resource ID in the Azure portal by opening your Custom Vision Training resource and selecting “Properties” under the “Resource Management” section.](./media/move-your-project-to-azure/resource_ID_azure_portal.jpg) +## Use the Python sample code to copy your project to Azure +Follow the [sample code instructions](https://github.com/Azure-Samples/custom-vision-move-project), using your limited trial key and project ID as the "source" materials, and the key from the new Azure resource you created as the "destination". -3. Alternatively, you can find the Resource ID of your Custom Vision Resource directly in the Custom Vision website [Settings page]( https://www.customvision.ai/projects#/settings). You will need to switch to the same directory your Azure resource is in. - - ![Your Resource ID is listed for each resource on your settings page on the Custom Vision website.](./media/move-your-project-to-azure/resource_ID_CVS_portal.jpg) - -4. Now that you have your resource ID, return to the Custom Vision project you are trying to move from a Limited Trial to an Azure resource. Reminder, you may need to switch back to your original directory to find it. Follow the instructions provided [above](#move-your-limited-trial-project-to-an-azure-resource) to open your project settings page and select __Move to Azure__. - - -5. In the Move to Azure window, check the box for “Move to a different Azure directory?”. Select the directory you want to move your project to and enter the Resource ID of the resource you are moving your project to. Click __Move__. - - - -5. Remember, your project is now in a different directory. To find your project, you will need to switch to the same directory on the Custom Vision web portal that your project is in. In both the Azure portal and the [Custom Vision website](https://customvision.ai), you can select your directory from the drop-down account menu at the top-right corner of the screen. 
+By default, all Limited Trial projects are hosted in South Central US Azure region.
 ## Next steps
 Your project has now been moved to an Azure resource. You will need to update your Training and Prediction keys in any applications you have written.
+
+To view your project on the [Custom Vision website](https://customvision.ai), sign in with the same account you used to sign into the Azure portal. If you do not see your project, please confirm that you are in the same directory in the [Custom Vision website](https://customvision.ai) as the directory where your resources are located in the Azure portal. In both the Azure portal and CustomVision.ai, you can select your directory from the drop-down User menu at the top-right corner of the screen.
\ No newline at end of file
diff --git a/articles/cognitive-services/Custom-Vision-Service/release-notes.md b/articles/cognitive-services/Custom-Vision-Service/release-notes.md
index 444588135f1d8..92188c1836e3d 100644
--- a/articles/cognitive-services/Custom-Vision-Service/release-notes.md
+++ b/articles/cognitive-services/Custom-Vision-Service/release-notes.md
@@ -8,69 +8,79 @@ manager: nitinme ms.service: cognitive-services ms.subservice: custom-vision ms.topic: conceptual -ms.date: 03/21/2019 +ms.date: 04/03/2019 ms.author: anroth --- # Custom Vision Service Release Notes ## March 26, 2019 -- Custom Vision Service has entered General Availability on Azure! -- Added Advanced Training feature with a new machine learning backend for improved performance, especially on challenging datasets and fine-grained classification. With advanced training, you can specify a compute time budget for training and Custom Vision will experimentally identify the best training and augmentation settings. For quick iterations, you can continue to use the existing fast training. -- Introduced 3.0 APIs. Announced coming deprecation of pre-3.0 APIs on October 1, 2019. See the documentation Quickstarts for [.Net](https://docs.microsoft.com/en-us/azure/cognitive-services/custom-vision-service/csharp-tutorial), [Python](https://docs.microsoft.com/en-us/azure/cognitive-services/custom-vision-service/python-tutorial), [Node](https://docs.microsoft.com/en-us/azure/cognitive-services/custom-vision-service/node-tutorial), [Java](https://docs.microsoft.com/en-us/azure/cognitive-services/custom-vision-service/java-tutorial), or [Go](https://docs.microsoft.com/en-us/azure/cognitive-services/custom-vision-service/go-tutorial) for examples on how to get started. -- Replaced “Default Iterations” with Publish/Unpublish in the 3.0 APIs. -- New model export targets have been added. Dockerfile export has been upgraded to support ARM for Raspberry Pi 3. Export support has been added to the [Vision AI Dev Kit.](https://visionaidevkit.com/) -- Increased limit of Tags per project to 500 for S0 tier. Increased limit of Images per project to 100,000 for S0 tier. -- Removed Adult domain. General domain is reccomended instead. -- Announced [pricing](https://azure.microsoft.com/en-us/pricing/details/cognitive-services/custom-vision-service/) for General Availability. 
+- Custom Vision Service has entered General Availability on Azure! +- Added Advanced Training feature with a new machine learning backend for improved performance, especially on challenging datasets and fine-grained classification. With advanced training, you can specify a compute time budget for training and Custom Vision will experimentally identify the best training and augmentation settings. For quick iterations, you can continue to use the existing fast training. +- Introduced 3.0 APIs. Announced coming deprecation of pre-3.0 APIs on October 1, 2019. See the documentation quickstarts for [.Net](https://docs.microsoft.com/azure/cognitive-services/custom-vision-service/csharp-tutorial), [Python](https://docs.microsoft.com/azure/cognitive-services/custom-vision-service/python-tutorial), [Node](https://docs.microsoft.com/azure/cognitive-services/custom-vision-service/node-tutorial), [Java](https://docs.microsoft.com/azure/cognitive-services/custom-vision-service/java-tutorial), or [Go](https://docs.microsoft.com/azure/cognitive-services/custom-vision-service/go-tutorial) for examples on how to get started. +- Replaced "Default Iterations" with Publish/Unpublish in the 3.0 APIs. +- New model export targets have been added. Dockerfile export has been upgraded to support ARM for Raspberry Pi 3. Export support has been added to the [Vision AI Dev Kit.](https://visionaidevkit.com/). +- Increased limit of Tags per project to 500 for S0 tier. Increased limit of Images per project to 100,000 for S0 tier. +- Removed Adult domain. General domain is recommended instead. +- Announced [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/custom-vision-service/) for General Availability. ## February 25, 2019 -- Announced the end of Limited Trial projects (projects not associated with an Azure resource), as Custom Vision nears completion of its move to Azure public preview. 
Beginning March 25, 2019, the CustomVision.ai site will only support viewing projects associated with an Azure resource, such as the free Custom Vision resource. Through October 1, 2019, you’ll still be able to access your existing limited trial projects via the Custom Vision APIs. This will give you time to update API keys for any apps you’ve written with Custom Vision. After October 1, 2019, any limited trial projects you haven’t moved to Azure will be deleted. + +- Announced the end of Limited Trial projects (projects not associated with an Azure resource), as Custom Vision nears completion of its move to Azure public preview. Beginning March 25, 2019, the CustomVision.ai site will only support viewing projects associated with an Azure resource, such as the free Custom Vision resource. Through October 1, 2019, you'll still be able to access your existing limited trial projects via the Custom Vision APIs. This will give you time to update API keys for any apps you've written with Custom Vision. After October 1, 2019, any limited trial projects you haven't moved to Azure will be deleted. ## January 22, 2019 -- Support added for new Azure regions: West US 2, East US, East US 2, West Europe, North Europe, Southeast Asia, Australia East, Central India, UK South, Japan East, and North Central US. Support continues for South Central US. + +- Support added for new Azure regions: West US 2, East US, East US 2, West Europe, North Europe, Southeast Asia, Australia East, Central India, UK South, Japan East, and North Central US. Support continues for South Central US. ## December 12, 2018 + - Support export for Object Detection models (introduced Object Detection Compact Domain). -- Fixed a number of accessibility issues for improved screen reader and keyboard navigation support. +- Fixed a number of accessibility issues for improved screen reader and keyboard navigation support. 
- UX updates for image viewer and improved object detection tagging experience for faster tagging. -- Updated base model for Object Detection Domain for better quality object detection. -- Bugfixes. +- Updated base model for Object Detection Domain for better quality object detection. +- Bug fixes. ## November 6, 2018 + - Added support for Logo Domain in Object Detection. ## October 9, 2018 + - Object Detection enters paid preview. You can now create Object Detection projects with an Azure resource. - Added "Move to Azure" feature to website, to make it easier to upgrade a Limited Trial project to link to an Azure. resource linked project (F0 or S0.) You can find this on the Settings page for your product. - Added export to ONNX 1.2, to support Windows 2018 October Update version of Windows ML. -Bugfixes, including for ONNX export with special characters. +Bug fixes, including for ONNX export with special characters. ## August 14, 2018 -- Added "Get Started" widget to customvision.ai site to guide users through project training. + +- Added "Get Started" widget to customvision.ai site to guide users through project training. - Further improvements to the machine learning pipeline to benefit multilabel projects (new loss layer). ## June 28, 2018 -- Bugfixes & backend improvements. -- Enabled Multiclass classification, for projects where images have exactly one label. In Predictions for multiclass mode, Probabilities will sum to one (all images are classified among your specified Tags). + +- Bug fixes & backend improvements. +- Enabled multiclass classification, for projects where images have exactly one label. In Predictions for multiclass mode, probabilities will sum to one (all images are classified among your specified Tags). ## June 13, 2018 -- UX refresh, focused on ease of use and accessibility. + +- UX refresh, focused on ease of use and accessibility. - Improvements to the machine learning pipeline to benefit multilabel projects with a large number of tags. 
-- Fixed bug in TensorFlow export. Enabled exported model versioning, so iterations can be exported more than once. +- Fixed bug in TensorFlow export. Enabled exported model versioning, so iterations can be exported more than once. ## May 7, 2018 + - Introduced preview Object Detection feature for Limited Trial projects. - Upgrade to 2.0 APIs -- S0 tier expanded to up to 250 tags and 50,000 images. +- S0 tier expanded to up to 250 tags and 50,000 images. - Significant backend improvements to the machine learning pipeline for image classification projects. Projects trained after April 27, 2018 will benefit from these updates. - Added model export to ONNX, for use with Windows ML. -- Added model export to Dockerfile. This allows you to download the artifacts to build your own Windows or Linux containers, including a DockerFile, TensorFlow model, and service code. -- For newly trained models exported to TensorFlow in the General (Compact) and Landmark (Compact) Domains, [Mean Values are now (0,0,0)](https://github.com/azure-samples/cognitive-services-android-customvision-sample), for consistency across all projects. +- Added model export to Dockerfile. This allows you to download the artifacts to build your own Windows or Linux containers, including a DockerFile, TensorFlow model, and service code. +- For newly trained models exported to TensorFlow in the General (Compact) and Landmark (Compact) Domains, [Mean Values are now (0,0,0)](https://github.com/azure-samples/cognitive-services-android-customvision-sample), for consistency across all projects. ## March 1, 2018 -- Entered paid preview and onboarded onto the Azure Portal. Projects can now be attached to Azure resources with an F0 (Free) or S0 (Standard) tier. Introduced S0 tier projects, which allow up to 100 tags and 25,000 images. + +- Entered paid preview and onboarded onto the Azure portal. Projects can now be attached to Azure resources with an F0 (Free) or S0 (Standard) tier. 
Introduced S0 tier projects, which allow up to 100 tags and 25,000 images.
 - Backend changes to the machine learning pipeline/normalization parameter. This will give customers better control of precision-recall tradeoffs when adjusting the Probability Threshold. As a part of these changes, the default Probability Threshold in the CustomVision.ai portal was set to be 50%.
 
 ## December 19, 2017
@@ -79,5 +89,4 @@ Bugfixes, including for ONNX export with special characters.
 - Added Retail and Landmark "compact" domains to enable model export for these domains.
 - Released version [1.2 Training API](https://southcentralus.dev.cognitive.microsoft.com/docs/services/f2d62aa3b93843d79e948fe87fa89554/operations/5a3044ee08fa5e06b890f11f) and [1.1 Prediction API](https://southcentralus.dev.cognitive.microsoft.com/docs/services/57982f59b5964e36841e22dfbfe78fc1/operations/5a3044f608fa5e06b890f164). Updated APIs support model export, new Prediction operation that does not save images to "Predictions," and introduced batch operations to the Training API.
 - UX tweaks, including the ability to see which domain was used to train an iteration.
-- Updated [C# SDK and sample](https://github.com/Microsoft/Cognitive-CustomVision-Windows).
-
+- Updated [C# SDK and sample](https://github.com/Microsoft/Cognitive-CustomVision-Windows).
\ No newline at end of file
diff --git a/articles/cognitive-services/Custom-Vision-Service/toc.yml b/articles/cognitive-services/Custom-Vision-Service/toc.yml
index f61d0bfa77d54..b9e1c5446c580 100644
--- a/articles/cognitive-services/Custom-Vision-Service/toc.yml
+++ b/articles/cognitive-services/Custom-Vision-Service/toc.yml
@@ -50,16 +50,20 @@
 href: getting-started-improving-your-classifier.md
 - name: Use the prediction API
 href: use-prediction-api.md
- - name: Export your model to mobile
- href: export-your-model.md
- - name: Use ONNX model with Windows ML
- href: custom-vision-onnx-windows-ml.md
- - name: Run TensorFlow model in Python
- href: export-model-python.md
+ - name: Export models
+ items:
+ - name: Export your model to mobile
+ href: export-your-model.md
+ - name: Use ONNX model with Windows ML
+ href: custom-vision-onnx-windows-ml.md
+ - name: Run TensorFlow model in Python
+ href: export-model-python.md
 - name: Export or delete account data
 href: ./export-delete-data.md
 - name: Move your Limited Trial project to Azure
 href: ./move-your-project-to-azure.md
+ - name: Update your app to the 3.0 API
+ href: ./update-application-to-3.0-sdk.md
 - name: Reference
 items:
 - name: Custom Vision Training API
diff --git a/articles/cognitive-services/Custom-Vision-Service/update-application-to-3.0-sdk.md b/articles/cognitive-services/Custom-Vision-Service/update-application-to-3.0-sdk.md
new file mode 100644
index 0000000000000..36e553a9b84fe
--- /dev/null
+++ b/articles/cognitive-services/Custom-Vision-Service/update-application-to-3.0-sdk.md
@@ -0,0 +1,62 @@
+---
+title: How to migrate your project to the 3.0 API
+titlesuffix: Azure Cognitive Services
+description: Learn how to migrate Custom Vision projects from the previous version of the API to the 3.0 API.
+services: cognitive-services
+author: areddish
+manager: nitinme
+
+ms.service: cognitive-services
+ms.subservice: custom-vision
+ms.topic: conceptual
+ms.date: 04/04/2019
+ms.author: areddish
+---
+
+# Migrate to the 3.0 API
+
+Custom Vision has now reached General Availability and has undergone an API update.
+This update includes a few new features and, importantly, a few breaking changes:
+
+* The Prediction API is now split into two based on the project type.
+* The Vision AI Developer Kit (VAIDK) export option requires creating a project in a specific way.
+* Default iterations have been removed in favor of a publish / unpublish a named iteration.
+
+This guide will show you how to update your projects to work with the new API version. See the [Release notes](release-notes.md) for a full list of the changes.
+
+## Use the updated Prediction API
+
+The 2.x APIs used the same prediction call for both image classifiers and object detector projects. Both project types were acceptable to the **PredictImage** and **PredictImageUrl** calls. Starting with 3.0, we have split this API so that you need to match the project type to the call:
+
+* Use **[ClassifyImage](https://southcentralus.dev.cognitive.microsoft.com/docs/services/Custom_Vision_Prediction_3.0/operations/5c82db60bf6a2b11a8247c15)** and **[ClassifyImageUrl](https://southcentralus.dev.cognitive.microsoft.com/docs/services/Custom_Vision_Prediction_3.0/operations/5c82db60bf6a2b11a8247c14)** to get predictions for image classification projects.
+* Use **[DetectImage](https://southcentralus.dev.cognitive.microsoft.com/docs/services/Custom_Vision_Prediction_3.0/operations/5c82db60bf6a2b11a8247c19)** and **[DetectImageUrl](https://southcentralus.dev.cognitive.microsoft.com/docs/services/Custom_Vision_Prediction_3.0/operations/5c82db60bf6a2b11a8247c18)** to get predictions for object detection projects.
+
+## Use the new iteration publishing workflow
+
+The 2.x APIs used the default iteration or a specified iteration ID to choose the iteration to use for prediction. Starting in 3.0, we have adopted a publishing flow whereby you first publish an iteration under a specified name from the training API. You then pass the name to the prediction methods to specify which iteration to use.
+
+> [!IMPORTANT]
+> The 3.0 APIs do not use the default iteration feature. Until we deprecate the older APIs, you can continue to use the 2.x APIs to toggle an iteration as the default. These APIs will be maintained for a period of time, and you can call the **[UpdateIteration](https://southcentralus.dev.cognitive.microsoft.com/docs/services/Custom_Vision_Training_3.0/operations/5c771cdcbf6a2b18a0c3b818)** method to mark an iteration as default.
+
+### Publish an iteration
+
+Once an iteration is trained, you can make it available for prediction using the **[PublishIteration](https://southcentralus.dev.cognitive.microsoft.com/docs/services/Custom_Vision_Training_3.0/operations/5c82db28bf6a2b11a8247bbc)** method. To publish an iteration, you'll need the prediction resource ID, which is available on the CustomVision website's settings page.
+
+![The Custom Vision website settings page with the prediction resource ID outlined.](./media/update-application-to-3.0-sdk/prediction-id.png)
+
+> [!TIP]
+> You can also get this information from the [Azure Portal](https://portal.azure.com) by going to the Custom Vision Prediction resource and selecting **Properties**.
+
+Once your iteration is published, apps can use it for prediction by specifying the name in their prediction API call. To make an iteration unavailable for prediction calls, use the **[UnpublishIteration](https://southcentralus.dev.cognitive.microsoft.com/docs/services/Custom_Vision_Training_3.0/operations/5c771cdcbf6a2b18a0c3b81a)** API.
+
+## Additional export options
+
+With the 3.0 APIs we are exposing two additional export targets: ARM architecture and Vision AI Developer Kit.
+
+* To use ARM, you just need to pick a Compact domain and then choose DockerFile and then ARM as the export options.
+* For Vision AI Dev Kit, the project must be created with the __General (Compact)__ domain as well as specifying VAIDK in the target export platforms argument.
+
+## Next steps
+
+* [Training API reference documentation (REST)](https://go.microsoft.com/fwlink/?linkid=865446)
+* [Prediction API reference documentation (REST)](https://go.microsoft.com/fwlink/?linkid=865445)
\ No newline at end of file
diff --git a/articles/cognitive-services/Custom-Vision-Service/use-prediction-api.md b/articles/cognitive-services/Custom-Vision-Service/use-prediction-api.md
index 47841c037a8f6..d42ec7c1f6196 100644
--- a/articles/cognitive-services/Custom-Vision-Service/use-prediction-api.md
+++ b/articles/cognitive-services/Custom-Vision-Service/use-prediction-api.md
@@ -41,7 +41,7 @@ Once your model has been published, you can retrieve the required information by
 ![The performance tab is shown with a red rectangle surrounding the Prediction URL value for using an image file and the Prediction-Key value.](./media/use-prediction-api/prediction-api-info.png)
 
 > [!TIP]
-> Your __Prediction-Key__ can also be found in the [Azure Portal](https://portal.azure.com) page for the Custom Vision Azure Resource associated with your project, under the __Keys__ blade.
+> Your __Prediction-Key__ can also be found in the [Azure portal](https://portal.azure.com) page for the Custom Vision Azure Resource associated with your project, under the __Keys__ blade.
 
 In this guide, you will use a local image, so copy the URL under **If you have an image file** to a temporary location. Copy the corresponding __Prediction-Key__ value as well.
 
diff --git a/articles/cognitive-services/Face/APIReference.md b/articles/cognitive-services/Face/APIReference.md
index a208172316d3a..ae09a35f8530a 100644
--- a/articles/cognitive-services/Face/APIReference.md
+++ b/articles/cognitive-services/Face/APIReference.md
@@ -1,7 +1,7 @@
 ---
 title: API Reference - Face API
 titleSuffix: Azure Cognitive Services
-description: API reference provides information about the Person Management, LargePersonGroup/PersonGroup Management, LargeFaceList/FaceList Management, and Face Algorithms APIs.
+description: API reference provides information about the Person, LargePersonGroup/PersonGroup, LargeFaceList/FaceList, and Face Algorithms APIs.
 services: cognitive-services
 author: SteveMSFT
 manager: nitinme
@@ -17,13 +17,11 @@ ms.author: sbowles The Azure Face API is a cloud-based API that provides algorithms for face detection and recognition. The Face APIs comprise the following categories: -- [Face Algorithm APIs](https://docs.microsoft.com/rest/api/cognitiveservices/face/face): Covers core functions such as [Detection](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/detectwithstream), [Find Similar](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/findsimilar), [Verification](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/verifyfacetoface), [Identification](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/identify), and [Group](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/group). -- [FaceList Management APIs](https://docs.microsoft.com/rest/api/cognitiveservices/face/facelist): Used to manage a FaceList for [Find Similar](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/findsimilar). -- [LargePersonGroup Person Management APIs](https://docs.microsoft.com/rest/api/cognitiveservices/face/largepersongroupperson): Used to manage LargePersonGroup Person Faces for [Identification](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/identify). -- [LargePersonGroup Management APIs](https://docs.microsoft.com/rest/api/cognitiveservices/face/largepersongroup): Used to manage a LargePersonGroup dataset for [Identification](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/identify). -- [LargeFaceList Management APIs](https://docs.microsoft.com/rest/api/cognitiveservices/face/largefacelist): Used to manage a LargeFaceList for [Find Similar](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/findsimilar). 
-- [PersonGroup Person Management APIs](https://docs.microsoft.com/rest/api/cognitiveservices/face/persongroupperson): Used to manage PersonGroup Person Faces for [Identification](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/identify).
-- [PersonGroup Management APIs](https://docs.microsoft.com/rest/api/cognitiveservices/face/persongroup): Used to manage a PersonGroup dataset for [Identification](https://docs.microsoft.com/rest/api/cognitiveservices/face/face/identify).
-- [Snapshot Management APIs](https://docs.microsoft.com/rest/api/cognitiveservices/face/snapshot): Used to manage a Snapshot for data migration across subscriptions.
-
-
+- Face Algorithm APIs: Cover core functions such as [Detection](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236), [Find Similar](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395237), [Verification](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523a), [Identification](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239), and [Group](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395238).
+- [FaceList APIs](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039524b): Used to manage a FaceList for [Find Similar](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395237).
+- [LargePersonGroup Person APIs](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599adcba3a7b9412a4d53f40): Used to manage LargePersonGroup Person Faces for [Identification](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239).
+- [LargePersonGroup APIs](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599acdee6ac60f11b48b5a9d): Used to manage a LargePersonGroup dataset for [Identification](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239).
+- [LargeFaceList APIs](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a157b68d2de3616c086f2cc): Used to manage a LargeFaceList for [Find Similar](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395237).
+- [PersonGroup Person APIs](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523c): Used to manage PersonGroup Person Faces for [Identification](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239).
+- [PersonGroup APIs](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395244): Used to manage a PersonGroup dataset for [Identification](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239).
+- [Snapshot APIs](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/snapshot-take): Used to manage a Snapshot for data migration across subscriptions.
diff --git a/articles/cognitive-services/Face/Face-API-How-to-Topics/how-to-migrate-face-data.md b/articles/cognitive-services/Face/Face-API-How-to-Topics/how-to-migrate-face-data.md index 03c251ebadf25..11ac685226859 100644 --- a/articles/cognitive-services/Face/Face-API-How-to-Topics/how-to-migrate-face-data.md +++ b/articles/cognitive-services/Face/Face-API-How-to-Topics/how-to-migrate-face-data.md @@ -75,7 +75,7 @@ var takeSnapshotResult = await FaceClientEastAsia.Snapshot.TakeAsync( ``` > [!NOTE] -> The process of taking and applying snapshots will not disrupt any regular calls to the source or target **PersonGroup**s (or **FaceList**s). However, we do not recommend making simultaneous calls that change the source object ([Face List management calls](https://docs.microsoft.com/rest/api/cognitiveservices/face/facelist) or the [Person Group - Train](https://docs.microsoft.com/rest/api/cognitiveservices/face/persongroup/train) call, for example), because the snapshot operation may execute before or after those operations or may encounter errors. +> The process of taking and applying snapshots will not disrupt any regular calls to the source or target **PersonGroup**s (or **FaceList**s). However, we do not recommend making simultaneous calls that change the source object ([FaceList management calls](https://docs.microsoft.com/dotnet/api/microsoft.azure.cognitiveservices.vision.face.facelistoperations?view=azure-dotnet) or the [PersonGroup Train](https://docs.microsoft.com/dotnet/api/microsoft.azure.cognitiveservices.vision.face.persongroupoperations?view=azure-dotnet) call, for example), because the snapshot operation may execute before or after those operations or may encounter errors. ## Retrieve the Snapshot ID diff --git a/articles/cognitive-services/Face/QuickStarts/PHP.md b/articles/cognitive-services/Face/QuickStarts/PHP.md index 3584e8a3cffcb..27f319f4e909d 100644 --- a/articles/cognitive-services/Face/QuickStarts/PHP.md 
+++ b/articles/cognitive-services/Face/QuickStarts/PHP.md @@ -21,6 +21,7 @@ In this quickstart, you will use the Azure Face REST API with PHP to detect huma - A Face API subscription key. You can get a free trial subscription key from [Try Cognitive Services](https://azure.microsoft.com/try/cognitive-services/?api=face-api). Or, follow the instructions in [Create a Cognitive Services account](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-apis-create-account) to subscribe to the Face API service and get your key. - A code editor such as [Visual Studio Code](https://code.visualstudio.com/download). - The PHP [HTTP_Request2](https://pear.php.net/package/HTTP_Request2) package. +- A PHP-enabled web browser. If you have not set this up, you can do so by installing and setting up [XAMPP](https://www.apachefriends.org/) on your machine. ## Initialize the HTML file diff --git a/articles/cognitive-services/Face/ReleaseNotes.md b/articles/cognitive-services/Face/ReleaseNotes.md index fca45ea0f7a98..5a3c1ec8386c1 100644 --- a/articles/cognitive-services/Face/ReleaseNotes.md +++ b/articles/cognitive-services/Face/ReleaseNotes.md @@ -23,7 +23,7 @@ This article pertains to Face API Service version 1.0. ### Release changes in January 2019 -* Added Snapshot feature to support data migration across subscriptions: [Snapshot](https://docs.microsoft.com/rest/api/cognitiveservices/face/snapshot). More details in [How to Migrate your face data to a different Face subscription](Face-API-How-to-Topics/how-to-migrate-face-data.md). +* Added Snapshot feature to support data migration across subscriptions: [Snapshot](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/snapshot-get). More details in [How to Migrate your face data to a different Face subscription](Face-API-How-to-Topics/how-to-migrate-face-data.md). ### Release changes in October 2018 
diff --git a/articles/cognitive-services/KES/GettingStarted.md b/articles/cognitive-services/KES/GettingStarted.md index d85989352c784..57af269e958c7 100644 --- a/articles/cognitive-services/KES/GettingStarted.md +++ b/articles/cognitive-services/KES/GettingStarted.md @@ -248,7 +248,7 @@ When you have created the cloud service, you can use [`kes.exe deploy_service`]( [Swap](../../../articles/cloud-services/cloud-services-nodejs-stage-application.md) the contents of the staging slot with the production slot, so that live traffic is now directed to the newly deployed service. You can repeat this process when deploying an updated version of the service with new data. As with all other Azure cloud services, you can optionally use the Azure portal to configure [auto-scaling](../../../articles/cloud-services/cloud-services-how-to-scale-portal.md). -In this example, you deploy the *Academic* index to the staging slot of an existing cloud service with ** VMs. Use the following command: +In this example, you deploy the *Academic* index to the staging slot of an existing cloud service with *\* VMs. Use the following command: `kes.exe deploy_service http://.blob.core.windows.net//Academic.grammar http://.blob.core.windows.net//Academic.index --slot Staging` diff --git a/articles/cognitive-services/KES/SchemaFormat.md b/articles/cognitive-services/KES/SchemaFormat.md index f1acfa7f8871b..7cd957800bb1e 100644 --- a/articles/cognitive-services/KES/SchemaFormat.md +++ b/articles/cognitive-services/KES/SchemaFormat.md 
@@ -39,14 +39,14 @@ Below is a list of supported attribute data types: | Type | Description | Operations | Example | |------|-------------|------------|---------| -| String | String (1-1024 characters) | equals, starts_with | "hello world" | -| Int32 | Signed 32-bit integer | equals, starts_with, is_between | 2016 | -| Int64 | Signed 64-bit integer | equals, starts_with, is_between | 9876543210 | -| Double | Double-precision floating-point value | equals, starts_with, is_between | 1.602e-19 | -| Date | Date (1400-01-01 to 9999-12-31) | equals, is_between | '2016-03-14' | -| Guid | Globally unique identifier | equals | "602DD052-CC47-4B23-A16A-26B52D30C05B" | -| Blob | Internally compressed non-indexed data | *None* | "Empower every person and every organization on the planet to achieve more" | -| Composite | Composition of multiple sub-attributes| *N/A* | { "Name":"harry shum", "Affiliation":"microsoft" } | +| `String` | String (1-1024 characters) | equals, starts_with | "hello world" | +| `Int32` | Signed 32-bit integer | equals, starts_with, is_between | 2016 | +| `Int64` | Signed 64-bit integer | equals, starts_with, is_between | 9876543210 | +| `Double` | Double-precision floating-point value | equals, starts_with, is_between | 1.602e-19 | +| `Date` | Date (1400-01-01 to 9999-12-31) | equals, is_between | '2016-03-14' | +| `Guid` | Globally unique identifier | equals | "602DD052-CC47-4B23-A16A-26B52D30C05B" | +| `Blob` | Internally compressed non-indexed data | *None* | "Empower every person and every organization on the planet to achieve more" | +| `Composite` | Composition of multiple sub-attributes| *N/A* | { "Name":"harry shum", "Affiliation":"microsoft" } | String attributes are used to represent string values that may appear as part of the user query. They support the exact-match *equals* operation, as well as the *starts_with* operation for query completion scenarios, such as matching "micros" with "microsoft". 
Case-insensitive and fuzzy matching to handle spelling errors will be supported in a future release. diff --git a/articles/cognitive-services/LUIS/index.yml b/articles/cognitive-services/LUIS/index.yml index 0ea650635b303..00b58483928d1 100644 --- a/articles/cognitive-services/LUIS/index.yml +++ b/articles/cognitive-services/LUIS/index.yml @@ -85,7 +85,7 @@ sections: - html: Add prebuilt intents and entities - html: Add regular expression entity - html: Add list entity - - html: Add hierarchical entity + - html: Use entity roles - html: Add simple entity and phrase list - html: Add keyPhrase entity - html: Add sentiment analysis diff --git a/articles/cognitive-services/LUIS/luis-concept-batch-test.md b/articles/cognitive-services/LUIS/luis-concept-batch-test.md index 71abdaf2d8a10..42ada0ba1ad0a 100644 --- a/articles/cognitive-services/LUIS/luis-concept-batch-test.md +++ b/articles/cognitive-services/LUIS/luis-concept-batch-test.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: conceptual -ms.date: 01/02/2019 +ms.date: 03/29/2019 ms.author: diberry --- @@ -71,6 +71,8 @@ Use the following template to start your batch file: The batch file uses the **startPos** and **endPos** properties to note the beginning and end of an entity. The values are zero-based and should not begin or end on a space. This is different from the query logs, which use startIndex and endIndex properties. +[!INCLUDE [Entity roles in batch testing - currently not supported](../../../includes/cognitive-services-luis-roles-not-supported-in-batch-testing.md)] + ## Batch syntax template for intents without entities Use the following template to start your batch file without entities: diff --git a/articles/cognitive-services/LUIS/luis-concept-collaborator.md b/articles/cognitive-services/LUIS/luis-concept-collaborator.md index 610168f5f428c..71878f145ec64 100644 --- a/articles/cognitive-services/LUIS/luis-concept-collaborator.md 
+++ b/articles/cognitive-services/LUIS/luis-concept-collaborator.md @@ -9,12 +9,12 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: conceptual -ms.date: 01/23/2019 +ms.date: 04/01/2019 ms.author: diberry --- # Collaborating with other authors -LUIS provides collaboration to allow a group of people to author an app. +LUIS apps require a single owner and optional collaborators allowing multiple people to author a single app. ## LUIS account A LUIS account is associated with a single [Microsoft Live](https://login.live.com/) account. Each LUIS account is given a free [authoring key](luis-concept-keys.md#authoring-key) to use for authoring all the LUIS apps the account has access to. @@ -24,7 +24,8 @@ A LUIS account may have many LUIS apps. See [Azure Active Directory tenant user](luis-how-to-collaborate.md#azure-active-directory-tenant-user) to learn more about Active Directory user accounts. ## LUIS app owner -The account that creates an app is the owner. Each app has a single owner. The owner is listed on app **[Settings](luis-how-to-collaborate.md)**. This is the account that can delete the app. This is also the account that receives email when the endpoint quota reaches 75% of the monthly limit. + +The account that creates an app is the owner and each app has a single owner. The owner is listed on the app **[Settings](luis-how-to-collaborate.md)** page. The owner can delete the app receive email when the endpoint quota reaches 75% of the monthly limit. ## Authorization roles LUIS doesn't support different roles for owners and collaborators with one exception. The owner is the only account that can delete the app. 
@@ -56,6 +57,10 @@ This method allows you to have one active version, one stage version, and one pu Exported apps are JSON-formatted files, which can be compared with the base export for changes. Combine the files to create a single JSON file of the new version. Change the **versionId** property in the JSON to signify the new merged version. Import that version into the original app. +## Collaborator roles vs entity roles + +[Entity roles](luis-concept-roles.md) apply to the data model of the LUIS app. Collaborator roles apply to levels of authoring access. + ## Next steps Understand [versioning](luis-concept-version.md) concepts. diff --git a/articles/cognitive-services/LUIS/luis-concept-data-extraction.md b/articles/cognitive-services/LUIS/luis-concept-data-extraction.md index 3b21b128cccc3..8768d4454cf7c 100644 --- a/articles/cognitive-services/LUIS/luis-concept-data-extraction.md +++ b/articles/cognitive-services/LUIS/luis-concept-data-extraction.md @@ -1,7 +1,7 @@ --- title: Data extraction titleSuffix: Language Understanding - Azure Cognitive Services -description: Learn what kind of data can be extracted from Language Understanding (LUIS) +description: Extract data from utterance text with intents and entities. Learn what kind of data can be extracted from Language Understanding (LUIS). services: cognitive-services author: diberry manager: nitinme 
@@ -9,11 +9,11 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: conceptual -ms.date: 01/09/2019 +ms.date: 04/01/2019 ms.author: diberry --- -# Data extraction from intents and entities +# Extract data from utterance text with intents and entities LUIS gives you the ability to get information from a user's natural language utterances. The information is extracted in a way that it can be used by a program, application, or chat bot to take action. In the following sections, learn what data is returned from intents and entities with examples of JSON. The hardest data to extract is the machine-learned data because it isn't an exact text match. Data extraction of the machine-learned [entities](luis-concept-entity-types.md) needs to be part of the [authoring cycle](luis-concept-app-iteration.md) until you're confident you receive the data you expect. @@ -165,10 +165,12 @@ The data returned from the endpoint includes the entity name, the discovered tex |Data object|Entity name|Value| |--|--|--| -|Simple Entity|"Customer"|"bob jones"| +|Simple Entity|`Customer`|`bob jones`| ## Hierarchical entity data +**Hierarchical entities will eventually be deprecated. Use [entity roles](luis-concept-roles.md) to determine entity subtypes, instead of hierarchical entities.** + [Hierarchical](luis-concept-entity-types.md) entities are machine-learned and can include a word or phrase. Children are identified by context. If you're looking for a parent-child relationship with exact text match, use a [List](#list-entity-data) entity. `book 2 tickets to paris` 
@@ -427,13 +429,18 @@ Getting names from an utterance is difficult because a name can be almost any co [PersonName](luis-reference-prebuilt-person.md) and [GeographyV2](luis-reference-prebuilt-geographyV2.md) entities are available in some [language cultures](luis-reference-prebuilt-entities.md). ### Names of people -People's name can have some slight format depending on language and culture. Use either a hierarchical entity with first and last names as children or use a simple entity with roles of first and last name. Make sure to give examples that use the first and last name in different parts of the utterance, in utterances of different lengths, and utterances across all intents including the None intent. [Review](luis-how-to-review-endpoint-utterances.md) endpoint utterances on a regular basis to label any names that were not predicted correctly. + +People's name can have some slight format depending on language and culture. Use either a prebuilt **[personName](luis-reference-prebuilt-person.md)** entity or a **[simple entity](luis-concept-entity-types.md#simple-entity)** with [roles](luis-concept-roles.md) of first and last name. + +If you use the simple entity, make sure to give examples that use the first and last name in different parts of the utterance, in utterances of different lengths, and utterances across all intents including the None intent. [Review](luis-how-to-review-endoint-utt.md) endpoint utterances on a regular basis to label any names that were not predicted correctly. ### Names of places -Location names are set and known such as cities, counties, states, provinces, and countries. If your app uses a know set of locations, consider a list entity. If you need to find all place names, create a simple entity, and provide a variety of examples. Add a phrase list of place names to reinforce what place names look like in your app. 
[Review](luis-how-to-review-endpoint-utterances.md) endpoint utterances on a regular basis to label any names that were not predicted correctly. + +Location names are set and known such as cities, counties, states, provinces, and countries. Use the prebuilt entity **[geographyV2](luis-reference-prebuilt-geographyv2.md)** to extract location information. ### New and emerging names -Some apps need to be able to find new and emerging names such as products or companies. These types of names is the most difficult type of data extraction. Begin with a simple entity and add a phrase list. [Review](luis-how-to-review-endpoint-utterances.md) endpoint utterances on a regular basis to label any names that were not predicted correctly. + +Some apps need to be able to find new and emerging names such as products or companies. These types of names are the most difficult type of data extraction. Begin with a **[simple entity](luis-concept-entity-types.md#simple-entity)** and add a [phrase list](luis-concept-feature.md). [Review](luis-how-to-review-endoint-utt.md) endpoint utterances on a regular basis to label any names that were not predicted correctly. ## Pattern roles data Roles are contextual differences of entities. diff --git a/articles/cognitive-services/LUIS/luis-concept-entity-types.md b/articles/cognitive-services/LUIS/luis-concept-entity-types.md index a2a6db6eb3307..61329254d4bdf 100644 --- a/articles/cognitive-services/LUIS/luis-concept-entity-types.md +++ b/articles/cognitive-services/LUIS/luis-concept-entity-types.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: conceptual -ms.date: 03/22/2019 +ms.date: 04/01/2019 ms.author: diberry --- # Entity types and their purposes in LUIS 
@@ -18,7 +18,15 @@ Entities extract data from the utterance. Entity types give you predictable extr ## Entity compared to intent -The entity represents a word or phrase inside the utterance that you want extracted. An utterance can include many entities or none at all. An entity represents a class including a collection of similar objects (places, things, people, events or concepts). Entities describe information relevant to the intent, and sometimes they are essential for your app to perform its task. For example, a News Search app may include entities such as “topic”, “source”, “keyword” and “publishing date”, which are key data to search for news. In a travel booking app, the “location”, “date”, "airline", "travel class" and "tickets" are key information for flight booking (relevant to the "Book flight" intent). +The entity represents a word or phrase inside the utterance that you want extracted. An utterance can include many entities or none at all. A client application may need the entity to perform its task or use it as a guide of several choices to present to the user. + +An entity: + +* Represents a class including a collection of similar objects (places, things, people, events or concepts). +* Describes information relevant to the intent + + +For example, a News Search app may include entities such as “topic”, “source”, “keyword” and “publishing date”, which are key data to search for news. In a travel booking app, the “location”, “date”, "airline", "travel class" and "tickets" are key information for flight booking (relevant to the "Book flight" intent). By comparison, the intent represents the prediction of the entire utterance. @@ -83,14 +91,14 @@ Once the entity is extracted, the entity data can be represented as a single uni |Machine-learned|Can Mark|Tutorial|Example
Response|Entity type|Purpose| |--|--|--|--|--|--| |✔|✔|[✔](luis-tutorial-composite-entity.md)|[✔](luis-concept-data-extraction.md#composite-entity-data)|[**Composite**](#composite-entity)|Grouping of entities, regardless of entity type.| -|✔|✔|[✔](luis-quickstart-intent-and-hier-entity.md)|[✔](luis-concept-data-extraction.md#hierarchical-entity-data)|[**Hierarchical**](#hierarchical-entity)|Grouping of simple entities.| +|✔|✔|-|[✔](luis-concept-data-extraction.md#hierarchical-entity-data)|[**Hierarchical**](#hierarchical-entity)|Grouping of simple entities.| |||[✔](luis-quickstart-intent-and-list-entity.md)|[✔](luis-concept-data-extraction.md#list-entity-data)|[**List**](#list-entity)|List of items and their synonyms extracted with exact text match.| |Mixed||[✔](luis-tutorial-pattern.md)|[✔](luis-concept-data-extraction.md#patternany-entity-data)|[**Pattern.any**](#patternany-entity)|Entity where end of entity is difficult to determine.| |||[✔](luis-tutorial-prebuilt-intents-entities.md)|[✔](luis-concept-data-extraction.md#prebuilt-entity-data)|[**Prebuilt**](#prebuilt-entity)|Already trained to extract various kinds of data.| |||[✔](luis-quickstart-intents-regex-entity.md)|[✔](luis-concept-data-extraction.md#regular-expression-entity-data)|[**Regular Expression**](#regular-expression-entity)|Uses regular expression to match text.| |✔|✔|[✔](luis-quickstart-primary-and-secondary-data.md)|[✔](luis-concept-data-extraction.md#simple-entity-data)|[**Simple**](#simple-entity)|Contains a single concept in word or phrase.| -Only Machine-learned entities need to be marked in the example utterances for every intent. Machine-learned entities work best when tested via [endpoint queries](luis-concept-test.md#endpoint-testing) and [reviewing endpoint utterances](luis-how-to-review-endpoint-utterances.md). +Only Machine-learned entities need to be marked in the example utterances. 
Machine-learned entities work best when tested via [endpoint queries](luis-concept-test.md#endpoint-testing) and [reviewing endpoint utterances](luis-how-to-review-endoint-utt.md). Pattern.any entities need to be marked in the [Pattern](luis-how-to-model-intent-pattern.md) template examples, not the intent user examples. @@ -115,29 +123,15 @@ This entity is a good fit when the data: ## Hierarchical entity -A hierarchical entity is a category of contextually learned simple entities called children. - -This entity is a good fit when the data: - -* Are simple entities. -* Are related to each other in the context of the utterance. -* Use specific word choice to indicate each child entity. Examples of these words include: from/to, leaving/headed to, away from/toward. -* Children are frequently in the same utterance. -* Need to be grouped and processed by client app as a unit of information. - -Do not use if: +**Hierarchical entities will eventually be deprecated. Use [entity roles](luis-concept-roles.md) to determine entity subtypes, instead of hierarchical entities.** -* You need an entity that has exact text matches for children regardless of context. Use a [List entity](#list-entity) instead. -* You need an entity for a parent-child relationship with other entity types. Use the [Composite entity](#composite-entity). +A hierarchical entity is a category of contextually learned simple entities called children. ![hierarchical entity](./media/luis-concept-entities/hierarchical-entity.png) -[Tutorial](luis-quickstart-intent-and-hier-entity.md)
-[Example JSON response for entity](luis-concept-data-extraction.md#hierarchical-entity-data)
- ### Roles versus hierarchical entities -[Roles](luis-concept-roles.md#roles-versus-hierarchical-entities) of a pattern solve the same problem as hierarchical entities but apply to all entity types. Roles are currently only available in patterns. Roles are not available in intents' example utterances. +[Roles](luis-concept-roles.md) solve the same problem as hierarchical entities but apply to all entity types. ## List entity @@ -256,24 +250,15 @@ The entity is a good fit when: Review [limits](luis-boundaries.md#model-boundaries) to understand how many of each type of entity you can add to a model. -## Composite vs hierarchical entities - -Composite entities and hierarchical entities both have parent-child relationships and are machine learned. The machine-learning allows LUIS to understand the entities based on different contexts (arrangement of words). Composite entities are more flexible because they allow different entity types as children. A hierarchical entity's children are only simple entities. - -|Type|Purpose|Example| -|--|--|--| -|Hierarchical|Parent-child of simple entities|Location.Origin=New York
Location.Destination=London| -|Composite|Parent-child entities: prebuilt, list, simple, hierarchical| number=3
list=first class
prebuilt.datetimeV2=March 5| - ## If you need more than the maximum number of entities -You might need to use hierarchical and composite entities. Hierarchical entities reflect the relationship between entities that share characteristics or are members of a category. The child entities are all members of their parent's category. For example, a hierarchical entity named PlaneTicketClass might have the child entities EconomyClass and FirstClass. The hierarchy spans only one level of depth. +You might need to use composite entities in combination with entity roles. -Composite entities represent parts of a whole. For example, a composite entity named PlaneTicketOrder might have child entities Airline, Destination, DepartureCity, DepartureDate, and PlaneTicketClass. You build a composite entity from pre-existing simple entities, children of hierarchical entities, or prebuilt entities. +Composite entities represent parts of a whole. For example, a composite entity named PlaneTicketOrder might have child entities Airline, Destination, DepartureCity, DepartureDate, and PlaneTicketClass. LUIS also provides the list entity type that isn't machine-learned but allows your LUIS app to specify a fixed list of values. See [LUIS Boundaries](luis-boundaries.md) reference to review limits of the List entity type. -If you've considered hierarchical, composite, and list entities and still need more than the limit, contact support. To do so, gather detailed information about your system, go to the [LUIS](luis-reference-regions.md#luis-website) website, and then select **Support**. If your Azure subscription includes support services, contact [Azure technical support](https://azure.microsoft.com/support/options/). +If you've considered these entities and still need more than the limit, contact support. To do so, gather detailed information about your system, go to the [LUIS](luis-reference-regions.md#luis-website) website, and then select **Support**. 
If your Azure subscription includes support services, contact [Azure technical support](https://azure.microsoft.com/support/options/). ## Next steps diff --git a/articles/cognitive-services/LUIS/luis-concept-feature.md b/articles/cognitive-services/LUIS/luis-concept-feature.md index a72519e60d6a8..b739373a4106f 100644 --- a/articles/cognitive-services/LUIS/luis-concept-feature.md +++ b/articles/cognitive-services/LUIS/luis-concept-feature.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: conceptual -ms.date: 02/04/2019 +ms.date: 04/01/2019 ms.author: diberry --- # Phrase list features in your LUIS app 
@@ -87,7 +87,7 @@ While both a phrase list and list entities can impact utterances across all inte ### Use a phrase list With a phrase list, LUIS can still take context into account and generalize to identify items that are similar to, but not an exact match, as items in a list. If you need your LUIS app to be able to generalize and identify new items in a category, use a phrase list. -When you want to be able to recognize new instances of an entity, like a meeting scheduler that should recognize the names of new contacts, or an inventory app that should recognize new products, use another type of machine-learned entity such as a simple or hierarchical entity. Then create a phrase list of words and phrases that helps LUIS find other words similar to the entity. This list guides LUIS to recognize examples of the entity by adding additional significance to the value of those words. +When you want to be able to recognize new instances of an entity, like a meeting scheduler that should recognize the names of new contacts, or an inventory app that should recognize new products, use another type of machine-learned entity such as a simple entity. Then create a phrase list of words and phrases that helps LUIS find other words similar to the entity. This list guides LUIS to recognize examples of the entity by adding additional significance to the value of those words. Phrase lists are like domain-specific vocabulary that help with enhancing the quality of understanding of both intents and entities. A common usage of a phrase list is proper nouns such as city names. A city name can be several words including hyphens, or apostrophes. diff --git a/articles/cognitive-services/LUIS/luis-concept-patterns.md b/articles/cognitive-services/LUIS/luis-concept-patterns.md index d3f1143061e9d..7de09f3c2287f 100644 --- a/articles/cognitive-services/LUIS/luis-concept-patterns.md +++ b/articles/cognitive-services/LUIS/luis-concept-patterns.md 
@@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: conceptual -ms.date: 03/05/2019 +ms.date: 04/01/2019 ms.author: diberry --- # Patterns improve prediction accuracy @@ -25,7 +25,7 @@ Consider a Human Resources app that reports on the organizational chart in relat |Who is Tom's subordinate?|GetOrgChart|.30| |Who is the subordinate of Tom?|GetOrgChart|.30| -If an app has between 10 and 20 utterances with different lengths of sentence, different word order, and even different words (synonyms of "subordinate", "manage", "report"), LUIS may return a low confidence score. Create a pattern to help LUIS understand the importance of the word order, . +If an app has between 10 and 20 utterances with different lengths of sentence, different word order, and even different words (synonyms of "subordinate", "manage", "report"), LUIS may return a low confidence score. Create a pattern to help LUIS understand the importance of the word order. Patterns solve the following situations: @@ -35,7 +35,7 @@ Patterns solve the following situations: ## Patterns are not a guarantee of intent Patterns use a mix of prediction technologies. Setting an intent for a template utterance in a pattern is not a guarantee of the intent prediction but it is a strong signal. - + ## Patterns do not improve machine-learned entity detection 
@@ -44,7 +44,7 @@ A pattern is primarily meant to help the prediction of intents and roles. The pa Do not expect to see improved entity prediction if you collapse multiple utterances into a single pattern. For Simple entities to fire, you need to add utterances or use list entities else your pattern will not fire. ## Patterns use entity roles -If two or more entities in a pattern are contextually related, patterns use entity [roles](luis-concept-roles.md) to extract contextual information about entities. This is equivalent to hierarchical entity children, but is **only** available in patterns. +If two or more entities in a pattern are contextually related, patterns use entity [roles](luis-concept-roles.md) to extract contextual information about entities. ## Prediction scores with and without patterns Given enough example utterances, LUIS would be able to increase prediction confidence without patterns. Patterns increase the confidence score without having to provide as many utterances. @@ -77,7 +77,7 @@ The **optional** syntax, with square brackets, can be nested two levels. For exa |is a new form|matches outer optional word and non-optional words in pattern| |a new form|matches required words only| -The **grouping** syntax, with parentheses, can be nested two levels. For example: `(({Entity1.RoleName1} | {Entity1.RoleName2} ) | {Entity2} )`. This allows any of the three entities to be matched. +The **grouping** syntax, with parentheses, can be nested two levels. For example: `(({Entity1.RoleName1} | {Entity1.RoleName2} ) | {Entity2} )`. This feature allows any of the three entities to be matched. If Entity1 is a Location with roles such as origin (Seattle) and destination (Cairo) and Entity 2 is a known building name from a list entity (RedWest-C), the following utterances would map to this pattern: diff --git a/articles/cognitive-services/LUIS/luis-concept-roles.md b/articles/cognitive-services/LUIS/luis-concept-roles.md index fdb1ba962173e..8bd64ef829726 100644 
--- a/articles/cognitive-services/LUIS/luis-concept-roles.md
+++ b/articles/cognitive-services/LUIS/luis-concept-roles.md
@@ -9,55 +9,95 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: conceptual -ms.date: 12/17/2018 +ms.date: 04/01/2019 ms.author: diberry --- -# Entity roles in patterns are contextual subtypes -Roles are named, contextual subtypes of an entity used only in [patterns](luis-concept-patterns.md). +# Entity roles for contextual subtypes -For example, in the utterance `buy a ticket from New York to London`, both New York and London are cities but each has a different meaning in the sentence. New York is the origin city and London is the destination city. +Roles allow entities to have named subtypes. A role can be used with any prebuilt or custom entity type, and used in both example utterances and patterns. + + + + +## Machine-learned entity example of roles + +In the utterance "buy a ticket from **New York** to **London**, both New York and London are cities but each has a different meaning in the sentence. New York is the origin city and London is the destination city. + +``` +buy a ticket from New York to London +``` Roles give a name to those differences: -|Entity|Role|Purpose| +|Entity type|Entity name|Role|Purpose| +|--|--|--|--| +|Simple|Location|origin|where the plane leaves from| +|Simple|Location|destination|where the plane lands| + +## Non-machine-learned entity example of roles + +In the utterance "Schedule the meeting from 8 to 9", both the numbers indicate a time but each time has a different meaning in the utterance. Roles provide the name for the differences. + +``` +Schedule the meeting from 8 to 9 +``` + +|Entity type|Role name|Value| |--|--|--| -|Location|origin|where the plane leaves from| -|Location|destination|where the plane lands| -|Prebuilt datetimeV2|to|end date| -|Prebuilt datetimeV2|from|beginning date| +|Prebuilt datetimeV2|Starttime|8| +|Prebuilt datetimeV2|Endtime|9| -## How are roles used in patterns? 
-In a pattern's template utterance, roles are used within the utterance: +## Are multiple entities in an utterance the same thing as roles? -|Pattern with entity roles| -|--| -|`buy a ticket from {Location:origin} to {Location:destination}`| +Multiple entities can exist in an utterance and can be extracted without using roles. If the context of the sentence indicates with version of the entity has a value, then a role should be used. +### Don't use roles for duplicates without meaning -## Role syntax in patterns -The entity and role are surrounded in parentheses, `{}`. The entity and the role are separated by a colon. +If the utterance includes a list of locations, `I want to travel to Seattle, Cairo, and London.`, this is a list where each item doesn't have an additional meaning. +### Use roles if duplicates indicate meaning -[!INCLUDE [H2 Roles versus hierarchical entities](../../../includes/cognitive-services-luis-hier-roles.md)] +If the utterance includes a list of locations with meaning, `I want to travel from Seattle, with a layover in Londen, landing in Cairo.`, this meaning of origin, layover, and destination should be captured with roles. -## Example role for Entities +### Roles can indicate order -A role is just a contextually learned placement of an entity within an utterance. It is most effective when the utterance has more than one of that entity type. The easiest example for any entity type is to distinguish between a to and from location. The location can be represented in a lot of different entity types. +If the utterance changed to indicate order that you wanted to extract, `I want to first start with Seattle, second London, then third Cairo`, you can extract in a couple of ways. You can tag the tokens that indicate the role, `first start with`, `second`, `third`. You could also use the prebuilt entity **Ordinal** and the **GeographyV2** prebuilt entity in a composite entity to capture the idea of order and place. 
-An example use case is transferring an employee from one department to another where each department is an item in a list. For example: +## How are roles used in example utterances? -`Move [PersonName] from [Department:from] to [Department:to]`. +When an entity has a role, and the entity is marked in an example utterance, you have the choice of selecting just the entity, or selecting the entity and role. -In the returned prediction, both department entities will be returned in the JSON response and each will include the role name. +The following example utterances use entities and roles: -## Roles with prebuilt entities +|Token view|Entity view| +|--|--| +|I'm interesting in learning more about **Seattle**|I'm interested in learning more about {Location}| +|Buy a ticket from Seattle to New York|Buy a ticket from {Location:Origin} to {Location:Destination}| + +## How are roles related to hierarchical entities? + +Roles are now available for all entities in example utterances, as well as the previous use of patterns. Because they are available everywhere, they replace the need for hierarchical entities. New entities should be created with roles, instead of using hierarchical entities. + +Hierarchical entities will eventually be deprecated. + +## How are roles used in patterns? +In a pattern's template utterance, roles are used within the utterance: + +|Pattern with entity roles| +|--| +|`buy a ticket from {Location:origin} to {Location:destination}`| + + +## Role syntax in patterns +The entity and role are surrounded in parentheses, `{}`. The entity and the role are separated by a colon. -Use roles with prebuilt entities to give meaning to different instances of the prebuilt entity within an utterance. +## Entity roles versus collaborator roles -### Roles with datetimeV2 +Entity roles apply to the data model of the LUIS app. [Collaborator](luis-concept-collaborator.md) roles apply to levels of authoring access. 
-The prebuilt entity, datetimeV2, does a great job of understanding a wide range of variety in dates and times in utterances. You may want to specify dates and date ranges differently than the prebuilt entity's default understanding. +[!INCLUDE [Entity roles in batch testing - currently not supported](../../../includes/cognitive-services-luis-roles-not-supported-in-batch-testing.md)] ## Next steps +* Use a [hands-on tutorial](tutorial-entity-roles.md) using entity roles with non-machine-learned entities * Learn how to add [roles](luis-how-to-add-entities.md#add-a-role-to-pattern-based-entity) diff --git a/articles/cognitive-services/LUIS/luis-get-started-cs-add-utterance.md b/articles/cognitive-services/LUIS/luis-get-started-cs-add-utterance.md index 5500626466af0..00804dbfba31a 100644 --- a/articles/cognitive-services/LUIS/luis-get-started-cs-add-utterance.md +++ b/articles/cognitive-services/LUIS/luis-get-started-cs-add-utterance.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: quickstart -ms.date: 12/17/2018 +ms.date: 04/08/2019 ms.author: diberry #Customer intent: As an API or REST developer new to the LUIS service, I want to programmatically add an example utterance to an intent and train the model using C#. --- 
@@ -33,19 +33,19 @@ ms.author: diberry ## Create quickstart code -In Visual Studio, create a new **Windows Classic Desktop Console** app using the .NET Framework. +In Visual Studio, create a new **Windows Classic Desktop Console** app using the .NET Framework. Name the project `ConsoleApp1`. ![Visual Studio project type](./media/luis-quickstart-cs-add-utterance/vs-project-type.png) ### Add the System.Web dependency -The Visual Studio project needs **System.Web**. In the Solution Explorer, right-click on **References** and select **Add Reference**. +The Visual Studio project needs **System.Web**. In the Solution Explorer, right-click on **References** and select **Add Reference** from the Assemblies section. ![Add System.web reference](./media/luis-quickstart-cs-add-utterance/system.web.png) ### Add other dependencies -The Visual Studio project needs **JsonFormatterPlus** and **CommandLineParser**. In the Solution Explorer, right-click on **References** and select **Manage NuGet Packages...**. Search for and add each of the two packages. +The Visual Studio project needs **JsonFormatterPlus** and **CommandLineParser**. In the Solution Explorer, right-click on **References** and select **Manage NuGet Packages...**. Browse for and add each of the two packages. ![Add 3rd party dependencies](./media/luis-quickstart-cs-add-utterance/add-dependencies.png) @@ -60,7 +60,7 @@ using System.Linq; using System.Text; using System.Threading.Tasks; -namespace ConsoleApp3 +namespace ConsoleApp1 { class Program { @@ -71,7 +71,7 @@ namespace ConsoleApp3 } ``` -Add the dependencies. +Update the dependencies so that are: [!code-csharp[Add the dependencies](~/samples-luis/documentation-samples/quickstarts/change-model/csharp/ConsoleApp1/Program.cs?range=1-11 "Add the dependencies")] 
@@ -111,7 +111,7 @@ To manage command-line arguments, add the main code. Add method to the **Program ### Copy utterances.json to output directory -In the Solution Explorer, right-click the `utterances.json` and select **Properties**. In the properties windows, mark the **Build Action** of `Content`, and the **Copy to Output Directory** of `Copy Always`. +In the Solution Explorer, add the `utterances.json` by right-clicking in the Solution Explorer's project name, then selecting **Add**, then selecting **Existing item**. Select the `utterances.json` file. This adds the file to the project. Then it needs to be added to the output direction. Right-click the `utterances.json` and select **Properties**. In the properties windows, mark the **Build Action** of `Content`, and the **Copy to Output Directory** of `Copy Always`. ![Mark the JSON file as content](./media/luis-quickstart-cs-add-utterance/content-properties.png) @@ -124,7 +124,7 @@ Build the code in Visual Studio. In the project's /bin/Debug directory, run the application from a command line. ```console -ConsoleApp\bin\Debug> ConsoleApp1.exe --add utterances.json --train --status +ConsoleApp1.exe --add utterances.json --train --status ``` This command-line displays the results of calling the add utterances API. diff --git a/articles/cognitive-services/LUIS/luis-how-to-add-entities.md b/articles/cognitive-services/LUIS/luis-how-to-add-entities.md index 70375b1fe9b33..422209c414115 100644 --- a/articles/cognitive-services/LUIS/luis-how-to-add-entities.md +++ b/articles/cognitive-services/LUIS/luis-how-to-add-entities.md 
@@ -9,13 +9,13 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: article -ms.date: 03/11/2019 +ms.date: 04/01/2019 ms.author: diberry --- # Create entities without utterances -The entity represents a word or phrase inside the utterance that you want extracted. An entity represents a class including a collection of similar objects (places, things, people, events or concepts). Entities describe information relevant to the intent, and sometimes they are essential for your app to perform its task. You can create entities when you add an utterance to an intent or apart from (before or after) adding an utterance to an intent. +The entity represents a word or phrase inside the utterance that you want extracted. An entity represents a class including a collection of similar objects (places, things, people, events, or concepts). Entities describe information relevant to the intent, and sometimes they are essential for your app to perform its task. You can create entities when you add an utterance to an intent or apart from (before or after) adding an utterance to an intent. You can add, edit, or delete entities in your LUIS app through the **Entities list** on the **Entities** page. LUIS offers two main types of entities: [prebuilt entities](luis-reference-prebuilt-entities.md), and your own [custom entities](luis-concept-entity-types.md#types-of-entities). @@ -51,7 +51,7 @@ A simple entity describes a single concept. Use the following procedure to creat -## Add regular expression entities for highly-structured concepts +## Add regular expression entities for highly structured concepts A regular expression entity is used to pull out data from the utterance based on a regular expression you provide. 
@@ -130,7 +130,7 @@ In the utterance `Where is Request relocation from employee new to the company o ## Add a role to distinguish different contexts -A role is a named subtype of an entity based on context. It is comparable to an [hierarchical](#add-hierarchical-entities) entity but roles are only used in [patterns](luis-how-to-model-intent-pattern.md). +A role is a named subtype based on context. It is available in all entities including prebuilt and non-machine-learned entities. Using the same example as the hierarchical entity of origin and destination cities, the difference is that a role is named origin instead of a hierarchical child. diff --git a/articles/cognitive-services/LUIS/luis-how-to-add-example-utterances.md b/articles/cognitive-services/LUIS/luis-how-to-add-example-utterances.md index 443bc4bcac335..4c0992714c66d 100644 --- a/articles/cognitive-services/LUIS/luis-how-to-add-example-utterances.md +++ b/articles/cognitive-services/LUIS/luis-how-to-add-example-utterances.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: article -ms.date: 02/19/2019 +ms.date: 04/01/2019 ms.author: diberry --- @@ -86,6 +86,8 @@ Assuming the utterance, `Does John Smith work in Seattle?`, a composite utteranc ## Add hierarchical entity +**Hierarchical entities will eventually be deprecated. Use [entity roles](luis-concept-roles.md) to determine entity subtypes, instead of hierarchical entities.** + A hierarchical entity is a category of contextually learned and conceptually related entities. In the following example, the entity contains origin and destination locations. In the utterance `Move John Smith from Seattle to Cairo`, Seattle is the origin location and Cairo is the destination location. Each location is contextually different and learned from word order and word choice in the utterance. 
@@ -101,6 +103,12 @@ In the utterance `Move John Smith from Seattle to Cairo`, Seattle is the origin >[!CAUTION] >Child entity names must be unique across all entities in a single app. Two different hierarchical entities may not contain child entities with the same name. +## Add entity's role to utterance + +A role is a named subtype of an entity, determined by the context of the utterance. You can mark an entity within an utterance as the entity, or select a role within that entity. Any entity can have roles including custom entities that are machine-learned (simple entities and composite entities), are not machine-learned (prebuilt entities, regular expression entities, list entities). + +Learn [how to mark an utterance with entity roles](tutorial-entity-roles.md) from a hands-on tutorial. + ## Entity status predictions When you enter a new utterance in the LUIS portal, the utterance may have entity prediction errors. The prediction error is a difference between how an entity is labeled compared with how LUIS has predicted the entity. 
@@ -146,11 +154,11 @@ To remove a machine-learned entity label from an utterance, select the entity in ### Add prebuilt entity label -When you add the prebuilt entities to your LUIS app, you don't need to tag utterances with these entities. To learn more about prebuilt entities and how to add them, see [Add entities](luis-how-to-add-entities.md#add-prebuilt-entity). +When you add the prebuilt entities to your LUIS app, you don't need to tag utterances with these entities. To learn more about prebuilt entities and how to add them, see [Add entities](luis-how-to-add-entities.md#add-a-prebuilt-entity-to-your-app). ### Add regular expression entity label -If you add the regular expression entities to your LUIS app, you don't need to tag utterances with these entities. To learn more about regular expression entities and how to add them, see [Add entities](luis-how-to-add-entities.md#add-regular-expression-entities). +If you add the regular expression entities to your LUIS app, you don't need to tag utterances with these entities. To learn more about regular expression entities and how to add them, see [Add entities](luis-how-to-add-entities.md#add-regular-expression-entities-for-highly-structured-concepts). ### Create a pattern from an utterance diff --git a/articles/cognitive-services/LUIS/luis-how-to-add-intents.md b/articles/cognitive-services/LUIS/luis-how-to-add-intents.md index 166c8d77ba4ba..f9d193ce422e1 100644 --- a/articles/cognitive-services/LUIS/luis-how-to-add-intents.md +++ b/articles/cognitive-services/LUIS/luis-how-to-add-intents.md @@ -8,7 +8,7 @@ manager: nitinme ms.custom: seodec18 ms.subservice: language-understanding ms.topic: article -ms.date: 02/19/2019 +ms.date: 04/01/2019 ms.author: diberry ms.service: cognitive-services --- 
@@ -64,7 +64,7 @@ The text is highlighted in blue, indicating an entity. ## Add a prebuilt entity -For information, see [Prebuilt entity](luis-how-to-add-entities.md#add-prebuilt-entity). +For information, see [Prebuilt entity](luis-how-to-add-entities.md#add-a-prebuilt-entity-to-your-app). ## Using the contextual toolbar diff --git a/articles/cognitive-services/LUIS/luis-how-to-batch-test.md b/articles/cognitive-services/LUIS/luis-how-to-batch-test.md index d7c8f0f385015..7760cde51b5b4 100644 --- a/articles/cognitive-services/LUIS/luis-how-to-batch-test.md +++ b/articles/cognitive-services/LUIS/luis-how-to-batch-test.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: article -ms.date: 01/02/2019 +ms.date: 03/29/2019 ms.author: diberry --- @@ -91,6 +91,8 @@ The two sections of the chart in red indicate utterances that did not match the The two sections of the chart in green did match the expected prediction. +[!INCLUDE [Entity roles in batch testing - currently not supported](../../../includes/cognitive-services-luis-roles-not-supported-in-batch-testing.md)] + ## Next steps If testing indicates that your LUIS app doesn't recognize the correct intents and entities, you can work to improve your LUIS app's performance by labeling more utterances or adding features. diff --git a/articles/cognitive-services/LUIS/luis-how-to-model-intent-pattern.md b/articles/cognitive-services/LUIS/luis-how-to-model-intent-pattern.md index 0ebe6ce6a02e8..cf56e76deaed6 100644 --- a/articles/cognitive-services/LUIS/luis-how-to-model-intent-pattern.md +++ b/articles/cognitive-services/LUIS/luis-how-to-model-intent-pattern.md 
@@ -1,7 +1,7 @@ --- title: Patterns add accuracy titleSuffix: Language Understanding - Azure Cognitive Services -description: Learn how to add pattern templates in Language Understanding (LUIS) applications to improve prediction accuracy. +description: Add pattern templates to improve prediction accuracy in Language Understanding (LUIS) applications. services: cognitive-services author: diberry manager: nitinme @@ -9,12 +9,12 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: conceptual -ms.date: 02/22/2019 +ms.date: 04/01/2019 ms.author: diberry --- # How to add patterns to improve prediction accuracy -After a LUIS app receives endpoint utterances, use a [pattern](luis-concept-patterns.md) to improve prediction accuracy for utterances that reveal a pattern in word order and word choice. Patterns use specific [syntax](luis-concept-patterns.md#pattern-syntax) to indicate the location of: [entities](luis-concept-entity-types.md), entity roles, and optional text. +After a LUIS app receives endpoint utterances, use a [pattern](luis-concept-patterns.md) to improve prediction accuracy for utterances that reveal a pattern in word order and word choice. Patterns use specific [syntax](luis-concept-patterns.md#pattern-syntax) to indicate the location of: [entities](luis-concept-entity-types.md), entity [roles](luis-concept-roles.md), and optional text. ## Add template utterance to create pattern 1. Open your app by selecting its name on **My Apps** page, and then select **Patterns** in the left panel, under **Improve app performance**. 
@@ -29,7 +29,7 @@ After a LUIS app receives endpoint utterances, use a [pattern](luis-concept-patt ![Screenshot of entity for pattern](./media/luis-how-to-model-intent-pattern/patterns-3.png) - If your entity includes a role, indicate the role with a single colon, `:`, after the entity name, such as `{Location:Origin}`. The list of roles for the entities displays in a list. Select the role, and then select Enter. + If your entity includes a [role](luis-concept-roles.md), indicate the role with a single colon, `:`, after the entity name, such as `{Location:Origin}`. The list of roles for the entities displays in a list. Select the role, and then select Enter. ![Screenshot of entity with role](./media/luis-how-to-model-intent-pattern/patterns-4.png) diff --git a/articles/cognitive-services/LUIS/luis-how-to-train.md b/articles/cognitive-services/LUIS/luis-how-to-train.md index 3fe0e1308fdd0..1e7419e8a6dbe 100644 --- a/articles/cognitive-services/LUIS/luis-how-to-train.md +++ b/articles/cognitive-services/LUIS/luis-how-to-train.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: article -ms.date: 01/23/2019 +ms.date: 04/07/2019 ms.author: diberry --- 
@@ -39,6 +39,10 @@ To start the iterative process in the [LUIS portal](https://www.luis.ai), you fi >[!NOTE] >If you have one or more intents in your app that do not contain example utterances, you cannot train your app. Add utterances for all your intents. For more information, see [Add example utterances](luis-how-to-add-example-utterances.md). +## Training date and time + +Training date and time is GMT + 2. + ## Train with all data Training uses a small percentage of negative sampling. If you want to use all data instead of the small negative sampling, use the [Version settings API](https://westus.dev.cognitive.microsoft.com/docs/services/5890b47c39e2bb17b84a55ff/operations/versions-update-application-version-settings) with the `UseAllTrainingData` set to true to turn off this feature. diff --git a/articles/cognitive-services/LUIS/luis-quickstart-intent-and-hier-entity.md b/articles/cognitive-services/LUIS/luis-quickstart-intent-and-hier-entity.md deleted file mode 100644 index 5a2b47166f36a..0000000000000 --- a/articles/cognitive-services/LUIS/luis-quickstart-intent-and-hier-entity.md +++ /dev/null 
@@ -1,181 +0,0 @@ ---- -title: Hierarchical entity -titleSuffix: Azure Cognitive Services -description: Find related pieces of data based on context. For example, an origin and destination locations for a physical move from one building and office to another building and office are related. -services: cognitive-services -author: diberry -manager: nitinme -ms.custom: seodec18 -ms.service: cognitive-services -ms.subservice: language-understanding -ms.topic: tutorial -ms.date: 02/19/2019 -ms.author: diberry -#Customer intent: As a new user, I want to understand how and why to use the hierarchical entity. ---- - -# Tutorial: Extract contextually related data from an utterance - -In this tutorial, find related pieces of data based on context. For example, an origin and destination locations for a transfer from one city to another. Both pieces of data may be required and they are related to each other. - -**In this tutorial, you learn how to:** - -> [!div class="checklist"] -> * Create new app -> * Add intent -> * Add location hierarchical entity with origin and destination children -> * Train -> * Publish -> * Get intents and entities from endpoint - -[!INCLUDE [LUIS Free account](../../../includes/cognitive-services-luis-free-key-short.md)] - -## Hierarchical data - -This app determines where an employee is to be moved from the origin city to the destination city. It uses the hierarchical entity to determine the locations within the utterance. - -The hierarchical entity is a good fit for this type of data because the two pieces of data, child locations: - -* Are simple entities. -* Are related to each other in the context of the utterance. -* Use specific word choice to indicate each entity. Examples of these words include: from/to, leaving/headed to, away from/toward. -* Both children are frequently in the same utterance. -* Need to be grouped and processed by client app as a unit of information. 
- -## Create a new app - -[!INCLUDE [Follow these steps to create a new LUIS app](../../../includes/cognitive-services-luis-create-new-app-steps.md)] - -## Create an intent to move employees between cities - -1. [!INCLUDE [Start in Build section](../../../includes/cognitive-services-luis-tutorial-build-section.md)] - -1. Select **Create new intent**. - -1. Enter `MoveEmployeeToCity` in the pop-up dialog box then select **Done**. - - ![Screenshot of create new intent dialog with](./media/luis-quickstart-intent-and-hier-entity/create-new-intent-move-employee-to-city.png) - -1. Add example utterances to the intent. - - |Example utterances| - |--| - |move John W. Smith leaving Seattle headed to Dallas| - |transfer Jill Jones from Seattle to Cairo| - |Place John Jackson away from Tampa, coming to Atlanta | - |move Debra Doughtery to Tulsa from Dallas| - |mv Jill Jones leaving Cairo headed to Tampa| - |Shift Alice Anderson to Oakland from Redmond| - |Carl Chamerlin from San Francisco to Redmond| - |Transfer Steve Standish from San Diego toward Bellevue | - |lift Tanner Thompson from Kansas city and shift to Chicago| - - [![Screenshot of LUIS with new utterances in MoveEmployee intent](./media/luis-quickstart-intent-and-hier-entity/hr-enter-utterances.png)](./media/luis-quickstart-intent-and-hier-entity/hr-enter-utterances.png#lightbox) - -## Create a location entity -LUIS needs to understand what a location is by labeling the origin and destination in the utterances. If you need to see the utterance in the token (raw) view, select the toggle in the bar above the utterances labeled **Entities View**. After you toggle the switch, the control is labeled **Tokens View**. - -Consider the following utterance: - -```json -move John W. Smith leaving Seattle headed to Dallas -``` - -The utterance has two locations specified, `Seattle` and `Dallas`. 
Both are grouped as children of a hierarchical entity, `Location`, because both pieces of data need to be extracted from the utterance to complete the request in the client application and they are related to each other. - -If only one child (origin or destination) of a hierarchical entity is present, it is still extracted. All children do not need to be found for just one, or some, to be extracted. - -1. In the utterance, `move John W. Smith leaving Seattle headed to Dallas`, select the word `Seattle`. A drop-down menu appears with a text box at the top. Enter the entity name `Location` in the text box then select **Create new entity** in the drop-down menu. - - [![Screenshot of creating new entity on intent page](media/luis-quickstart-intent-and-hier-entity/tutorial-hierarichical-entity-labeling-1.png "Screenshot of creating new entity on intent page")](media/luis-quickstart-intent-and-hier-entity/tutorial-hierarichical-entity-labeling-1.png#lightbox) - -1. In the pop-up window, select the **Hierarchical** entity type with `Origin` and `Destination` as the child entities. Select **Done**. - - ![Screenshot of entity creation pop-up dialog for new Location entity](media/luis-quickstart-intent-and-hier-entity/hr-create-new-entity-2.png "Screenshot of entity creation pop-up dialog for new Location entity") - -1. The label for `Seattle` is marked as `Location` because LUIS doesn't know if the term was the origin or destination, or neither. Select `Seattle`, then select **Location**, then follow the menu to the right and select `Origin`. - - [![Screenshot of entity labeling pop-up dialog to change locations entity child](media/luis-quickstart-intent-and-hier-entity/tutorial-hierarichical-entity-labeling-2.png "Screenshot of entity labeling pop-up dialog to change locations entity child")](media/luis-quickstart-intent-and-hier-entity/tutorial-hierarichical-entity-labeling-2.png#lightbox) - -1. Label the other locations in all the other utterances. 
When all locations are marked, the utterances begin to look like a pattern. - - [![Screenshot of Locations entity labeled in utterances](media/luis-quickstart-intent-and-hier-entity/all-intents-marked-with-origin-and-destination-location.png "Screenshot of Locations entity labeled in utterances")](media/luis-quickstart-intent-and-hier-entity/all-intents-marked-with-origin-and-destination-location.png#lightbox) - - The red underline indicates LUIS is not confident about the entity. Training resolves this. - -## Add example utterances to the None intent - -[!INCLUDE [Follow these steps to add the None intent to the app](../../../includes/cognitive-services-luis-create-the-none-intent.md)] - -## Train the app so the changes to the intent can be tested - -[!INCLUDE [LUIS How to Train steps](../../../includes/cognitive-services-luis-tutorial-how-to-train.md)] - -## Publish the app so the trained model is queryable from the endpoint - -[!INCLUDE [LUIS How to Publish steps](../../../includes/cognitive-services-luis-tutorial-how-to-publish.md)] - -## Get intent and entity prediction from endpoint - -1. [!INCLUDE [LUIS How to get endpoint first step](../../../includes/cognitive-services-luis-tutorial-how-to-get-endpoint.md)] - - -1. Go to the end of the URL in the address bar and enter `Please move Carl Chamerlin from Tampa to Portland`. The last querystring parameter is `q`, the utterance **query**. This utterance is not the same as any of the labeled utterances so it is a good test and should return the `MoveEmployee` intent with the hierarchical entity extracted. 
- - ```json - { - "query": "Please move Carl Chamerlin from Tampa to Portland", - "topScoringIntent": { - "intent": "MoveEmployeeToCity", - "score": 0.979823351 - }, - "intents": [ - { - "intent": "MoveEmployeeToCity", - "score": 0.979823351 - }, - { - "intent": "None", - "score": 0.0156363435 - } - ], - "entities": [ - { - "entity": "portland", - "type": "Location::Destination", - "startIndex": 41, - "endIndex": 48, - "score": 0.6044041 - }, - { - "entity": "tampa", - "type": "Location::Origin", - "startIndex": 32, - "endIndex": 36, - "score": 0.739491045 - } - ] - } - ``` - - The correct intent is predicted and the entities array has both the origin and destination values in the corresponding **entities** property. - -## Clean up resources - -[!INCLUDE [LUIS How to clean up resources](../../../includes/cognitive-services-luis-tutorial-how-to-clean-up-resources.md)] - -## Related information - -* [Hierarchical entity](luis-concept-entity-types.md) conceptual information -* [How to train](luis-how-to-train.md) -* [How to publish](luis-how-to-publish-app.md) -* [How to test in LUIS portal](luis-interactive-test.md) -* [Roles versus hierarchical entities](luis-concept-roles.md#roles-versus-hierarchical-entities) -* [Improve predictions with Patterns](luis-concept-patterns.md) - -## Next steps - -This tutorial created a new intent and added example utterances for the contextually learned data of origin and destination locations. Once the app is trained and published, a client-application can use that information to create a move ticket with the relevant information. - -> [!div class="nextstepaction"] -> [Learn how to add a composite entity](luis-tutorial-composite-entity.md) diff --git a/articles/cognitive-services/LUIS/luis-quickstart-intent-and-list-entity.md b/articles/cognitive-services/LUIS/luis-quickstart-intent-and-list-entity.md index ecc0e26ecf25d..ee757611cfd4d 100644 --- a/articles/cognitive-services/LUIS/luis-quickstart-intent-and-list-entity.md 
+++ b/articles/cognitive-services/LUIS/luis-quickstart-intent-and-list-entity.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: tutorial -ms.date: 12/21/2018 +ms.date: 04/01/2019 ms.author: diberry #Customer intent: As a new user, I want to understand how and why to use the list entity. --- @@ -181,5 +181,5 @@ This tutorial created a new intent, added example utterances, then created a lis Continue with this app, [adding a composite entity](luis-tutorial-composite-entity.md). > [!div class="nextstepaction"] -> [Add a hierarchical entity to the app](luis-quickstart-intent-and-hier-entity.md) +> [Add prebuilt entity with a role to the app](tutorial-entity-roles.md) diff --git a/articles/cognitive-services/LUIS/luis-quickstart-primary-and-secondary-data.md b/articles/cognitive-services/LUIS/luis-quickstart-primary-and-secondary-data.md index 74b158c45ac5d..8c86d09f255c7 100644 --- a/articles/cognitive-services/LUIS/luis-quickstart-primary-and-secondary-data.md +++ b/articles/cognitive-services/LUIS/luis-quickstart-primary-and-secondary-data.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: tutorial -ms.date: 02/19/2019 +ms.date: 04/01/2019 ms.author: diberry #Customer intent: As a new user, I want to understand how and why to use the simple entity. --- @@ -44,7 +44,7 @@ The simple entity is a good fit for this type of data when: * Data is not well-formatted such as a regular expression. * Data is not common such as a prebuilt entity of phone number or data. * Data is not matched exactly to a list of known words, such as a list entity. -* Data does not contain other data items such as a composite entity or hierarchical entity. +* Data does not contain other data items such as a composite entity or contextual roles. Consider the following utterances from a chat bot: 
diff --git a/articles/cognitive-services/LUIS/luis-reference-prebuilt-entities.md b/articles/cognitive-services/LUIS/luis-reference-prebuilt-entities.md index bada76fcaf6ad..176519ba8ed86 100644 --- a/articles/cognitive-services/LUIS/luis-reference-prebuilt-entities.md +++ b/articles/cognitive-services/LUIS/luis-reference-prebuilt-entities.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: article -ms.date: 04/03/2019 +ms.date: 04/05/2019 ms.author: diberry --- @@ -105,12 +105,12 @@ The following entities are supported: [DatetimeV2](luis-reference-prebuilt-datetimev2.md):
date
daterange
time
timerange | ✔ | [Dimension](luis-reference-prebuilt-dimension.md):
volume
area
weight
information (ex: bit/byte)
length (ex: meter)
speed (ex: mile per hour) | ✔ | [Email](luis-reference-prebuilt-email.md) | ✔ | -[GeographyV2](luis-reference-prebuilt-geographyV2.md) | ✔ | +[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - | [KeyPhrase](luis-reference-prebuilt-keyphrase.md) | ✔ | [Number](luis-reference-prebuilt-number.md) | ✔ | [Ordinal](luis-reference-prebuilt-ordinal.md) | ✔ | [Percentage](luis-reference-prebuilt-percentage.md) | ✔ | -[PersonName](luis-reference-prebuilt-person.md) | ✔ | +[PersonName](luis-reference-prebuilt-person.md) | - | [Phonenumber](luis-reference-prebuilt-phonenumber.md) | ✔ | [Temperature](luis-reference-prebuilt-temperature.md):
fahrenheit
kelvin
rankine
delisle
celsius | ✔ | [URL](luis-reference-prebuilt-url.md) | ✔ | diff --git a/articles/cognitive-services/LUIS/luis-traffic-manager.md b/articles/cognitive-services/LUIS/luis-traffic-manager.md index 94fab948482ed..81f8ff2b3c1b4 100644 --- a/articles/cognitive-services/LUIS/luis-traffic-manager.md +++ b/articles/cognitive-services/LUIS/luis-traffic-manager.md @@ -82,7 +82,7 @@ To create the East US Traffic Manager profile, there are several steps: create p |-RelativeDnsName|luis-dns-eastus|This is the subdomain for the service: luis-dns-eastus.trafficmanager.net| |-Ttl|30|Polling interval, 30 seconds| |-MonitorProtocol
-MonitorPort|HTTPS
443|Port and protocol for LUIS is HTTPS/443| - |-MonitorPath|`/luis/v2.0/apps/?subscription-key=&q=traffic-manager-east`|Replace and with your own values.| + |-MonitorPath|`/luis/v2.0/apps/?subscription-key=&q=traffic-manager-east`|Replace `` and `` with your own values.| A successful request has no response. @@ -150,7 +150,7 @@ To create the West US Traffic Manager profile, follow the same steps: create pro |-RelativeDnsName|luis-dns-westus|This is the subdomain for the service: luis-dns-westus.trafficmanager.net| |-Ttl|30|Polling interval, 30 seconds| |-MonitorProtocol
-MonitorPort|HTTPS
443|Port and protocol for LUIS is HTTPS/443| - |-MonitorPath|`/luis/v2.0/apps/?subscription-key=&q=traffic-manager-west`|Replace and with your own values. Remember this endpoint key is different than the east endpoint key| + |-MonitorPath|`/luis/v2.0/apps/?subscription-key=&q=traffic-manager-west`|Replace `` and `` with your own values. Remember this endpoint key is different than the east endpoint key| A successful request has no response. diff --git a/articles/cognitive-services/LUIS/luis-tutorial-batch-testing.md b/articles/cognitive-services/LUIS/luis-tutorial-batch-testing.md index c77163ce01875..3148ebd53a164 100644 --- a/articles/cognitive-services/LUIS/luis-tutorial-batch-testing.md +++ b/articles/cognitive-services/LUIS/luis-tutorial-batch-testing.md @@ -9,7 +9,7 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: article -ms.date: 12/21/2018 +ms.date: 03/29/2019 ms.author: diberry --- @@ -196,6 +196,8 @@ The value of a **Job** entity, provided in the test utterances, is usually one o 7. Select **See results**. +[!INCLUDE [Entity roles in batch testing - currently not supported](../../../includes/cognitive-services-luis-roles-not-supported-in-batch-testing.md)] + ## Review entity batch results The chart opens with all the intents correctly predicted. Scroll down in the right-side filter to find the erroring entity predictions. diff --git a/articles/cognitive-services/LUIS/luis-tutorial-pattern-roles.md b/articles/cognitive-services/LUIS/luis-tutorial-pattern-roles.md index c2bc83da01881..e2bea4ff9c63d 100644 --- a/articles/cognitive-services/LUIS/luis-tutorial-pattern-roles.md +++ b/articles/cognitive-services/LUIS/luis-tutorial-pattern-roles.md 
@@ -1,7 +1,7 @@ --- title: Pattern roles titleSuffix: Azure Cognitive Services -description: Use a pattern to extract data from a well-formatted template utterance. The template utterance uses a simple entity and roles to extract related data such as origin location and destination location. +description: Patterns extract data from well-formatted template utterances. The template utterance uses a simple entity and roles to extract related data such as origin location and destination location. ms.custom: seodec18 services: cognitive-services author: diberry @@ -9,14 +9,14 @@ manager: nitinme ms.service: cognitive-services ms.subservice: language-understanding ms.topic: tutorial -ms.date: 12/21/2018 +ms.date: 04/01/2019 ms.author: diberry #Customer intent: As a new user, I want to understand how and why to use pattern roles. --- -# Tutorial: Extract contextually-related patterns using roles +# Tutorial: Extract contextually related patterns using roles -In this tutorial, use a pattern to extract data from a well-formatted template utterance. The template utterance uses a simple entity and roles to extract related data such as origin location and destination location. When using patterns, fewer example utterances are needed for the intent. +In this tutorial, use a pattern to extract data from a well-formatted template utterance. The template utterance uses a [simple entity](luis-concept-entity-types.md#simple-entity) and [roles](luis-concept-roles.md) to extract related data such as origin location and destination location. When using patterns, fewer example utterances are needed for the intent. **In this tutorial, you learn how to:** 
@@ -36,7 +36,7 @@ In this tutorial, use a pattern to extract data from a well-formatted template u ## Using roles in patterns -The purpose of roles is to extract contextually-related entities in an utterance. In the utterance, `Move new employee Robert Williams from Sacramento and San Francisco`, the origin city, and destination city values are related to each other and use common language to denote each location. +The purpose of roles is to extract contextually related entities in an utterance. In the utterance, `Move new employee Robert Williams from Sacramento and San Francisco`, the origin city, and destination city values are related to each other and use common language to denote each location. The name of the new employee, Billy Patterson, is not part of the list entity **Employee** yet. The new employee name is extracted first, in order to send the name to an external system to create the company credentials. After the company credentials are created, the employee credentials are added to the list entity **Employee**. 
@@ -370,19 +370,6 @@ Cities, like people's names are tricky in that they can be any mix of words and The intent score is now much higher and the role names are part of the entity response. -## Hierarchical entities versus roles - -In the [hierarchical tutorial](luis-quickstart-intent-and-hier-entity.md), the **MoveEmployee** intent detected when to move an existing employee from one building and office to another. The example utterances had origin and destination locations but did not use roles. Instead, the origin and destination were children of the hierarchical entity. - -In this tutorial, the Human Resources app detects utterances about moving new employees from one city to another. These two types of utterances are the same but solved with different LUIS abilities. - -|Tutorial|Example utterance|Origin and destination locations| -|--|--|--| -|[Hierarchical (no roles)](luis-quickstart-intent-and-hier-entity.md)|mv Jill Jones from **a-2349** to **b-1298**|a-2349, b-1298| -|This tutorial (with roles)|Move Billy Patterson from **Yuma** to **Denver**.|Yuma, Denver| - -For more information, see [Roles versus hierarchical entities](luis-concept-roles.md#roles-versus-hierarchical-entities). - ## Clean up resources [!INCLUDE [LUIS How to clean up resources](../../../includes/cognitive-services-luis-tutorial-how-to-clean-up-resources.md)] diff --git a/articles/cognitive-services/LUIS/luis-tutorial-speech-to-intent.md b/articles/cognitive-services/LUIS/luis-tutorial-speech-to-intent.md index 8d5d82a4cb414..ac9e3c8be7024 100644 --- a/articles/cognitive-services/LUIS/luis-tutorial-speech-to-intent.md +++ b/articles/cognitive-services/LUIS/luis-tutorial-speech-to-intent.md 
@@ -9,10 +9,10 @@ ms.custom: seodec18 ms.service: cognitive-services ms.subservice: language-understanding ms.topic: tutorial -ms.date: 12/07/2018 +ms.date: 04/08/2018 ms.author: diberry #Customer intent: Use speech service and get LUIS prediction information -- without calling LUIS directly. -#dfb - verified this tutorial works on 6/26 using logitech wireless headset +#dfb - verified this tutorial works on 04/08/2019 using Jabra wired headset --- # Integrate Speech service with your Language Understanding app @@ -21,7 +21,7 @@ The [Speech service](https://docs.microsoft.com/azure/cognitive-services/Speech- For this article, you need a free [LUIS][LUIS] website account in order to import the application. ## Create LUIS endpoint key -In the Azure portal, [create](luis-how-to-azure-subscription.md) a **Language Understanding** (LUIS) key. +In the Azure portal, [create](luis-how-to-azure-subscription.md) a **Cognitive Service** (LUIS) key for your LUIS app. ## Import Human Resources LUIS app The intents, and utterances for this article are from the Human Resources LUIS app available from the [Azure-Samples](https://github.com/Azure-Samples/cognitive-services-language-understanding) GitHub repository. Download the [HumanResources.json](https://github.com/Azure-Samples/cognitive-services-language-understanding/blob/master/documentation-samples/tutorials/HumanResources.json) file, save it with the `.json` extension, and [import](luis-how-to-start-new-app.md#import-new-app) it into LUIS. diff --git a/articles/cognitive-services/LUIS/media/luis-quickstart-cs-add-utterance/system.web.png b/articles/cognitive-services/LUIS/media/luis-quickstart-cs-add-utterance/system.web.png index 2d0ecbdf668fe..b3c5dfd090336 100644 Binary files a/articles/cognitive-services/LUIS/media/luis-quickstart-cs-add-utterance/system.web.png and b/articles/cognitive-services/LUIS/media/luis-quickstart-cs-add-utterance/system.web.png differ 
diff --git a/articles/cognitive-services/LUIS/media/luis-quickstart-cs-add-utterance/vs-project-type.png b/articles/cognitive-services/LUIS/media/luis-quickstart-cs-add-utterance/vs-project-type.png
index f14a6e25b36dd..5f87828dbea63 100644
Binary files a/articles/cognitive-services/LUIS/media/luis-quickstart-cs-add-utterance/vs-project-type.png and b/articles/cognitive-services/LUIS/media/luis-quickstart-cs-add-utterance/vs-project-type.png differ
diff --git a/articles/cognitive-services/LUIS/media/tutorial-entity-roles/add-geographyV2-prebuilt-entity.png b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/add-geographyV2-prebuilt-entity.png
new file mode 100644
index 0000000000000..f56de46281ccf
Binary files /dev/null and b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/add-geographyV2-prebuilt-entity.png differ
diff --git a/articles/cognitive-services/LUIS/media/tutorial-entity-roles/add-roles-to-prebuilt-entity.png b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/add-roles-to-prebuilt-entity.png
new file mode 100644
index 0000000000000..c6535fd248107
Binary files /dev/null and b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/add-roles-to-prebuilt-entity.png differ
diff --git a/articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/all-intents-marked-with-origin-and-destination-location.png b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/all-intents-marked-with-origin-and-destination-location.png
similarity index 100%
rename from articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/all-intents-marked-with-origin-and-destination-location.png
rename to articles/cognitive-services/LUIS/media/tutorial-entity-roles/all-intents-marked-with-origin-and-destination-location.png
diff --git a/articles/cognitive-services/LUIS/media/tutorial-entity-roles/all-locations-marked-with-roles.png b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/all-locations-marked-with-roles.png
new file mode 100644
index 0000000000000..9f53aa7b422cd
Binary files /dev/null and b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/all-locations-marked-with-roles.png differ
diff --git a/articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/create-new-intent-move-employee-to-city.png b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/create-new-intent-move-employee-to-city.png
similarity index 100%
rename from articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/create-new-intent-move-employee-to-city.png
rename to articles/cognitive-services/LUIS/media/tutorial-entity-roles/create-new-intent-move-employee-to-city.png
diff --git a/articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/hr-create-new-entity-2.png b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/hr-create-new-entity-2.png
similarity index 100%
rename from articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/hr-create-new-entity-2.png
rename to articles/cognitive-services/LUIS/media/tutorial-entity-roles/hr-create-new-entity-2.png
diff --git a/articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/hr-enter-utterances.png b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/hr-enter-utterances.png
similarity index 100%
rename from articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/hr-enter-utterances.png
rename to articles/cognitive-services/LUIS/media/tutorial-entity-roles/hr-enter-utterances.png
diff --git a/articles/cognitive-services/LUIS/media/tutorial-entity-roles/tag-origin-city-with-role.png b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/tag-origin-city-with-role.png
new file mode 100644
index 0000000000000..ab46b2170ea8c
Binary files /dev/null and b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/tag-origin-city-with-role.png differ
diff --git a/articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/tutorial-hierarichical-entity-labeling-1.png b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/tutorial-hierarichical-entity-labeling-1.png
similarity index 100%
rename from articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/tutorial-hierarichical-entity-labeling-1.png
rename to articles/cognitive-services/LUIS/media/tutorial-entity-roles/tutorial-hierarichical-entity-labeling-1.png
diff --git a/articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/tutorial-hierarichical-entity-labeling-2.png b/articles/cognitive-services/LUIS/media/tutorial-entity-roles/tutorial-hierarichical-entity-labeling-2.png
similarity index 100%
rename from articles/cognitive-services/LUIS/media/luis-quickstart-intent-and-hier-entity/tutorial-hierarichical-entity-labeling-2.png
rename to articles/cognitive-services/LUIS/media/tutorial-entity-roles/tutorial-hierarichical-entity-labeling-2.png
diff --git a/articles/cognitive-services/LUIS/toc.yml b/articles/cognitive-services/LUIS/toc.yml
index 7e5217efc613c..a785ea0a87738 100644
--- a/articles/cognitive-services/LUIS/toc.yml
+++ b/articles/cognitive-services/LUIS/toc.yml
@@ -61,12 +61,15 @@ href: luis-quickstart-intents-regex-entity.md - name: Get exact text matches with lists href: luis-quickstart-intent-and-list-entity.md - - name: Get contextually-related data with hierarchical entities - href: luis-quickstart-intent-and-hier-entity.md + - name: Get related data with entity roles + href: tutorial-entity-roles.md + displayName: roles, geographyV2, context - name: Group and extract related data with composite entities href: luis-tutorial-composite-entity.md + displayName: roles - name: Get names with simple entities href: luis-quickstart-primary-and-secondary-data.md + displayName: roles - name: Improve app items: - name: Fix unsure predictions @@ -77,6 +80,7 @@ href: luis-tutorial-pattern.md - name: Extract contextually-related patterns href: luis-tutorial-pattern-roles.md + displayName: roles - name: Extract free-form data href: luis-tutorial-pattern-any.md - name: Use bot @@ -112,7 +116,7 @@ - name: Intents href: luis-concept-intent.md - name: Entities - displayName: prebuilt, custom, regular expression, regex, simple, list, pattern.any, composite, hierarchical, machine-learn, exact, mixed + displayName: prebuilt, custom, regular expression, regex, simple, list, pattern.any, composite, hierarchical, machine-learn, exact, mixed, roles href: luis-concept-entity-types.md - name: Utterances href: luis-concept-utterance.md @@ -130,6 +134,7 @@ href: luis-concept-feature.md - name: Patterns href: luis-concept-patterns.md + displayName: roles - name: Data management items: - name: Altering data @@ -138,6 +143,7 @@ href: luis-concept-data-conversion.md - name: Extracting data href: luis-concept-data-extraction.md + displayName: roles - name: Data Storage href: luis-concept-data-storage.md - name: Test 
@@ -171,7 +177,7 @@ href: luis-how-to-add-example-utterances.md - name: Add entity without utterance href: luis-how-to-add-entities.md - displayName: import + displayName: roles, import - name: Use prebuilt models items: - name: Use domains @@ -219,7 +225,7 @@ displayName: synonym, interchange href: luis-how-to-add-features.md - name: Add Patterns - displayName: syntax, template + displayName: syntax, template, roles href: luis-how-to-model-intent-pattern.md - name: Train href: luis-how-to-train.md diff --git a/articles/cognitive-services/LUIS/tutorial-entity-roles.md b/articles/cognitive-services/LUIS/tutorial-entity-roles.md new file mode 100644 index 0000000000000..7a94993d50cc3 --- /dev/null +++ b/articles/cognitive-services/LUIS/tutorial-entity-roles.md 
@@ -0,0 +1,175 @@ +--- +title: Contextual data with roles - Language Understanding +titleSuffix: Azure Cognitive Services +description: Find related data based on context. For example, an origin and destination locations for a physical move from one building and office to another building and office are related. +services: cognitive-services +author: diberry +manager: nitinme +ms.custom: seodec18 +ms.service: cognitive-services +ms.subservice: language-understanding +ms.topic: tutorial +ms.date: 03/08/2019 +ms.author: diberry +#Customer intent: As a new user, I want to understand how and why to use the hierarchical entity. +--- + +# Tutorial: Extract contextually related data from an utterance + +In this tutorial, find related pieces of data based on context. For example, an origin and destination locations for a transfer from one city to another. Both pieces of data may be required and they are related to each other. + +This tutorial was previously written using hierarchical entities. Entity roles replace the need for the hierarchical entity type. A role can be used with any prebuilt or custom entity type, and used in both example utterances and patterns. + +**In this tutorial, you learn how to:** + +> [!div class="checklist"] +> * Create new app +> * Add intent +> * Get origin and destination information using roles +> * Train +> * Publish +> * Get intents and entity roles from endpoint + +[!INCLUDE [LUIS Free account](../../../includes/cognitive-services-luis-free-key-short.md)] + +## Related data + +This app determines where an employee is to be moved from the origin city to the destination city. It uses a GeographyV2 prebuilt entity to identify the city names and it uses roles to determine the location types (origin and destination) within the utterance. + +A role should be used when the entity data to extract: + +* Is related to each other in the context of the utterance. +* Uses specific word choice to indicate each role. 
Examples of these words include: from/to, leaving/headed to, away from/toward. +* Both roles are frequently in the same utterance, allowing LUIS to learn from this frequent contextual usage. +* Need to be grouped and processed by client app as a unit of information. + +## Create a new app + +[!INCLUDE [Follow these steps to create a new LUIS app](../../../includes/cognitive-services-luis-create-new-app-steps.md)] + +## Create an intent to move employees between cities + +1. [!INCLUDE [Start in Build section](../../../includes/cognitive-services-luis-tutorial-build-section.md)] + +1. Select **Create new intent**. + +1. Enter `MoveEmployeeToCity` in the pop-up dialog box then select **Done**. + + ![Screenshot of create new intent dialog with](./media/tutorial-entity-roles/create-new-intent-move-employee-to-city.png) + +1. Add example utterances to the intent. + + |Example utterances| + |--| + |move John W. Smith leaving Seattle headed to Orlando| + |transfer Jill Jones from Seattle to Cairo| + |Place John Jackson away from Tampa, coming to Atlanta | + |move Debra Doughtery to Tulsa from Chicago| + |mv Jill Jones leaving Cairo headed to Tampa| + |Shift Alice Anderson to Oakland from Redmond| + |Carl Chamerlin from San Francisco to Redmond| + |Transfer Steve Standish from San Diego toward Bellevue | + |lift Tanner Thompson from Kansas city and shift to Chicago| + + [![Screenshot of LUIS with new utterances in MoveEmployee intent](./media/tutorial-entity-roles/hr-enter-utterances.png)](./media/tutorial-entity-roles/hr-enter-utterances.png#lightbox) + +## Add prebuilt entity geographyV2 + +The prebuilt entity, geographyV2, extracts location information, including city names. Since the utterances have two city names, relating to each other in context, use roles to extract that context. + +1. Select **Entities** from the left-side navigation. + +1. Select **Add prebuilt entity**, then select `geo` in the search bar to filter the prebuilt entities. 
+ + ![Add geographyV2 prebuilt entity to app](media/tutorial-entity-roles/add-geographyV2-prebuilt-entity.png) +1. Select the checkbox and select **Done**. +1. In the **Entities** list, select the **geographyV2** to open the new entity. +1. Add two roles, `Origin`, and `Destination`. + + ![Add roles to prebuilt entity](media/tutorial-entity-roles/add-roles-to-prebuilt-entity.png) +1. Select **Intents** from the left-side navigation, then select the **MoveEmployeeToCity** intent. Notice the city names are labeled with the prebuilt entity **geogrpahyV2**. +1. In the first utterance of the list, select the origin location. A drop-down menu appears. Select **geographyV2** in the list, then follow the menu across to select **Origin**. + + [![Screenshot of marking city as Origin location](media/tutorial-entity-roles/tag-origin-city-with-role.png "Screenshot of marking city as Origin location")](media/tutorial-entity-roles/tag-origin-city-with-role.png#lightbox) + +1. Use the method from the previous step to mark all roles of locations in all the utterances. + + [![Screenshot of Locations entity labeled in utterances](media/tutorial-entity-roles/all-locations-marked-with-roles.png "Screenshot of Locations entity labeled in utterances")](media/tutorial-entity-roles/all-locations-marked-with-roles.png#lightbox) + +## Add example utterances to the None intent + +[!INCLUDE [Follow these steps to add the None intent to the app](../../../includes/cognitive-services-luis-create-the-none-intent.md)] + +## Train the app so the changes to the intent can be tested + +[!INCLUDE [LUIS How to Train steps](../../../includes/cognitive-services-luis-tutorial-how-to-train.md)] + +## Publish the app so the trained model is queryable from the endpoint + +[!INCLUDE [LUIS How to Publish steps](../../../includes/cognitive-services-luis-tutorial-how-to-publish.md)] + +## Get intent and entity prediction from endpoint + +1. 
[!INCLUDE [LUIS How to get endpoint first step](../../../includes/cognitive-services-luis-tutorial-how-to-get-endpoint.md)] + + +1. Go to the end of the URL in the address bar and enter `Please move Carl Chamerlin from Tampa to Portland`. The last querystring parameter is `q`, the utterance **query**. This utterance is not the same as any of the labeled utterances so it is a good test and should return the `MoveEmployee` intent with the hierarchical entity extracted. + + ```json + { + "query": "Please move Carl Chamerlin from Tampa to Portland", + "topScoringIntent": { + "intent": "MoveEmployeeToCity", + "score": 0.979823351 + }, + "intents": [ + { + "intent": "MoveEmployeeToCity", + "score": 0.979823351 + }, + { + "intent": "None", + "score": 0.0156363435 + } + ], + "entities": [ + { + "entity": "geographyV2", + "role": "Destination", + "startIndex": 41, + "endIndex": 48, + "score": 0.6044041 + }, + { + "entity": "geographyV2", + "role": "Origin", + "startIndex": 32, + "endIndex": 36, + "score": 0.739491045 + } + ] + } + ``` + + The correct intent is predicted and the entities array has both the origin and destination roles in the corresponding **entities** property. + +## Clean up resources + +[!INCLUDE [LUIS How to clean up resources](../../../includes/cognitive-services-luis-tutorial-how-to-clean-up-resources.md)] + +## Related information + +* [Entities concepts](luis-concept-entity-types.md) +* [Roles concepts](luis-concept-roles.md) +* [Prebuilt entities list](luis-reference-prebuilt-entities.md) +* [How to train](luis-how-to-train.md) +* [How to publish](luis-how-to-publish-app.md) +* [How to test in LUIS portal](luis-interactive-test.md) +* [Roles](luis-concept-roles.md) + +## Next steps + +This tutorial created a new intent and added example utterances for the contextually learned data of origin and destination locations. 
Once the app is trained and published, a client-application can use that information to create a move ticket with the relevant information. + +> [!div class="nextstepaction"] +> [Learn how to add a composite entity](luis-tutorial-composite-entity.md) diff --git a/articles/cognitive-services/Labs/Answer-Search/reference.md b/articles/cognitive-services/Labs/Answer-Search/reference.md index ccce9a03df928..5032a10ae3bc3 100644 --- a/articles/cognitive-services/Labs/Answer-Search/reference.md +++ b/articles/cognitive-services/Labs/Answer-Search/reference.md @@ -31,7 +31,7 @@ https://api.labs.cognitive.microsoft.com/answerSearch/v7.0/search?q= ``` The request must use the HTTPS protocol and include following query parameter: -- q= - The query that identifies the object of search +- `q=` - The query that identifies the object of search For examples that show how to make requests, see [C# quickstart](c-sharp-quickstart.md) or [Java quickstart](java-quickstart.md). diff --git a/articles/cognitive-services/Labs/Conversation-Learner/tutorials/08-pre-trained-entities.md b/articles/cognitive-services/Labs/Conversation-Learner/tutorials/08-pre-trained-entities.md index 20d51f877ce22..770399017e862 100644 --- a/articles/cognitive-services/Labs/Conversation-Learner/tutorials/08-pre-trained-entities.md +++ b/articles/cognitive-services/Labs/Conversation-Learner/tutorials/08-pre-trained-entities.md @@ -56,7 +56,7 @@ Start on the home page in the Web UI. 1. Select **Actions** in the left panel, then **New Action**. 2. Enter **What's the date?** for **Bot's Response...**. Pre-Trained entities cannot be **Required Entities** as they are recognized by default for all utterances. -3. Enter **builtin-datetimev2** for **Disqualifying Entitles**. +3. Enter **builtin-datetimev2** for **Disqualifying Entities**. 4. Select **Create**. ![](../media/T08_action_create_2.png) 
diff --git a/articles/cognitive-services/QnAMaker/Concepts/confidence-score.md b/articles/cognitive-services/QnAMaker/Concepts/confidence-score.md
index df9b759b441cc..7ccd7fda5f969 100644
--- a/articles/cognitive-services/QnAMaker/Concepts/confidence-score.md
+++ b/articles/cognitive-services/QnAMaker/Concepts/confidence-score.md
@@ -1,6 +1,6 @@
 ---
-title: Confidence Score - Microsoft Cognitive Services | Microsoft Docs
-titleSuffix: Azure
+title: Confidence Score - QnA Maker
+titleSuffix: Azure Cognitive Services
 description: The confidence score indicates the confidence that the answer is the right match for the given user query.
 services: cognitive-services
 author: tulasim88
@@ -8,7 +8,7 @@ manager: nitinme
 ms.service: cognitive-services
 ms.subservice: qna-maker
 ms.topic: article
-ms.date: 02/21/2019
+ms.date: 04/05/2019
 ms.author: tulasim
 ms.custom: seodec18
 ---
@@ -60,7 +60,7 @@ When multiple responses have a similar confidence score, it is likely that the q ## Confidence score differences -The confidence score of an answer may change negligibly between the test and published version of the knowledge base even if the content is the same. This is because the content of the test and the published knowledge base are located in different Azure Search indexes. When you publish a knowledge base, the question and answer contents of your knowledge base moves from the test index to a production index in Azure search. See how the [publish](../How-To/publish-knowledge-base.md) operation works. +The confidence score of an answer may change negligibly between the test and published version of the knowledge base even if the content is the same. This is because the content of the test and the published knowledge base are located in different Azure Search indexes. When you publish a knowledge base, the question and answer contents of your knowledge base moves from the test index to a production index in Azure search. See how the [publish](../Quickstarts/create-publish-knowledge-base.md#publish-the-knowledge-base) operation works. If you have a knowledge base in different regions, each region uses its own Azure Search index. Because different indexes are used, the scores will not be exactly the same. diff --git a/articles/cognitive-services/QnAMaker/Concepts/development-lifecycle-knowledge-base.md b/articles/cognitive-services/QnAMaker/Concepts/development-lifecycle-knowledge-base.md index d3e5fc40fb017..750e1ee602aa7 100644 --- a/articles/cognitive-services/QnAMaker/Concepts/development-lifecycle-knowledge-base.md +++ b/articles/cognitive-services/QnAMaker/Concepts/development-lifecycle-knowledge-base.md @@ -8,7 +8,7 @@ manager: nitinme ms.service: cognitive-services ms.subservice: qna-maker ms.topic: article -ms.date: 02/21/2019 +ms.date: 04/05/2019 ms.author: tulasim ms.custom: seodec18 --- 
@@ -39,7 +39,7 @@ This way, any changes being made to the test version of the knowledge base do no Each of these knowledge bases can be targeted for testing separately. Using the APIs, you can target the test version of the knowledge base with `isTest=true` flag in the generateAnswer call. -Learn how to [publish your knowledge base](../How-To/publish-knowledge-base.md). +Learn how to [publish your knowledge base](../Quickstarts/create-publish-knowledge-base.md#publish-the-knowledge-base). ## Monitor usage To be able to log the chat logs of your service, you would need to enable Application Insights when you [create your QnA Maker service](../How-To/set-up-qnamaker-service-azure.md). diff --git a/articles/cognitive-services/QnAMaker/How-To/add-sharepoint-datasources.md b/articles/cognitive-services/QnAMaker/How-To/add-sharepoint-datasources.md index 6900ea1e986e7..a8ff2e2dbfb3c 100644 --- a/articles/cognitive-services/QnAMaker/How-To/add-sharepoint-datasources.md +++ b/articles/cognitive-services/QnAMaker/How-To/add-sharepoint-datasources.md @@ -8,7 +8,7 @@ manager: nitinme ms.service: cognitive-services ms.subservice: qna-maker ms.topic: article -ms.date: 03/26/2019 +ms.date: 04/05/2019 ms.author: tulasim --- 
@@ -52,7 +52,7 @@ Once the QnA Maker manager selects the account, the Active Directory administrat ### Active directory manager: grant file read access to QnA Maker -The Active Directory manager (not the QnA Maker manager) needs to grant access to QnA Maker to access the Sharepoint resource by selecting [this link](https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=files.read%20openid%20profile&client_id=c2c11949-e9bb-4035-bda8-59542eb907a6&redirect_uri=https%3A%2F%2Fwww.qnamaker.ai%3A%2FCreate&state=68) to authorize the QnA Maker Portal Sharepoint enterprise app to have file read permissions. +The Active Directory manager (not the QnA Maker manager) needs to grant access to QnA Maker to access the Sharepoint resource by selecting [this link](https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=Files.Read%20Files.Read.All%20Sites.Read.All%20User.Read%20User.ReadBasic.All%20profile%20openid%20email&client_id=c2c11949-e9bb-4035-bda8-59542eb907a6&redirect_uri=https%3A%2F%2Fwww.qnamaker.ai%3A%2FCreate&state=68) to authorize the QnA Maker Portal Sharepoint enterprise app to have file read permissions. ![Azure Active Directory manager grants permission interactively](../media/add-sharepoint-datasources/aad-manager-grants-permission-interactively.png) @@ -91,7 +91,7 @@ The Active Directory manager will get a pop-up window requesting permissions to 1. Select **YES** in the pop-up confirmation windows. ![Grant required permissions](../media/add-sharepoint-datasources/grant-required-permissions.png) - +--> ### Grant access from the Azure Active Directory admin center 1. The Active Directory manager signs in to the Azure portal and opens **[Enterprise applications](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps)**. 
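Review bot: The new consent link in the `@@ -52,7 +52,7 @@` hunk asks for `Files.Read.All`, `Sites.Read.All`, `User.Read`, `User.ReadBasic.All` and `email` on top of the earlier file-read scope, yet the sentence carrying it and the heading above still describe the grant as "file read permissions". An Active Directory manager following this step would consent to site-wide and user-directory read access that the text never mentions. I would end the sentence with `to authorize the QnA Maker Portal Sharepoint enterprise app with the delegated permissions requested in the link: read access to files, to SharePoint sites, and to basic user profiles.` and add `Review the permissions shown on the consent prompt against this list before you accept.` The rest of this section lies outside the hunk, so whether the scopes are explained further down cannot be confirmed from here.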
@@ -106,7 +106,7 @@ The Active Directory manager will get a pop-up window requesting permissions to 1. Select a Sign-On account with permissions to grant permissions for the Active Directory. ---> + > [!div class="checklist"] -> * Create an Azure Bot Service with the QnA Maker template +> * Create an Azure Bot Service from an existing knowledge base > * Chat with the bot to verify the code is working -> * Connect your published KB to the bot -> * Test the bot with a question - -For this article, you can use the free QnA Maker [service](../how-to/set-up-qnamaker-service-azure.md). ## Prerequisites -You need to have a published knowledge base for this tutorial. If you do not have one, follow the steps in [Create a knowledge base](../How-To/create-knowledge-base.md) to create a QnA Maker service with questions and answers. - -## Create a QnA Bot - -1. In the Azure portal, select **Create a resource**. - - ![bot service creation](../media/qnamaker-tutorials-create-bot/bot-service-creation.png) +You need to have a published knowledge base for this tutorial. If you do not have one, follow the steps in [Create and answer from KB](create-publish-query-in-portal.md) tutorial to create a QnA Maker knowledge base with questions and answers. -2. In the search box, search for **Web App Bot**. + - ![bot service selection](../media/qnamaker-tutorials-create-bot/bot-service-selection.png) - -3. In **Bot Service**, provide the required information: +## Create a QnA Bot - - Set **App name** to your bot’s name. The name is used as the subdomain when your bot is deployed to the cloud (for example, mynotesbot.azurewebsites.net). - - Select the subscription, resource group, App service plan, and location. +Create a bot as a client application for the knowledge base. -4. To use the v3 templates, select SDK version of **SDK v3** and SDK language of **C#** or **Node.js**. +1. In the QnA Maker portal, go to the **Publish** page, and publish your knowledge base. Select **Create Bot**. 
- ![bot sdk settings](../media/qnamaker-tutorials-create-bot/bot-v3.png) + ![In the QnA Maker portal, go to the Publish page, and publish your knowledge base. Select Create Bot.](../media/qnamaker-tutorials-create-bot/create-bot-from-published-knowledge-base-page.png) -5. Select the **Question and Answer** template for the Bot template field, then save the template settings by selecting **Select**. + The Azure portal opens with the bot creation configuration. - ![save bot service template selection](../media/qnamaker-tutorials-create-bot/bot-v3-template.png) +1. Enter the settings to create the bot: -6. Review your settings, then select **Create**. This creates and deploys the bot service with to Azure. + |Setting|Value|Purpose| + |--|--|--| + |Bot name|`my-tutorial-kb-bot`|This is the Azure resource name for the bot.| + |Subscription|See purpose.|Select the same subscription as you used to create the QnA Maker resources.| + |Resource group|`my-tutorial-rg`|The resource group used for all the bot-related Azure resources.| + |Location|`west us`|The bot's Azure resource location.| + |Pricing tier|`F0`|The free tier for the Azure bot service.| + |App name|`my-tutorial-kb-bot-app`|This is a web app to support your bot only. This should not be the same app name as your QnA Maker service is already using. Sharing QnA Maker's web app with any other resource is not supported.| + |SDK Language|C#|This is the underlying programming language used by the bot framework SDK. 
Your choices are C# or Node.js.| + |QnA Auth Key|**Do not change**|This value is filled in for you.| + |App service plan/Location|**Do not change**|For this tutorial, the location is not important.| + |Azure Storage|**Do not change**|Conversation data is stored in Azure Storage tables.| + |Application Insights|**Do not change**|Logging is sent to Application Insights.| + |Microsoft App ID|**Do not change**|Active directory user and password is required.| - ![create bot](../media/qnamaker-tutorials-create-bot/bot-blade-settings-v3.png) + ![Create the knowledge base bot with these settings.](../media/qnamaker-tutorials-create-bot/create-bot-from-published-knowledge-base.png) -7. Confirm that the bot service has been deployed. + Wait a couple of minutes until the bot creation process notification reports success. - - Select **Notifications** (the bell icon that is located along the top edge of the Azure portal). The notification will change from **Deployment started** to **Deployment succeeded**. - - After the notification changes to **Deployment succeeded**, select **Go to resource** on that notification. + ## Chat with the Bot -Selecting **Go to resource** takes you to the bot's resource. +1. In the Azure portal, open the new bot resource from the notification. -Select **Test in Web Chat** to open the Web Chat pane. Type "hi" in Web Chat. + ![In the Azure portal, open the new bot resource from the notification.](../media/qnamaker-tutorials-create-bot/azure-portal-notifications.png) -![QnA bot web chat](../media/qnamaker-tutorials-create-bot/qna-bot-web-chat.PNG) +1. From **Bot management**, select **Test in Web Chat** and enter: `How large can my KB be?`. The bot will respond with: -The bot responds with "Please set QnAKnowledgebaseId and QnASubscriptionKey in App Settings. This response confirms that your QnA Bot has received the message, but there is no QnA Maker knowledge base associated with it yet. 
-## Connect your QnA Maker knowledge base to the bot + `The size of the knowledge base depends on the SKU of Azure search you choose when creating the QnA Maker service. Read [here](https://docs.microsoft.com/azure/cognitive-services/qnamaker/tutorials/choosing-capacity-qnamaker-deployment)for more details.` -1. Open **Application Settings** and edit the **QnAKnowledgebaseId**, **QnAAuthKey**, and the **QnAEndpointHostName** fields to contain the values of your QnA Maker knowledge base. - ![app settings](../media/qnamaker-tutorials-create-bot/application-settings.PNG) + ![Test the new knowledge base bot.](../media/qnamaker-tutorial-create-publish-query-in-portal/test-bot-in-web-chat-in-azure-portal.png) -1. Get your knowledge base ID, host url, and the endpoint key from the settings tab of your knowledge base in the QnA Maker portal. - - - Sign in to [QnA Maker](https://qnamaker.ai) - - Go to your knowledge base - - Select the **Settings** tab - - **Publish** your knowledge base, if not already done so - - ![QnA Maker values](../media/qnamaker-tutorials-create-bot/qnamaker-settings-kbid-key.PNG) - -## Test the bot - -In the Azure portal, select **Test in Web Chat** to test the bot. - -![QnA Maker bot](../media/qnamaker-tutorials-create-bot/qna-bot-web-chat-response.PNG) - -Your QnA Bot answers from your knowledge base. + For more information about Azure Bots, see [Use QnA Maker to answer questions](https://docs.microsoft.com/azure/bot-service/bot-builder-howto-qna?view=azure-bot-service-4.0&tabs=cs) ## Related to QnA Maker bots 
@@ -108,7 +87,11 @@ Your QnA Bot answers from your knowledge base. ## Clean up resources -When you are done with this tutorial's bot, remove the bot in the Azure portal. The bot services include: +When you are done with this tutorial's bot, remove the bot in the Azure portal. + +If you created a new resource group for the bot's resources, delete the resource group. + +If you didn't create a new resource group, you need to find the resources associated with the bot. The easiest way is to search by the name of the bot and bot app. The bot resources include: * The App Service plan * The Search service diff --git a/articles/cognitive-services/QnAMaker/Tutorials/migrate-knowledge-base.md b/articles/cognitive-services/QnAMaker/Tutorials/migrate-knowledge-base.md index 8afbd8978dbdb..db12b391818fb 100644 --- a/articles/cognitive-services/QnAMaker/Tutorials/migrate-knowledge-base.md +++ b/articles/cognitive-services/QnAMaker/Tutorials/migrate-knowledge-base.md @@ -1,14 +1,14 @@ --- title: Migrate knowledge bases - QnA Maker titleSuffix: Azure Cognitive Services -description: Move a knowledge base created with QnA Maker into a new knowledge base. +description: Migrating a knowledge base requires exporting from one knowledge base, then importing into another. services: cognitive-services author: tulasim88 manager: nitinme ms.service: cognitive-services ms.subservice: qna-maker ms.topic: article -ms.date: 02/13/2019 +ms.date: 04/08/2019 ms.author: tulasim ms.custom: seodec18 --- 
@@ -42,10 +42,10 @@ Migrating a knowledge base requires exporting from one knowledge base, then impo ![Import knowledge base](../media/qnamaker-how-to-migrate-kb/Import.png) 1. **Test** the new knowledge base using the Test panel. Learn how to [test your knowledge base](../How-To/test-knowledge-base.md). -1. **Publish** the knowledge base. Learn how to [publish your knowledge base](../How-To/publish-knowledge-base.md). +1. **Publish** the knowledge base. Learn how to [publish your knowledge base](../Quickstarts/create-publish-knowledge-base.md#publish-the-knowledge-base). 1. Use the endpoint in your application or bot code. See here how to [create a QnA bot](../Tutorials/create-qna-bot.md). - ![QnA Maker values](../media/qnamaker-tutorials-create-bot/qnamaker-settings-kbid-key.PNG) + ![QnA Maker values](../media/qnamaker-how-to-migrate-kb/qnamaker-settings-kbid-key.png) At this point, all the knowledge base content - questions, answers and metadata, along with the names of the source files and the URLs, are imported to the new knowledge base. diff --git a/articles/cognitive-services/QnAMaker/media/add-sharepoint-datasources/aad-manager-grants-permission-interactively.png b/articles/cognitive-services/QnAMaker/media/add-sharepoint-datasources/aad-manager-grants-permission-interactively.png index b49684a4ddc21..701e6bccb7273 100644 Binary files a/articles/cognitive-services/QnAMaker/media/add-sharepoint-datasources/aad-manager-grants-permission-interactively.png and b/articles/cognitive-services/QnAMaker/media/add-sharepoint-datasources/aad-manager-grants-permission-interactively.png differ 
diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-create-publish-knowledge-base/create-bot-from-published-knowledge-base-page.png b/articles/cognitive-services/QnAMaker/media/qnamaker-create-publish-knowledge-base/create-bot-from-published-knowledge-base-page.png new file mode 100644 index 0000000000000..eebe828e9d32b Binary files /dev/null and b/articles/cognitive-services/QnAMaker/media/qnamaker-create-publish-knowledge-base/create-bot-from-published-knowledge-base-page.png differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/qnamaker-settings-kbid-key.PNG b/articles/cognitive-services/QnAMaker/media/qnamaker-how-to-migrate-kb/qnamaker-settings-kbid-key.png similarity index 100% rename from articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/qnamaker-settings-kbid-key.PNG rename to articles/cognitive-services/QnAMaker/media/qnamaker-how-to-migrate-kb/qnamaker-settings-kbid-key.png diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/create-bot-from-published-knowledge-base-page.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/create-bot-from-published-knowledge-base-page.png new file mode 100644 index 0000000000000..eebe828e9d32b Binary files /dev/null and b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/create-bot-from-published-knowledge-base-page.png differ 
diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/create-bot-from-published-knowledge-base.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/create-bot-from-published-knowledge-base.png new file mode 100644 index 0000000000000..32e1501e95f73 Binary files /dev/null and b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/create-bot-from-published-knowledge-base.png differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/publish-2.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/publish-2.png index 25fbbc37e45d4..f291848ccb543 100644 Binary files a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/publish-2.png and b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/publish-2.png differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/publish-3-curl.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/publish-3-curl.png index a261fb52b4d4f..7a27d8b5d1690 100644 Binary files a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/publish-3-curl.png and b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/publish-3-curl.png differ 
diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/test-bot-in-web-chat-in-azure-portal.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/test-bot-in-web-chat-in-azure-portal.png new file mode 100644 index 0000000000000..1279a6fbca8a4 Binary files /dev/null and b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorial-create-publish-query-in-portal/test-bot-in-web-chat-in-azure-portal.png differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/application-settings.PNG b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/application-settings.PNG deleted file mode 100644 index 970ff4c4d09a6..0000000000000 Binary files a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/application-settings.PNG and /dev/null differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/azure-portal-notifications.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/azure-portal-notifications.png new file mode 100644 index 0000000000000..c8e81e55e816b Binary files /dev/null and b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/azure-portal-notifications.png differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-blade-settings-v3.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-blade-settings-v3.png deleted file mode 100644 index d2845e0c192b7..0000000000000 Binary files a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-blade-settings-v3.png and /dev/null differ 
diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-service-creation.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-service-creation.png deleted file mode 100644 index 2bb6ec962c047..0000000000000 Binary files a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-service-creation.png and /dev/null differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-service-qna-template.PNG b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-service-qna-template.PNG deleted file mode 100644 index c3be4ef3c8269..0000000000000 Binary files a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-service-qna-template.PNG and /dev/null differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-service-selection.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-service-selection.png deleted file mode 100644 index c39c9f01dc9e4..0000000000000 Binary files a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-service-selection.png and /dev/null differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-v3-template.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-v3-template.png deleted file mode 100644 index 41d9e96bc2442..0000000000000 Binary files a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-v3-template.png and /dev/null differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-v3.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-v3.png deleted file mode 100644 index 2fd739b90e546..0000000000000 Binary files a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/bot-v3.png and /dev/null differ 
diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/create-bot-from-published-knowledge-base-page.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/create-bot-from-published-knowledge-base-page.png new file mode 100644 index 0000000000000..eebe828e9d32b Binary files /dev/null and b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/create-bot-from-published-knowledge-base-page.png differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/create-bot-from-published-knowledge-base.png b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/create-bot-from-published-knowledge-base.png new file mode 100644 index 0000000000000..32e1501e95f73 Binary files /dev/null and b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/create-bot-from-published-knowledge-base.png differ diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/qna-bot-web-chat-response.PNG b/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/qna-bot-web-chat-response.PNG deleted file mode 100644 index 08e9f6d7dbe74..0000000000000 Binary files a/articles/cognitive-services/QnAMaker/media/qnamaker-tutorials-create-bot/qna-bot-web-chat-response.PNG and /dev/null differ diff --git a/articles/cognitive-services/QnAMaker/toc.yml b/articles/cognitive-services/QnAMaker/toc.yml index 364917f97f912..d7be701202b65 100644 --- a/articles/cognitive-services/QnAMaker/toc.yml +++ b/articles/cognitive-services/QnAMaker/toc.yml @@ -8,8 +8,6 @@ items: - name: Create a new knowledge base href: How-To/create-knowledge-base.md - - name: Publish a knowledge base - href: How-To/publish-knowledge-base.md - name: Get answer from knowledge base items: - name: Using Postman 
@@ -86,6 +84,7 @@ items: - name: Create and publish a knowledge base href: Quickstarts/create-publish-knowledge-base.md + displayName: create bot, bot, publish to bot, test, edit - name: Add chit-chat to knowledge base href: How-to/chit-chat-knowledge-base.md - name: Migrate a knowledge base diff --git a/articles/cognitive-services/Speech-Service/batch-transcription.md b/articles/cognitive-services/Speech-Service/batch-transcription.md index 31ddfadfbead3..b12422feae232 100644 --- a/articles/cognitive-services/Speech-Service/batch-transcription.md +++ b/articles/cognitive-services/Speech-Service/batch-transcription.md @@ -83,6 +83,16 @@ Configuration parameters are provided as JSON: | `PunctuationMode` | Specifies how to handle punctuation in recognition results. Accepted values are `none` which disables punctuation, `dictated` which implies explicit punctuation, `automatic` which lets the decoder deal with punctuation, or `dictatedandautomatic` which implies dictated punctuation marks or automatic. | Optional | | `AddWordLevelTimestamps` | Specifies if word level timestamps should be added to the output. Accepted values are `true` which enables word level timestamps and `false` (the default value) to disable it. | Optional | +### Storage + +Batch transcription supports [Azure Blob storage](https://docs.microsoft.com/azure/storage/blobs/storage-blobs-overview) for reading audio and writing transcriptions to storage. + +## Webhooks + +Polling for transcription status may not be the most performant, or provide the best user experience. To poll for status, you can register callbacks, which will notify the client when long-running transcription tasks have completed. + +For more details, see [Webhooks](webhooks.md). + ## Sample code The complete sample is available in the [GitHub sample repository](https://aka.ms/csspeech/samples) inside the `samples/batch` subdirectory. 
@@ -104,10 +114,6 @@ The current sample code doesn't specify a custom model. The service uses the bas > [!NOTE] > For baseline transcriptions, you don't need to declare the ID for the baseline models. If you only specify a language model ID (and no acoustic model ID), a matching acoustic model is automatically selected. If you only specify an acoustic model ID, a matching language model is automatically selected. -### Supported storage - -Currently, only Azure Blob storage is supported. - ## Download the sample You can find the sample in the `samples/batch` directory in the [GitHub sample repository](https://aka.ms/csspeech/samples). diff --git a/articles/cognitive-services/Speech-Service/how-to-customize-pronunciation.md b/articles/cognitive-services/Speech-Service/how-to-customize-pronunciation.md index 33e5363970ff1..d3eafb7172b78 100644 --- a/articles/cognitive-services/Speech-Service/how-to-customize-pronunciation.md +++ b/articles/cognitive-services/Speech-Service/how-to-customize-pronunciation.md 
@@ -58,7 +58,7 @@ Custom pronunciation is currently supported for English (en-US) and German (de-d A display form can be only a custom word, an acronym, or compound words that combine existing words. >[!NOTE] ->We don't recommend using this feature to reformulate common words or to modify the spoken form. It is better to run the decoder to see whether some unusual words (such as abbreviations, technical words, or foreign words) are incorrectly decoded. If they are, add them to the custom pronunciation file. In the language model, you should always and only use the display form of a word. +>We don't recommend using this feature to reformulate common words or to modify the spoken form. It is better check whether some unusual words (such as abbreviations, technical words, or foreign words) are incorrectly transribed before this feature is used. If they are, add them to the custom pronunciation file. In the language model, you should always and only use the display form of a word. ## Requirements for the file size The size of the .txt file that contains the pronunciation entries is limited to 1 megabyte (1KB for free tier keys). Usually, you don't need to upload large amounts of data through this file. Most custom pronunciation files are likely to be just a few kilobytes (KBs) in size. The encoding of the .txt file for all locales should be UTF-8 BOM. For the English locale, ANSI is also acceptable. diff --git a/articles/cognitive-services/Speech-Service/how-to-recognize-intents-from-speech-csharp.md b/articles/cognitive-services/Speech-Service/how-to-recognize-intents-from-speech-csharp.md index d4823253bb8c8..25a00449d7980 100644 --- a/articles/cognitive-services/Speech-Service/how-to-recognize-intents-from-speech-csharp.md +++ b/articles/cognitive-services/Speech-Service/how-to-recognize-intents-from-speech-csharp.md 
@@ -129,20 +129,22 @@ Next, create an intent recognizer using `new IntentRecognizer(config)`. Since th Now import the model from the LUIS app using `LanguageUnderstandingModel.FromAppId()` and add the LUIS intents that you wish to recognize via the recognizer's `AddIntent()` method. These two steps improve the accuracy of speech recognition by indicating words that the user is likely to use in their requests. It is not necessary to add all the app's intents if you do not need to recognize them all in your application. -Adding intents requires three arguments: the LUIS model (which has just been created and is named `model`), the intent name, and an intent ID. The difference between the ID and the name is as follows. +Adding intents requires three arguments: the LUIS model (which has been created and is named `model`), the intent name, and an intent ID. The difference between the ID and the name is as follows. |`AddIntent()` argument|Purpose| |--------|-------| |intentName |The name of the intent as defined in the LUIS app. Must match the LUIS intent name exactly.| |intentID |An ID assigned to a recognized intent by the Speech SDK. Can be whatever you like; does not need to correspond to the intent name as defined in the LUIS app. If multiple intents are handled by the same code, for instance, you could use the same ID for them.| -The Home Automation LUIS app has two intents: one for turning a device on, and another for turning a device off. The lines below add these intents to the recognizer; replace the three `AddIntent` lines in the `RecognizeIntentAsync()` method with this code. +The Home Automation LUIS app has two intents: one for turning on a device, and another for turning a device off. The lines below add these intents to the recognizer; replace the three `AddIntent` lines in the `RecognizeIntentAsync()` method with this code. 
```csharp recognizer.AddIntent(model, "HomeAutomation.TurnOff", "off"); recognizer.AddIntent(model, "HomeAutomation.TurnOn", "on"); ``` +Instead of adding individual intents, you can also use the `AddAllIntents` method to add all the intents in a model to the recognizer. + ## Start recognition With the recognizer created and the intents added, recognition can begin. The Speech SDK supports both single-shot and continuous recognition. diff --git a/articles/cognitive-services/Speech-Service/how-to-select-audio-input-devices.md b/articles/cognitive-services/Speech-Service/how-to-select-audio-input-devices.md index 370b8dd26d0dc..3199fa98b7ab8 100644 --- a/articles/cognitive-services/Speech-Service/how-to-select-audio-input-devices.md +++ b/articles/cognitive-services/Speech-Service/how-to-select-audio-input-devices.md @@ -14,7 +14,7 @@ ms.author: chlandsi # Select an audio input device with the Speech SDK -Version 1.3.0 of the Speech SDK introduces an API to select the audio input +Version 1.3.0 of the Speech SDK introduces an API to select the audio input. This article describes how to obtain the IDs of the audio devices connected to a system. These can then be used in the Speech SDK by configuring the audio device through the `AudioConfig` object: @@ -38,8 +38,11 @@ audioConfig = AudioConfiguration.FromMicrophoneInput(""); audioConfig = AudioConfiguration.fromMicrophoneInput(""); ``` -> [!NOTE] -> This functionality is not yet available from JavaScript. +```JavaScript +audioConfig = AudioConfiguration.fromMicrophoneInput(""); +``` +>[!Note] +> Microphone usage is not available for JavaScript running in Node.js ## Audio device IDs on Windows for Desktop applications 
@@ -364,6 +367,10 @@ For example, the instruction enables the use of a Bluetooth headset for a speech-enabled app. +## Audio device IDs in JavaScript + +In JavaScript the [MediaDevices.enumerateDevices()](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/enumerateDevices) method can be used to enumerate the media devices and find a device ID to pass to `fromMicrophone(...)`. + ## Next steps > [!div class="nextstepaction"] diff --git a/articles/cognitive-services/Speech-Service/how-to-use-compressed-audio-input-streams.md b/articles/cognitive-services/Speech-Service/how-to-use-compressed-audio-input-streams.md new file mode 100644 index 0000000000000..b61a61d1ed907 --- /dev/null +++ b/articles/cognitive-services/Speech-Service/how-to-use-compressed-audio-input-streams.md 
@@ -0,0 +1,57 @@ +--- +title: Stream compressed audio with the Speech SDK - Speech Services +titleSuffix: Azure Cognitive Services +description: Learn how to stream compressed audio to Azure Speech Services with the Speech SDK. Available for C++, C#, and Java for Linux. +services: cognitive-services +author: amitkumarshukla +manager: nitinme + +ms.service: cognitive-services +ms.subservice: speech-service +ms.topic: conceptual +ms.date: 04/03/2019 +ms.author: amishu +--- +# Stream compressed audio with the Speech SDK + +The Speech SDK's **Compressed Audio Input Stream** API provides a way to stream compressed audio to the Speech Service using PullStream or PushStream. + +> [!IMPORTANT] +> Streaming compressed audio is only supported for C++, C#, and Java on Linux (Ubuntu 16.04 or Ubuntu 18.04). +> Support is limited to MP3 and OPUS/OGG. + +## Prerequisites + +You must install these dependencies to use compressed audio input with the Speech SDK for Linux: + +```sh +sudo apt install libgstreamer1.0-0 gstreamer1.0-plugins-base gstreamer1.0-plugins-good gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly +``` + +## Streaming compressed audio + +To stream in a compressed audio format to the Speech Services, create `PullAudioInputStream` or `PushAudioInputStream`. Then, create an `AudioConfig` from an instance of your stream class, specifying the compression format of the stream. + +Let's assume that you have an input stream class called `myPushStream` and are using OPUS/OGG. This is what the code may look like: + +```csharp +using Microsoft.CognitiveServices.Speech; +using Microsoft.CognitiveServices.Speech.Audio; + +var speechConfig = SpeechConfig.FromSubscription("YourSubscriptionKey", "YourServiceRegion"); + +// Create an audio config specifying the compressed audio format and the instance of your input stream class. 
+var audioFormat = AudioStreamFormat.GetCompressedFormat(AudioStreamContainerFormat.OGG_OPUS); +var audioConfig = AudioConfig.FromStreamInput(myPushStream, audioFormat); + +var recognizer = new SpeechRecognizer(speechConfig, audioConfig); + +var result = await recognizer.RecognizeOnceAsync(); + +var text = result.GetText(); +``` + +## Next steps + +* [Get your Speech trial subscription](https://azure.microsoft.com/try/cognitive-services/) +* [See how to recognize speech in C#](quickstart-csharp-dotnet-windows.md) diff --git a/articles/cognitive-services/Speech-Service/how-to-use-logging.md b/articles/cognitive-services/Speech-Service/how-to-use-logging.md new file mode 100644 index 0000000000000..c092685022393 --- /dev/null +++ b/articles/cognitive-services/Speech-Service/how-to-use-logging.md 
@@ -0,0 +1,118 @@ +--- +title: Speech SDK logging - Speech Services +titleSuffix: Azure Cognitive Services +description: Enable logging in the Speech SDK. +services: cognitive-services +author: amitkumarshukla +manager: nitinme + +ms.service: cognitive-services +ms.subservice: speech-service +ms.topic: conceptual +ms.date: 04/03/2019 +ms.author: amishu +--- + +# Enable logging in the Speech SDK + +Logging to file is an optional feature for the Speech SDK. During development logging provides additional information and diagnostics from the Speeck SDK's core components. It can be enabled by setting the property `Speech_LogFilename` on a speech configuration object to the location and name of the log file. Logging will be activated globally once a recognizer is created from that configuration and can't be disabled afterwards. You can't change the name of a log file during a running logging session. + +> [!NOTE] +> Logging is available in all supported Speech SDK programming languages, with the exception of JavaScript. + +## Sample + +The log file name is specified on a configuration object. Taking the `SpeechConfig` as an example and assuming that you have created an instance called `config`: + +```csharp +config.SetProperty(PropertyId.Speech_LogFilename, "LogfilePathAndName"); +``` + +```java +config.setProperty(PropertyId.Speech_LogFilename, "LogfilePathAndName"); +``` + +```C++ +config->SetProperty(PropertyId::Speech_LogFilename, "LogfilePathAndName"); +``` + +```Python +config.set_property(speechsdk.PropertyId.Speech_LogFilename, "LogfilePathAndName") +``` + +```objc +[config setPropertyTo:@"LogfilePathAndName" byId:SPXSpeechLogFilename]; +``` + +You can create a recognizer from the config object. This will enable logging for all recognizers. + +> [!NOTE] +> If you create a `SpeechSynthesizer` from the config object, it will not enable logging. If logging is enabled though, you will also receive diagnostics from the `SpeechSynthesizer`. 
+ +## Create a log file on different platforms + +For Windows or Linux, the log file can be in any path the user has write permission for. Write permissions to file system locations in other operating systems may be limited or restricted by default. + +### Universal Windows Platform (UWP) + +UWP applications need to be places log files in one of the application data locations (local, roaming, or temporary). A log file can be created in the local application folder: + +```csharp +StorageFolder storageFolder = ApplicationData.Current.LocalFolder; +StorageFile logFile = await storageFolder.CreateFileAsync("logfile.txt", CreationCollisionOption.ReplaceExisting); +config.SetProperty(PropertyId.Speech_LogFilename, logFile.Path); +``` + +More about file access permission for UWP applications is available [here](https://docs.microsoft.com/windows/uwp/files/file-access-permissions). + +### Android + +You can save a log file to either internal storage, external storage, or the cache directory. Files created in the internal storage or the cache directory are private to the application. It is preferable to create a log file in external storage. + +```java +File dir = context.getExternalFilesDir(null); +File logFile = new File(dir, "logfile.txt"); +config.setProperty(PropertyId.Speech_LogFilename, logFile.getAbsolutePath()); +``` + +The code above will save a log file to the external storage in the root of an application-specific directory. A user can access the file with the file manager (usually in `Android/data/ApplicationName/logfile.txt`). The file will be deleted when the application is uninstalled. + +You also need to request `WRITE_EXTERNAL_STORAGE` permission in the manifest file: + +```xml + + ... + + ... + +``` + +More about data and file storage for Android applications is available [here](https://developer.android.com/guide/topics/data/data-storage.html). + +#### iOS + +Only directories inside the application sandbox are accessible. 
Files can be created in the documents, library, and temp directories. Files in the documents directory can be made available to a user. The following code snippet shows creation of a log file in the application document directory: + +```objc +NSString *filePath = [ + [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) firstObject] + stringByAppendingPathComponent:@"logfile.txt"]; +[speechConfig setPropertyTo:filePath byId:SPXSpeechLogFilename]; +``` + +To access a created file, add the below properties to the `Info.plist` property list of the application: + +```xml +UIFileSharingEnabled + +LSSupportsOpeningDocumentsInPlace + +``` + +More about iOS File System is available [here](https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html). + +## Next steps + +> [!div class="nextstepaction"] +> [Explore our samples on GitHub](https://aka.ms/csspeech/samples) + diff --git a/articles/cognitive-services/Speech-Service/index.yml b/articles/cognitive-services/Speech-Service/index.yml index 7c5664ffa95cf..b133f21c6d646 100644 --- a/articles/cognitive-services/Speech-Service/index.yml +++ b/articles/cognitive-services/Speech-Service/index.yml 
@@ -20,7 +20,7 @@ metadata: ms.custom: seodec18 abstract: - description: Learn how to use the Speech Services and the Speech SDK to add speech-enabled features to your apps. You can use the Speech SDK to add speech-to-text (speech recognition/SR), intent, translation, and text-to-speech (TTS) capabilities to your apps. The Speech Services also have REST APIs that works with any programming language that can make HTTP requests. + description: Learn how to use the Speech Services and the Speech SDK to add speech-enabled features to your apps. You can use the Speech SDK to add speech-to-text (speech recognition/SR), intent, translation, and text-to-speech (TTS) capabilities to your apps. The Speech Services also have REST APIs that work with any programming language that can make HTTP requests. sections: - items: - type: list @@ -161,12 +161,12 @@ sections: values: - href: - href: + - href: quickstart-cpp-macos + - href: quickstart-csharp-dotnetcore-windows - href: - - href: - - href: - - href: + - href: quickstart-java-jre - href: quickstart-python - - href: + - href: quickstart-objective-c-macos - href: quickstart-js-node - href: - title: Devices SDK (ARM32) @@ -216,6 +216,7 @@ sections: - html: Speech-to-text (SR)
- html: Intent Recognition
- html: Translation + - html: Text-to-speech
- title: Samples items: - type: paragraph diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-01-start-new-android-studio-project.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-01-start-new-android-studio-project.png index f474c1864deff..39146f5069232 100644 Binary files a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-01-start-new-android-studio-project.png and b/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-01-start-new-android-studio-project.png differ diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-02-create-android-project.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-02-create-android-project.png deleted file mode 100644 index d58f53edc83ae..0000000000000 Binary files a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-02-create-android-project.png and /dev/null differ diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-02-target-android-devices.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-02-target-android-devices.png new file mode 100644 index 0000000000000..34844eb190f19 Binary files /dev/null and b/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-02-target-android-devices.png differ diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-03-create-android-project.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-03-create-android-project.png new file mode 100644 index 0000000000000..6939c49948243 Binary files /dev/null and b/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-03-create-android-project.png differ 
diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-03-target-android-devices.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-03-target-android-devices.png
deleted file mode 100644
index 03e5ae3011d99..0000000000000
Binary files a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-03-target-android-devices.png and /dev/null differ
diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-04-add-an-activity-to-mobile.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-04-add-an-activity-to-mobile.png
deleted file mode 100644
index 96866d666f7e7..0000000000000
Binary files a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-04-add-an-activity-to-mobile.png and /dev/null differ
diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-05-configure-activity.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-05-configure-activity.png
deleted file mode 100644
index f81aa04582bbb..0000000000000
Binary files a/articles/cognitive-services/Speech-Service/media/sdk/qs-java-android-05-configure-activity.png and /dev/null differ
diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-macos-info-plist.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-macos-info-plist.png
new file mode 100644
index 0000000000000..9e7dd5777968a
Binary files /dev/null and b/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-macos-info-plist.png differ
diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-macos-project-settings.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-macos-project-settings.png
new file mode 100644
index 0000000000000..d71f31b89811e
Binary files /dev/null and b/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-macos-project-settings.png differ
diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-macos-sandbox.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-macos-sandbox.png
new file mode 100644
index 0000000000000..ad917bb85064b
Binary files /dev/null and b/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-macos-sandbox.png differ
diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-simulated-app.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-simulated-app.png
index 91c85f8cc0954..6e1ff4ada1bd9 100644
Binary files a/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-simulated-app.png and b/articles/cognitive-services/Speech-Service/media/sdk/qs-objectivec-simulated-app.png differ
diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-tts-cpp-windows-console-output.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-tts-cpp-windows-console-output.png
new file mode 100644
index 0000000000000..463502b44fffc
Binary files /dev/null and b/articles/cognitive-services/Speech-Service/media/sdk/qs-tts-cpp-windows-console-output.png differ
diff --git a/articles/cognitive-services/Speech-Service/media/sdk/qs-tts-csharp-dotnet-windows-console-output.png b/articles/cognitive-services/Speech-Service/media/sdk/qs-tts-csharp-dotnet-windows-console-output.png
new file mode 100644
index 0000000000000..62603d11a7025
Binary files /dev/null and b/articles/cognitive-services/Speech-Service/media/sdk/qs-tts-csharp-dotnet-windows-console-output.png differ
diff --git a/articles/cognitive-services/Speech-Service/overview.md b/articles/cognitive-services/Speech-Service/overview.md
index 2377fb27a7fcd..c6c4a8d7bfd31 100644
--- a/articles/cognitive-services/Speech-Service/overview.md
+++ b/articles/cognitive-services/Speech-Service/overview.md
@@ -8,7 +8,7 @@ manager: nitinme ms.service: cognitive-services ms.subservice: speech-service ms.topic: overview -ms.date: 03/13/2019 +ms.date: 04/03/2019 ms.author: erhopf --- 
@@ -26,7 +26,7 @@ These features make up the Azure Speech Services. Use the links in this table to | [Speech-to-Text](speech-to-text.md) | Speech-to-text | Speech-to-text transcribes audio streams to text in real time that your applications, tools, or devices can consume or display. Use speech-to-text with [Language Understanding (LUIS)](https://docs.microsoft.com/azure/cognitive-services/luis/) to derive user intents from transcribed speech and act on voice commands. | [Yes](https://docs.microsoft.com/azure/cognitive-services/speech-service/speech-sdk-reference) | [Yes](https://docs.microsoft.com/azure/cognitive-services/speech-service/rest-apis) | | | [Batch Transcription](batch-transcription.md) | Batch transcription enables asynchronous speech-to-text transcription of large volumes of data. This is a REST-based service, which uses same endpoint as customization and model management. | No | [Yes](https://westus.cris.ai/swagger/ui/index) | | | [Customization](#customize-your-speech-experience) | If you are using speech-to-text for recognition and transcription in a unique environment, you can create and train custom acoustic, language, and pronunciation models to address ambient noise or industry-specific vocabulary. | No | [Yes](https://westus.cris.ai/swagger/ui/index) | -| [Text-to-Speech](text-to-speech.md) | Text-to-speech | Text-to-speech converts input text into human-like synthesized speech. Choose from standard voices and neural voices (see [Language support](language-support.md)). | No | [Yes](https://docs.microsoft.com/azure/cognitive-services/speech-service/rest-apis) | +| [Text-to-Speech](text-to-speech.md) | Text-to-speech | Text-to-speech converts input text into human-like synthesized speech. Choose from standard voices and neural voices (see [Language support](language-support.md)). 
| [Yes](https://docs.microsoft.com/azure/cognitive-services/speech-service/speech-sdk-reference) | [Yes](https://docs.microsoft.com/azure/cognitive-services/speech-service/rest-apis) | | | [Customization](#customize-your-speech-experience) | Create custom voice fonts unique to your brand or product. | No | [Yes](https://docs.microsoft.com/azure/cognitive-services/speech-service/rest-apis) | | [Speech Translation](speech-translation.md) | Speech translation | Speech translation enables real-time, multi-language translation of speech to your applications, tools, and devices. Use this service for speech-to-speech and speech-to-text translation. | [Yes](https://docs.microsoft.com/azure/cognitive-services/speech-service/speech-sdk-reference) | No | 
@@ -34,7 +34,8 @@ These features make up the Azure Speech Services. Use the links in this table to Learn what's new with the Azure Speech Services. -* March 2019 - A new endpoint for text-to-speech (TTS) that returns a full list of voices available in a specific regions is now available. Additionally, new regions are now supported for TTS. For more information, see [Text-to-speech API reference (REST)](rest-text-to-speech.md). +* April 2019 - Released Speech SDK 1.4.0 with support for text-to-speech (Beta) for C++, C#, and Java on Windows and Linux. Additionally, the SDK now supports MP3 and Opus/Ogg audio formats for C++ and C# on Linux. For a full list of updates, enhancements, and known issues, see [Release notes](releasenotes.md). +* March 2019 - A new endpoint for text-to-speech (TTS) that returns a full list of voices available in a specific region is now available. Additionally, new regions are now supported for TTS. For more information, see [Text-to-speech API reference (REST)](rest-text-to-speech.md). * February 2019 - Released Speech SDK 1.3.0 with support for [Unity (beta)](quickstart-csharp-unity.md). Added support for the `AudioInput` class, which enables you to choose the streaming source for audio. For a complete list of enhancements and known issues, see [Release notes](releasenotes.md). * December 2018 - Released Speech SDK 1.2.0 with support for [Python](quickstart-python.md) and [Node.js](quickstart-js-node.md), as well as Ubuntu 18.04 LTS. For more information, see [Release notes](releasenotes.md). 
@@ -42,11 +43,11 @@ Learn what's new with the Azure Speech Services. We offer quickstarts in most popular programming languages, each designed to have you running code in less than 10 minutes. This table contains the most popular quickstarts for each feature. Use the left-hand navigation to explore additional languages and platforms. -| Speech-to-text (SDK) | Translation (SDK) | Text-to-Speech (REST) | -|-------------------|-------------------|-----------------------| -| [C#, .NET Core (Windows)](quickstart-csharp-dotnet-windows.md) | [Java (Windows, Linux)](quickstart-translate-speech-java-jre.md) | [Python (Windows, Linux, macOS)](quickstart-python-text-to-speech.md) | -| [Javascript (Browser)](quickstart-js-browser.md) | [C#, .NET Core (Windows)](quickstart-translate-speech-dotnetcore-windows.md) | [C#, .NET Core (Windows, Linux, macOS)](quickstart-dotnet-text-to-speech.md) | -| [Python (Windows, Linux, macOS)](quickstart-python.md) | [C#, .NET Framework (Windows)](quickstart-translate-speech-dotnetframework-windows.md) | [Node.js (Windows, Linux, macOS)](quickstart-nodejs-text-to-speech.md) | +| Speech-to-text (SDK) | Translation (SDK) | Text-to-Speech (REST) | Text-to-Speech (SDK) | +|-------------------|-------------------|-----------------------|-----------------------| +| [C#, .NET Core (Windows)](quickstart-csharp-dotnet-windows.md) | [Java (Windows, Linux)](quickstart-translate-speech-java-jre.md) | [Python (Windows, Linux, macOS)](quickstart-python-text-to-speech.md) | [C#, .NET Framework (Windows)](quickstart-text-to-speech-dotnet-windows.md) | +| [JavaScript (Browser)](quickstart-js-browser.md) | [C#, .NET Core (Windows)](quickstart-translate-speech-dotnetcore-windows.md) | [C#, .NET Core (Windows, Linux, macOS)](quickstart-dotnet-text-to-speech.md) | [C++ (Windows)](quickstart-text-to-speech-cpp-windows.md) | +| [Python (Windows, Linux, macOS)](quickstart-python.md) | [C#, .NET Framework 
(Windows)](quickstart-translate-speech-dotnetframework-windows.md) | [Node.js (Windows, Linux, macOS)](quickstart-nodejs-text-to-speech.md) | [C++ (Linux)](quickstart-text-to-speech-cpp-linux.md) | | [Java (Windows, Linux)](quickstart-java-jre.md) | [C++ (Windows)](quickstart-translate-speech-cpp-windows.md) | | After you've had a chance to use the Speech Services, try our tutorial that teaches you how to recognize intents from speech using the Speech SDK and LUIS. @@ -57,7 +58,7 @@ After you've had a chance to use the Speech Services, try our tutorial that teac Sample code is available on GitHub for each of the Azure Speech Services. These samples cover common scenarios like reading audio from a file or stream, continuous and single-shot recognition, and working with custom models. Use these links to view SDK and REST samples: -* [Speech-to-text and speech translation samples (SDK)](https://github.com/Azure-Samples/cognitive-services-speech-sdk) +* [Speech-to-text, text-to-speech, and speech translation samples (SDK)](https://github.com/Azure-Samples/cognitive-services-speech-sdk) * [Batch transcription samples (REST)](https://github.com/Azure-Samples/cognitive-services-speech-sdk/tree/master/samples/batch) * [Text-to-speech samples (REST)](https://github.com/Azure-Samples/Cognitive-Speech-TTS) diff --git a/articles/cognitive-services/Speech-Service/quickstart-cpp-linux.md b/articles/cognitive-services/Speech-Service/quickstart-cpp-linux.md index e205aa4188758..e370da3fa57f7 100644 --- a/articles/cognitive-services/Speech-Service/quickstart-cpp-linux.md +++ b/articles/cognitive-services/Speech-Service/quickstart-cpp-linux.md 
@@ -26,7 +26,7 @@ You need a Speech Services subscription key to complete this Quickstart. You can [!INCLUDE [License Notice](../../../includes/cognitive-services-speech-service-license-notice.md)] -The current version of the Cognitive Services Speech SDK is `1.3.1`. +The current version of the Cognitive Services Speech SDK is `1.4.0`. The Speech SDK for Linux can be used to build both 64-bit and 32-bit applications. The required libraries and header files can be downloaded as a tar file from https://aka.ms/csspeech/linuxbinary. diff --git a/articles/cognitive-services/Speech-Service/quickstart-cpp-macos.md b/articles/cognitive-services/Speech-Service/quickstart-cpp-macos.md new file mode 100644 index 0000000000000..f22994585440b --- /dev/null +++ b/articles/cognitive-services/Speech-Service/quickstart-cpp-macos.md 
@@ -0,0 +1,113 @@
+---
+title: 'Quickstart: Recognize speech, C++ (macOS) - Speech Services'
+titleSuffix: Azure Cognitive Services
+description: Learn how to recognize speech in C++ on macOS by using the Speech SDK
+services: cognitive-services
+author: wolfma61
+manager: nitinme
+ms.service: cognitive-services
+ms.subservice: speech-service
+ms.topic: quickstart
+ms.date: 04/03/2019
+ms.author: wolfma
+---
+
+# Quickstart: Recognize speech in C++ on macOS by using the Speech SDK
+
+[!INCLUDE [Selector](../../../includes/cognitive-services-speech-service-quickstart-selector.md)]
+
+In this article, you create a C++ console application for macOS 10.13 and above. You use the Cognitive Services [Speech SDK](speech-sdk.md) to transcribe speech to text in real time from your Mac's microphone. The application is built with the [Speech SDK for macOS](https://aka.ms/csspeech/macosbinary) and your Mac's default C++ compiler (for example, `g++`).
+
+## Prerequisites
+
+You need a Speech Services subscription key to complete this Quickstart. You can get one for free. See [Try the Speech Services for free](get-started.md) for details.
+
+## Install Speech SDK
+
+[!INCLUDE [License Notice](../../../includes/cognitive-services-speech-service-license-notice.md)]
+
+The current version of the Cognitive Services Speech SDK is `1.4.0`.
+
+The Speech SDK for macOS can be downloaded as a zipped framework bundle from https://aka.ms/csspeech/macosbinary.
+
+Download and install the SDK as follows:
+
+1. Choose a directory to which the Speech SDK files should be extracted, and set the `SPEECHSDK_ROOT` environment variable to point to that directory. This variable makes it easy to refer to the directory in future commands. For example, if you want to use the directory `speechsdk` in your home directory, use a command like the following:
+
+ ```sh
+ export SPEECHSDK_ROOT="$HOME/speechsdk"
+ ```
+
+1. Create the directory if it doesn't exist yet.
+
+ ```sh
+ mkdir -p "$SPEECHSDK_ROOT"
+ ```
+
+1. Download and extract the `.zip` archive containing the Speech SDK framework:
+
+ ```sh
+ wget -O SpeechSDK-macOS.zip https://aka.ms/csspeech/macosbinary
+ unzip SpeechSDK-macOS.zip -d "$SPEECHSDK_ROOT"
+ ```
+
+1. Validate the contents of the top-level directory of the extracted package:
+
+ ```sh
+ ls -l "$SPEECHSDK_ROOT"
+ ```
+
+ The directory listing should contain the third-party notice and license files, as well as a `MicrosoftCognitiveServicesSpeech.framework` directory.
+
+## Add sample code
+
+1. Create a C++ source file named `helloworld.cpp`, and paste the following code into it.
+
+ [!code-cpp[Quickstart Code](~/samples-cognitive-services-speech-sdk/quickstart/cpp-macos/helloworld.cpp#code)]
+
+1. In this new file, replace the string `YourSubscriptionKey` with your Speech Services subscription key.
+
+1. Replace the string `YourServiceRegion` with the [region](regions.md) associated with your subscription (for example, `westus` for the free trial subscription).
+
+## Build the app
+
+> [!NOTE]
+> Make sure to enter the commands below as a _single command line_. The easiest way to do that is to copy the command by using the **Copy** button next to each command, and then paste it at your shell prompt.
+
+* Run the following command to build the application.
+
+ ```sh
+ g++ helloworld.cpp -o helloworld --std=c++11 -F${SPEECHSDK_ROOT} -framework MicrosoftCognitiveServicesSpeech
+ ```
+
+## Run the app
+
+1. Configure the loader's library path to point to the Speech SDK library.
+
+ ```sh
+ export DYLD_FRAMEWORK_PATH="$DYLD_FRAMEWORK_PATH:$SPEECHSDK_ROOT"
+ ```
+
+1. Run the application.
+
+ ```sh
+ ./helloworld
+ ```
+
+1. In the console window, a prompt appears, requesting that you say something. Speak an English phrase or sentence. Your speech is transmitted to the Speech Services and transcribed to text, which appears in the same window.
+
+ ```text
+ Say something...
+ We recognized: What's the weather like? + ``` + +## Next steps + +> [!div class="nextstepaction"] +> [Explore C++ samples on GitHub](https://aka.ms/csspeech/samples) + +## See also + +- [Customize acoustic models](how-to-customize-acoustic-models.md) +- [Customize language models](how-to-customize-language-model.md) + diff --git a/articles/cognitive-services/Speech-Service/quickstart-csharp-dotnet-windows.md b/articles/cognitive-services/Speech-Service/quickstart-csharp-dotnet-windows.md index 1a01839781d3e..5da404fdcb937 100644 --- a/articles/cognitive-services/Speech-Service/quickstart-csharp-dotnet-windows.md +++ b/articles/cognitive-services/Speech-Service/quickstart-csharp-dotnet-windows.md @@ -20,7 +20,7 @@ Use this guide to create a speech-to-text console application using the .NET fra For a quick demonstration (without building the Visual Studio project yourself as shown below): -Get the latest [Cognitive Services Speech SDK](https://github.com/Azure-Samples/cognitive-services-speech-sdk) from Github. +Get the latest [Cognitive Services Speech SDK Samples](https://github.com/Azure-Samples/cognitive-services-speech-sdk) from GitHub. ## Prerequisites diff --git a/articles/cognitive-services/Speech-Service/quickstart-csharp-dotnetcore-windows.md b/articles/cognitive-services/Speech-Service/quickstart-csharp-dotnetcore-windows.md index 30c9b5bf717c2..f564ec6b14fd6 100644 --- a/articles/cognitive-services/Speech-Service/quickstart-csharp-dotnetcore-windows.md +++ b/articles/cognitive-services/Speech-Service/quickstart-csharp-dotnetcore-windows.md 
@@ -1,7 +1,7 @@ --- -title: 'Quickstart: Recognize speech, C# (.NET Core Windows) - Speech Services' +title: 'Quickstart: Recognize speech, C# (.NET Core) - Speech Services' titleSuffix: Azure Cognitive Services -description: Learn how to recognize speech in C# under .NET Core on Windows by using the Speech SDK +description: Learn how to recognize speech in C# under .NET Core on Windows or macOS by using the Speech SDK services: cognitive-services author: wolfma61 manager: nitinme @@ -16,7 +16,7 @@ ms.author: wolfma [!INCLUDE [Selector](../../../includes/cognitive-services-speech-service-quickstart-selector.md)] -In this article, you create a C# console application for .NET Core on Windows by using the Cognitive Services [Speech SDK](speech-sdk.md). You transcribe speech to text in real time from your PC's microphone. The application is built with the [Speech SDK NuGet package](https://aka.ms/csspeech/nuget) and Microsoft Visual Studio 2017 (any edition). +In this article, you create a C# console application for .NET Core on Windows or macOS by using the Cognitive Services [Speech SDK](speech-sdk.md). You transcribe speech to text in real time from your PC's microphone. The application is built with the [Speech SDK NuGet package](https://aka.ms/csspeech/nuget) and Microsoft Visual Studio 2017 (any edition). > [!NOTE] > .NET Core is an open-source, cross-platform .NET platform that implements the [.NET Standard](https://docs.microsoft.com/dotnet/standard/net-standard) specification. diff --git a/articles/cognitive-services/Speech-Service/quickstart-java-android.md b/articles/cognitive-services/Speech-Service/quickstart-java-android.md index 0609b1965d374..b35c06ecb66b5 100644 --- a/articles/cognitive-services/Speech-Service/quickstart-java-android.md +++ b/articles/cognitive-services/Speech-Service/quickstart-java-android.md 
@@ -17,7 +17,7 @@ ms.author: wolfma [!INCLUDE [Selector](../../../includes/cognitive-services-speech-service-quickstart-selector.md)] In this article, you'll learn how to develop a Java application for Android using the Cognitive Services Speech SDK to transcribe speech to text. -The application is based on the Microsoft Cognitive Services Speech SDK Maven Package, version 1.3.1, and Android Studio 3.1. +The application is based on the Speech SDK Maven Package, version 1.4.0, and Android Studio 3.3. The Speech SDK is currently compatible with Android devices having 32/64-bit ARM and Intel x86/x64 compatible processors. > [!NOTE] 
@@ -33,27 +33,19 @@ You need a Speech Services subscription key to complete this Quickstart. You can ![Screenshot of Android Studio Welcome window](media/sdk/qs-java-android-01-start-new-android-studio-project.png) -1. The **Create New Project** wizard appears. In the **Create Android Project** screen, enter **Quickstart** as **application name**, **samples.speech.cognitiveservices.microsoft.com** as **company domain**, and choose a project directory. Leave the C++ and Kotlin check boxes unchecked, and select **Next**. +1. The **Choose your project** wizard appears, select **Phone and Tablet** and **Empty Activity** in the activity selection box. Select **Next**. - ![Screenshot of Create New Project wizard](media/sdk/qs-java-android-02-create-android-project.png) + ![Screenshot of Choose your project wizard](media/sdk/qs-java-android-02-target-android-devices.png) -1. In the **Target Android Devices** screen, select only **Phone and Tablet**. In the drop-down list below it, choose **API 23: Android 6.0 (Marshmallow)**, and select **Next**. +1. In the **Configure your project** screen, enter **Quickstart** as **Name**, **samples.speech.cognitiveservices.microsoft.com** as **Package name**, and choose a project directory. For **Minimum API level** pick **API 23: Android 6.0 (Marshmallow)**, leave all other checkboxes unchecked, and select **Finish**. - ![Screenshot of Create New Project wizard](media/sdk/qs-java-android-03-target-android-devices.png) - -1. In the **Add an Activity to Mobile** screen, select **Empty Activity**, and click **Next**. - - ![Screenshot of Create New Project wizard](media/sdk/qs-java-android-04-add-an-activity-to-mobile.png) - -1. In the **Configure Activity** screen, use **MainActivity** as the activity name and **activity\_main** as the layout name. Select both check boxes, and select **Finish**. 
- - ![Screenshot of Create New Project wizard](media/sdk/qs-java-android-05-configure-activity.png) + ![Screenshot of Configure your project wizard](media/sdk/qs-java-android-03-create-android-project.png) Android Studio takes a moment to prepare your new Android project. Next, configure the project to know about the Speech SDK and to use Java 8. [!INCLUDE [License Notice](../../../includes/cognitive-services-speech-service-license-notice.md)] -The current version of the Cognitive Services Speech SDK is `1.3.1`. +The current version of the Cognitive Services Speech SDK is `1.4.0`. The Speech SDK for Android is packaged as an [AAR (Android Library)](https://developer.android.com/studio/projects/android-library), which includes the necessary libraries and required Android permissions. It is hosted in a Maven repository at https:\//csspeechstorage.blob.core.windows.net/maven/. @@ -68,7 +60,7 @@ Set up your project to use the Speech SDK. Open the Project Structure window by ![Screenshot of Project Structure window](media/sdk/qs-java-android-07-add-module-dependency.png) -1. In the window that comes up, enter the name and version of our Speech SDK for Android, `com.microsoft.cognitiveservices.speech:client-sdk:1.3.1`. Then select **OK**. +1. In the window that comes up, enter the name and version of our Speech SDK for Android, `com.microsoft.cognitiveservices.speech:client-sdk:1.4.0`. Then select **OK**. The Speech SDK should be added to the list of dependencies now, as shown below: ![Screenshot of Project Structure window](media/sdk/qs-java-android-08-dependency-added-1.0.0.png) @@ -95,16 +87,9 @@ We will create a basic user interface for the application. Edit the layout for y The text and graphical representation of your UI should now look like this: - - - - - -
![](media/sdk/qs-java-android-11-gui.png) - + [!code-xml[](~/samples-cognitive-services-speech-sdk/quickstart/java-android/app/src/main/res/layout/activity_main.xml)] -
## Add sample code diff --git a/articles/cognitive-services/Speech-Service/quickstart-java-jre.md b/articles/cognitive-services/Speech-Service/quickstart-java-jre.md index eddfe1433df68..b6c18056e6b86 100644 --- a/articles/cognitive-services/Speech-Service/quickstart-java-jre.md +++ b/articles/cognitive-services/Speech-Service/quickstart-java-jre.md @@ -1,7 +1,7 @@ --- title: 'Quickstart: Recognize speech, Java (Windows, Linux) - Speech Services' titleSuffix: Azure Cognitive Services -description: In this quickstart, you'll learn create a simple Java application that captures and transcribes user speech from your computer's microphone. +description: In this quickstart, you'll learn to create a simple Java application that captures and transcribes user speech from your computer's microphone. services: cognitive-services author: fmegen manager: nitinme @@ -16,7 +16,7 @@ ms.author: fmegen [!INCLUDE [Selector](../../../includes/cognitive-services-speech-service-quickstart-selector.md)] -In this article, you create a Java console application by using the [Speech SDK](speech-sdk.md). You transcribe speech to text in real time from your PC's microphone. The application is built with the Speech SDK Maven package, and the Eclipse Java IDE (v4.8) on 64-bit Windows or 64-bit Ubuntu Linux 16.04 / 18.04. It runs on a 64-bit Java 8 runtime environment (JRE). +In this article, you create a Java console application by using the [Speech SDK](speech-sdk.md). You transcribe speech to text in real time from your PC's microphone. The application is built with the Speech SDK Maven package, and the Eclipse Java IDE (v4.8) on 64-bit Windows, 64-bit Ubuntu Linux 16.04 / 18.04 or on macOS 10.13 or later. It runs on a 64-bit Java 8 runtime environment (JRE). > [!NOTE] > For the Speech Devices SDK and the Roobo device, see [Speech Devices SDK](speech-devices-sdk.md). 
@@ -25,7 +25,7 @@ In this article, you create a Java console application by using the [Speech SDK] This quickstart requires: -* Operating System: Windows (64-bit) or Ubuntu Linux 16.04/18.04 (64-bit) +* Operating System: Windows (64-bit), Ubuntu Linux 16.04/18.04 (64-bit), or macOS 10.13 or later * [Eclipse Java IDE](https://www.eclipse.org/downloads/) * [Java 8](https://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html) or [JDK 8](https://www.oracle.com/technetwork/java/javase/downloads/index.html) * An Azure subscription key for the Speech Service. [Get one for free](get-started.md). @@ -37,7 +37,7 @@ sudo apt-get update sudo apt-get install build-essential libssl1.0.0 libasound2 wget ``` -If you're running Windows (64-bit) please ensure you have installed Microsoft Visual C++ Redistributable for your platform. +If you're running Windows (64-bit) ensure you have installed Microsoft Visual C++ Redistributable for your platform. * [Download Microsoft Visual C++ Redistributable for Visual Studio 2017](https://support.microsoft.com/help/2977003/the-latest-supported-visual-c-downloads) diff --git a/articles/cognitive-services/Speech-Service/quickstart-js-browser.md b/articles/cognitive-services/Speech-Service/quickstart-js-browser.md index 23bd62cc355cd..556c959751657 100644 --- a/articles/cognitive-services/Speech-Service/quickstart-js-browser.md +++ b/articles/cognitive-services/Speech-Service/quickstart-js-browser.md 
@@ -17,14 +17,14 @@ ms.author: fmegen [!INCLUDE [Selector](../../../includes/cognitive-services-speech-service-quickstart-selector.md)] In this article, you'll learn how to create a website using the JavaScript binding of the Cognitive Services Speech SDK to transcribe speech to text. -The application is based on the Microsoft Cognitive Services Speech SDK ([Download version 1.3.0](https://aka.ms/csspeech/jsbrowserpackage)). +The application is based on the Speech SDK for JavaScript ([Download version 1.4.0](https://aka.ms/csspeech/jsbrowserpackage)). ## Prerequisites * A subscription key for the Speech service. See [Try the Speech Services for free](get-started.md). * A PC or Mac, with a working microphone. * A text editor. -* A current version of Chrome or Microsoft Edge. +* A current version of Chrome, Microsoft Edge, or Safari. * Optionally, a web server that supports hosting PHP scripts. ## Create a new Website folder @@ -47,7 +47,7 @@ Create a new file in the folder, named `index.html` and open this file with a te ```html - Microsoft Cognitive Service Speech SDK JavaScript Quickstart + Speech SDK JavaScript Quickstart 
@@ -94,6 +94,10 @@ That way, your subscription key will never leave your server while allowing user To launch the app, double-click on the index.html file or open index.html with your favorite web browser. It will present a simple GUI allowing you to enter your subscription key and [region](regions.md) and trigger a recognition using the microphone. +> [!NOTE] +> This method doesn't work on the Safari browser. +> On Safari, the sample web page needs to be hosted on a web server; Safari doesn't allow websites loaded from a local file to use the microphone. + ## Build and run the sample via a web server To launch your app, open your favorite web browser and point it to the public URL that you host the folder on, enter your [region](regions.md), and trigger a recognition using the microphone. If configured, it will acquire a token from your token source. diff --git a/articles/cognitive-services/Speech-Service/quickstart-objective-c-macos.md b/articles/cognitive-services/Speech-Service/quickstart-objective-c-macos.md new file mode 100644 index 0000000000000..b5fcc2522d303 --- /dev/null +++ b/articles/cognitive-services/Speech-Service/quickstart-objective-c-macos.md 
@@ -0,0 +1,92 @@
+---
+title: 'Quickstart: Recognize speech, Objective-C - Speech Services'
+titleSuffix: Azure Cognitive Services
+description: Learn how to recognize speech in Objective-C on macOS using the Speech SDK
+services: cognitive-services
+author: chlandsi
+manager: nitinme
+ms.service: cognitive-services
+ms.subservice: speech-service
+ms.topic: quickstart
+ms.date: 04/03/2019
+ms.author: chlandsi
+---
+
+# Quickstart: Recognize speech in Objective-C on macOS using the Speech SDK
+
+[!INCLUDE [Selector](../../../includes/cognitive-services-speech-service-quickstart-selector.md)]
+
+In this article, you learn how to create a macOS app in Objective-C using the Cognitive Services Speech SDK to transcribe speech recorded from a microphone to text.
+
+## Prerequisites
+
+Before you get started, here's a list of prerequisites:
+
+* A [subscription key](get-started.md) for the Speech Service
+* A macOS machine with [Xcode 9.4.1](https://geo.itunes.apple.com/us/app/xcode/id497799835?mt=12) or later and macOS 10.13 or later
+
+## Get the Speech SDK for macOS
+
+[!INCLUDE [License Notice](../../../includes/cognitive-services-speech-service-license-notice.md)]
+
+The current version of the Cognitive Services Speech SDK is `1.4.0`.
+
+The Cognitive Services Speech SDK for Mac is distributed as a framework bundle.
+It can be used in Xcode projects as a [CocoaPod](https://cocoapods.org/), or downloaded from https://aka.ms/csspeech/macosbinary and linked manually. This guide uses a CocoaPod.
+
+## Create an Xcode project
+
+Start Xcode, and start a new project by clicking **File** > **New** > **Project**.
+In the template selection dialog, choose the "Cocoa App" template.
+
+In the dialogs that follow, make the following selections:
+
+1. Project Options Dialog
+ 1. Enter a name for the quickstart app, for example `helloworld`.
+ 1. Enter an appropriate organization name and an organization identifier, if you already have an Apple developer account. For testing purposes, you can just pick any name like `testorg`. To sign the app, you need a proper provisioning profile. Refer to the [Apple developer site](https://developer.apple.com/) for details.
+ 1. Make sure Objective-C is chosen as the language for the project.
+ 1. Disable the checkboxes to use storyboards and to create a document-based application. The simple UI for the sample app will be created programmatically.
+ 1. Disable all checkboxes for tests and core data.
+ ![Project Settings](media/sdk/qs-objectivec-macos-project-settings.png)
+1. Select project directory
+ 1. Choose a directory to put the project in. This creates a `helloworld` directory in your home directory that contains all the files for the Xcode project.
+ 1. Disable the creation of a Git repo for this example project.
+1. Set the entitlements for network and microphone access. Click the app name in the first line in the overview on the left to get to the app configuration, and then choose the "Capabilities" tab.
+ 1. Enable the "App sandbox" setting for the app.
+ 1. Enable the checkboxes for "Outgoing Connections" and "Microphone" access.
+ ![Sandbox Settings](media/sdk/qs-objectivec-macos-sandbox.png)
+1. The app also needs to declare use of the microphone in the `Info.plist` file. Click on the file in the overview, and add the "Privacy - Microphone Usage Description" key, with a value like "Microphone is needed for speech recognition".
+ ![Settings in Info.plist](media/sdk/qs-objectivec-macos-info-plist.png)
+1. Close the Xcode project. You will use a different instance of it later after setting up the CocoaPods.
+
+## Install the SDK as a CocoaPod
+
+1. Install the CocoaPod dependency manager as described in its [installation instructions](https://guides.cocoapods.org/using/getting-started.html).
+1. Navigate to the directory of your sample app (`helloworld`). Place a text file with the name `Podfile` and the following content in that directory:
+ ```
+ target 'helloworld' do
+ platform :osx, '10.13'
+ pod 'MicrosoftCognitiveServicesSpeech-macOS', '~> 1.4.0'
+ end
+ ```
+1. Navigate to the `helloworld` directory in a terminal and run the command `pod install`. This will generate a `helloworld.xcworkspace` Xcode workspace containing both the sample app and the Speech SDK as a dependency. This workspace will be used in the following.
+
+## Add the sample code
+
+1. Open the `helloworld.xcworkspace` workspace in Xcode.
+1. Replace the contents of the autogenerated `AppDelegate.m` file by:
+ [!code-objectivec[Quickstart Code](~/samples-cognitive-services-speech-sdk/quickstart/objectivec-macos/helloworld/helloworld/AppDelegate.m#code)]
+1. Replace the string `YourSubscriptionKey` with your subscription key.
+1. Replace the string `YourServiceRegion` with the [region](regions.md) associated with your subscription (for example, `westus` for the free trial subscription).
+
+## Build and run the sample
+
+1. Make the debug output visible (**View** > **Debug Area** > **Activate Console**).
+1. Build and run the example code by selecting **Product** -> **Run** from the menu or clicking the **Play** button.
+1. After you click the button and say a few words, you should see the text you have spoken on the lower part of the screen. When you run the app for the first time, you should be prompted to give the app access to your computer's microphone.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Explore Objective-C samples on GitHub](https://aka.ms/csspeech/samples)
+
diff --git a/articles/cognitive-services/Speech-Service/quickstart-objectivec-ios.md b/articles/cognitive-services/Speech-Service/quickstart-objectivec-ios.md
index e6e6d9174c6e5..16f6c41e55e79 100644
--- a/articles/cognitive-services/Speech-Service/quickstart-objectivec-ios.md
+++ b/articles/cognitive-services/Speech-Service/quickstart-objectivec-ios.md
@@ -16,7 +16,7 @@ ms.author: chlandsi [!INCLUDE [Selector](../../../includes/cognitive-services-speech-service-quickstart-selector.md)] -In this article, you learn how to create an iOS app in Objective-C using the Cognitive Services Speech SDK to transcribe an audio file with recorded speech to text. +In this article, you learn how to create an iOS app in Objective-C using the Cognitive Services Speech SDK to transcribe speech to text from microphone or from a file with recorded audio. ## Prerequisites @@ -24,16 +24,16 @@ Before you get started, here's a list of prerequisites: * A [subscription key](get-started.md) for the Speech Service * A macOS machine with [Xcode 9.4.1](https://geo.itunes.apple.com/us/app/xcode/id497799835?mt=12) or later -* The target set to iOS version 11.4 or later +* The target set to iOS version 9.3 or later ## Get the Speech SDK for iOS [!INCLUDE [License Notice](../../../includes/cognitive-services-speech-service-license-notice.md)] -The current version of the Cognitive Services Speech SDK is `1.3.1`. +The current version of the Cognitive Services Speech SDK is `1.4.0`. -The Cognitive Services Speech SDK for Mac and iOS is currently distributed as a Cocoa Framework. -It can be downloaded from https://aka.ms/csspeech/iosbinary. Download the file to your home directory. +The Cognitive Services Speech SDK for iOS is currently distributed as a Cocoa Framework. +It can be downloaded from [here](https://aka.ms/csspeech/iosbinary). Download the file to your home directory. ## Create an Xcode Project @@ -99,3 +99,4 @@ Replace the autogenerated XML with this code: > [!div class="nextstepaction"] > [Explore Objective-C samples on GitHub](https://aka.ms/csspeech/samples) + diff --git a/articles/cognitive-services/Speech-Service/quickstart-text-to-speech-cpp-linux.md b/articles/cognitive-services/Speech-Service/quickstart-text-to-speech-cpp-linux.md new file mode 100644 index 0000000000000..91b6c0ba4c6c2 --- /dev/null 
+++ b/articles/cognitive-services/Speech-Service/quickstart-text-to-speech-cpp-linux.md 
@@ -0,0 +1,135 @@
+---
+title: 'Quickstart: Synthesize speech, C++ (Linux) - Speech Services'
+titleSuffix: Azure Cognitive Services
+description: Learn how to synthesize speech in C++ on Linux by using the Speech SDK
+services: cognitive-services
+author: yinhew
+manager: nitinme
+ms.service: cognitive-services
+ms.subservice: speech-service
+ms.topic: quickstart
+ms.date: 4/03/2019
+ms.author: yinhew
+---
+
+# Quickstart: Synthesize speech in C++ on Linux by using the Speech SDK
+
+In this article, you create a C++ console application for Ubuntu Linux 16.04 or 18.04. You use the Cognitive Services [Speech SDK](speech-sdk.md) to synthesize speech from text in real time and play the speech on your PC's speaker. The application is built with the [Speech SDK for Linux](https://aka.ms/csspeech/linuxbinary) and your Linux distribution's C++ compiler (for example, `g++`).
+
+## Prerequisites
+
+You need a Speech Services subscription key to complete this Quickstart. You can get one for free. See [Try the Speech Services for free](get-started.md) for details.
+
+## Install Speech SDK
+
+[!INCLUDE [License Notice](../../../includes/cognitive-services-speech-service-license-notice.md)]
+
+The current version of the Cognitive Services Speech SDK is `1.4.0`.
+
+The Speech SDK for Linux can be used to build both 64-bit and 32-bit applications. The required libraries and header files can be downloaded as a tar file from https://aka.ms/csspeech/linuxbinary.
+
+Download and install the SDK as follows:
+
+1. Make sure the SDK's dependencies are installed.
+
+ ```sh
+ sudo apt-get update
+ sudo apt-get install build-essential libssl1.0.0 libasound2 wget
+ ```
+
+1. Choose a directory to which the Speech SDK files should be extracted, and set the `SPEECHSDK_ROOT` environment variable to point to that directory. This variable makes it easy to refer to the directory in future commands. For example, if you want to use the directory `speechsdk` in your home directory, use a command like the following:
+
+ ```sh
+ export SPEECHSDK_ROOT="$HOME/speechsdk"
+ ```
+
+1. Create the directory if it doesn't exist yet.
+
+ ```sh
+ mkdir -p "$SPEECHSDK_ROOT"
+ ```
+
+1. Download and extract the `.tar.gz` archive containing the Speech SDK binaries:
+
+ ```sh
+ wget -O SpeechSDK-Linux.tar.gz https://aka.ms/csspeech/linuxbinary
+ tar --strip 1 -xzf SpeechSDK-Linux.tar.gz -C "$SPEECHSDK_ROOT"
+ ```
+
+1. Validate the contents of the top-level directory of the extracted package:
+
+ ```sh
+ ls -l "$SPEECHSDK_ROOT"
+ ```
+
+ The directory listing should contain the third-party notice and license files, as well as an `include` directory containing header (`.h`) files and a `lib` directory containing libraries.
+
+ [!INCLUDE [Linux Binary Archive Content](../../../includes/cognitive-services-speech-service-linuxbinary-content.md)]
+
+## Add sample code
+
+1. Create a C++ source file named `helloworld.cpp`, and paste the following code into it.
+
+ [!code-cpp[Quickstart Code](~/samples-cognitive-services-speech-sdk/quickstart/text-to-speech/cpp-linux/helloworld.cpp#code)]
+
+1. In this new file, replace the string `YourSubscriptionKey` with your Speech Services subscription key.
+
+1. Replace the string `YourServiceRegion` with the [region](regions.md) associated with your subscription (for example, `westus` for the free trial subscription).
+
+## Build the app
+
+> [!NOTE]
+> Make sure to enter the commands below as a _single command line_. The easiest way to do that is to copy the command by using the **Copy** button next to each command, and then paste it at your shell prompt.
+
+* On an **x64** (64-bit) system, run the following command to build the application.
+
+ ```sh
+ g++ helloworld.cpp -o helloworld -I "$SPEECHSDK_ROOT/include/cxx_api" -I "$SPEECHSDK_ROOT/include/c_api" --std=c++14 -lpthread -lMicrosoft.CognitiveServices.Speech.core -L "$SPEECHSDK_ROOT/lib/x64" -l:libssl.so.1.0.0 -l:libasound.so.2
+ ```
+
+* On an **x86** (32-bit) system, run the following command to build the application.
+
+ ```sh
+ g++ helloworld.cpp -o helloworld -I "$SPEECHSDK_ROOT/include/cxx_api" -I "$SPEECHSDK_ROOT/include/c_api" --std=c++14 -lpthread -lMicrosoft.CognitiveServices.Speech.core -L "$SPEECHSDK_ROOT/lib/x86" -l:libssl.so.1.0.0 -l:libasound.so.2
+ ```
+
+## Run the app
+
+1. Configure the loader's library path to point to the Speech SDK library.
+
+ * On an **x64** (64-bit) system, enter the following command.
+
+ ```sh
+ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$SPEECHSDK_ROOT/lib/x64"
+ ```
+
+ * On an **x86** (32-bit) system, enter this command.
+
+ ```sh
+ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$SPEECHSDK_ROOT/lib/x86"
+ ```
+
+1. Run the application.
+
+ ```sh
+ ./helloworld
+ ```
+
+1. In the console window, a prompt appears, prompting you to type some text. Type a few words or a sentence. The text that you typed is transmitted to the Speech Services and synthesized to speech, which plays on your speaker.
+
+ ```text
+ Type some text that you want to speak...
+ > hello
+ Speech synthesized to speaker for text [hello]
+ Press enter to exit...
+ ```
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Explore C++ samples on GitHub](https://aka.ms/csspeech/samples)
+
+## See also
+
+- [Customize voice fonts](how-to-customize-voice-font.md)
+- [Record voice samples](record-custom-voice-samples.md)
diff --git a/articles/cognitive-services/Speech-Service/quickstart-text-to-speech-cpp-windows.md b/articles/cognitive-services/Speech-Service/quickstart-text-to-speech-cpp-windows.md
new file mode 100644
index 0000000000000..0ab5ecea63434
--- /dev/null
+++ b/articles/cognitive-services/Speech-Service/quickstart-text-to-speech-cpp-windows.md 
@@ -0,0 +1,67 @@
+---
+title: 'Quickstart: Synthesize speech, C++ (Windows) - Speech Services'
+titleSuffix: Azure Cognitive Services
+description: Learn how to synthesize speech in C++ on Windows Desktop by using the Speech SDK
+services: cognitive-services
+author: yinhew
+manager: nitinme
+ms.service: cognitive-services
+ms.subservice: speech-service
+ms.topic: quickstart
+ms.date: 4/03/2019
+ms.author: yinhew
+---
+
+# Quickstart: Synthesize speech in C++ on Windows by using the Speech SDK
+
+In this article, you create a C++ console application for Windows. You use the Cognitive Services [Speech SDK](speech-sdk.md) to synthesize speech from text in real time and play the speech on your PC's speaker. The application is built with the [Speech SDK NuGet package](https://aka.ms/csspeech/nuget) and Microsoft Visual Studio 2017 (any edition).
+
+The feature described within this article is available from [Speech SDK 1.4.0](https://www.nuget.org/packages/Microsoft.CognitiveServices.Speech/1.4.0).
+
+For a complete list of languages/voices available for speech synthesis, see [language support](language-support.md#text-to-speech).
+
+## Prerequisites
+
+You need a Speech Services subscription key to complete this Quickstart. You can get one for free. See [Try the Speech Services for free](get-started.md) for details.
+
+## Create a Visual Studio project
+
+[!INCLUDE [](../../../includes/cognitive-services-speech-service-quickstart-cpp-create-proj.md)]
+
+## Add sample code
+
+1. Open the source file *helloworld.cpp*. Replace all the code below the initial include statement (`#include "stdafx.h"` or `#include "pch.h"`) with the following:
+
+ [!code-cpp[Quickstart Code](~/samples-cognitive-services-speech-sdk/quickstart/text-to-speech/cpp-windows/helloworld/helloworld.cpp#code)]
+
+1. In the same file, replace the string `YourSubscriptionKey` with your subscription key.
+
+1. Replace the string `YourServiceRegion` with the [region](regions.md) associated with your subscription (for example, `westus` for the free trial subscription).
+
+1. Save changes to the project.
+
+## Build and run the app
+
+1. Build the application. From the menu bar, choose **Build** > **Build Solution**. The code should compile without errors.
+
+ ![Screenshot of Visual Studio application, with Build Solution option highlighted](media/sdk/qs-cpp-windows-06-build.png)
+
+1. Start the application. From the menu bar, choose **Debug** > **Start Debugging**, or press **F5**.
+
+ ![Screenshot of Visual Studio application, with Start Debugging option highlighted](media/sdk/qs-cpp-windows-07-start-debugging.png)
+
+1. A console window appears, prompting you to type some text. Type a few words or a sentence. The text that you typed is transmitted to the Speech Services and synthesized to speech, which plays on your speaker.
+
+ ![Screenshot of console output after successful synthesis](media/sdk/qs-tts-cpp-windows-console-output.png)
+
+## Next steps
+
+Additional samples, such as how to save speech to an audio file, are available on GitHub.
+
+> [!div class="nextstepaction"]
+> [Explore C++ samples on GitHub](https://aka.ms/csspeech/samples)
+
+## See also
+
+- [Customize voice fonts](how-to-customize-voice-font.md)
+- [Record voice samples](record-custom-voice-samples.md)
diff --git a/articles/cognitive-services/Speech-Service/quickstart-text-to-speech-dotnet-windows.md b/articles/cognitive-services/Speech-Service/quickstart-text-to-speech-dotnet-windows.md
new file mode 100644
index 0000000000000..e84a912b26eb0
--- /dev/null
+++ b/articles/cognitive-services/Speech-Service/quickstart-text-to-speech-dotnet-windows.md
@@ -0,0 +1,69 @@
+---
+title: 'Quickstart: Synthesize speech, .NET Framework (Windows) - Speech Services'
+titleSuffix: Azure Cognitive Services
+description: Use this guide to create a text-to-speech console application using the .NET framework for Windows and the Speech SDK. When finished, you can synthesize speech from text, and hear the speech on your speaker in real time.
+services: cognitive-services
+author: yinhew
+manager: nitinme
+ms.service: cognitive-services
+ms.subservice: speech-service
+ms.topic: quickstart
+ms.date: 4/03/2019
+ms.author: yinhew
+---
+
+# Quickstart: Synthesize speech with the Speech SDK for .NET Framework (Windows)
+
+Use this guide to create a text-to-speech console application using the .NET framework for Windows and the Speech SDK. When finished, you can synthesize speech from text, and hear the speech on your speaker in real time.
+
+For a quick demonstration (without building the Visual Studio project yourself as shown below):
+
+Get the latest [Cognitive Services Speech SDK Samples](https://github.com/Azure-Samples/cognitive-services-speech-sdk) from GitHub.
+
+## Prerequisites
+
+To complete this project, you'll need:
+
+* [Visual Studio 2017](https://visualstudio.microsoft.com/downloads/)
+* A subscription key for the Speech Service. [Get one for free](get-started.md).
+* A speaker (or headset) available.
+
+## Create a Visual Studio project
+
+[!INCLUDE [Create project](../../../includes/cognitive-services-speech-service-create-speech-project-vs-csharp.md)]
+
+## Add sample code
+
+1. Open `Program.cs` and replace the automatically generated code with this sample:
+
+ [!code-csharp[Quickstart Code](~/samples-cognitive-services-speech-sdk/quickstart/text-to-speech/csharp-dotnet-windows/helloworld/Program.cs#code)]
+
+1. Locate and replace the string `YourSubscriptionKey` with your Speech Services subscription key.
+
+1. Locate and replace the string `YourServiceRegion` with the [region](regions.md) associated with your subscription. For example, if you're using the free trial, the region is `westus`.
+
+1. Save the changes to the project.
+
+## Build and run the app
+
+1. From the menu bar, select **Build** > **Build Solution**. The code should compile without errors now.
+
+ ![Screenshot of Visual Studio application, with Build Solution option highlighted](media/sdk/qs-csharp-dotnet-windows-08-build.png "Successful build")
+
+1. From the menu bar, select **Debug** > **Start Debugging**, or press **F5** to start the application.
+
+ ![Screenshot of Visual Studio application, with Start Debugging option highlighted](media/sdk/qs-csharp-dotnet-windows-09-start-debugging.png "Start the app into debugging")
+
+1. A console window will appear, prompting you to type some text. Type a few words or a sentence. The text that you typed is transmitted to the Speech Services and synthesized to speech, which plays on your speaker.
+
+ ![Screenshot of console output after successful recognition](media/sdk/qs-tts-csharp-dotnet-windows-console-output.png "Console output after successful recognition")
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Explore C# samples on GitHub](https://aka.ms/csspeech/samples)
+
+## See also
+
+- [Customize voice fonts](how-to-customize-voice-font.md)
+- [Record voice samples](record-custom-voice-samples.md)
diff --git a/articles/cognitive-services/Speech-Service/quickstart-translate-speech-cpp-windows.md b/articles/cognitive-services/Speech-Service/quickstart-translate-speech-cpp-windows.md
index 3b9bb9940535a..976dca340cc46 100644
--- a/articles/cognitive-services/Speech-Service/quickstart-translate-speech-cpp-windows.md
+++ b/articles/cognitive-services/Speech-Service/quickstart-translate-speech-cpp-windows.md
@@ -27,7 +27,7 @@ This quickstart requires: ## Create a Visual Studio project -[!INCLUDE [](../../../includes/cognitive-services-speech-service-quickstart-cpp-create-proj.md)] +[!INCLUDE[](../../../includes/cognitive-services-speech-service-quickstart-cpp-create-proj.md)] ## Add sample code diff --git a/articles/cognitive-services/Speech-Service/regions.md b/articles/cognitive-services/Speech-Service/regions.md index 6c0030d4cc5f8..d3aba52082a49 100644 --- a/articles/cognitive-services/Speech-Service/regions.md +++ b/articles/cognitive-services/Speech-Service/regions.md @@ -34,10 +34,10 @@ The Speech SDK is available in these regions for **speech recognition** and **tr West US2 | `westus2` | https://westus2.cris.ai East US | `eastus` | https://eastus.cris.ai East US2 | `eastus2` | https://eastus2.cris.ai - Central US | 'centralus' | https://centralus.cris.ai - North Central US | 'northcentralus' | https://northcentralus.cris.ai - South Central US | 'southcentralus' | https://southcentralus.cris.ai - Central India | 'centralindia' | https://centralindia.cris.ai + Central US | `centralus` | https://centralus.cris.ai + North Central US | `northcentralus` | https://northcentralus.cris.ai + South Central US | `southcentralus` | https://southcentralus.cris.ai + Central India | `centralindia` | https://centralindia.cris.ai East Asia | `eastasia` | https://eastasia.cris.ai South East Asia | `southeastasia` | https://southeastasia.cris.ai Japan East | `japaneast` | https://japaneast.cris.ai diff --git a/articles/cognitive-services/Speech-Service/releasenotes.md b/articles/cognitive-services/Speech-Service/releasenotes.md index 014634b8e713d..5629793cf29ba 100644 --- a/articles/cognitive-services/Speech-Service/releasenotes.md +++ b/articles/cognitive-services/Speech-Service/releasenotes.md 
@@ -8,13 +8,47 @@ manager: nitinme ms.service: cognitive-services ms.subservice: speech-service ms.topic: conceptual -ms.date: 2/20/2019 +ms.date: 4/5/2019 ms.author: wolfma ms.custom: seodec18 --- # Release notes +## Speech SDK 1.4.1 + +This is a JavaScript-only release. No features have been added. The following fixes were made: + +* Prevent webpack from loading https-proxy-agent. + +## Speech SDK 1.4.0: 2019-April release + +**New features** + +* The SDK now supports the text-to-speech service as a beta version. It is supported on Windows and Linux Desktop from C++ and C#. For more information check the [text-to-speech overview](text-to-speech.md#get-started-with-text-to-speech). +* The SDK now supports MP3 and Opus/Ogg audio files as stream input files. This feature is available only on Linux from C++ and C# and is currently in beta (more details [here](how-to-use-compressed-audio-input-streams.md)). +* The Speech SDK for Java, .NET core, C++ and Objective-C have gained macOS support. The Objective-C support for macOS is currently in beta. +* iOS: The Speech SDK for iOS (Objective-C) is now also published as a CocoaPod. +* JavaScript: Support for non-default microphone as an input device. +* JavaScript: Proxy support for Node.js. + +**Samples** + +* Samples for using the Speech SDK with C++ and with Objective-C on macOS have been added. +* Samples demonstrating the usage of the text-to-speech service have been added. + +**Improvements / Changes** + +* Python: Additional properties of recognition results are now exposed via the `properties` property. +* For additional development and debug support you can redirect SDK logging and diagnostics information into a log file (more details [here](how-to-use-logging.md)). +* JavaScript: Improve audio processing performance. + +**Bug fixes** + +* Mac/iOS: A bug that led to a long wait when a connection to the Speech Service could not be established was fixed. 
+* Python: improve error handling for arguments in Python callbacks. +* JavaScript: Fixed wrong state reporting for speech ended on RequestSession. + ## Speech SDK 1.3.1: 2019-February refresh This is a bug fix release and only affecting the native/managed SDK. It is not affecting the JavaScript version of the SDK. diff --git a/articles/cognitive-services/Speech-Service/speech-sdk.md b/articles/cognitive-services/Speech-Service/speech-sdk.md index 3bdf9ddb50ef5..f7421b25c30a0 100644 --- a/articles/cognitive-services/Speech-Service/speech-sdk.md +++ b/articles/cognitive-services/Speech-Service/speech-sdk.md @@ -8,14 +8,13 @@ manager: nitinme ms.service: cognitive-services ms.subservice: speech-service ms.topic: conceptual -ms.date: 2/20/2019 +ms.date: 04/08/2019 ms.author: wolfma -ms.custom: seodec18 --- # About the Speech SDK -The Speech Software Development Kit (SDK) gives your applications access to the functions of the Speech Services, making it easier to develop speech-enabled software. Currently, the SDKs provide access to **Speech to Text**, **Speech Translation**, and **Intent Recognition**. A general overview about the capabilities and supported platforms can be found on the documentation [entry page](https://aka.ms/csspeech). +The Speech Software Development Kit (SDK) gives your applications access to the functions of the Speech Services, making it easier to develop speech-enabled software. Currently, the SDKs provide access to **speech-to-text**, **text-to-speech**, **speech translation**, and **intent recognition**. A general overview about the capabilities and supported platforms can be found on the documentation [entry page](https://aka.ms/csspeech). [!INCLUDE [Speech SDK Platforms](../../../includes/cognitive-services-speech-service-speech-sdk-platforms.md)] 
@@ -31,7 +30,7 @@ For Windows, we support the following languages: You can reference and use the latest version of our Speech SDK NuGet package. The package includes 32-bit and 64-bit client libraries and managed (.NET) libraries. The SDK can be installed in Visual Studio by using NuGet. Search for **Microsoft.CognitiveServices.Speech**. * Java: - You can reference and use the latest version of our Speech SDK Maven package, which supports only Windows x64. In your Maven project, add `https://csspeechstorage.blob.core.windows.net/maven/` as an additional repository and reference `com.microsoft.cognitiveservices.speech:client-sdk:1.3.1` as a dependency. + You can reference and use the latest version of our Speech SDK Maven package, which supports only Windows x64. In your Maven project, add `https://csspeechstorage.blob.core.windows.net/maven/` as an additional repository and reference `com.microsoft.cognitiveservices.speech:client-sdk:1.4.0` as a dependency. ### Linux @@ -49,11 +48,11 @@ sudo apt-get install build-essential libssl1.0.0 libasound2 You can reference and use the latest version of our Speech SDK NuGet package. To reference the SDK, add the following package reference to your project: ```xml - + ``` * Java: - You can reference and use the latest version of our Speech SDK Maven package. In your Maven project, add `https://csspeechstorage.blob.core.windows.net/maven/` as an additional repository and reference `com.microsoft.cognitiveservices.speech:client-sdk:1.3.1` as a dependency. + You can reference and use the latest version of our Speech SDK Maven package. In your Maven project, add `https://csspeechstorage.blob.core.windows.net/maven/` as an additional repository and reference `com.microsoft.cognitiveservices.speech:client-sdk:1.4.0` as a dependency. * C++: Download the SDK as a [.tar package](https://aka.ms/csspeech/linuxbinary) and unpack the files in a directory of your choice. The following table shows the SDK folder structure: 
@@ -69,7 +68,7 @@ sudo apt-get install build-essential libssl1.0.0 libasound2 ### Android -The Java SDK for Android is packaged as an [AAR (Android Library)](https://developer.android.com/studio/projects/android-library), which includes the necessary libraries and required Android permissions. It's hosted in a Maven repository at `https://csspeechstorage.blob.core.windows.net/maven/` as package `com.microsoft.cognitiveservices.speech:client-sdk:1.3.1`. +The Java SDK for Android is packaged as an [AAR (Android Library)](https://developer.android.com/studio/projects/android-library), which includes the necessary libraries and required Android permissions. It's hosted in a Maven repository at `https://csspeechstorage.blob.core.windows.net/maven/` as package `com.microsoft.cognitiveservices.speech:client-sdk:1.4.0`. To consume the package from your Android Studio project, make the following changes: @@ -82,7 +81,7 @@ To consume the package from your Android Studio project, make the following chan * In the module-level build.gradle file, add the following to the `dependencies` section: ```gradle - implementation 'com.microsoft.cognitiveservices.speech:client-sdk:1.3.1' + implementation 'com.microsoft.cognitiveservices.speech:client-sdk:1.4.0' ``` The Java SDK is also part of the [Speech Devices SDK](speech-devices-sdk.md). diff --git a/articles/cognitive-services/Speech-Service/speech-to-text.md b/articles/cognitive-services/Speech-Service/speech-to-text.md index 05c25c3cb92ec..15634a9b6dc30 100644 --- a/articles/cognitive-services/Speech-Service/speech-to-text.md +++ b/articles/cognitive-services/Speech-Service/speech-to-text.md 
@@ -53,8 +53,8 @@ We offer quickstarts in most popular programming languages, each designed to hav | [C++](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstart-cpp-linux) | Linux | [Browse](https://aka.ms/csspeech/cppref) | | [Java](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstart-java-android) | Android | [Browse](https://aka.ms/csspeech/javaref) | | [Java](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstart-java-jre) | Windows, Linux | [Browse](https://aka.ms/csspeech/javaref) | -| [Javascript, Browser](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstart-js-browser) | Browser, Windows, Linux, macOS | [Browse](https://aka.ms/AA434tv) | -| [Javascript, Node.js](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstart-js-node) | Windows, Linux, macOS | [Browse](https://aka.ms/AA434tv) | +| [JavaScript, Browser](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstart-js-browser) | Browser, Windows, Linux, macOS | [Browse](https://aka.ms/AA434tv) | +| [JavaScript, Node.js](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstart-js-node) | Windows, Linux, macOS | [Browse](https://aka.ms/AA434tv) | | [Objective-C](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstart-objectivec-ios) | iOS | [Browse](https://aka.ms/csspeech/objectivecref) | | [Python](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstart-python) | Windows, Linux, macOS | [Browse](https://aka.ms/AA434tr) | diff --git a/articles/cognitive-services/Speech-Service/support.md b/articles/cognitive-services/Speech-Service/support.md index 0ea420c47009d..ef69611375100 100644 --- a/articles/cognitive-services/Speech-Service/support.md +++ b/articles/cognitive-services/Speech-Service/support.md 
@@ -19,6 +19,7 @@ Are you just starting to explore the functionality of the Speech Services? Are y > [!div class="checklist"] > * Stay informed about new developments in *Azure Cognitive Services*, or find the latest news related to *Speech service*. +> * Release notes contain information for all releases. > * Search to see if your issue was discussed by the community, or if existing documentation for the feature you want to implement already exists. > * If you can't find a satisfactory answer, ask a question on *Stack Overflow*. > * If you find an issue with one of the samples on GitHub, raise a *GitHub* issue. @@ -28,6 +29,10 @@ Are you just starting to explore the functionality of the Speech Services? Are y News about Cognitive Services is collected in the [Cognitive Services blog](https://azure.microsoft.com/blog/topics/cognitive-services/). For the latest information about Speech Services, track the [Speech Services blog](https://azure.microsoft.com/blog/tag/speech-service/). +## Release notes + +The [release notes](https://aka.ms/csspeech/whatsnew) are updated as soon as a new release is available. The notes contain information about new features, improvements, and bug fixes. + ## Search You might find the answer you need in the documentation, the samples, or answers to [Stack Overflow](https://www.stackoverflow.com) questions or in the samples. @@ -46,7 +51,7 @@ Where *{Your Search Terms}* is your search keywords. Azure customers can create and manage support requests in the Azure portal. -* [Azure Portal](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) +* [Azure portal](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) * [Azure portal for the United States government](https://portal.azure.us) ## Post a question to Stack Overflow 
@@ -104,7 +109,7 @@ Which version of the SDK are you using. **Additional context** - Error messages, log information, stack trace, ... - - If you report an error for a specific service interaction, please report the SessionId and time (incl. timezone) of the reported incidents. The SessionId is reported in all call-backs/events you receive. + - If you report an error for a specific service interaction, report the SessionId and time (incl. timezone) of the reported incidents. The SessionId is reported in all call-backs/events you receive. - Any other additional information diff --git a/articles/cognitive-services/Speech-Service/swagger-documentation.md b/articles/cognitive-services/Speech-Service/swagger-documentation.md new file mode 100644 index 0000000000000..a957bfc492e63 --- /dev/null +++ b/articles/cognitive-services/Speech-Service/swagger-documentation.md 
@@ -0,0 +1,45 @@
+---
+title: Swagger documentation - Speech Services
+titleSuffix: Azure Cognitive Services
+description: The Swagger documentation can be used to auto-generate SDks for a number of programming languages. All operations in our service are supported by Swagger
+services: cognitive-services
+author: PanosPeriorellis
+manager: nitinme
+ms.service: cognitive-services
+ms.subservice: speech-service
+ms.topic: overview
+ms.date: 04/12/2019
+ms.author: erhopf
+---
+
+# Swagger documentation
+
+The Speech Services offer a Swagger specification to interact with a handful of REST APIs used to import data, create models, test model accuracy, create custom endpoints, queue up batch transcriptions, and manage subscriptions. Most operations available through the Custom Speech portal can be completed programmatically using these APIs.
+
+> [!NOTE]
+> Both Speech-to-Text and Text-to-Speech operations are supported available as REST APIs, which are in turn documented in the Swagger specification.
+
+## Generating code from the Swagger specification
+
+The [Swager specification](https://cris.ai/swagger/ui/index) has options that allow you to quickly test for various paths. However, sometimes it's desirable to generate code for all paths, creating a single library of calls that you can base future solutions on. Let's take a look at the process to generate a Python library.
+
+You'll need to set Swagger to the same region as your Speech Service subscription. You can confirm your region in the Azure portal under your Speech Services resource. For a complete list of supported regions, see [Regions](regions.md).
+
+1. Go to https://editor.swagger.io
+2. Click **File**, then click **Import**
+3. Enter the swagger URL including the region for your Speech Services subscription `https://.cris.ai/docs/v2.0/swagger`
+4. Click **Generate Client** and select Python
+5. Save the client library
+
+You can use the Python library that you generated with the [Speech Services samples on GitHub](https://aka.ms/csspeech/samples).
+
+## Reference docs
+
+* [REST (Swagger): Batch transcription and customization](https://westus.cris.ai/swagger/ui/index)
+* [REST API: Speech-to-text](rest-speech-to-text.md)
+* [REST API: Text-to-speech](rest-text-to-speech.md)
+
+## Next steps
+
+* [Speech Services samples on GitHub](https://aka.ms/csspeech/samples).
+* [Get a Speech Services subscription key for free](get-started.md)
diff --git a/articles/cognitive-services/Speech-Service/text-to-speech.md b/articles/cognitive-services/Speech-Service/text-to-speech.md
index 3ac0d80e0ac3d..e20ae74da20b8 100644
--- a/articles/cognitive-services/Speech-Service/text-to-speech.md
+++ b/articles/cognitive-services/Speech-Service/text-to-speech.md
@@ -1,28 +1,36 @@ --- title: Text-to-speech with Azure Speech Services titleSuffix: Azure Cognitive Services -description: Text-to-speech from Azure Speech Services is a REST-based service that enables your applications, tools, or devices to convert text into natural human-like synthesized speech. Choose from standard and neural voices, or create your own custom voice unique to your product or brand. 75+ standard voices are available in more than 45 languages and locales, and 5 neural voices are available in 4 languages and locales. +description: Text-to-speech from Azure Speech Services is a service that enables your applications, tools, or devices to convert text into natural human-like synthesized speech. Choose from standard and neural voices, or create your own custom voice unique to your product or brand. 75+ standard voices are available in more than 45 languages and locales, and 5 neural voices are available in 4 languages and locales. services: cognitive-services author: erhopf manager: nitinme ms.service: cognitive-services ms.subservice: speech-service ms.topic: conceptual -ms.date: 03/19/2019 +ms.date: 04/04/2019 ms.author: erhopf ms.custom: seodec18 --- # What is text-to-speech? -Text-to-speech from Azure Speech Services is a REST-based service that enables your applications, tools, or devices to convert text into natural human-like synthesized speech. Choose from standard and neural voices, or create your own custom voice unique to your product or brand. 75+ standard voices are available in more than 45 languages and locales, and 5 neural voices are available in 4 languages and locales. For a full list, see [supported languages](language-support.md#text-to-speech). +Text-to-speech from Azure Speech Services is a service that enables your applications, tools, or devices to convert text into natural human-like synthesized speech. Choose from standard and neural voices, or create your own custom voice unique to your product or brand. 
75+ standard voices are available in more than 45 languages and locales, and 5 neural voices are available in 4 languages and locales. For a full list, see [supported languages](language-support.md#text-to-speech). Text-to-speech technology allows content creators to interact with their users in different ways. Text-to-speech can improve accessibility by providing users with an option to interact with content audibly. Whether the user has a visual impairment, a learning disability, or requires navigation information while driving, text-to-speech can improve an existing experience. Text-to-speech is also a valuable add-on for voice bots and virtual assistants. +### Standard voices + +Standard voices are created using Statistical Parametric Synthesis and/or Concatenation Synthesis techniques. These voices are highly intelligible and sound quite natural. You can easily enable your applications to speak in more than 45 languages, with a wide range of voice options. These voices provide high pronunciation accuracy, including support for abbreviations, acronym expansions, date/time interpretations, polyphones, and more. Use standard voice to improve accessibility for your applications and services by allowing users to interact with your content audibly. + ### Neural voices +Neural voices use deep neural networks to overcome the limits of traditional text-to-speech systems in matching the patterns of stress and intonation in spoken language, and in synthesizing the units of speech into a computer voice. Standard text-to-speech breaks down prosody into separate linguistic analysis and acoustic prediction steps that are governed by independent models. That can result in muffled, buzzy voice synthesis. Our neural capability does prosody prediction and voice synthesis simultaneously, which results in a more fluid and natural-sounding voice. 
+ Neural voices can be used to make interactions with chatbots and virtual assistants more natural and engaging, convert digital texts such as e-books into audiobooks and enhance in-car navigation systems. With the human-like natural prosody and clear articulation of words, Neural voices significantly reduce listening fatigue when you interact with AI systems. For more information about neural voices, see [supported languages](language-support.md#text-to-speech). +To learn more about the benefits of neural voices, see [Microsoft’s new neural text-to-speech service helps machines speak like people](https://azure.microsoft.com/blog/microsoft-s-new-neural-text-to-speech-service-helps-machines-speak-like-people/). + ### Custom voices Voice customization lets you create a recognizable, one-of-a-kind voice for your brand. To create your custom voice font, you make a studio recording and upload the associated scripts as the training data. The service then creates a unique voice model tuned to your recording. You can use this custom voice font to synthesize speech. For more information, see [custom voices](how-to-customize-voice-font.md). 
@@ -33,23 +41,30 @@ This table lists the core features for text-to-speech: | Use case | SDK | REST | |----------|-----|------| -| Convert text to speech. | No | Yes | +| Convert text to speech. | Yes | Yes | | Upload datasets for voice adaptation. | No | Yes\* | | Create and manage voice font models. | No | Yes\* | | Create and manage voice font deployments. | No | Yes\* | | Create and manage voice font tests. | No | Yes\* | | Manage subscriptions. | No | Yes\* | -\* *These services are available using the cris.ai endpoint. See [Swagger reference](https://westus.cris.ai/swagger/ui/index).* - -> [!NOTE] -> The text-to-speech endpoint implements throttling that limits requests to 25 per 5 seconds. When throttling occurs, you'll be notified via message headers. +\* *These services are available using the cris.ai endpoint. See [Swagger reference](https://westus.cris.ai/swagger/ui/index). These custom voice training and management APIs implement throttling that limits requests to 25 per 5 seconds, while the speech synthesis API itself implements throttling that allows 200 requests per second as the highest. When throttling occurs, you'll be notified via message headers.* ## Get started with text to speech We offer quickstarts designed to have you running code in less than 10 minutes. This table includes a list of text-to-speech quickstarts organized by language. 
-| Quickstart | Platform | API reference | +### SDK quickstarts + +| Quickstart (SDK) | Platform | API reference | +|------------|----------|---------------| +| [C#, .NET Framework](quickstart-text-to-speech-dotnet-windows.md) | Windows | [Browse](https://aka.ms/csspeech/csharpref) | +| [C++](quickstart-text-to-speech-cpp-windows.md) | Windows | [Browse](https://aka.ms/csspeech/cppref) | +| [C++](quickstart-text-to-speech-cpp-linux.md) | Linux | [Browse](https://aka.ms/csspeech/cppref) | + +### REST quickstarts + +| Quickstart (REST) | Platform | API reference | |------------|----------|---------------| | [C#, .NET Core](quickstart-dotnet-text-to-speech.md) | Windows, macOS, Linux | [Browse](https://docs.microsoft.com/azure/cognitive-services/speech-service/rest-apis) | | [Node.js](quickstart-nodejs-text-to-speech.md) | Window, macOS, Linux | [Browse](https://docs.microsoft.com/azure/cognitive-services/speech-service/rest-apis) | @@ -59,6 +74,7 @@ We offer quickstarts designed to have you running code in less than 10 minutes. Sample code for text-to-speech is available on GitHub. These samples cover text-to-speech conversion in most popular programming languages. +* [Text-to-speech samples (SDK)](https://github.com/Azure-Samples/cognitive-services-speech-sdk) * [Text-to-speech samples (REST)](https://github.com/Azure-Samples/Cognitive-Speech-TTS) ## Reference docs diff --git a/articles/cognitive-services/Speech-Service/toc.yml b/articles/cognitive-services/Speech-Service/toc.yml index 9ca07f2164c04..b741cb61c10a3 100644 --- a/articles/cognitive-services/Speech-Service/toc.yml +++ b/articles/cognitive-services/Speech-Service/toc.yml 
@@ -39,10 +39,13 @@ - name: 'C++ (Linux)' href: quickstart-cpp-linux.md displayName: recognize speech, speech recognition, speech-to-text, stt + - name: 'C++ (macOS)' + href: quickstart-cpp-macos.md + displayName: recognize speech, speech recognition, speech-to-text, stt - name: 'Java (Android)' href: quickstart-java-android.md displayName: recognize speech, speech recognition, speech-to-text, stt - - name: 'Java (Windows, Linux)' + - name: 'Java (Windows, macOS, Linux)' href: quickstart-java-jre.md displayName: recognize speech, speech recognition, speech-to-text, stt, jre, jvm - name: 'JavaScript (Browser)' @@ -53,6 +56,9 @@ - name: 'Objective-C (iOS)' href: quickstart-objectivec-ios.md displayName: recognize speech, speech recognition, speech-to-text, stt, xcode + - name: 'Objective-C (macOS)' + href: quickstart-objective-c-macos.md + displayName: recognize speech, speech recognition, speech-to-text, stt, xcode - name: 'Python' href: quickstart-python.md displayName: recognize speech, speech recognition, speech-to-text, stt @@ -69,6 +75,17 @@ href: quickstart-translate-speech-cpp-windows.md - name: 'Java (Windows, Linux)' href: quickstart-translate-speech-java-jre.md + - name: Text-to-speech + items: + - name: 'C# (.NET Framework Windows)' + href: quickstart-text-to-speech-dotnet-windows.md + displayName: synthesize speech, speech synthesis, text-to-speech, tts + - name: 'C++ (Windows)' + href: quickstart-text-to-speech-cpp-windows.md + displayName: synthesize speech, speech synthesis, text-to-speech, tts + - name: 'C++ (Linux)' + href: quickstart-text-to-speech-cpp-linux.md + displayName: synthesize speech, speech synthesis, text-to-speech, tts - name: REST APIs items: - name: List supported voices by region 
@@ -95,16 +112,22 @@
 displayName: recognize intent, intent recognition, language understanding service, luis
 - name: How-to guides
 items:
- - name: Sign-up for the Speech Services
+ - name: Sign up for the Speech Services
 href: get-started.md
 - name: Batch transcription (REST)
 href: batch-transcription.md
 displayName: recognize speech, speech recognition, speech-to-text, stt
 - name: Consume audio input streams (SDK)
 href: how-to-use-audio-input-streams.md
+ - name: Consume compressed audio input streams (SDK)
+ href: how-to-use-compressed-audio-input-streams.md
+ displayName: mp3, opus, ogg, flac
 - name: Select an audio input device (SDK)
 href: how-to-select-audio-input-devices.md
 displayName: audio, microphone, input, device
+ - name: Enable logging (SDK)
+ href: how-to-use-logging.md
+ displayName: debug, log, logging
 - name: Customization
 items:
 - name: Speech-to-text
@@ -161,7 +184,7 @@
 href: https://aka.ms/csspeech/csharpref
 - name: Java/Android
 href: https://aka.ms/csspeech/javaref
- - name: Javascript/Node.js
+ - name: JavaScript/Node.js
 href: https://aka.ms/csspeech/javascriptref
 - name: Objective-C
 href: https://aka.ms/csspeech/objectivecref
@@ -184,6 +207,11 @@
 - name: Batch transcription & customization
 href: https://westus.cris.ai/swagger/ui/index
 displayName: Batch transcription, transcription, custom models, customization, model management
+ - name: Webhooks
+ href: webhooks.md
+ displayName: Webhooks
+ - name: Swagger documentation
+ href: swagger-documentation.md
 - name: Speech Synthesis Markup Language (SSML)
 href: speech-synthesis-markup.md
 - name: PowerShell
diff --git a/articles/cognitive-services/Speech-Service/webhooks.md b/articles/cognitive-services/Speech-Service/webhooks.md
new file mode 100644
index 0000000000000..2accde6f8534c
--- /dev/null
+++ b/articles/cognitive-services/Speech-Service/webhooks.md
@@ -0,0 +1,139 @@
+---
+title: Webhooks - Speech Services
+titlesuffix: Azure Cognitive Services
+description: Webhooks are HTTP call backs ideal for optimizing your solution when dealing with long running processes like imports, adaptation, accuracy tests, or transcriptions of long running files.
+services: cognitive-services
+author: PanosPeriorellis
+manager: nitinme
+ms.service: cognitive-services
+ms.subservice: speech-service
+ms.topic: conceptual
+ms.date: 04/11/2019
+ms.author: panosper
+ms.custom: seodec18
+---
+
+# Webhooks for Speech Services
+
+Webhooks are like HTTP callbacks that allow your application to accept data from the Speech Services when it becomes available. Using webhooks, you can optimize your use of our REST APIs by eliminating the need to continuously poll for a response. In the next few sections, you'll learn how to use webhooks with the Speech Services.
+
+## Supported operations
+
+The Speech Services support webhooks for all long running operations. Each of the operations listed below can trigger an HTTP callback upon completion.
+
+* DataImportCompletion
+* ModelAdaptationCompletion
+* AccuracyTestCompletion
+* TranscriptionCompletion
+* EndpointDeploymentCompletion
+* EndpointDataCollectionCompletion
+
+Next, let's create a webhook.
+
+## Create a webhook
+
+Let's create a webhook for an offline transcription. The scenario: a user has a long running audio file that they would like to transcribe asynchronously with the Batch Transcription API.
+
+Configuration parameters for the request are provided as JSON:
+
+```json
+{
+ "configuration": {
+ "url": "https://your.callback.url/goes/here",
+ "secret": ""
+ },
+ "events": [
+ "TranscriptionCompletion"
+ ],
+ "active": true,
+ "name": "TranscriptionCompletionWebHook",
+ "description": "This is a Webhook created to trigger an HTTP POST request when my audio file transcription is completed.",
+ "properties": {
+ "Active" : "True"
+ }
+
+}
+```
+All POST requests to the Batch Transcription API require a `name`. The `description` and `properties` parameters are optional.
+
+The `Active` property is used to switch calling back into your URL on and off without having to delete and re-create the webhook registration. If you only need to call back once after the process has complete, then delete the webhook and switch the `Active` property to false.
+
+The event type `TranscriptionCompletion` is provided in the events array. It will call back to your endpoint when a transcription gets into a terminal state (`Succeeded` or `Failed`). When calling back to the registered URL, the request will contain an `X-MicrosoftSpeechServices-Event` header containing one of the registered event types. There is one request per registered event type.
+
+There is one event type that you cannot subscribe to. It is the `Ping` event type. A request with this type is sent to the URL when finished creating a webhook when using the ping URL (see below).
+
+In the configuration, the `url` property is required. POST requests are sent to this URL. The `secret` is used to create a SHA256 hash of the payload, with the secret as an HMAC key. The hash is set as the `X-MicrosoftSpeechServices-Signature` header when calling back to the registered URL. This header is Base64 encoded.
+
+This sample illustrates how to validate a payload using C#:
+
+```csharp
+
+private const string EventTypeHeaderName = "X-MicrosoftSpeechServices-Event";
+private const string SignatureHeaderName = "X-MicrosoftSpeechServices-Signature";
+
+[HttpPost]
+public async Task PostAsync([FromHeader(Name = EventTypeHeaderName)]WebHookEventType eventTypeHeader, [FromHeader(Name = SignatureHeaderName)]string signature)
+{
+ string body = string.Empty;
+ using (var streamReader = new StreamReader(this.Request.Body))
+ {
+ body = await streamReader.ReadToEndAsync().ConfigureAwait(false);
+ var secretBytes = Encoding.UTF8.GetBytes("my_secret");
+ using (var hmacsha256 = new HMACSHA256(secretBytes))
+ {
+ var contentBytes = Encoding.UTF8.GetBytes(body);
+ var contentHash = hmacsha256.ComputeHash(contentBytes);
+ var storedHash = Convert.FromBase64String(signature);
+ var validated = contentHash.SequenceEqual(storedHash);
+ }
+ }
+
+ switch (eventTypeHeader)
+ {
+ case WebHookEventType.Ping:
+ // Do your ping event related stuff here (or ignore this event)
+ break;
+ case WebHookEventType.TranscriptionCompletion:
+ // Do your subscription related stuff here.
+ break;
+ default:
+ break;
+ }
+
+ return this.Ok();
+}
+
+```
+In this code snippet, the `secret` is decoded and validated. You'll also notice that the webhook event type has been switched. Currently there is one event per completed transcription. The code retries five times for each event (with a one second delay) before giving up.
+
+### Other webhook operations
+
+To get all registered webhooks:
+GET https://westus.cris.ai/api/speechtotext/v2.1/transcriptions/hooks
+
+To get one specific webhook:
+GET https://westus.cris.ai/api/speechtotext/v2.1/transcriptions/hooks/:id
+
+To remove one specific webhook:
+DELETE https://westus.cris.ai/api/speechtotext/v2.1/transcriptions/hooks/:id
+
+> [!Note]
+> In the example above, the region is 'westus'. This should be replaced by the region where you've created your Speech Services resource in the Azure portal.
+
+POST https://westus.cris.ai/api/speechtotext/v2.1/transcriptions/hooks/:id/ping
+Body: empty
+
+Sends a POST request to the registered URL. The request contains an `X-MicrosoftSpeechServices-Event` header with a value ping. If the webhook was registered with a secret, it will contain an `X-MicrosoftSpeechServices-Signature` header with an SHA256 hash of the payload with the secret as HMAC key. The hash is Base64 encoded.
+
+POST https://westus.cris.ai/api/speechtotext/v2.1/transcriptions/hooks/:id/test
+Body: empty
+
+Sends a POST request to the registered URL if an entity for the subscribed event type (transcription) is present in the system and is in the appropriate state. The payload will be generated from the last entity that would have invoked the web hook. If no entity is present, the POST will respond with 204. If a test request can be made, it will respond with 200. The request body is of the same shape as in the GET request for a specific entity the web hook has subscribed for (for instance transcription). The request will have the `X-MicrosoftSpeechServices-Event` and `X-MicrosoftSpeechServices-Signature` headers as described before.
+
+### Run a test
+
+A quick test can be done using the website https://bin.webhookrelay.com. From there, you can obtain call back URLs to pass as parameter to the HTTP POST for creating a webhook described earlier in the document.
+
+## Next steps
+
+* [Get your Speech trial subscription](https://azure.microsoft.com/try/cognitive-services/)
diff --git a/articles/cognitive-services/Translator/index.yml b/articles/cognitive-services/Translator/index.yml
index f91ec70255b5d..ac36c017bb087 100644
--- a/articles/cognitive-services/Translator/index.yml
+++ b/articles/cognitive-services/Translator/index.yml
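Review bot: In the C# sample of the new webhooks.md, the signature check result is assigned to `validated` inside the inner `using` block and never read, so the `switch` on the event type runs and `this.Ok()` is returned even when the HMAC does not match. Samples like this get copied as-is, so the handler should reject before dispatching, for example `if (!CryptographicOperations.FixedTimeEquals(contentHash, storedHash)) { return this.Unauthorized(); }` (available from .NET Core 2.1), which also replaces the early-exit `SequenceEqual` with a constant-time comparison. `Convert.FromBase64String(signature)` throws when the header is missing or malformed, so a null/format guard that returns 400 or 401 belongs in front of it. The literal `"my_secret"` would be better shown as a value read from configuration, with a comment such as `// load the webhook secret from app settings or a secret store, never from source`. The sentence after the sample ("the `secret` is decoded and validated") should then state that a request whose signature does not match is rejected.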
@@ -94,7 +94,7 @@ sections: - type: paragraph text: "Learn how to develop applications using the Translator Text API:" - type: paragraph - text: Write a WPF application for Translator Text using C# + text:
  • Create a WPF app for Translator Text, C#
  • Create a Flask translation app, Python
  • - title: Reference items: - type: paragraph diff --git a/articles/cognitive-services/Translator/language-support.md b/articles/cognitive-services/Translator/language-support.md index c7f5c0990c684..53bbf5211c041 100644 --- a/articles/cognitive-services/Translator/language-support.md +++ b/articles/cognitive-services/Translator/language-support.md @@ -17,6 +17,8 @@ The Translator Text API supports the following languages for text to text transl [Learn more about how machine translation works](https://www.microsoft.com/translator/mt.aspx) +## Translation + **V2 Translator API** > [!NOTE] @@ -28,7 +30,10 @@ The Translator Text API supports the following languages for text to text transl * Neural only: Only neural translation is available. **V3 Translator API** -The V3 Translator API is neural by default and statistical systems are only available when no neural system exists. Custom Translator can only be used with neural languages. [View languages currently available in Custom Translator](#customization). +The V3 Translator API is neural by default and statistical systems are only available when no neural system exists. + +> [!NOTE] +> Currently, a subset of the neural languages are available in Custom Translator and we are gradually adding additional ones. [View languages currently available in Custom Translator](#customization). |Language| Language code| V2 API| V3 API| |:-----|:-----:|:-----|:-----| 
@@ -183,77 +188,8 @@ The dictionary supports the following languages to or from English using the Loo ## Detect -The following languages are supported by the Detect method. Detect may identify languages that the Microsoft Translator can't translate. +Translator Text API detects all languages available for translation and transliteration. -| Language | -|:----------- | -| Afrikaans | -| Albanian | -| Arabic | -| Basque | -| Belarusian | -| Bulgarian | -| Catalan | -| Chinese | -| Chinese (Simplified) | -| Chinese (Traditional) | -| Croatian | -| Czech | -| Danish | -| Dutch | -| English | -| Esperanto | -| Estonian | -| Finnish | -| French | -| Galician | -| German | -| Greek | -| Haitian Creole | -| Hebrew | -| Hindi | -| Hungarian | -| Icelandic | -| Indonesian | -| Irish | -| Italian | -| Japanese | -| Korean | -| Kurdish (Arabic) | -| Kurdish (Latin) | -| Latin | -| Latvian | -| Lithuanian | -| Macedonian | -| Malay | -| Maltese | -| Norwegian | -| Norwegian (Nynorsk) | -| Pashto | -| Persian | -| Polish | -| Portuguese | -| Romanian | -| Russian | -| Serbian (Cyrillic) | -| Serbian (Latin) | -| Slovak | -| Slovenian | -| Somali | -| Spanish | -| Swahili | -| Swedish | -| Tagalog | -| Telugu | -| Thai | -| Turkish | -| Ukrainian | -| Urdu | -| Uzbek (Cyrillic) | -| Uzbek (Latin) | -| Vietnamese | -| Welsh | -| Yiddish | ## Access the Translator Text API language list programmatically @@ -286,6 +222,7 @@ The following languages are available for customization to or from English using | Hindi | `hi` | | Hungarian | `hu` | | Icelandic | `is` | +| Indonesian| `id` | | Italian | `it` | | Japanese | `ja` | | Korean | `ko` | diff --git a/articles/cognitive-services/Translator/reference/v2-0-reference.md b/articles/cognitive-services/Translator/reference/v2-0-reference.md index 5faeeffa6f7e5..a9ab83aef4048 100644 --- a/articles/cognitive-services/Translator/reference/v2-0-reference.md +++ b/articles/cognitive-services/Translator/reference/v2-0-reference.md 
@@ -41,7 +41,7 @@ If you want to avoid getting profanity in the translation, regardless of the pre |ProfanityAction |Action |Example Source (Japanese) |Example Translation (English) | |:--|:--|:--|:--| |NoAction |Default. Same as not setting the option. Profanity will pass from source to target. |彼はジャッカスです。 |He is a jackass. | -|Marked |Profane words will be surrounded by XML tags and . |彼はジャッカスです。 |He is a jackass. | +|Marked |Profane words will be surrounded by XML tags \ and \. |彼はジャッカスです。 |He is a \jackass\. | |Deleted |Profane words will be removed from the output without replacement. |彼はジャッカスです。 |He is a. | diff --git a/articles/cognitive-services/Translator/reference/v3-0-break-sentence.md b/articles/cognitive-services/Translator/reference/v3-0-break-sentence.md index 439b6a885684f..c128a6c02a795 100644 --- a/articles/cognitive-services/Translator/reference/v3-0-break-sentence.md +++ b/articles/cognitive-services/Translator/reference/v3-0-break-sentence.md @@ -52,8 +52,8 @@ Request headers include: Headers Description - _One authorization_
    _header_ - *Required request header*.
    See [available options for authentication](./v3-0-reference.md#authentication). + Authentication header(s) + Required request header.
    See available options for authentication. Content-Type diff --git a/articles/cognitive-services/Translator/reference/v3-0-detect.md b/articles/cognitive-services/Translator/reference/v3-0-detect.md index 236829cc928c3..f2fc63185f27e 100644 --- a/articles/cognitive-services/Translator/reference/v3-0-detect.md +++ b/articles/cognitive-services/Translator/reference/v3-0-detect.md @@ -44,8 +44,8 @@ Request headers include: Headers Description - _One authorization_
    _header_ - *Required request header*.
    See [available options for authentication](./v3-0-reference.md#authentication). + Authentication header(s) + Required request header.
    See available options for authentication. Content-Type diff --git a/articles/cognitive-services/Translator/reference/v3-0-dictionary-examples.md b/articles/cognitive-services/Translator/reference/v3-0-dictionary-examples.md index b4892244c8845..06e14bfd10a34 100644 --- a/articles/cognitive-services/Translator/reference/v3-0-dictionary-examples.md +++ b/articles/cognitive-services/Translator/reference/v3-0-dictionary-examples.md @@ -52,8 +52,8 @@ Request headers include: Headers Description - _One authorization_
    _header_ - *Required request header*.
    See [available options for authentication](./v3-0-reference.md#authentication). + Authentication header(s) + Required request header.
    See available options for authentication. Content-Type diff --git a/articles/cognitive-services/Translator/reference/v3-0-dictionary-lookup.md b/articles/cognitive-services/Translator/reference/v3-0-dictionary-lookup.md index eff05ea2f423b..08b2790a82854 100644 --- a/articles/cognitive-services/Translator/reference/v3-0-dictionary-lookup.md +++ b/articles/cognitive-services/Translator/reference/v3-0-dictionary-lookup.md @@ -52,8 +52,8 @@ Request headers include: Headers Description - _One authorization_
    _header_ - *Required request header*.
    See [available options for authentication](./v3-0-reference.md#authentication). + Authentication header(s) + Required request header.
    See available options for authentication. Content-Type diff --git a/articles/cognitive-services/Translator/reference/v3-0-translate.md b/articles/cognitive-services/Translator/reference/v3-0-translate.md index 7305a94490cc9..3d126e9500770 100644 --- a/articles/cognitive-services/Translator/reference/v3-0-translate.md +++ b/articles/cognitive-services/Translator/reference/v3-0-translate.md @@ -93,8 +93,8 @@ Request headers include: Headers Description - _One authorization_
    _header_ - Required request header.
    See [available options for authentication](./v3-0-reference.md#authentication). + Authentication header(s) + Required request header.
    See available options for authentication. Content-Type diff --git a/articles/cognitive-services/Translator/reference/v3-0-transliterate.md b/articles/cognitive-services/Translator/reference/v3-0-transliterate.md index 3a43c81bf7481..405b8970b300b 100644 --- a/articles/cognitive-services/Translator/reference/v3-0-transliterate.md +++ b/articles/cognitive-services/Translator/reference/v3-0-transliterate.md @@ -56,8 +56,8 @@ Request headers include: Headers Description - _One authorization_
    _header_ - *Required request header*.
    See [available options for authentication](./v3-0-reference.md#authentication). + Authentication header(s) + Required request header.
    See available options for authentication. Content-Type diff --git a/articles/cognitive-services/Translator/toc.yml b/articles/cognitive-services/Translator/toc.yml index c4eb2a88653ce..e0cf519bb94e7 100644 --- a/articles/cognitive-services/Translator/toc.yml +++ b/articles/cognitive-services/Translator/toc.yml @@ -108,6 +108,8 @@ items: - name: Create a WPF app for Translator Text href: tutorial-wpf-translation-csharp.md + - name: Create a Flask translation app + href: tutorial-build-flask-app-translation-synthesis.md - name: Concepts items: - name: Customize and improve text translation diff --git a/articles/cognitive-services/Translator/tutorial-build-flask-app-translation-synthesis.md b/articles/cognitive-services/Translator/tutorial-build-flask-app-translation-synthesis.md new file mode 100644 index 0000000000000..7b3b05e3284f1 --- /dev/null +++ b/articles/cognitive-services/Translator/tutorial-build-flask-app-translation-synthesis.md 
@@ -0,0 +1,960 @@ +--- +title: "Tutorial: Build a Flask app to translate, synthesize, and analyze text - Translator Text API" +titleSuffix: Azure Cognitive Services +description: In this tutorial, you'll build a Flask-based web app that uses Azure Cognitive Services to translate text, analyze sentiment, and synthesize translated text into speech. Our focus is on the Python code and Flask routes that enable our application. We won’t spend much time on the Javascript that controls the app, but provide all the files for you to inspect. +services: cognitive-services +author: erhopf +manager: nitinme +ms.service: cognitive-services +ms.subservice: translator-text +ms.topic: tutorial +ms.date: 04/02/2019 +ms.author: erhopf +--- + +# Tutorial: Build a Flask app with Azure Cognitive Services + +In this tutorial, you'll build a Flask web app that uses Azure Cognitive Services to translate text, analyze sentiment, and synthesize translated text into speech. Our focus is on the Python code and Flask routes that enable our application, however, we will help you out with the HTML and Javascript that pulls the app together. If you run into any issues let us know using the feedback button below. + +Here's what this tutorial covers: + +> [!div class="checklist"] +> * Get Azure subscription keys +> * Set up your development environment and install dependencies +> * Create a Flask app +> * Use the Translator Text API to translate text +> * Use Text Analytics to analyze positive/negative sentiment of input text and translations +> * Use Speech Services to convert translated text into synthesized speech +> * Run your Flask app locally + +> [!TIP] +> If you'd like to skip ahead and see all the code at once, the entire sample, along with build instructions are available on [GitHub](https://github.com/MicrosoftTranslator/Text-Translation-API-V3-Flask-App-Tutorial). + +## What is Flask? + +Flask is a microframework for creating web applications. 
This means Flask provides you with tools, libraries, and technologies that allow you to build a web application. This web application can be some web pages, a blog, a wiki or go as substantive as a web-based calendar application or a commercial website. + +For those of you who want to deep dive after this tutorial here are a few helpful links: + +* [Flask documentation](http://flask.pocoo.org/) +* [Flask for Dummies - A Beginner's Guide to Flask](https://codeburst.io/flask-for-dummies-a-beginners-guide-to-flask-part-uno-53aec6afc5b1) + +## Prerequisites + +Let's review the software and subscription keys that you'll need for this tutorial. + +* [Python 3.5.2 or later](https://www.python.org/downloads/) +* [Git tools](https://git-scm.com/downloads) +* An IDE or text editor, such as [Visual Studio Code](https://code.visualstudio.com/) or [Atom](https://atom.io/) +* [Chrome](https://www.google.com/chrome/browser/) or [Firefox](https://www.mozilla.org/firefox) +* A **Translator Text** subscription key (Note that you aren't required to select a region.) +* A **Text Analytics** subscription key in the **West US** region. +* A **Speech Services** subscription key in the **West US** region. + +## Create an account and subscribe to resources + +As previously mentioned, you're going to need three subscription keys for this tutorial. This means that you need to create a resource within your Azure account for: +* Translator Text +* Text Analytics +* Speech Services + +Use [Create a Cognitive Services Account in the Azure portal](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-apis-create-account) for step-by-step instructions to create resources. + +> [!IMPORTANT] +> For this tutorial, please create your resources in the West US region. If using a different region, you'll need to adjust the base URL in each of your Python files. 
+ +## Set up your dev environment + +Before you build your Flask web app, you'll need to create a working directory for your project and install a few Python packages. + +### Create a working directory + +1. Open command line (Windows) or terminal (macOS/Linux). Then, create a working directory and sub directories for your project: + + ``` + mkdir -p flask-cog-services/static/scripts && mkdir flask-cog-services/templates + ``` +2. Change to your project's working directory: + + ``` + cd flask-cog-services + ``` + +### Create and activate your virtual environment with `virtualenv` + +Let's create a virtual environment for our Flask app using `virtualenv`. Using a virtual environment ensures that you have a clean environment to work from. + +1. In your working directory, run this command to create a virtual environment: + **macOS/Linux:** + ``` + virtualenv venv --python=python3 + ``` + We've explicitly declared that the virtual environment should use Python 3. This ensures that users with multiple Python installations are using the correct version. + + **Windows CMD / Windows Bash:** + ``` + virtualenv venv + ``` + To keep things simple, we're naming your virtual environment venv. + +2. The commands to activate your virtual environment will vary depending on your platform/shell: + + | Platform | Shell | Command | + |----------|-------|---------| + | macOS/Linux | bash/zsh | `source venv/bin/activate` | + | Windows | bash | `source venv/Scripts/activate` | + | | Command Line | `venv\Scripts\activate.bat` | + | | PowerShell | `venv\Scripts\Activate.ps1` | + + After running this command, your command line or terminal session should be prefaced with `venv`. + +3. You can deactivate the session at any time by typing this into the command line or terminal: `deactivate`. + +> [!NOTE] +> Python has extensive documentation for creating and managing virtual environments, see [virtualenv](https://virtualenv.pypa.io/en/latest/). 
+ +### Install requests + +Requests is a popular module that is used to send HTTP 1.1 requests. There’s no need to manually add query strings to your URLs, or to form-encode your POST data. + +1. To install requests, run: + + ``` + pip install requests + ``` + +> [!NOTE] +> If you'd like to learn more about requests, see [Requests: HTTP for Humans](http://docs.python-requests.org/en/master/). + +### Install and configure Flask + +Next we need to install Flask. Flask handles the routing for our web app, and allows us to make server-to-server calls that hide our subscription keys from the end user. + +1. To install Flask, run: + ``` + pip install Flask + ``` + Let's make sure Flask was installed. Run: + ``` + flask --version + ``` + The version should be printed to terminal. Anything else means something went wrong. + +2. To run the Flask app, you can either use the flask command or Python’s -m switch with Flask. Before you can do that you need to tell your terminal which app to work with by exporting the `FLASK_APP` environment variable: + + **macOS/Linux**: + ``` + export FLASK_APP=app.py + ``` + + **Windows**: + ``` + set FLASK_APP=app.py + ``` + +## Create your Flask app + +In this section, you're going to create a barebones Flask app that returns an HTML file when users hit the root of your app. Don't spend too much time trying to pick apart the code, we'll come back to update this file later. + +### What is a Flask route? + +Let's take a minute to talk about "[routes](http://flask.pocoo.org/docs/1.0/api/#flask.Flask.route)". Routing is used to bind a URL to a specific function. Flask uses route decorators to register functions to specific URLs. For example, when a user navigates to the root (`/`) of our web app, `index.html` is rendered. + +```python +@app.route('/') +def index(): + return render_template('index.html') +``` + +Let's take a look at one more example to hammer this home. 
+ +```python +@app.route('/about') +def about(): + return render_template('about.html') +``` + +This code ensures that when a user navigates to `http://your-web-app.com/about` that the `about.html` file is rendered. + +While these samples illustrate how to render html pages for a user, routes can also be used to call APIs when a button is pressed, or take any number of actions without having to navigate away from the homepage. You'll see this in action when you create routes for translation, sentiment, and speech synthesis. + +### Get started + +1. Open the project in your IDE, then create a file named `app.py` in the root of your working directory. Next, copy this code into `app.py` and save: + + ```python + from flask import Flask, render_template, url_for, jsonify, request + + app = Flask(__name__) + app.config['JSON_AS_ASCII'] = False + + @app.route('/') + def index(): + return render_template('index.html') + ``` + + This code block tells the app to display `index.html` whenever a user navigates to the root of your web app (`/`). + +2. Next, let's create the front-end for our web app. Create a file named `index.html` in the `templates` directory. Then copy this code into `templates/index.html`. + + ```html + + + + + + + + + + Translate and analyze text with Azure Cognitive Services + + +
    +

    Translate, synthesize, and analyze text with Azure

    +

    This simple web app uses Azure for text translation, text-to-speech conversion, and sentiment analysis of input text and translations. Learn more about Azure Cognitive Services. +

    + + + +
    + + + + + + + + + + ``` + +3. Let's test the Flask app. From the terminal, run: + + ``` + flask run + ``` + +4. Open a browser and navigate to the URL provided. You should see your single page app. Press **Ctrl + c** to kill the app. + +## Translate text + +Now that you have an idea of how a simple Flask app works, let's: + +* Write some Python to call the Translator Text API and return a response +* Create a Flask route to call your Python code +* Update the HTML with an area for text input and translation, a language selector, and translate button +* Write Javascript that allows users to interact with your Flask app from the HTML + +### Call the Translator Text API + +The first thing you need to do is write a function to call the Translator Text API. This function will take two arguments: `text_input` and `language_output`. This function is called whenever a user presses the translate button in your app. The text area in the HTML is sent as the `text_input`, and the language selection value in the HTML is sent as `language_output`. + +1. Let's start by creating a file called `translate.py` in the root of your working directory. +2. Next, add this code to `translate.py`. This function takes two arguments: `text_input` and `language_output`. + ```python + import os, requests, uuid, json + + # Don't forget to replace with your Cog Services subscription key! + # If you prefer to use environment variables, see Extra Credit for more info. + subscription_key = 'YOUR_TRANSLATOR_TEXT_SUBSCRIPTION_KEY' + + # Our Flask route will supply two arguments: text_input and language_output. + # When the translate text button is pressed in our Flask app, the Ajax request + # will grab these values from our web app, and use them in the request. + # See main.js for Ajax calls. 
+ def get_translation(text_input, language_output): + base_url = 'https://api.cognitive.microsofttranslator.com' + path = '/translate?api-version=3.0' + params = '&to=' + language_output + constructed_url = base_url + path + params + + headers = { + 'Ocp-Apim-Subscription-Key': subscription_key, + 'Content-type': 'application/json', + 'X-ClientTraceId': str(uuid.uuid4()) + } + + # You can pass more than one object in body. + body = [{ + 'text' : text_input + }] + response = requests.post(constructed_url, headers=headers, json=body) + return response.json() + ``` +3. Add your Translator Text subscription key and save. + +### Add a route to `app.py` + +Next, you'll need to create a route in your Flask app that calls `translate.py`. This route will be called each time a user presses the translate button in your app. + +For this app, your route is going to accept `POST` requests. This is because the function expects the text to translate and an output language for the translation. + +Flask provides helper functions to help you parse and manage each request. In the code provided, `get_json()` returns the data from the `POST` request as JSON. Then using `data['text']` and `data['to']`, the text and output language values are passed to `get_translation()` function available from `translate.py`. The last step is to return the response as JSON, since you'll need to display this data in your web app. + +In the following sections, you'll repeat this process as you create routes for sentiment analysis and speech synthesis. + +1. Open `app.py` and locate the import statement at the top of `app.py` and add the following line: + + ```python + import translate + ``` + Now our Flask app can use the method available via `translate.py`. + +2. 
Copy this code to the end of `app.py` and save: + + ```python + @app.route('/translate-text', methods=['POST']) + def translate_text(): + data = request.get_json() + text_input = data['text'] + translation_output = data['to'] + response = translate.get_translation(text_input, translation_output) + return jsonify(response) + ``` + +### Update `index.html` + +Now that you have a function to translate text, and a route in your Flask app to call it, the next step is to start building the HTML for your app. The HTML below does a few things: + +* Provides a text area where users can input text to translate. +* Includes a language selector. +* Includes HTML elements to render the detected language and confidence scores returned during translation. +* Provides a read-only text area where the translation output is displayed. +* Includes placeholders for sentiment analysis and speech synthesis code that you'll add to this file later in the tutorial. + +Let's update `index.html`. + +1. Open `index.html` and locate these code comments: + ```html + + + + ``` + +2. Replace the code comments with this HTML block: + ```html +
    +
    +
    + +
    + + +
    + +
    + + +
    +
    + + + + + + +
    +
    +
    + +
    +
    + + +
    + + + + + +
    + + + + + +
    +
    + ``` + +The next step is to write some Javascript. This is the bridge between your HTML and Flask route. + +### Create `main.js` + +The `main.js` file is the bridge between your HTML and Flask route. Your app will use a combination of jQuery, Ajax, and XMLHttpRequest to render content, and make `POST` requests to your Flask routes. + +In the code below, content from the HTML is used to construct a request to your Flask route. Specifically, the contents of the text area and the language selector are assigned to variables, and then passed along in the request to `translate-text`. + +The code then iterates through the response, and updates the HTML with the translation, detected language, and confidence score. + +1. From your IDE, create a file named `main.js` in the `static/scripts` directory. +2. Copy this code into `static/scripts/main.js`: + ```javascript + //Initiate jQuery on load. + $(function() { + //Translate text with flask route + $("#translate").on("click", function(e) { + e.preventDefault(); + var translateVal = document.getElementById("text-to-translate").value; + var languageVal = document.getElementById("select-language").value; + var translateRequest = { 'text': translateVal, 'to': languageVal } + + if (translateVal !== "") { + $.ajax({ + url: '/translate-text', + method: 'POST', + headers: { + 'Content-Type':'application/json' + }, + dataType: 'json', + data: JSON.stringify(translateRequest), + success: function(data) { + for (var i = 0; i < data.length; i++) { + document.getElementById("translation-result").textContent = data[i].translations[0].text; + document.getElementById("detected-language-result").textContent = data[i].detectedLanguage.language; + if (document.getElementById("detected-language-result").textContent !== ""){ + document.getElementById("detected-language").style.display = "block"; + } + document.getElementById("confidence").textContent = data[i].detectedLanguage.score; + } + } + }); + }; + }); + // In the following sections, 
you'll add code for sentiment analysis and + // speech synthesis here. + }) + ``` + +### Test translation + +Let's test translation in the app. + +``` +flask run +``` + +Navigate to the provided server address. Type text into the input area, select a language, and press translate. You should get a translation. If it doesn't work, make sure that you've added your subscription key. + +> [!TIP] +> If the changes you've made aren't showing up, or the app doesn't work the way you expect it to, try clearing your cache or opening a private/incognito window. + +Press **CTRL + c** to kill the app, then head to the next section. + +## Analyze sentiment + +The [Text Analytics API](https://docs.microsoft.com/azure/cognitive-services/text-analytics/overview) can be used to perform sentiment analysis, extract key phrases from text, or detect the source language. In this app, we're going to use sentiment analysis to determine if the provided text is positive, neutral, or negative. The API returns a numeric score between 0 and 1. Scores close to 1 indicate positive sentiment, and scores close to 0 indicate negative sentiment. + +In this section, you're going to do a few things: + +* Write some Python to call the Text Analytics API to perform sentiment analysis and return a response +* Create a Flask route to call your Python code +* Update the HTML with an area for sentiment scores, and a button to perform analysis +* Write Javascript that allows users to interact with your Flask app from the HTML + +### Call the Text Analytics API + +Let's write a function to call the Text Analytics API. This function will take four arguments: `input_text`, `input_language`, `output_text`, and `output_language`. This function is called whenever a user presses the run sentiment analysis button in your app. Data provided by the user from the text area and language selector, as well as the detected language and translation output are provided with each request. 
The response object includes sentiment scores for the source and translation. In the following sections, you're going to write some Javascript to parse the response and use it in your app. For now, let's focus on call the Text Analytics API. + +1. Let's create a file called `sentiment.py` in the root of your working directory. +2. Next, add this code to `sentiment.py`. + ```python + import os, requests, uuid, json + + # Don't forget to replace with your Cog Services subscription key! + subscription_key = 'YOUR_TEXT_ANALYTICS_SUBSCRIPTION_KEY' + + # Our Flask route will supply four arguments: input_text, input_language, + # output_text, output_language. + # When the run sentiment analysis button is pressed in our Flask app, + # the Ajax request will grab these values from our web app, and use them + # in the request. See main.js for Ajax calls. + + def get_sentiment(input_text, input_language, output_text, output_language): + base_url = 'https://westus.api.cognitive.microsoft.com/text/analytics' + path = '/v2.0/sentiment' + constructed_url = base_url + path + + headers = { + 'Ocp-Apim-Subscription-Key': subscription_key, + 'Content-type': 'application/json', + 'X-ClientTraceId': str(uuid.uuid4()) + } + + # You can pass more than one object in body. + body = { + 'documents': [ + { + 'language': input_language, + 'id': '1', + 'text': input_text + }, + { + 'language': output_language, + 'id': '2', + 'text': output_text + } + ] + } + response = requests.post(constructed_url, headers=headers, json=body) + return response.json() + ``` +3. Add your Text Analytics subscription key and save. + +### Add a route to `app.py` + +Let's create a route in your Flask app that calls `sentiment.py`. This route will be called each time a user presses the run sentiment analysis button in your app. Like the route for translation, this route is going to accept `POST` requests since the function expects arguments. + +1. 
Open `app.py` and locate the import statement at the top of `app.py` and update it: + + ```python + import translate, sentiment + ``` + Now our Flask app can use the method available via `sentiment.py`. + +2. Copy this code to the end of `app.py` and save: + ```python + @app.route('/sentiment-analysis', methods=['POST']) + def sentiment_analysis(): + data = request.get_json() + input_text = data['inputText'] + input_lang = data['inputLanguage'] + output_text = data['outputText'] + output_lang = data['outputLanguage'] + response = sentiment.get_sentiment(input_text, input_lang, output_text, output_lang) + return jsonify(response) + ``` + +### Update `index.html` + +Now that you have a function to run sentiment analysis, and a route in your Flask app to call it, the next step is to start writing the HTML for your app. The HTML below does a few things: + +* Adds a button to your app to run sentiment analysis +* Adds an element that explains sentiment scoring +* Adds an element to display the sentiment scores + +1. Open `index.html` and locate these code comments: + ```html + + + + ``` + +2. Replace the code comments with this HTML block: + ```html +
    + + ``` + +### Update `main.js` + +In the code below, content from the HTML is used to construct a request to your Flask route. Specifically, the contents of the text area and the language selector are assigned to variables, and then passed along in the request to the `sentiment-analysis` route. + +The code then iterates through the response, and updates the HTML with the sentiment scores. + +1. From your IDE, create a file named `main.js` in the `static` directory. + +2. Copy this code into `static/scripts/main.js`: + ```javascript + //Run sentinment analysis on input and translation. + $("#sentiment-analysis").on("click", function(e) { + e.preventDefault(); + var inputText = document.getElementById("text-to-translate").value; + var inputLanguage = document.getElementById("detected-language-result").innerHTML; + var outputText = document.getElementById("translation-result").value; + var outputLanguage = document.getElementById("select-language").value; + + var sentimentRequest = { "inputText": inputText, "inputLanguage": inputLanguage, "outputText": outputText, "outputLanguage": outputLanguage }; + + if (inputText !== "") { + $.ajax({ + url: "/sentiment-analysis", + method: "POST", + headers: { + "Content-Type":"application/json" + }, + dataType: "json", + data: JSON.stringify(sentimentRequest), + success: function(data) { + for (var i = 0; i < data.documents.length; i++) { + if (typeof data.documents[i] !== "undefined"){ + if (data.documents[i].id === "1") { + document.getElementById("input-sentiment").textContent = data.documents[i].score; + } + if (data.documents[i].id === "2") { + document.getElementById("translation-sentiment").textContent = data.documents[i].score; + } + } + } + for (var i = 0; i < data.errors.length; i++) { + if (typeof data.errors[i] !== "undefined"){ + if (data.errors[i].id === "1") { + document.getElementById("input-sentiment").textContent = data.errors[i].message; + } + if (data.errors[i].id === "2") { + 
document.getElementById("translation-sentiment").textContent = data.errors[i].message; + } + } + } + if (document.getElementById("input-sentiment").textContent !== '' && document.getElementById("translation-sentiment").textContent !== ""){ + document.getElementById("sentiment").style.display = "block"; + } + } + }); + } + }); + // In the next section, you'll add code for speech synthesis here. + ``` + +### Test sentiment analysis + +Let's test sentiment analysis in the app. + +``` +flask run +``` + +Navigate to the provided server address. Type text into the input area, select a language, and press translate. You should get a translation. Next, press the run sentiment analysis button. You should see two scores. If it doesn't work, make sure that you've added your subscription key. + +> [!TIP] +> If the changes you've made aren't showing up, or the app doesn't work the way you expect it to, try clearing your cache or opening a private/incognito window. + +Press **CTRL + c** to kill the app, then head to the next section. + +## Convert text-to-speech + +The [Text-to-speech API](https://docs.microsoft.com/azure/cognitive-services/speech-service/text-to-speech) enables your app to convert text into natural human-like synthesized speech. The service supports standard, neural, and custom voices. Our sample app uses a handful of the available voices, for a full list, see [supported languages](https://docs.microsoft.com/azure/cognitive-services/speech-service/language-support#text-to-speech). + +In this section, you're going to do a few things: + +* Write some Python to convert text-to-speech with the Text-to-speech API +* Create a Flask route to call your Python code +* Update the HTML with a button to convert text-to-speech, and an element for audio playback +* Write Javascript that allows users to interact with your Flask app + +### Call the Text-to-Speech API + +Let's write a function to convert text-to-speech. 
This function will take two arguments: `input_text` and `voice_font`. This function is called whenever a user presses the convert text-to-speech button in your app. `input_text` is the translation output returned by the call to translate text, `voice_font` is the value from the voice font selector in the HTML. + +1. Let's create a file called `synthesize.py` in the root of your working directory. + +2. Next, add this code to `synthesize.py`. + ```Python + import os, requests, time + from xml.etree import ElementTree + + class TextToSpeech(object): + def __init__(self, input_text, voice_font): + subscription_key = 'YOUR_SPEECH_SERVICES_SUBSCRIPTION_KEY' + self.subscription_key = subscription_key + self.input_text = input_text + self.voice_font = voice_font + self.timestr = time.strftime('%Y%m%d-%H%M') + self.access_token = None + + # This function performs the token exchange. + def get_token(self): + fetch_token_url = 'https://westus.api.cognitive.microsoft.com/sts/v1.0/issueToken' + headers = { + 'Ocp-Apim-Subscription-Key': self.subscription_key + } + response = requests.post(fetch_token_url, headers=headers) + self.access_token = str(response.text) + + # This function calls the TTS endpoint with the access token. 
+ def save_audio(self): + base_url = 'https://westus.tts.speech.microsoft.com/' + path = 'cognitiveservices/v1' + constructed_url = base_url + path + headers = { + 'Authorization': 'Bearer ' + self.access_token, + 'Content-Type': 'application/ssml+xml', + 'X-Microsoft-OutputFormat': 'riff-24khz-16bit-mono-pcm', + 'User-Agent': 'YOUR_RESOURCE_NAME', + } + # Build the SSML request with ElementTree + xml_body = ElementTree.Element('speak', version='1.0') + xml_body.set('{http://www.w3.org/XML/1998/namespace}lang', 'en-us') + voice = ElementTree.SubElement(xml_body, 'voice') + voice.set('{http://www.w3.org/XML/1998/namespace}lang', 'en-US') + voice.set('name', 'Microsoft Server Speech Text to Speech Voice {}'.format(self.voice_font)) + voice.text = self.input_text + # The body must be encoded as UTF-8 to handle non-ascii characters. + body = ElementTree.tostring(xml_body, encoding="utf-8") + + #Send the request + response = requests.post(constructed_url, headers=headers, data=body) + + # Write the response as a wav file for playback. The file is located + # in the same directory where this sample is run. + return response.content + ``` +3. Add your Speech Services subscription key and save. + +### Add a route to `app.py` + +Let's create a route in your Flask app that calls `synthesize.py`. This route will be called each time a user presses the convert text-to-speech button in your app. Like the routes for translation and sentiment analysis, this route is going to accept `POST` requests since the function expects two arguments: the text to synthesize, and the voice font for playback. + +1. Open `app.py` and locate the import statement at the top of `app.py` and update it: + + ```python + import translate, sentiment, synthesize + ``` + Now our Flask app can use the method available via `synthesize.py`. + +2. 
Copy this code to the end of `app.py` and save: + + ```Python + @app.route('/text-to-speech', methods=['POST']) + def text_to_speech(): + data = request.get_json() + text_input = data['text'] + voice_font = data['voice'] + tts = synthesize.TextToSpeech(text_input, voice_font) + tts.get_token() + audio_response = tts.save_audio() + return audio_response + ``` + +### Update `index.html` + +Now that you have a function to convert text-to-speech, and a route in your Flask app to call it, the next step is to start writing the HTML for your app. The HTML below does a few things: + +* Provides a voice selection drop-down +* Adds a button to convert text-to-speech +* Adds an audio element, which is used to play back the synthesized speech + +1. Open `index.html` and locate these code comments: + ```html + + + + ``` + +2. Replace the code comments with this HTML block: + ```html +
    + + +
    + ``` + +3. Next, locate these code comments: + ```html + + + + ``` + +4. Replace the code comments with this HTML block: + +```html + +
    + +
    +``` + +5. Make sure to save your work. + +### Update `main.js` + +In the code below, content from the HTML is used to construct a request to your Flask route. Specifically, the translation and the voice font are assigned to variables, and then passed along in the request to the `text-to-speech` route. + +The code then iterates through the response, and updates the HTML with the sentiment scores. + +1. From your IDE, create a file named `main.js` in the `static` directory. +2. Copy this code into `static/scripts/main.js`: + ```javascript + // Convert text-to-speech + $("#text-to-speech").on("click", function(e) { + e.preventDefault(); + var ttsInput = document.getElementById("translation-result").value; + var ttsVoice = document.getElementById("select-voice").value; + var ttsRequest = { 'text': ttsInput, 'voice': ttsVoice } + + var xhr = new XMLHttpRequest(); + xhr.open("post", "/text-to-speech", true); + xhr.setRequestHeader("Content-Type", "application/json"); + xhr.responseType = "blob"; + xhr.onload = function(evt){ + if (xhr.status === 200) { + audioBlob = new Blob([xhr.response], {type: "audio/mpeg"}); + audioURL = URL.createObjectURL(audioBlob); + if (audioURL.length > 5){ + var audio = document.getElementById("audio"); + var source = document.getElementById("audio-source"); + source.src = audioURL; + audio.load(); + audio.play(); + }else{ + console.log("An error occurred getting and playing the audio.") + } + } + } + xhr.send(JSON.stringify(ttsRequest)); + }); + // Code for automatic language selection goes here. + ``` +3. You're almost done. The last thing you're going to do is add some code to `main.js` to automatically select a voice font based on the language selected for translation. Add this code block to `main.js`: + ```javascript + // Automatic voice font selection based on translation output. 
+ $('select[id="select-language"]').change(function(e) { + if ($(this).val() == "ar"){ + document.getElementById("select-voice").value = "(ar-SA, Naayf)"; + } + if ($(this).val() == "ca"){ + document.getElementById("select-voice").value = "(ca-ES, HerenaRUS)"; + } + if ($(this).val() == "zh-Hans"){ + document.getElementById("select-voice").value = "(zh-HK, Tracy, Apollo)"; + } + if ($(this).val() == "zh-Hant"){ + document.getElementById("select-voice").value = "(zh-HK, Tracy, Apollo)"; + } + if ($(this).val() == "hr"){ + document.getElementById("select-voice").value = "(hr-HR, Matej)"; + } + if ($(this).val() == "en"){ + document.getElementById("select-voice").value = "(en-US, Jessa24kRUS)"; + } + if ($(this).val() == "fr"){ + document.getElementById("select-voice").value = "(fr-FR, HortenseRUS)"; + } + if ($(this).val() == "de"){ + document.getElementById("select-voice").value = "(de-DE, HeddaRUS)"; + } + if ($(this).val() == "el"){ + document.getElementById("select-voice").value = "(el-GR, Stefanos)"; + } + if ($(this).val() == "he"){ + document.getElementById("select-voice").value = "(he-IL, Asaf)"; + } + if ($(this).val() == "hi"){ + document.getElementById("select-voice").value = "(hi-IN, Kalpana, Apollo)"; + } + if ($(this).val() == "it"){ + document.getElementById("select-voice").value = "(it-IT, LuciaRUS)"; + } + if ($(this).val() == "ja"){ + document.getElementById("select-voice").value = "(ja-JP, HarukaRUS)"; + } + if ($(this).val() == "ko"){ + document.getElementById("select-voice").value = "(ko-KR, HeamiRUS)"; + } + if ($(this).val() == "pt"){ + document.getElementById("select-voice").value = "(pt-BR, HeloisaRUS)"; + } + if ($(this).val() == "ru"){ + document.getElementById("select-voice").value = "(ru-RU, EkaterinaRUS)"; + } + if ($(this).val() == "es"){ + document.getElementById("select-voice").value = "(es-ES, HelenaRUS)"; + } + if ($(this).val() == "th"){ + document.getElementById("select-voice").value = "(th-TH, Pattara)"; + } + if ($(this).val() 
== "tr"){ + document.getElementById("select-voice").value = "(tr-TR, SedaRUS)"; + } + if ($(this).val() == "vi"){ + document.getElementById("select-voice").value = "(vi-VN, An)"; + } + }); + ``` + +### Test your app + +Let's test speech synthesis in the app. + +``` +flask run +``` + +Navigate to the provided server address. Type text into the input area, select a language, and press translate. You should get a translation. Next, select a voice, then press the convert text-to-speech button. the translation should be played back as synthesized speech. If it doesn't work, make sure that you've added your subscription key. + +> [!TIP] +> If the changes you've made aren't showing up, or the app doesn't work the way you expect it to, try clearing your cache or opening a private/incognito window. + +That's it, you have a working app that performs translations, analyzes sentiment, and synthesized speech. Press **CTRL + c** to kill the app. Be sure to check out the other [Azure Cognitive Services](https://docs.microsoft.com/azure/cognitive-services/). + +## Get the source code + +The source code for this project is available on [GitHub](https://github.com/MicrosoftTranslator/Text-Translation-API-V3-Flask-App-Tutorial). + +## Next steps + +* [Translator Text API reference](https://docs.microsoft.com/azure/cognitive-services/Translator/reference/v3-0-reference) +* [Text Analytics API reference](https://westus.dev.cognitive.microsoft.com/docs/services/TextAnalytics.V2.0/operations/56f30ceeeda5650db055a3c7) +* [Text-to-speech API reference](https://docs.microsoft.com/azure/cognitive-services/speech-service/rest-text-to-speech) diff --git a/articles/cognitive-services/bing-visual-search/bing-insights-usage.md b/articles/cognitive-services/bing-visual-search/bing-insights-usage.md index f29644e109657..1e1d5b88fbc7b 100644 --- a/articles/cognitive-services/bing-visual-search/bing-insights-usage.md +++ b/articles/cognitive-services/bing-visual-search/bing-insights-usage.md 
@@ -9,7 +9,7 @@ manager: nitinme
 ms.service: cognitive-services
 ms.subservice: bing-visual-search
 ms.topic: conceptual
-ms.date: 04/17/2018
+ms.date: 04/03/2019
 ms.author: scottwhi
 ---
 
@@ -19,67 +19,59 @@ This article contains examples of how Bing might use and display image insights ## PagesIncluding insight example -The following displays a link to the first webpage and lets the user expand and collapse the list of other webpages that include the image. +The following displays a link to the first webpage and lets the user expand and collapse the list of other webpages that include the image: ![Expanded pages including](./media/pages-including.PNG) - ## ShoppingSources insight example -The following shows how Bing might display shopping sources for products seen in the image. +The following shows how Bing might display shopping sources for products seen in the image: ![Shopping sources](./media/shopping-sources.PNG) - ## VisualSearch insight example -The following shows how Bing might display visually similar images (see **Related images** in the example). +The following shows how Bing might display visually similar images (see **Related images** in the example): ![Visually similar images](./media/similar-images.PNG) ## Recipes insight example -The following shows how Bing might display recipes for the food shown in the image. The example lets the user know there are recipes available. +The following shows how Bing might display recipes for the food shown in the image. The example lets the user know there are recipes available: ![Recipes and pages including](./media/recipes-pages-including.PNG) - And provides the link to the recipes when the user expands the list. + And provides the link to the recipes when the user expands the list: ![Expanded recipe pages including](./media/expanded-recipes-pages-including.PNG) - ## RelatedSearches insight example The following shows how Bing might display related searches of images made by others. If the user clicks the image, the user is taken to the Bing.com/images search results page for that related query. 
![Related searches for images](./media/bordered-related-searches.PNG) - ## Entity insight example -The following shows how Bing might display information about the entity (person, place, or thing) shown in the image. If the user clicks the entity link, the user is taken to the Bing.com search results page for the entity. +The following shows how Bing might display information about the entity (person, place, or thing) shown in the image. If the user clicks the entity link, the user is taken to the Bing.com search results page for the entity: ![Entity shown in image](./media/entity.PNG) - ## Displaying other insights that the user might explore The following shows how Bing might display other information about the image that the user can explore. ![Explore other insights about the image](./media/apple-pie-more-tags.PNG) - ## Bounding boxes and hot spots -Non-default tags include the bounding box that identifies the area of interest in the image that the tag applies to. If the bounding box does not identify the entire image, use the bounding box to create a hot spot on the image. The user can click the hot spot to get information related to the content found under the hot spot (or rectangle). For example, if the image is a high fashion image, the results may contain tags (and bounding boxes) for accessories shown in the image, such as a purse, jewelry, scarfs, etc. The following example shows a hot spot rectangle for the sunglasses shown in the image. +Non-default tags include the bounding box that identifies the area of interest in the image that the tag applies to. If the bounding box does not identify the entire image, use the bounding box to create a hot spot on the image. The user can click the hot spot to get information related to the content found under the hot spot (or rectangle). 
For example, if the image is a high-fashion image, the results may contain tags (and bounding boxes) for accessories shown in the image, such as a purse, jewelry, scarfs, and so on. The following example shows a hot-spot rectangle for the sunglasses shown in the image: ![Bounding box and hot spot](./media/click-to-search.PNG) - - ## Next steps -To get started quickly with your first request, see the quickstarts: [C#](quickstarts/csharp.md) | [Java](quickstarts/java.md) | [node.js](quickstarts/nodejs.md) | [Python](quickstarts/python.md) +To get started with your first request, see the quickstarts: [C#](quickstarts/csharp.md) | [Java](quickstarts/java.md) | [node.js](quickstarts/nodejs.md) | [Python](quickstarts/python.md) diff --git a/articles/cognitive-services/bing-visual-search/concepts/sending-queries.md b/articles/cognitive-services/bing-visual-search/concepts/sending-queries.md index 1d4fd0a3337f1..730d802695569 100644 --- a/articles/cognitive-services/bing-visual-search/concepts/sending-queries.md +++ b/articles/cognitive-services/bing-visual-search/concepts/sending-queries.md @@ -9,7 +9,7 @@ manager: nitinme ms.service: cognitive-services ms.subservice: bing-visual-search ms.topic: article -ms.date: 12/18/2018 +ms.date: 4/03/2019 ms.author: aahi --- 
@@ -17,16 +17,15 @@ ms.author: aahi This article describes the parameters and attributes of requests sent to the Bing Visual Search API, as well as the response object. -You can get insights about an image in three ways: +You can get insights about an image in three ways: -- using an insights token that you get from an image in a previous call to one of the [Bing Image Search API](https://docs.microsoft.com/rest/api/cognitiveservices/bing-images-api-v7-reference) endpoints. +- Using an insights token that you get from an image in a previous call to one of the [Bing Image Search API](https://docs.microsoft.com/rest/api/cognitiveservices/bing-images-api-v7-reference) endpoints. - Sending the URL of an image. -- Uploading an image (in binary) - +- Uploading an image (in binary format). ## Bing Visual Search requests -If you send Visual Search an image token or URL, the following shows the JSON object that you must include in the body of the POST. +If you send Visual Search an image token or URL, the following snippet shows the JSON object that you must include in the body of the POST: ```json { 
@@ -48,68 +47,62 @@ If you send Visual Search an image token or URL, the following shows the JSON ob } ``` -The `imageInfo` object must include either the `url` or `imageInsightsToken` field but not both. Set the `url` field to the URL of an Internet accessible image. The maximum supported image size is 1 MB. +The `imageInfo` object must include either the `url` or `imageInsightsToken` field but not both. Set the `url` field to the URL of an Internet-accessible image. The maximum supported image size is 1 MB. The `imageInsightsToken` must be set to an insights token. To get an insights token, call the Bing Image API. The response contains a list of `Image` objects. Each `Image` object contains an `imageInsightsToken` field, which contains the token. -The `cropArea` field is optional. The crop area specifies the top, left corner and bottom, right corner of a region of interest. Specify the values in the range 0.0 through 1.0. The values are a percentage of the overall width or height. For example, the above example marks the right half of the image as the region of interest. Include it if you want to limit the insights request to the region of interest. +The `cropArea` field is optional. The crop area specifies the top-left corner and bottom-right corner of a region of interest. Specify the values in the range 0.0 through 1.0. The values are a percentage of the overall width or height. For example, the above example marks the right half of the image as the region of interest. Include it if you want to limit the insights request to the region of interest. -The `filters` object contains a site filter (see the `site` field) that you can use to restrict the similar images and similar products results to a specific domain. For example, if the image is of a Surface Book, you can set `site` to www.microsoft.com. 
+The `filters` object contains a site filter (see the `site` field) that you can use to restrict the similar images and similar products results to a specific domain. For example, if the image is of a Surface Book, you can set `site` to www.microsoft.com. If you want to get insights about a local copy of an image, upload the image as binary data. For details about including these options in the body of the POST, see [Content form types](#content-form-types). - ### Search endpoint The Visual Search endpoint is: https:\/\/api.cognitive.microsoft.com/bing/v7.0/images/visualsearch. -Requests must be sent as HTTP POST requests only. - +Requests must be sent as HTTP POST requests only. ### Query parameters -The following are the query parameters your request should specify. At a minimum, you should include the `mkt` query parameter. +The following are the query parameters your request should specify. At a minimum, you should include the `mkt` query parameter: -| Name | Value | Type | Required | -|-----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------| -| cc | A 2-character country 
code of the country where the results come from.

    If you set this parameter, you must also specify the [Accept-Language](#acceptlanguage) header. Bing uses the first supported language it finds from the list of languages, and combines the language with the country code that you specify to determine the market to return results from. If the languages list does not include a supported language, Bing finds the closest language and market that supports the request. Or it may use an aggregated or default market for the results instead of the specified one.

    You should use this query parameter and the `Accept-Language` query parameter only if you specify multiple languages; otherwise, you should use the `mkt` and `setLang` query parameters.

    This parameter and the [mkt](#mkt) query parameter are mutually exclusive—do not specify both. | String | No | -|
    mkt | The market where the results come from.

    **NOTE:** You are encouraged to always specify the market, if known. Specifying the market helps Bing route the request and return an appropriate and optimal response.

    This parameter and the [cc](#cc) query parameter are mutually exclusive—do not specify both. | String | Yes | -|
    safeSearch | A filter used to filter adult content. The following are the possible case-insensitive filter values.
    • Off—Return webpages with adult text or images.

    • Moderate—Return webpages with adult text, but not adult images.

    • Strict—Do not return webpages with adult text or images.

    The default is Moderate.

    **NOTE:** If the request comes from a market that Bing's adult policy requires that `safeSearch` be set to Strict, Bing ignores the `safeSearch` value and uses Strict.

    **NOTE:** If you use the `site:` query operator, there is the chance that the response may contain adult content regardless of what the `safeSearch` query parameter is set to. Use `site:` only if you are aware of the content on the site and your scenario supports the possibility of adult content. | String | No | -|
    setLang | The language to use for user interface strings. Specify the language using the ISO 639-1 2-letter language code. For example, the language code for English is EN. The default is EN (English).

    Although optional, you should always specify the language. Typically, you set `setLang` to the same language specified by `mkt` unless the user wants the user interface strings displayed in a different language.

    This parameter and the [Accept-Language](#acceptlanguage) header are mutually exclusive—do not specify both.

    A user interface string is a string that's used as a label in a user interface. There are few user interface strings in the JSON response objects. Also, any links to Bing.com properties in the response objects apply the specified language. | String | No | +| Name | Value | Type | Required | +| --- | --- | --- | --- | +|
    cc | A two-character country code that represents where the results come from.

    If you set this parameter, you must also specify the [Accept-Language](#acceptlanguage) header. Bing uses the first supported language it finds from the list of languages, and combines the language with the country code that you specify to determine the market to return results from. If the languages list does not include a supported language, Bing finds the closest language and market that supports the request. Or it may use an aggregated or default market for the results instead of the specified one.

    You should use this query parameter and the `Accept-Language` query parameter only if you specify multiple languages; otherwise, you should use the `mkt` and `setLang` query parameters.

    This parameter and the [mkt](#mkt) query parameter are mutually exclusive—do not specify both. | String | No | +|
    mkt | The market where the results come from.

    **NOTE:** You should always specify the market, if known. Specifying the market helps Bing route the request and return an appropriate and optimal response.

    This parameter and the [cc](#cc) query parameter are mutually exclusive—do not specify both. | String | Yes | +|
    safeSearch | A filter for adult content. The following are the possible case-insensitive filter values.
    • Off—Return webpages with adult text or images.

    • Moderate—Return webpages with adult text, but not adult images.

    • Strict—Do not return webpages with adult text or images.

    The default is Moderate.

    **NOTE:** If the request comes from a market that Bing's adult policy requires that `safeSearch` be set to Strict, Bing ignores the `safeSearch` value and uses Strict.

    **NOTE:** If you use the `site:` query operator, there is a chance that the response may contain adult content regardless of what the `safeSearch` query parameter is set to. Use `site:` only if you are aware of the content on the site and your scenario supports the possibility of adult content. | String | No | +|
    setLang | The language to use for user interface strings. Specify the language using the ISO 639-1 two-letter language code. For example, the language code for English is EN. The default is EN (English).

    Although optional, you should always specify the language. Typically, you set `setLang` to the same language specified by `mkt` unless the user wants the user interface strings displayed in a different language.

    This parameter and the [Accept-Language](#acceptlanguage) header are mutually exclusive—do not specify both.

    A user interface string is a string that's used as a label in a user interface. There are few user interface strings in the JSON response objects. Also, any links to Bing.com properties in the response objects apply the specified language. | String | No | ## Headers -The following are the headers that your request should specify. The Content-Type and Ocp-Apim-Subscription-Key headers are the only required headers but you should also include User-Agent, X-MSEdge-ClientID, X-MSEdge-ClientIP, and X-Search-Location. - +The following are the headers that your request should specify. The `Content-Type` and `Ocp-Apim-Subscription-Key` headers are the only required headers, but you should also include `User-Agent`, `X-MSEdge-ClientID`, `X-MSEdge-ClientIP`, and `X-Search-Location`. -| Header | Description | -|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|
    Accept-Language | Optional request header.

    A comma-delimited list of languages to use for user interface strings. The list is in decreasing order of preference. For more information, including expected format, see [RFC2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

    This header and the [setLang](#setlang) query parameter are mutually exclusive—do not specify both.

    If you set this header, you must also specify the [cc](#cc) query parameter. To determine the market to return results for, Bing uses the first supported language it finds from the list and combines it with the `cc` parameter value. If the list does not include a supported language, Bing finds the closest language and market that supports the request or it uses an aggregated or default market for the results. To determine the market that Bing used, see the BingAPIs-Market header.

    Use this header and the `cc` query parameter only if you specify multiple languages. Otherwise, use the [mkt](#mkt) and [setLang](#setlang) query parameters.

    A user interface string is a string that's used as a label in a user interface. There are few user interface strings in the JSON response objects. Any links to Bing.com properties in the response objects apply the specified language. | -|
    Content-Type | | -| BingAPIs-Market | Response header.

    The market used by the request. The form is \-\. For example, en-US. | -|
    BingAPIs-TraceId | Response header.

    The ID of the log entry that contains the details of the request. When an error occurs, capture this ID. If you are not able to determine and resolve the issue, include this ID along with the other information that you provide the Support team. | -|
    Ocp-Apim-Subscription-Key | Required request header.

    The subscription key that you received when you signed up for this service in [Cognitive Services](https://www.microsoft.com/cognitive-services/). | -|
    Pragma | | -| User-Agent | Optional request header.

    The user agent originating the request. Bing uses the user agent to provide mobile users with an optimized experience. Although optional, you are encouraged to always specify this header.

    The user-agent should be the same string that any commonly used browser sends. For information about user agents, see [RFC 2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

    The following are examples of user-agent strings.
    • Windows Phone—Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 822)

    • Android—Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; SCH-I500 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML; like Gecko) Version/4.0 Mobile Safari/533.1

    • iPhone—Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML; like Gecko) Mobile/10B142 iPhone4;1 BingWeb/3.03.1428.20120423

    • PC—Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko

    • iPad—Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53
    | -|
    X-MSEdge-ClientID | Optional request and response header.

    Bing uses this header to provide users with consistent behavior across Bing API calls. Bing often flights new features and improvements, and it uses the client ID as a key for assigning traffic on different flights. If you do not use the same client ID for a user across multiple requests, then Bing may assign the user to multiple conflicting flights. Being assigned to multiple conflicting flights can lead to an inconsistent user experience. For example, if the second request has a different flight assignment than the first, the experience may be unexpected. Also, Bing can use the client ID to tailor web results to that client ID’s search history, providing a richer experience for the user.

    Bing also uses this header to help improve result rankings by analyzing the activity generated by a client ID. The relevance improvements help with better quality of results delivered by Bing APIs and in turn enables higher click-through rates for the API consumer.

    **IMPORTANT:** Although optional, you should consider this header required. Persisting the client ID across multiple requests for the same end user and device combination enables 1) the API consumer to receive a consistent user experience, and 2) higher click-through rates via better quality of results from the Bing APIs.

    The following are the basic usage rules that apply to this header.
    • Each user that uses your application on the device must have a unique, Bing generated client ID.

      If you do not include this header in the request, Bing generates an ID and returns it in the X-MSEdge-ClientID response header. The only time that you should NOT include this header in a request is the first time the user uses your app on that device.

    • **ATTENTION:** You must ensure that this Client ID is not linkable to any authenticated user account information.
    • Use the client ID for each Bing API request that your app makes for this user on the device.

    • Persist the client ID. To persist the ID in a browser app, use a persistent HTTP cookie to ensure the ID is used across all sessions. Do not use a session cookie. For other apps such as mobile apps, use the device's persistent storage to persist the ID.

      The next time the user uses your app on that device, get the client ID that you persisted.

    **NOTE:** Bing responses may or may not include this header. If the response includes this header, capture the client ID and use it for all subsequent Bing requests for the user on that device.

    **NOTE:** If you include the X-MSEdge-ClientID, you must not include cookies in the request. | -|
    X-MSEdge-ClientIP | Optional request header.

    The IPv4 or IPv6 address of the client device. The IP address is used to discover the user's location. Bing uses the location information to determine safe search behavior.

    **NOTE:** Although optional, you are encouraged to always specify this header and the X-Search-Location header.

    Do not obfuscate the address (for example, by changing the last octet to 0). Obfuscating the address results in the location not being anywhere near the device's actual location, which may result in Bing serving erroneous results. | -|
    X-Search-Location | Optional request header.

    A semicolon-delimited list of key/value pairs that describe the client's geographical location. Bing uses the location information to determine safe search behavior and to return relevant local content. Specify the key/value pair as \:\. The following are the keys that you use to specify the user's location.

    • lat—Required. The latitude of the client's location, in degrees. The latitude must be greater than or equal to -90.0 and less than or equal to +90.0. Negative values indicate southern latitudes and positive values indicate northern latitudes.

    • long—Required. The longitude of the client's location, in degrees. The longitude must be greater than or equal to -180.0 and less than or equal to +180.0. Negative values indicate western longitudes and positive values indicate eastern longitudes.

    • re—Required. The radius, in meters, which specifies the horizontal accuracy of the coordinates. Pass the value returned by the device's location service. Typical values might be 22m for GPS/Wi-Fi, 380m for cell tower triangulation, and 18,000m for reverse IP lookup.

    • ts—Optional. The UTC UNIX timestamp of when the client was at the location. (The UNIX timestamp is the number of seconds since January 1, 1970.)

    • head—Optional. The client's relative heading or direction of travel. Specify the direction of travel as degrees from 0 through 360, counting clockwise relative to true north. Specify this key only if the `sp` key is nonzero.

    • sp—Optional. The horizontal velocity (speed), in meters per second, that the client device is traveling.

    • alt—Optional. The altitude of the client device, in meters.

    • are—Optional. The radius, in meters, that specifies the vertical accuracy of the coordinates. Specify this key only if you specify the `alt` key.

    **NOTE:** Although many of the keys are optional, the more information that you provide, the more accurate the location results are.

    **NOTE:** Although optional, you are encouraged to always specify the user's geographical location. Providing the location is especially important if the client's IP address does not accurately reflect the user's physical location (for example, if the client uses VPN). For optimal results, you should include this header and the X-MSEdge-ClientIP header, but at a minimum, you should include this header. | - -> [!NOTE] -> Remember that the Terms of Use require compliance with all applicable laws, including regarding use of these headers. For example, in certain jurisdictions, such as Europe, there are requirements to obtain user consent before placing certain tracking devices on user devices. +| Header | Description | +| --- | --- | +|
    Accept-Language | Optional request header.

    A comma-delimited list of languages to use for user interface strings. The list is in decreasing order of preference. For more information, including expected format, see [RFC2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

    This header and the [setLang](#setlang) query parameter are mutually exclusive—do not specify both.

    If you set this header, you must also specify the [cc](#cc) query parameter. To determine the market to return results for, Bing uses the first supported language it finds from the list and combines it with the `cc` parameter value. If the list does not include a supported language, Bing finds the closest language and market that supports the request or it uses an aggregated or default market for the results. To determine the market that Bing used, see the `BingAPIs-Market` header.

    Use this header and the `cc` query parameter only if you specify multiple languages. Otherwise, use the [mkt](#mkt) and [setLang](#setlang) query parameters.

    A user interface string is a string that's used as a label in a user interface. There are few user interface strings in the JSON response objects. Any links to Bing.com properties in the response objects apply the specified language. | +|
    Content-Type | | +| BingAPIs-Market | Response header.

    The market used by the request. The form is \-\. For example, en-US. | +|
    BingAPIs-TraceId | Response header.

    The ID of the log entry that contains the details of the request. When an error occurs, capture this ID. If you are not able to determine and resolve the issue, include this ID along with the other information that you provide the Support team. | +|
    Ocp-Apim-Subscription-Key | Required request header.

    The subscription key that you received when you signed up for this service in [Cognitive Services](https://www.microsoft.com/cognitive-services/). | +|
    Pragma | | +| User-Agent | Optional request header.

    The user agent originating the request. Bing uses the user agent to provide mobile users with an optimized experience. Although optional, you are encouraged to always specify this header.

    The user-agent should be the same string that any commonly used browser sends. For information about user-agents, see [RFC 2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

    The following are examples of user-agent strings.
    • Windows Phone—Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 822)

    • Android—Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; SCH-I500 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML; like Gecko) Version/4.0 Mobile Safari/533.1

    • iPhone—Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML; like Gecko) Mobile/10B142 iPhone4;1 BingWeb/3.03.1428.20120423

    • PC—Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko

    • iPad—Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53
    | +|
    X-MSEdge-ClientID | Optional request and response header.

    Bing uses this header to provide users with consistent behavior across Bing API calls. Bing often flights new features and improvements, and it uses the client ID as a key for assigning traffic on different flights. If you do not use the same client ID for a user across multiple requests, then Bing may assign the user to multiple conflicting flights. Being assigned to multiple conflicting flights can lead to an inconsistent user experience. For example, if the second request has a different flight assignment than the first, the experience may be unexpected. Also, Bing can use the client ID to tailor web results to that client ID’s search history, providing a richer experience for the user.

    Bing also uses this header to help improve result rankings by analyzing the activity generated by a client ID. The relevance improvements help with better quality of results delivered by Bing APIs and in turn enables higher click-through rates for the API consumer.

    **IMPORTANT:** Although optional, you should consider this header required. Persisting the client ID across multiple requests for the same end user and device combination enables 1) the API consumer to receive a consistent user experience, and 2) higher click-through rates via better quality of results from the Bing APIs.

    The following are the basic usage rules that apply to this header.
    • Each user that uses your application on the device must have a unique, Bing generated client ID.

      If you do not include this header in the request, Bing generates an ID and returns it in the X-MSEdge-ClientID response header. The only time that you should NOT include this header in a request is the first time the user uses your app on that device.

    • **ATTENTION:** You must ensure that this Client ID is not linkable to any authenticated user account information.
    • Use the client ID for each Bing API request that your app makes for this user on the device.

    • Persist the client ID. To persist the ID in a browser app, use a persistent HTTP cookie to ensure the ID is used across all sessions. Do not use a session cookie. For other apps such as mobile apps, use the device's persistent storage to persist the ID.

      The next time the user uses your app on that device, get the client ID that you persisted.

    **NOTE:** Bing responses may or may not include this header. If the response includes this header, capture the client ID and use it for all subsequent Bing requests for the user on that device.

    **NOTE:** If you include the X-MSEdge-ClientID, you must not include cookies in the request. | +|
    X-MSEdge-ClientIP | Optional request header.

    The IPv4 or IPv6 address of the client device. The IP address is used to discover the user's location. Bing uses the location information to determine safe search behavior.

    **NOTE:** Although optional, you are encouraged to always specify this header and the X-Search-Location header.

    Do not obfuscate the address (for example, by changing the last octet to 0). Obfuscating the address results in the location not being anywhere near the device's actual location, which may result in Bing serving erroneous results. | +|
    X-Search-Location | Optional request header.

    A semicolon-delimited list of key/value pairs that describe the client's geographical location. Bing uses the location information to determine safe search behavior and to return relevant local content. Specify the key/value pair as \:\. The following are the keys that you use to specify the user's location.

    • lat—Required. The latitude of the client's location, in degrees. The latitude must be greater than or equal to -90.0 and less than or equal to +90.0. Negative values indicate southern latitudes and positive values indicate northern latitudes.

    • long—Required. The longitude of the client's location, in degrees. The longitude must be greater than or equal to -180.0 and less than or equal to +180.0. Negative values indicate western longitudes and positive values indicate eastern longitudes.

    • re—Required. The radius, in meters, which specifies the horizontal accuracy of the coordinates. Pass the value returned by the device's location service. Typical values might be 22 m for GPS/Wi-Fi, 380 m for cell tower triangulation, and 18,000 m for reverse IP lookup.

    • ts—Optional. The UTC UNIX timestamp of when the client was at the location. (The UNIX timestamp is the number of seconds since January 1, 1970.)

    • head—Optional. The client's relative heading or direction of travel. Specify the direction of travel as degrees from 0 through 360, counting clockwise relative to true north. Specify this key only if the `sp` key is nonzero.

    • sp—Optional. The horizontal velocity (speed), in meters per second, that the client device is traveling.

    • alt—Optional. The altitude of the client device, in meters.

    • are—Optional. The radius, in meters, that specifies the vertical accuracy of the coordinates. Specify this key only if you specify the `alt` key.

    **NOTE:** Although many of the keys are optional, the more information that you provide, the more accurate the location results are.

    **NOTE:** Although optional, you are encouraged to always specify the user's geographical location. Providing the location is especially important if the client's IP address does not accurately reflect the user's physical location (for example, if the client uses VPN). For optimal results, you should include this header and the `X-MSEdge-ClientIP` header, but at a minimum, you should include this header. | +> [!NOTE] +> Remember that the [Bing Search API use and display requirements](/../bing-web-search/use-display-requirements.md) require compliance with all applicable laws, including regarding use of these headers. For example, in certain jurisdictions, such as Europe, there are requirements to obtain user consent before placing certain tracking devices on user devices.
    ### Content form types -Each request must include the Content-Type header. The header must be set to: multipart/form-data; boundary=\, where \ is a unique, opaque string that identifies the boundary of the form data. For example, boundary=boundary_1234-abcd. - - -If you send Visual Search an image token or URL, the following shows the form data you must include in the body of the POST. The form data must include the Content-Disposition header and its `name` parameter must be set to "knowledgeRequest." For details about the `imageInfo` object, see The request. +Each request must include the `Content-Type` header. The header must be set to: `multipart/form-data; boundary=\`, where \ is a unique, opaque string that identifies the boundary of the form data. For example, `boundary=boundary_1234-abcd`. +If you send Visual Search an image token or URL, the following snippet shows the form data you must include in the body of the POST. The form data must include the `Content-Disposition` header and you must set its `name` parameter to "knowledgeRequest". For details about the `imageInfo` object, see the request. ``` --boundary_1234-abcd 
@@ -124,8 +117,7 @@ Content-Disposition: form-data; name="knowledgeRequest" --boundary_1234-abcd-- ``` -If you upload a local image, the following shows the form data you must include in the body of the POST. The form data must include the Content-Disposition header. Its `name` parameter must be set to "image" and the `filename` parameter may be set to any string. The Content-Type header may be set to any commonly used image mime type. The contents of the form is the binary of the image. The maximum image size you may upload is 1 MB. The largest of the width or height should be 1,500 pixels or less. - +If you upload a local image, the following snippet shows the form data you must include in the body of the POST. The form data must include the `Content-Disposition` header. Its `name` parameter must be set to "image" and the `filename` parameter may be set to any string. The `Content-Type` header may be set to any commonly used image mime type. The contents of the form is the binary data of the image. The maximum image size you may upload is 1 MB. The largest of the width or height should be 1,500 pixels or less. ``` --boundary_1234-abcd @@ -137,7 +129,7 @@ Content-Type: image/jpeg --boundary_1234-abcd-- ``` -The following shows how to specify the region of interest of an uploaded image. +The following snippet shows how to specify the region of interest of an uploaded image: ``` --boundary_1234-abcd @@ -164,12 +156,9 @@ Content-Type: image/jpeg --boundary_1234-abcd-- ``` - - ### Example request -The following shows a complete image insights request that passes an image token and region of interest. You get the insights token from a previous call to /images/search. - +The following snippet shows a complete image insights request that passes an image token and region of interest. You get the insights token from a previous call to /images/search: ``` POST https://api.cognitive.microsoft.com/bing/v7.0/images/visualsearch?mkt=en-us HTTP/1.1 
@@ -198,10 +187,9 @@ Content-Disposition: form-data; name="knowledgeRequest" --boundary_1234-abcd-- ``` - ## Bing Visual Search responses -If there are insights available for the image, the response contains one or more `tags` that contain the insights. The `image` field contains the insights token for the input image. +If there are insights available for the image, the response contains one or more `tags` that contain the insights. The `image` field contains the insights token for the input image: ```json { @@ -219,8 +207,7 @@ If there are insights available for the image, the response contains one or more } ``` -The `tags` field contains a display name and list of actions (insights). One of the tags contains a `displayName` field that is set to an empty string. This tag contains the default insights such as webpages that include the image, visually similar images, and shopping sources for items found in the image. Because the entire image is of interest, the default insights tag doesn't include bounding boxes for the regions of interest. - +The `tags` field contains a display name and list of actions (insights). One of the tags contains a `displayName` field that is set to an empty string. This tag contains the default insights such as webpages that include the image, visually similar images, and shopping sources for items found in the image. Because the entire image is of interest, the default insights tag doesn't include bounding boxes for the regions of interest: ```json { 
@@ -246,11 +233,9 @@ The `tags` field contains a display name and list of actions (insights). One of } ``` -For a list of the default insights, see [Default insights](../default-insights-tag.md). - +For a list of the default insights, see [Default insights tag](../default-insights-tag.md). - -The remaining tags contain other insights that may be of interest to the user. For example, if the image contains text, one of the tags may include a TextResults insight, which contains the recognized text. Or, if Bing recognizes an entity (person, place, or thing) in the image, one of the tags may identify the entity. Visual Search also returns a diverse set of terms (tags) derived from the input image. These tags allow users to explore concepts found in the image. For example, if the input image is of a famous athlete, one of the tags might be Sports, which contains links to images of sports. +The remaining tags contain other insights that may be of interest to the user. For example, if the image contains text, one of the tags may include a TextResults insight, which contains the recognized text. Or, if Bing recognizes an entity (that is, a person, place, or thing) in the image, one of the tags may identify the entity. Visual Search also returns a diverse set of terms (tags) derived from the input image. These tags enable users to explore concepts found in the image. For example, if the input image is of a famous athlete, one of the tags might be Sports, which contains links to images of sports. Each tag includes a display name that you can use to categorize the insight, bounding box that identifies the region of interest that the insight applies to, the insights themselves, and a thumbnail of the image. For example, if the image is of a person wearing a sports jersey, one of the tags might include a bounding box that bounds the jersey and includes VisualSearch and ProductVisualSearch insights. 
And another tag might include an ImageResults insight that contains a URL for an /images/search API request to get images that are topically related or a Bing.com search URL that takes the user to the Bing.com image search results.
@@ -258,7 +243,7 @@ All tags other than the default insights tag include bounding boxes that identif ### Text recognition -If the image contains text that the service recognizes, one of the tags will contain a TextResults insight (action). The insight's `displayName` contains the recognized text. +If the image contains text that the service recognizes, one of the tags will contain a TextResults insight (action). The insight's `displayName` contains the recognized text: ```json {
@@ -288,10 +273,9 @@ If the image contains text that the service recognizes, one of the tags will con } ``` -Because the tag's `displayName` field contains ##TextRecognition, do not use it as a category title in the UX. That goes for any display name that starts with ##. Instead use the action's display name. - +Because the tag's `displayName` field contains ##TextRecognition, do not use it as a category title in the UX. That goes for any display name that starts with ##. Instead, use the action's display name. -Text recognition can also recognize the contact information on business cards, such as phone numbers and email addresses. The bounding box identifies the location of the contact information on the card. +Text recognition can also recognize the contact information on business cards, such as phone numbers and email addresses. The bounding box identifies the location of the contact information on the card. ```json {
@@ -377,7 +361,7 @@ Text recognition can also recognize the contact information on business cards, s } ``` -If the image contains a recognized entity such as a person, place, or thing, one of the tags may include an Entity insight. +If the image contains a recognized entity such as a person, place, or thing, one of the tags may include an Entity insight. ```json {
@@ -412,5 +396,5 @@ If the image contains a recognized entity such as a person, place, or thing, one ## See also -* [What is the Bing Visual Search API](../overview.md) -* [Tutorial: Build a single-page Web app - Bing Visual Search](../tutorial-bing-visual-search-single-page-app.md) +- [What is the Bing Visual Search API?](../overview.md) +- [Tutorial: Create a Visual Search single-page web app](../tutorial-bing-visual-search-single-page-app.md)
diff --git a/articles/cognitive-services/bing-visual-search/default-insights-tag.md b/articles/cognitive-services/bing-visual-search/default-insights-tag.md
index 8168f55643187..e70fbc8a20d36 100644
--- a/articles/cognitive-services/bing-visual-search/default-insights-tag.md
+++ b/articles/cognitive-services/bing-visual-search/default-insights-tag.md
@@ -9,7 +9,7 @@ manager: nitinme ms.service: cognitive-services ms.subservice: bing-visual-search ms.topic: conceptual -ms.date: 04/17/2018 +ms.date: 04/04/2019 ms.author: scottwhi ---
@@ -96,7 +96,7 @@ The default insights tag is the one with the `displayName` field set to an empty ## PagesIncluding insight -The PagesIncluding insight provides a list of webpages that include this image. It's actually a list of Image objects and the `hostPageUrl` field contains the URL to the webpage that includes the image. For example usage, see [PagesIncluding example](./bing-insights-usage.md#pagesincluding-insight-example). +The PagesIncluding insight provides a list of webpages that include this image. It's actually a list of `Image` objects, and the `hostPageUrl` field contains the URL to the webpage that includes the image. For example usage, see [PagesIncluding insight example](./bing-insights-usage.md#pagesincluding-insight-example). ```json {
@@ -135,7 +135,7 @@ The PagesIncluding insight provides a list of webpages that include this image. ## ShoppingSources insight -The ShoppingSources insight provides a list of websites where the user can buy the item shown in the image. The list of offers include the URL of the webpage where the user may buy the item, the price of the item, and rating or review details. For example usage, see [ShoppingSources example](./bing-insights-usage.md#shoppingsources-insight-example). +The ShoppingSources insight provides a list of websites where the user can buy the item shown in the image. The list of offers includes the URL of the webpage where the user can buy the item, the price of the item, and rating or review details. For example usage, see [ShoppingSources example](./bing-insights-usage.md#shoppingsources-insight-example). ```json {
@@ -162,10 +162,9 @@ The ShoppingSources insight provides a list of websites where the user can buy t } ``` - ## MoreSizes insight -The MoreSizes insight identifies the number of sizes (larger or smaller) of the image that Bing found on the Internet (see the `availableSizesCount` field). +The MoreSizes insight identifies the number of sizes (larger or smaller) of the image that Bing found on the Internet (see the `availableSizesCount` field): ```json {
@@ -200,7 +199,7 @@ The MoreSizes insight identifies the number of sizes (larger or smaller) of the ## VisualSearch insight -The VisualSearch insight provides a list of images that are visually similar to the original image (contains content that's similar to the content shown in the original image). For example usage, see [VisualSearch example](./bing-insights-usage.md#visualsearch-insight-example). +The VisualSearch insight provides a list of images that are visually similar to the original image (contains content that's similar to the content shown in the original image). For example usage, see [VisualSearch insight example](./bing-insights-usage.md#visualsearch-insight-example). ```json {
@@ -240,7 +239,7 @@ The VisualSearch insight provides a list of images that are visually similar to ## Recipes insight -The Recipes insight provides a list of webpages that include a recipe for making the food shown in the image. For example usage, see [Recipes example](./bing-insights-usage.md#recipes-insight-example). +The Recipes insight provides a list of webpages that include a recipe for making the food shown in the image. For example usage, see [Recipes insight example](./bing-insights-usage.md#recipes-insight-example). ```json {
@@ -275,7 +274,7 @@ The Recipes insight provides a list of webpages that include a recipe for making ## ImageById insight -The ImageById insight provides an `Image` object of the image that you requested insights of. +The ImageById insight provides an `Image` object of the image that you requested insights for: ```json {
@@ -308,10 +307,9 @@ The ImageById insight provides an `Image` object of the image that you requested }, ``` - ## ProductVisualSearch insight -The ProductVisualSearch insight provides a list of images of products that are visually similar to products shown in the original image. The `insightsMetadata` field may contain information about offers where you can buy the product and the price of the product. +The ProductVisualSearch insight provides a list of images of products that are visually similar to products shown in the original image. The `insightsMetadata` field may contain information about offers where you can buy the product and the price of the product. ```json {
@@ -373,11 +371,9 @@ The ProductVisualSearch insight provides a list of images of products that are v } ``` - ## RelatedSearches insight -The RelatedSearches insight provides a list of related searches made by others (based on other users' search terms). For example usage, see [RelatedSearches example](./bing-insights-usage.md#relatedsearches-insight-example). - +The RelatedSearches insight provides a list of related searches made by others (based on other users' search terms). For example usage, see [RelatedSearches insight example](./bing-insights-usage.md#relatedsearches-insight-example). ```json {
@@ -398,10 +394,9 @@ The RelatedSearches insight provides a list of related searches made by others ( } ``` - ## DocumentLevelSuggestions insight -The DocumentLevelSuggestions insight provides a list of suggested search terms based on the contents of the image. +The DocumentLevelSuggestions insight provides a list of suggested search terms based on the contents of the image: ```json {
@@ -422,10 +417,8 @@ The DocumentLevelSuggestions insight provides a list of suggested search terms b } ``` - - ## Next steps -Check out examples of how Bing might display the visual insights (see [Examples of Bing insights usage](bing-insights-usage.md)). +Check out [Examples of Bing insights usage](bing-insights-usage.md) to see how Bing might display the visual insights. To get started quickly with your first request, see the quickstarts: [C#](quickstarts/csharp.md) | [Java](quickstarts/java.md) | [node.js](quickstarts/nodejs.md) | [Python](quickstarts/python.md).
diff --git a/articles/cognitive-services/bing-visual-search/quickstarts/go.md b/articles/cognitive-services/bing-visual-search/quickstarts/go.md
index d9f0865166114..a27357b3d9e2c 100644
--- a/articles/cognitive-services/bing-visual-search/quickstarts/go.md
+++ b/articles/cognitive-services/bing-visual-search/quickstarts/go.md
@@ -9,24 +9,24 @@ manager: rosh ms.service: cognitive-services ms.subservice: bing-visual-search ms.topic: quickstart -ms.date: 2/20/2019 +ms.date: 4/02/2019 ms.author: rosh --- # Quickstart: Get image insights using the Bing Visual Search REST API and Go -This quickstart uses the Go programming language to call the Bing Visual Search API and display results. A Post request uploads an image to the API endpoint. The results include URLs and descriptive information about images similar to the uploaded image. +This quickstart uses the Go programming language to call the Bing Visual Search API and display results. A POST request uploads an image to the API endpoint. The results include URLs and descriptive information about images similar to the uploaded image. ## Prerequisites + * Install the [Go binaries](https://golang.org/dl/). -* The go-spew deep pretty printer is useful for display of results. - * Install this libarary: `$ go get -u https://github.com/davecgh/go-spew`. +* The go-spew deep pretty printer is used to display results. You can install go-spew with the `$ go get -u https://github.com/davecgh/go-spew` command. [!INCLUDE [bing-web-search-quickstart-signup](../../../../includes/bing-web-search-quickstart-signup.md)] ## Project and libraries -Create a new Go project in your IDE or editor. Then import `net/http` for requests, `ioutil` to read the response, and `encoding/json` to handle the JSON text of results. The `go-spew` library is used to parse JSON results. +Create a Go project in your IDE or editor. Then import `net/http` for requests, `ioutil` to read the response, and `encoding/json` to handle the JSON text of results. The `go-spew` library is used to parse JSON results. ``` package main 
@@ -48,7 +48,7 @@ import ( ## Struct to format results -The `BingAnswer` struct formats data returned in the JSON response, which is multilevel and quite complex. The following implementation covers some of the essentials. +The `BingAnswer` structure formats data returned in the JSON response, which is multilevel and complex. The following implementation covers some of the essentials: ``` type BingAnswer struct {
@@ -105,7 +105,7 @@ type BingAnswer struct { ## Main function and variables -The following code declares the main function and assigns required variables. Confirm that the endpoint is correct and replace the `token` value with a valid subscription key from your Azure account. The `batchNumber` is a GUID required for leading and trailing boundaries of the Post data. The `fileName` variable identifies the image file for the Post. Following sections explain the details of the code. +The following code declares the main function and assigns required variables. Confirm that the endpoint is correct and replace the `token` value with a valid subscription key from your Azure account. The `batchNumber` is a GUID required for leading and trailing boundaries of the POST data. The `fileName` variable identifies the image file for the POST. The following sections explain the details of the code: ``` func main() {
@@ -153,9 +153,9 @@ func main() { ``` -## Boundaries of Post body +## Boundaries of POST body -A Post request to the Visual Search endpoint requires leading and trailing boundaries enclosing the Post data. The leading boundary includes a batch number, the content type identifier `Content-Disposition: form-data; name="image"; filename=`, plus the filename of the image to Post. The trailing boundary is simply the batch number. These functions are not included in the `main` block. +A POST request to the Visual Search endpoint requires leading and trailing boundaries enclosing the POST data. The leading boundary includes a batch number, the content type identifier `Content-Disposition: form-data; name="image"; filename=`, plus the filename of the image to POST. The trailing boundary is simply the batch number. These functions are not included in the `main` block: ``` func BuildFormDataStart(batNum string, fileName string) string{
@@ -172,9 +172,9 @@ func BuildFormDataEnd(batNum string) string{ } ``` -## Add image bytes to Post body +## Add image bytes to POST body -This code segment creates the Post request that contains image data. +This code segment creates the POST request that contains image data: ``` func createRequestBody(fileName string, batchNumber string) (*bytes.Buffer, string) {
@@ -203,7 +203,7 @@ func createRequestBody(fileName string, batchNumber string) (*bytes.Buffer, stri ## Send the request -The following code sends the request and reads results. +The following code sends the request and reads the results: ``` resp, err := client.Do(req)
@@ -222,7 +222,7 @@ resp, err := client.Do(req) ## Handle the response -The `Unmarshall` function extracts information from the JSON text returned by the Visual Search API. The `go-spew` pretty printer displays results. +The `Unmarshall` function extracts information from the JSON text returned by the Visual Search API. The `go-spew` pretty printer displays the results: ``` // Create a new answer.
@@ -245,7 +245,7 @@ The `Unmarshall` function extracts information from the JSON text returned by th ## Results -The results identify images similar to the image contained in the Post body. The useful fields are `WebSearchUrl` and `Name`. +The results identify images similar to the image contained in the POST body. The useful fields are `WebSearchUrl` and `Name`: ``` Value: ([]struct { WebSearchUrl string "json:\"webSearchUrl\""; Name string "json:\"name\"" }) (len=66 cap=94) {
@@ -283,5 +283,5 @@ The results identify images similar to the image contained in the Post body. Th ## Next steps > [!div class="nextstepaction"] -> [What is Bing Visual Search](../overview.md) +> [What is the Bing Visual Search API?](../overview.md) > [Bing Web Search quickstart in Go](../../Bing-Web-Search/quickstarts/go.md)
diff --git a/articles/cognitive-services/bing-visual-search/quickstarts/java.md b/articles/cognitive-services/bing-visual-search/quickstarts/java.md
index 566959af478b6..1682790c58808 100644
--- a/articles/cognitive-services/bing-visual-search/quickstarts/java.md
+++ b/articles/cognitive-services/bing-visual-search/quickstarts/java.md
@@ -9,15 +9,15 @@ manager: nitinme ms.service: cognitive-services ms.subservice: bing-visual-search ms.topic: quickstart -ms.date: 5/16/2018 +ms.date: 4/02/2019 ms.author: scottwhi --- # Quickstart: Get image insights using the Bing Visual Search REST API and Java -Use this quickstart to make your first call to the Bing Visual Search API and view the search results. This simple C# application uploads an image to the API, and displays the information returned about it. While this application is written in Java, the API is a RESTful Web service compatible with most programming languages. +Use this quickstart to make your first call to the Bing Visual Search API and view the results. This Java application uploads an image to the API and displays the information it returns. Though this application is written in Java, the API is a RESTful Web service compatible with most programming languages. -When uploading a local image, the form data must include the Content-Disposition header. Its `name` parameter must be set to "image" and the `filename` parameter may be set to any string. The contents of the form is the binary of the image. The maximum image size you may upload is 1 MB. +When you upload a local image, the form data must include the `Content-Disposition` header. You must set its `name` parameter to "image", and you can set the `filename` parameter to any string. The contents of the form include the binary data of the image. The maximum image size you can upload is 1 MB. ``` --boundary_1234-abcd 
@@ -30,16 +30,15 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" ## Prerequisites -* The [Java Development Kit(JDK) 7 or 8](https://aka.ms/azure-jdks) -* The [Gson library](https://github.com/google/gson) +* The [Java Development Kit (JDK) 7 or 8](https://aka.ms/azure-jdks) +* The [Gson Java library](https://github.com/google/gson) * [Apache HttpComponents](https://hc.apache.org/downloads.cgi) - [!INCLUDE [cognitive-services-bing-visual-search-signup-requirements](../../../../includes/cognitive-services-bing-visual-search-signup-requirements.md)] ## Create and initialize a project -1. Create a new Java project in your favorite IDE or editor, and import the following libraries. +1. Create a new Java project in your favorite IDE or editor, and import the following libraries: ```java import java.util.*;
@@ -60,7 +59,7 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" import org.apache.http.impl.client.HttpClientBuilder; ``` -2. Create variables for your API endpoint, subscription key, and the path to your image. +2. Create variables for your API endpoint, subscription key, and the path to your image: ```java static String endpoint = "https://api.cognitive.microsoft.com/bing/v7.0/images/visualsearch";
@@ -70,7 +69,7 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" ## Create the JSON parser -Create a method to make the JSON response from the API more readable using `JsonParser`. +Create a method to make the JSON response from the API more readable using `JsonParser`: ```java public static String prettify(String json_text) {
@@ -83,13 +82,13 @@ Create a method to make the JSON response from the API more readable using `Json ## Construct the search request and query -1. In the main method of your application, create a Http Client using `HttpClientBuilder.create().build();`. +1. In the main method of your application, create an HTTP client using `HttpClientBuilder.create().build();`: ```java CloseableHttpClient httpClient = HttpClientBuilder.create().build(); ``` -2. Create an `HttpEntity` to upload your image to the API. +2. Create an `HttpEntity` object to upload your image to the API: ```java HttpEntity entity = MultipartEntityBuilder
@@ -98,7 +97,7 @@ Create a method to make the JSON response from the API more readable using `Json .build(); ``` -3. Create a `httpPost` object with your endpoint, and set the header to use your subscription key. +3. Create an `httpPost` object with your endpoint, and set the header to use your subscription key: ```java HttpPost httpPost = new HttpPost(endpoint);
@@ -108,14 +107,14 @@ Create a method to make the JSON response from the API more readable using `Json ## Receive and process the JSON response -1. Use `HttpClient.execute()` to send a request to the API, and store the response in an `InputStream` object. +1. Use the `HttpClient.execute()` method to send a request to the API, and store the response in an `InputStream` object: ```java HttpResponse response = httpClient.execute(httpPost); InputStream stream = response.getEntity().getContent(); ``` -2. Store the JSON string, and print out the response. +2. Store the JSON string, and print the response: ```java String json = new Scanner(stream).useDelimiter("\\A").next();
@@ -126,4 +125,4 @@ System.out.println(prettify(json)); ## Next steps > [!div class="nextstepaction"] -> [Build a Custom Search web app](../tutorial-bing-visual-search-single-page-app.md) +> [Build a Visual Search single-page web app](../tutorial-bing-visual-search-single-page-app.md)
diff --git a/articles/cognitive-services/bing-visual-search/quickstarts/nodejs.md b/articles/cognitive-services/bing-visual-search/quickstarts/nodejs.md
index 9e2480df79e4b..2d738981354a7 100644
--- a/articles/cognitive-services/bing-visual-search/quickstarts/nodejs.md
+++ b/articles/cognitive-services/bing-visual-search/quickstarts/nodejs.md
@@ -9,7 +9,7 @@ manager: nitinme ms.service: cognitive-services ms.subservice: bing-visual-search ms.topic: quickstart -ms.date: 5/16/2018 +ms.date: 4/02/2019 ms.author: scottwhi ---
@@ -17,7 +17,7 @@ ms.author: scottwhi Use this quickstart to make your first call to the Bing Visual Search API and view the search results. This simple JavaScript application uploads an image to the API, and displays the information returned about it. While this application is written in JavaScript, the API is a RESTful Web service compatible with most programming languages. -When uploading a local image, the form data must include the Content-Disposition header. Its `name` parameter must be set to "image" and the `filename` parameter may be set to any string. The contents of the form is the binary of the image. The maximum image size you may upload is 1 MB. +When uploading a local image, the form data must include the `Content-Disposition` header. You must set its `name` parameter to "image", and the `filename` parameter can be set to any string. The contents of the form include the binary data of the image. The maximum image size you may upload is 1 MB. ``` --boundary_1234-abcd
@@ -31,18 +31,14 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" ## Prerequisites * [Node.js](https://nodejs.org/en/download/) -* The Request module for JavaScript - * You can install this module using `npm install request` -* The form-data module - * You can install this module using `npm install form-data` - +* The Request module for JavaScript. You can use `npm install request` command to install the module. +* The form-data module. You can use the `npm install form-data` command to install the module. [!INCLUDE [cognitive-services-bing-visual-search-signup-requirements](../../../../includes/cognitive-services-bing-image-search-signup-requirements.md)] - ## Initialize the application -1. Create a new JavaScript file in your favorite IDE or editor, and set the following requirements: +1. Create a JavaScript file in your favorite IDE or editor, and set the following requirements: ```javascript var request = require('request');
@@ -50,7 +46,7 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" var fs = require('fs'); ``` -2. Create variables for your API endpoint, subscription key, and the path to your image. +2. Create variables for your API endpoint, subscription key, and the path to your image: ```javascript var baseUri = 'https://api.cognitive.microsoft.com/bing/v7.0/images/visualsearch';
@@ -58,7 +54,7 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" var imagePath = "path-to-your-image"; ``` -3. Create a function called `requestCallback()` to print the response from the API. +3. Create a function named `requestCallback()` to print the response from the API: ```javascript function requestCallback(err, res, body) {
@@ -68,14 +64,14 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" ## Construct and send the search request -1. Create a new form-data using `FormData()`, and append your image path to it, using `fs.createReadStream()`. +1. Create a new **FormData** object using `FormData()`, and append your image path to it, using `fs.createReadStream()`: ```javascript var form = new FormData(); form.append("image", fs.createReadStream(imagePath)); ``` -2. Use the request library to upload the image, calling `requestCallback()` to print the response. Be sure to add your subscription key to the request header. +2. Use the request library to upload the image, and call `requestCallback()` to print the response. Be sure to add your subscription key to the request header: ```javascript form.getLength(function(err, length){
@@ -91,4 +87,4 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" ## Next steps > [!div class="nextstepaction"] -> [Build a Custom Search web app](../tutorial-bing-visual-search-single-page-app.md) +> [Build a Visual Search single-page web app](../tutorial-bing-visual-search-single-page-app.md)
diff --git a/articles/cognitive-services/bing-visual-search/quickstarts/python.md b/articles/cognitive-services/bing-visual-search/quickstarts/python.md
index 48ab9d8ab0cde..8e942472b0975 100644
--- a/articles/cognitive-services/bing-visual-search/quickstarts/python.md
+++ b/articles/cognitive-services/bing-visual-search/quickstarts/python.md
@@ -9,15 +9,15 @@ manager: nitinme ms.service: cognitive-services ms.subservice: bing-visual-search ms.topic: quickstart -ms.date: 5/16/2018 +ms.date: 4/02/2019 ms.author: scottwhi --- -# Quickstart: Your first Bing Visual Search query in Python +# Quickstart: Get image insights using the Bing Visual Search REST API and Python -Use this quickstart to make your first call to the Bing Visual Search API and view the search results. This simple JavaScript application uploads an image to the API, and displays the information returned about it. While this application is written in JavaScript, the API is a RESTful Web service compatible with most programming languages. +Use this quickstart to make your first call to the Bing Visual Search API and view the results. This Python application uploads an image to the API and displays the information it returns. Though this application is written in Python, the API is a RESTful Web service compatible with most programming languages. -When uploading a local image, the POST form data must include the Content-Disposition header. Its `name` parameter must be set to "image" and the `filename` parameter may be set to any string. The contents of the form is the binary of the image. The maximum image size you may upload is 1 MB. +When you upload a local image, the form data must include the `Content-Disposition` header. You must set its `name` parameter to "image", and you can set the `filename` parameter to any string. The contents of the form include the binary data of the image. The maximum image size you can upload is 1 MB. ``` --boundary_1234-abcd 
@@ -32,18 +32,17 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" * [Python 3.x](https://www.python.org/) - [!INCLUDE [cognitive-services-bing-visual-search-signup-requirements](../../../../includes/cognitive-services-bing-image-search-signup-requirements.md)] ## Initialize the application -1. Create a new Python file in your favorite IDE or editor, and add the following import statement. +1. Create a new Python file in your favorite IDE or editor, and add the following `import` statement: ```python import requests, json ``` -2. Create variables for your subscription key, endpoint, and the path to the image you're uploading. +2. Create variables for your subscription key, endpoint, and the path to the image you're uploading: ```python
@@ -52,13 +51,13 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" imagePath = 'your-image-path' ``` -3. Create a dictionary object to hold your requests' header information. Bind your subscription key to the string `Ocp-Apim-Subscription-Key`, as shown below. +3. Create a dictionary object to hold your request's header information. Bind your subscription key to the string `Ocp-Apim-Subscription-Key`, as shown below: ```python HEADERS = {'Ocp-Apim-Subscription-Key': SUBSCRIPTION_KEY} ``` -4. Create another dictionary to contain your image, which will be opened and uploaded when you send the request. +4. Create another dictionary to contain your image, which is opened and uploaded when you send the request: ```python file = {'image' : ('myfile', open(imagePath, 'rb'))}
@@ -66,7 +65,7 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" ## Parse the JSON response -1. Create a method called `print_json()` to take in the API response, and print the JSON. +1. Create a method called `print_json()` to take in the API response, and print the JSON: ```python def print_json(obj):
@@ -76,7 +75,7 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" ## Send the request -1. Use `requests.post()` to send a request to the Bing Visual Search API. Include the string for your endpoint, header, and file information. Print `response.json()` with `print_json()` +1. Use `requests.post()` to send a request to the Bing Visual Search API. Include the string for your endpoint, header, and file information. Print `response.json()` with `print_json()`: ```python try:
@@ -91,4 +90,4 @@ Content-Disposition: form-data; name="image"; filename="myimagefile.jpg" ## Next steps > [!div class="nextstepaction"] -> [Build a Custom Search web app](../tutorial-bing-visual-search-single-page-app.md) +> [Create a Visual Search single-page web app](../tutorial-bing-visual-search-single-page-app.md)
diff --git a/articles/cognitive-services/bing-visual-search/quickstarts/ruby.md b/articles/cognitive-services/bing-visual-search/quickstarts/ruby.md
index c802358a075ec..341213abba81e 100644
--- a/articles/cognitive-services/bing-visual-search/quickstarts/ruby.md
+++ b/articles/cognitive-services/bing-visual-search/quickstarts/ruby.md
@@ -9,13 +9,13 @@ manager: rosh ms.service: cognitive-services ms.subservice: bing-visual-search ms.topic: quickstart -ms.date: 2/27/2019 +ms.date: 4/02/2019 ms.author: rosh --- # Quickstart: Get image insights using the Bing Visual Search REST API and Ruby -This quickstart uses the Ruby programming language to call Bing Visual Search and display results. A Post request uploads an image to the API endpoint. The results include URLs and descriptive information about images similar to the uploaded image. +This quickstart uses the Ruby programming language to call Bing Visual Search and display results. A POST request uploads an image to the API endpoint. The results include URLs and descriptive information about images similar to the uploaded image. ## Prerequisites
@@ -28,7 +28,7 @@ To run this quickstart: ## Project and required modules -Create a new Ruby project in your IDE or editor. Import `net/http`, `uri` , and `json` to handle the JSON text of results. The `base64` library is used to encode the file name string. +Create a new Ruby project in your IDE or editor. Import `net/http`, `uri` , and `json` to handle the JSON text of results. The `base64` library is used to encode the file name string: ``` require 'net/https' @@ -40,7 +40,7 @@ require 'base64' ## Define variables -The following code assigns required variables. Confirm that the endpoint is correct and replace the `accessKey` value with a subscription key from your Azure account. The `batchNumber` is a guid required for leading and trailing boundaries of the Post data. The `fileName` variable identifies the image file for the Post. The `if` block tests for a valid subscription key. +The following code assigns required variables. Confirm that the endpoint is correct and replace the `accessKey` value with a subscription key from your Azure account. The `batchNumber` is a GUID required for leading and trailing boundaries of the POST data. The `fileName` variable identifies the image file for the POST. The `if` block tests for a valid subscription key. ``` accessKey = "ACCESS-KEY" @@ -57,9 +57,9 @@ end ``` -## Form data for Post request +## Form data for POST request -The image data to Post is enclosed by leading and trailing boundaries. The following functions set the boundaries. +The image data to POST is enclosed by leading and trailing boundaries. The following functions set the boundaries: ``` def BuildFormDataStart(batNum, fileName) 
@@ -70,10 +70,9 @@ end def BuildFormDataEnd(batNum) return "\r\n\r\n" + "--batch_" + batNum + "--" + "\r\n" end - ``` -Next construct the endpoint URI and an array to contain the Post body. Use the previous function to load the start boundary into the array. Read the image file into the array. Then, read the end boundary into the array. +Next, construct the endpoint URI and an array to contain the POST body. Use the previous function to load the start boundary into the array. Read the image file into the array. Then, read the end boundary into the array: ``` uri = URI(uri + path) @@ -87,12 +86,11 @@ post_body << BuildFormDataStart(batchNumber, fileName) post_body << File.read(fileName) #Base64.encode64(File.read(fileName)) post_body << BuildFormDataEnd(batchNumber) - ``` ## Create the HTTP request -Set the `Ocp-Apim-Subscription-Key` header. Create the request. Then, assign the header and content type. Join the Post body created previously to the request. +Set the `Ocp-Apim-Subscription-Key` header. Create the request. Then, assign the header and content type. Join the POST body created previously to the request: ``` header = {'Ocp-Apim-Subscription-Key': accessKey} @@ -106,7 +104,7 @@ request.body = post_body.join ## Request and response -Ruby sends the request and gets the response with the following line of code. +Ruby sends the request and gets the response with the following line of code: ``` response = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http| @@ -117,7 +115,7 @@ end ## Print the results -Print the headers of the response. Then use the JSON library to format output. +Print the headers of the response, and use the JSON library to format output: ``` puts "\nRelevant Headers:\n\n" @@ -134,7 +132,7 @@ puts JSON::pretty_generate(JSON(response.body)) ## Results -The following JSON is a segment of the output. +The following JSON is a segment of the output: ``` Relevant Headers: 
@@ -283,4 +281,4 @@ JSON Response: > [!div class="nextstepaction"] > [Bing Visual Search overview](../overview.md) -> [Build a Custom Search web app](../tutorial-bing-visual-search-single-page-app.md) \ No newline at end of file +> [Build a Visual Search single-page web app](../tutorial-bing-visual-search-single-page-app.md) \ No newline at end of file diff --git a/articles/cognitive-services/bing-visual-search/resize-and-crop-thumbnails.md b/articles/cognitive-services/bing-visual-search/resize-and-crop-thumbnails.md index 852097312e70a..d7128d58e0996 100644 --- a/articles/cognitive-services/bing-visual-search/resize-and-crop-thumbnails.md +++ b/articles/cognitive-services/bing-visual-search/resize-and-crop-thumbnails.md @@ -9,10 +9,10 @@ manager: nitinme ms.service: cognitive-services ms.subservice: bing-visual-search ms.topic: conceptual -ms.date: 04/10/2018 +ms.date: 04/05/2019 ms.author: scottwhi --- -# Resizing and cropping thumbnail images +# Resize and crop thumbnail images [!INCLUDE [cognitive-services-bing-resize-crop-thumbnails](../../../includes/cognitive-services-bing-resize-crop-thumbnails.md)] diff --git a/articles/cognitive-services/bing-visual-search/tutorial-bing-visual-search-single-page-app.md b/articles/cognitive-services/bing-visual-search/tutorial-bing-visual-search-single-page-app.md index 6fd5767e5ea40..c608d9633372a 100644 --- a/articles/cognitive-services/bing-visual-search/tutorial-bing-visual-search-single-page-app.md +++ b/articles/cognitive-services/bing-visual-search/tutorial-bing-visual-search-single-page-app.md 
@@ -9,14 +9,14 @@ manager: nitinme ms.service: cognitive-services ms.subservice: bing-visual-search ms.topic: article -ms.date: 03/04/2019 +ms.date: 04/05/2019 ms.author: aahi --- -# Create a Visual Search single-page web app +# Create a Visual Search single-page web app -The Bing Visual Search API provides an experience similar to the image details shown on Bing.com/images. With Visual Search, you can specify an image and get back insights about the image such as visually similar images, shopping sources, webpages that include the image, and more. +The Bing Visual Search API returns insights for an image. You can either upload an image or provide a URL to one. Insights are visually similar images, shopping sources, webpages that include the image, and more. Insights returned by the Bing Visual Search API are similar to ones shown on Bing.com/images. -This article explains how to extend a single-page web app for the Bing Image Search API. To view that tutorial or get the source code used here, see [Tutorial: Create a single-page app for the Bing Image Search API](../Bing-Image-Search/tutorial-bing-image-search-single-page-app.md). +This tutorial explains how to extend a single-page web app for the Bing Image Search API. To view that tutorial or get the source code used here, see [Tutorial: Create a single-page app for the Bing Image Search API](../Bing-Image-Search/tutorial-bing-image-search-single-page-app.md). The full source code for this application (after extending it to use the Bing Visual Search API), is available on [GitHub](https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/Tutorials/Bing-Visual-Search/BingVisualSearchApp.html). 
@@ -26,7 +26,7 @@ The full source code for this application (after extending it to use the Bing Vi ## Call the Bing Visual Search API and handle the response -Edit the Bing Image Search tutorial and add the following code to the end of the `` tag). The following code handles a visual search response from the API, iterates through the results, and displays them. +Edit the Bing Image Search tutorial and add the following code to the end of the `` tag). The following code handles a visual search response from the API, iterates through the results, and displays them: ``` javascript function handleVisualSearchResponse(){ @@ -58,8 +58,7 @@ function handleVisualSearchResponse(){ } ``` -The following code sends a search request to the API, using an event listener to call `handleVisualSearchResponse()`. - +The following code sends a search request to the API, using an event listener to call `handleVisualSearchResponse()`: ```javascript function bingVisualSearch(insightsToken){ @@ -78,8 +77,8 @@ function bingVisualSearch(insightsToken){ let requestBody = startBoundary + newLine; requestBody += bodyHeader; requestBody += JSON.stringify(postBody) + newLine + newLine; - requestBody += endBoundary + newLine; - + requestBody += endBoundary + newLine; + let request = new XMLHttpRequest(); try { @@ -97,7 +96,7 @@ function bingVisualSearch(insightsToken){ ## Capture insights token -Add the following code into the `searchItemsRenderer` object. This code adds a **find similar** link that calls the `bingVisualSearch` function when clicked. The function receives the imageInsightsToken as an argument. +Add the following code to the `searchItemsRenderer` object. This code adds a **find similar** link that calls the `bingVisualSearch` function when clicked. The function receives the `imageInsightsToken` as an argument. ``` javascript html.push("find similar
    "); 
@@ -105,7 +104,7 @@ html.push(" WebSearchUrl: " The complete application returns: - |ActionType |URL | | |---------|---------|---------| -|PagesIncluding WebSearchURL | | -|MoreSizes WebSearchURL | | -|VisualSearch WebSearchURL | | -|ImageById WebSearchURL | | -|RelatedSearches WebSearchURL | | -|Entity -> WebSearchUrl | https://www.bing.com/cr?IG=E40D0E1A13404994ACB073504BC937A4&CID=03DCF882D7386A442137F49BD6596BEF&rd=1&h=BvvDoRtmZ35Xc_UZE4lZx6_eg7FHgcCkigU1D98NHQo&v=1&r=https%3a%2f%2fwww.bing.com%2fsearch%3fq%3dSatya%2bNadella&p=DevEx,5380.1 | -|TopicResults -> WebSearchUrl | https://www.bing.com/cr?IG=E40D0E1A13404994ACB073504BC937A4&CID=03DCF882D7386A442137F49BD6596BEF&rd=1&h=3QGtxPb3W9LemuHRxAlW4CW7XN4sPkUYCUynxAqI9zQ&v=1&r=https%3a%2f%2fwww.bing.com%2fdiscover%2fnadella%2bsatya&p=DevEx,5382.1 | -|ImageResults -> WebSearchUrl | https://www.bing.com/cr?IG=E40D0E1A13404994ACB073504BC937A4&CID=03DCF882D7386A442137F49BD6596BEF&rd=1&h=l-WNHO89Kkw69AmIGe2MhlUp6MxR6YsJszgOuM5sVLs&v=1&r=https%3a%2f%2fwww.bing.com%2fimages%2fsearch%3fq%3dSatya%2bNadella&p=DevEx,5384.1 | - -As shown above, the `Entity` ActionType contains a Bing search query that returns information about a recognizable person, place, or thing. The `TopicResults` and `ImageResults` types contain queries for related images. The URLs in the list link to Bing search results. 
+|PagesIncluding WebSearchURL | | +|MoreSizes WebSearchURL | | +|VisualSearch WebSearchURL | | +|ImageById WebSearchURL | | +|RelatedSearches WebSearchURL | | +|Entity -> WebSearchUrl | https://www.bing.com/cr?IG=E40D0E1A13404994ACB073504BC937A4&CID=03DCF882D7386A442137F49BD6596BEF&rd=1&h=BvvDoRtmZ35Xc_UZE4lZx6_eg7FHgcCkigU1D98NHQo&v=1&r=https%3a%2f%2fwww.bing.com%2fsearch%3fq%3dSatya%2bNadella&p=DevEx,5380.1 | +|TopicResults -> WebSearchUrl | https://www.bing.com/cr?IG=E40D0E1A13404994ACB073504BC937A4&CID=03DCF882D7386A442137F49BD6596BEF&rd=1&h=3QGtxPb3W9LemuHRxAlW4CW7XN4sPkUYCUynxAqI9zQ&v=1&r=https%3a%2f%2fwww.bing.com%2fdiscover%2fnadella%2bsatya&p=DevEx,5382.1 | +|ImageResults -> WebSearchUrl | https://www.bing.com/cr?IG=E40D0E1A13404994ACB073504BC937A4&CID=03DCF882D7386A442137F49BD6596BEF&rd=1&h=l-WNHO89Kkw69AmIGe2MhlUp6MxR6YsJszgOuM5sVLs&v=1&r=https%3a%2f%2fwww.bing.com%2fimages%2fsearch%3fq%3dSatya%2bNadella&p=DevEx,5384.1 | +As shown above, the `Entity` ActionType contains a Bing search query that returns information about a recognizable person, place, or thing. The `TopicResults` and `ImageResults` types contain queries for related images. The URLs in the list link to Bing search results. -## Get URLs for PagesIncluding ActionType images +## Get URLs for `PagesIncluding` `ActionType` images -Getting the actual image URLs requires a cast that reads an `ActionType` as `ImageModuleAction`, which contains a `Data` element with a list of values. Each value is the URL of an image. The following casts the `PagesIncluding` action type to `ImageModuleAction` and reads the values. +Getting the actual image URLs requires a cast that reads an `ActionType` as `ImageModuleAction`, which contains a `Data` element with a list of values. Each value is the URL of an image. The following casts the `PagesIncluding` action type to `ImageModuleAction` and reads the values: ```csharp if (i.ActionType == "PagesIncluding") 
@@ -106,6 +105,7 @@ Getting the actual image URLs requires a cast that reads an `ActionType` as `Ima ## Next steps > [!div class="nextstepaction"] -> [Build a single-page web app](tutorial-bing-visual-search-single-page-app.md) +> [Create a Visual Search single-page web app](tutorial-bing-visual-search-single-page-app.md) -[Visual Search response](https://docs.microsoft.com/azure/cognitive-services/bing-visual-search/overview) +## See also +> [What is the Bing Visual Search API?](https://docs.microsoft.com/azure/cognitive-services/bing-visual-search/overview) diff --git a/articles/cognitive-services/bing-visual-search/tutorial-visual-search-image-upload.md b/articles/cognitive-services/bing-visual-search/tutorial-visual-search-image-upload.md index 8f2b69152226b..fd2a3326cf3ef 100644 --- a/articles/cognitive-services/bing-visual-search/tutorial-visual-search-image-upload.md +++ b/articles/cognitive-services/bing-visual-search/tutorial-visual-search-image-upload.md 
@@ -9,15 +9,15 @@ manager: nitinme ms.service: cognitive-services ms.subservice: bing-visual-search ms.topic: tutorial -ms.date: 07/10/2018 +ms.date: 04/03/2019 ms.author: scottwhi --- -# Tutorial: Uploading images to the Bing Visual Search API +# Tutorial: Upload images to the Bing Visual Search API -The Bing Visual Search API enables you to search the web for images similar to ones you upload. Use this tutorial to create a web application that can send an image to the API, and display the insights it returns within the webpage. Note that this application does not adhere to all [Bing Use and Display Requirements](./use-and-display-requirements.md) for using the API. +The Bing Visual Search API enables you to search the web for images similar to ones you upload. Use this tutorial to create a web application that can send an image to the API, and display the insights it returns within the webpage. Note that this application does not adhere to all [Bing Use and Display Requirements](../bing-web-search/use-display-requirements.md) for using the API. -The full source code for this sample can be found with additional error handling and annotations on [GitHub](https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/Tutorials/Bing-Visual-Search/BingVisualSearchUploadImage.html). +You can find the full source code for this sample with additional error handling and annotations on [GitHub](https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/Tutorials/Bing-Visual-Search/BingVisualSearchUploadImage.html). The tutorial app illustrates how to: 
@@ -26,13 +26,13 @@ The tutorial app illustrates how to: > * Display image search results in a web application > * Explore the different insights provided by the API -## Prerequisites +## Prerequisites [!INCLUDE [cognitive-services-bing-image-search-signup-requirements](../../../includes/cognitive-services-bing-visual-search-signup-requirements.md)] ## Create and structure the webpage -Create an HTML page that sends Bing an image and gets back insights and displays them. In your favorite editor or IDE, create a file named, `uploaddemo.html`. Add the following basic HTML structure to the file. +Create an HTML page that sends an image to the Bing Visual Search API, receives insights, and displays them. In your favorite editor or IDE, create a file named "uploaddemo.html". Add the following basic HTML structure to the file: ```html @@ -43,18 +43,18 @@ Create an HTML page that sends Bing an image and gets back insights and displays - + ``` -Divide the page into a request section, where the user provides all the information needed to make the request, and a response section where the insights are displayed. Add the following `
    ` tags to the ``. The `
    ` tag visually separates the request section from the response section. +Divide the page into a request section, where the user provides all the information required for the request, and a response section where the insights are displayed. Add the following `
    ` tags to the ``. The `
    ` tag visually separates the request section from the response section: ```html
    -
    +
    ``` -Add a ` - + diff --git a/includes/active-directory-develop-guidedsetup-javascriptspa-test.md b/includes/active-directory-develop-guidedsetup-javascriptspa-test.md index 7d92c35485ae6..c0eb063ca8900 100644 --- a/includes/active-directory-develop-guidedsetup-javascriptspa-test.md +++ b/includes/active-directory-develop-guidedsetup-javascriptspa-test.md @@ -32,7 +32,7 @@ If you're not using Visual Studio, make sure your web server is started. ``` 1. Open the browser and type http://localhost:30662 or http://localhost:{port} where **port** is the port that your web server is listening to. You should see the contents of your index.html file and the **Sign In** button. -

    +

    ### Test with Visual Studio @@ -40,7 +40,7 @@ If you're using Visual Studio, make sure to select the project solution and pres ## Test your application -After the browser loads your index.html file, click **Sign In**. You will be prompted to sign in with the Microsoft Azure Active Directory (Azure AD) v2.0 endpoint: +After the browser loads your index.html file, click **Sign In**. You will be prompted to sign in with the Microsoft identity platform endpoint: ![Sign in to your JavaScript SPA account](media/active-directory-develop-guidedsetup-javascriptspa-test/javascriptspascreenshot1.png) diff --git a/includes/active-directory-develop-guidedsetup-javascriptspa-use.md b/includes/active-directory-develop-guidedsetup-javascriptspa-use.md index a54627f8052b7..7d70d55a8f511 100644 --- a/includes/active-directory-develop-guidedsetup-javascriptspa-use.md +++ b/includes/active-directory-develop-guidedsetup-javascriptspa-use.md 
@@ -120,19 +120,19 @@ if (!isIE) { ### More Information -After a user clicks the **Sign In** button for the first time, the `signIn` method calls `loginPopup` to sign in the user. This method results in opening a popup window with the *Microsoft Azure Active Directory v2.0 endpoint* to prompt and validate the user's credentials. As a result of a successful sign-in, the user is redirected back to the original *index.html* page, and a token is received, processed by `msal.js` and the information contained in the token is cached. This token is known as the *ID token* and contains basic information about the user, such as the user display name. If you plan to use any data provided by this token for any purposes, you need to make sure this token is validated by your backend server to guarantee that the token was issued to a valid user for your application. +After a user clicks the **Sign In** button for the first time, the `signIn` method calls `loginPopup` to sign in the user. This method results in opening a popup window with the *Microsoft identity platform endpoint* to prompt and validate the user's credentials. As a result of a successful sign-in, the user is redirected back to the original *index.html* page, and a token is received, processed by `msal.js` and the information contained in the token is cached. This token is known as the *ID token* and contains basic information about the user, such as the user display name. If you plan to use any data provided by this token for any purposes, you need to make sure this token is validated by your backend server to guarantee that the token was issued to a valid user for your application. The SPA generated by this guide calls `acquireTokenSilent` and/or `acquireTokenPopup` to acquire an *access token* used to query the Microsoft Graph API for user profile info. 
If you need a sample that validates the ID token, take a look at [this](https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi-v2 "GitHub active-directory-javascript-singlepageapp-dotnet-webapi-v2 sample") sample application in GitHub – the sample uses an ASP.NET Web API for token validation. #### Getting a user token interactively -After the initial sign-in, you do not want to ask users to reauthenticate every time they need to request a token to access a resource – so *acquireTokenSilent* should be used most of the time to acquire tokens. There are situations however that you need to force users to interact with Azure Active Directory v2.0 endpoint – some examples include: +After the initial sign-in, you do not want to ask users to reauthenticate every time they need to request a token to access a resource – so *acquireTokenSilent* should be used most of the time to acquire tokens. There are situations however that you need to force users to interact with Microsoft identity platform endpoint – some examples include: - Users may need to reenter their credentials because the password has expired - Your application is requesting access to a resource that the user needs to consent to - Two factor authentication is required -Calling the *acquireTokenPopup(scope)* results in a popup window (or *acquireTokenRedirect(scope)* results in redirecting users to the Azure Active Directory v2.0 endpoint) where users need to interact by either confirming their credentials, giving the consent to the required resource, or completing the two factor authentication. +Calling the *acquireTokenPopup(scope)* results in a popup window (or *acquireTokenRedirect(scope)* results in redirecting users to the Microsoft identity platform endpoint) where users need to interact by either confirming their credentials, giving the consent to the required resource, or completing the two factor authentication. #### Getting a user token silently 
diff --git a/includes/active-directory-develop-guidedsetup-windesktop-configure.md b/includes/active-directory-develop-guidedsetup-windesktop-configure.md index a93ffc32ce2ee..159b1d1ecac51 100644 --- a/includes/active-directory-develop-guidedsetup-windesktop-configure.md +++ b/includes/active-directory-develop-guidedsetup-windesktop-configure.md @@ -12,7 +12,7 @@ ms.devlang: na ms.topic: include ms.tgt_pltfrm: na ms.workload: identity -ms.date: 09/17/2018 +ms.date: 04/10/2019 ms.author: jmprieur ms.custom: include file --- 
@@ -24,33 +24,25 @@ You can register your application in either of two ways. ### Option 1: Express mode You can quickly register your application by doing the following: -1. Go to the [Microsoft Application Registration Portal](https://apps.dev.microsoft.com/portal/register-app?appType=mobileAndDesktopApp&appTech=windowsDesktop&step=configure). - -2. Select **Add an app**. - -3. In the **Application Name** box, enter a name for your application. - -4. Ensure that the **Guided Setup** check box is selected, and then select **Create**. - -5. Follow the instructions for obtaining the application ID, and paste it into your code. +1. Go to the [Azure portal - Application Registration](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/WinDesktopQuickstartPage/sourceType/docs). +1. Enter a name for your application and select **Register**. +1. Follow the instructions to download and automatically configure your new application with just one click. ### Option 2: Advanced mode To register your application and add your application registration information to your solution, do the following: -1. If you haven't already registered your application, go to the [Microsoft Application Registration Portal](https://apps.dev.microsoft.com/portal/register-app). - -2. Select **Add an app**. - -3. In the **Application Name** box, enter a name for your application. - -4. Ensure that the **Guided Setup** check box is cleared, and then select **Create**. - -5. Select **Add Platform**, select **Native Application**, and then select **Save**. - -6. In the **Application ID** box, copy the GUID. - -7. Go to Visual Studio, open the *App.xaml.cs* file, and then replace `your_client_id_here` with the application ID that you just registered and copied. +1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account or a personal Microsoft account. +1. 
If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant. +1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page. +1. Select **New registration**. + - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `Win-App-calling-MsGraph`. + - In the **Supported account types** section, select **Accounts in any organizational directory and personal Microsoft accounts (for example, Skype, Xbox, Outlook.com)**. + - Select **Register** to create the application. +1. In the list of pages for the app, select **Authentication**. +1. In the **Redirect URIs** section, locate the **Suggested Redirect URIs for public clients (mobile, desktop)** section, and select **"urn:ietf:wg:oauth:2.0:oob**. +1. Select **Save**. +1. Go to Visual Studio, open the *App.xaml.cs* file, and then replace `Enter_the_Application_Id_here` with the application ID that you just registered and copied. ```csharp - private static string ClientId = "your_application_id_here"; + private static string ClientId = "Enter_the_Application_Id_here"; ``` diff --git a/includes/active-directory-develop-guidedsetup-windesktop-introduction.md b/includes/active-directory-develop-guidedsetup-windesktop-introduction.md index 9e3f342644a40..7b96f940623e9 100644 --- a/includes/active-directory-develop-guidedsetup-windesktop-introduction.md +++ b/includes/active-directory-develop-guidedsetup-windesktop-introduction.md 
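Review bot: The redirect URI in the added step `select **"urn:ietf:wg:oauth:2.0:oob**` has an opening double quote and no closing one, so the value the reader must pick in the portal is unclear; write it as `select **urn:ietf:wg:oauth:2.0:oob**`. The last added step refers to the application ID "that you just registered and copied", but none of the new Option 2 steps tells the reader to copy it. Add a step before it, such as `1. On the app's **Overview** page, copy the **Application (client) ID** value.`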
@@ -12,14 +12,14 @@ ms.devlang: na ms.topic: include ms.tgt_pltfrm: na ms.workload: identity -ms.date: 03/20/2019 +ms.date: 04/10/2019 ms.author: jmprieur ms.custom: include file --- # Call the Microsoft Graph API from a Windows Desktop app -This guide demonstrates how a native Windows Desktop .NET (XAML) application can get an access token and call the Microsoft Graph API or other APIs that require access tokens from an Azure Active Directory v2.0 endpoint. +This guide demonstrates how a native Windows Desktop .NET (XAML) application can get an access token and call the Microsoft Graph API or other APIs that require access tokens from an Microsoft identity platform for developers (formerly named Azure AD) v2.0 endpoint. When you've completed the guide, your application will be able to call a protected API that uses personal accounts (including outlook.com, live.com, and others). The application will also use work and school accounts from any company or organization that uses Azure Active Directory. 
@@ -28,13 +28,13 @@ When you've completed the guide, your application will be able to call a protect ## How the sample app generated by this guide works -![Shows how the sample app generated by this tutorials works](./media/active-directory-develop-guidedsetup-windesktop-intro/windesktophowitworks-updated.png) +![Shows how the sample app generated by this tutorials works](./media/active-directory-develop-guidedsetup-windesktop-intro/windesktophowitworks.svg) -The sample application that you create with this guide enables a Windows Desktop application that queries the Microsoft Graph API or a Web API that accepts tokens from an Azure Active Directory v2.0 endpoint. For this scenario, you add a token to HTTP requests via the Authorization header. Microsoft Authentication Library (MSAL) handles token acquisition and renewal. +The sample application that you create with this guide enables a Windows Desktop application that queries the Microsoft Graph API or a Web API that accepts tokens from a Microsoft identity platform endpoint. For this scenario, you add a token to HTTP requests via the Authorization header. Microsoft Authentication Library (MSAL) handles token acquisition and renewal. ## Handling token acquisition for accessing protected Web APIs -After the user is authenticated, the sample application receives a token that can be used to query Microsoft Graph API or a Web API that's secured by Azure Active Directory v2. +After the user is authenticated, the sample application receives a token that can be used to query Microsoft Graph API or a Web API that's secured by Microsoft identity platform for developers. APIs such as Microsoft Graph require a token to allow access to specific resources. For example, a token is required to read a user’s profile, access a user’s calendar, or send email. Your application can request an access token by using MSAL to access these resources by specifying API scopes. 
This access token is then added to the HTTP Authorization header for every call that's made against the protected resource. @@ -46,4 +46,4 @@ This guide uses the following NuGet packages: |Library|Description| |---|---| -|[Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)|Microsoft Authentication Library (MSAL)| +|[Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)|Microsoft Authentication Library (MSAL.NET)| diff --git a/includes/active-directory-develop-guidedsetup-windesktop-setup.md b/includes/active-directory-develop-guidedsetup-windesktop-setup.md index 42b359b99fcb4..c87326913c62e 100644 --- a/includes/active-directory-develop-guidedsetup-windesktop-setup.md +++ b/includes/active-directory-develop-guidedsetup-windesktop-setup.md @@ -12,7 +12,7 @@ ms.devlang: na ms.topic: include ms.tgt_pltfrm: na ms.workload: identity -ms.date: 09/17/2018 +ms.date: 04/10/2019 ms.author: jmprieur ms.custom: include file --- @@ -24,7 +24,7 @@ In this section you create a new project to demonstrate how to integrate a Windo The application that you create with this guide displays a button that's used to call a graph, an area to show the results on the screen, and a sign-out button. > [!NOTE] -> Prefer to download this sample's Visual Studio project instead? [Download a project](https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2/archive/master.zip), and skip to the [Configuration step](#register-your-application) to configure the code sample before you execute it. +> Prefer to download this sample's Visual Studio project instead? [Download a project](https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2/archive/msal3x.zip), and skip to the [Configuration step](#register-your-application) to configure the code sample before you execute it. > To create your application, do the following: 
@@ -39,7 +39,7 @@ To create your application, do the following: 2. In the Package Manager Console window, paste the following Azure PowerShell command: ```powershell - Install-Package Microsoft.Identity.Client + Install-Package Microsoft.Identity.Client -Pre ``` > [!NOTE] @@ -62,12 +62,28 @@ In this step, you create a class to handle interaction with MSAL, such as handli ```csharp public partial class App : Application { - //Below is the clientId of your app registration. - //You have to replace the below with the Application Id for your app registration - private static string ClientId = "your_client_id_here"; - - public static PublicClientApplication PublicClientApp = new PublicClientApplication(ClientId); - + static App() + { + _clientApp = PublicClientApplicationBuilder.Create(ClientId) + .WithAuthority(AzureCloudInstance.AzurePublic, Tenant) + .Build(); + } + + // Below are the clientId (Application Id) of your app registration and the tenant information. + // You have to replace: + // - the content of ClientID with the Application Id for your app registration + // - Te content of Tenant by the information about the accounts allowed to sign-in in your application: + // - For Work or School account in your org, use your tenant ID, or domain + // - for any Work or School accounts, use `organizations` + // - for any Work or School accounts, or Microsoft personal account, use `common` + // - for Microsoft Personal account, use consumers + private static string ClientId = "0b8b0665-bc13-4fdc-bd72-e0227b9fc011"; + + private static string Tenant = "common"; + + private static IPublicClientApplication _clientApp ; + + public static IPublicClientApplication PublicClientApp { get { return _clientApp; } } } ``` diff --git a/includes/active-directory-develop-guidedsetup-windesktop-test.md b/includes/active-directory-develop-guidedsetup-windesktop-test.md index 3e05c3b95aaed..b9ca8ba1d8634 100644 --- a/includes/active-directory-develop-guidedsetup-windesktop-test.md 
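Review bot: The `-Pre` flag added to the `Install-Package Microsoft.Identity.Client` line makes the tutorial install whichever prerelease build is newest on the day the reader runs it, so the later steps are not tied to a package version anyone has checked against this text. An authentication library is a dependency worth pinning. I would name the version the sample was written against, e.g. `Install-Package Microsoft.Identity.Client -Version <MSAL_VERSION>` (placeholder; the page does not state the version), keeping `-Pre` only if that version is itself a prerelease. If a prerelease really is required, one sentence saying why and when the flag can be dropped would help readers who arrive after the stable release.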
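Review bot: The new `ClientId` line in the `App` class replaces the `"your_client_id_here"` placeholder with a concrete GUID, while the comment above it still tells the reader to substitute their own Application Id. A reader who pastes the class unchanged gets an app that builds and signs users in under an app registration they do not control (presumably the sample's own), and nothing fails to tell them so. I would keep an obviously invalid value, `private static string ClientId = "your_client_id_here";`, so a forgotten substitution fails at the first sign-in. The comment could also say that `Tenant = "common"` accepts any work, school or personal account, and that a single-organization app should set its tenant ID instead. The comment has a typo as well: `Te content` should read `The content`.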
+++ b/includes/active-directory-develop-guidedsetup-windesktop-test.md @@ -12,7 +12,7 @@ ms.devlang: na ms.topic: include ms.tgt_pltfrm: na ms.workload: identity -ms.date: 09/17/2018 +ms.date: 04/10/2019 ms.author: jmprieur ms.custom: include file --- @@ -35,14 +35,14 @@ The first time that you sign in to your application, you're also prompted to pro ### View application results -After you sign in, you should see the user profile information that's returned by the call to the Microsoft Graph API. The results are displayed in the **API Call Results** box. Basic information about the token that was acquired via the call to `AcquireTokenAsync` or `AcquireTokenSilentAsync` should be visible in the **Token Info** box. The results contain the following properties: +After you sign in, you should see the user profile information that's returned by the call to the Microsoft Graph API. The results are displayed in the **API Call Results** box. Basic information about the token that was acquired via the call to `AcquireTokenInteractive` or `AcquireTokenSilent` should be visible in the **Token Info** box. The results contain the following properties: |Property |Format |Description | |---------|---------|---------| -|**Name** |User's full name |The user’s first and last name.| + |**Username** |user@domain.com |The username that is used to identify the user.| |**Token Expires** |DateTime |The time at which the token expires. MSAL extends the expiration date by renewing the token as necessary.| -|**Access Token** |String |The token string that is sent to HTTP requests that require an *Authorization header*.| + ### More information about scopes and delegated permissions diff --git a/includes/active-directory-develop-guidedsetup-windesktop-use.md b/includes/active-directory-develop-guidedsetup-windesktop-use.md index e667ee7529b65..cecfa00d4fcd1 100644 --- a/includes/active-directory-develop-guidedsetup-windesktop-use.md 
+++ b/includes/active-directory-develop-guidedsetup-windesktop-use.md @@ -12,7 +12,7 @@ ms.devlang: na ms.topic: include ms.tgt_pltfrm: na ms.workload: identity -ms.date: 09/17/2018 +ms.date: 04/11/2019 ms.author: jmprieur ms.custom: include file --- @@ -33,41 +33,47 @@ In this section, you use MSAL to get a token for the Microsoft Graph API. public partial class MainWindow : Window { //Set the API Endpoint to Graph 'me' endpoint - string _graphAPIEndpoint = "https://graph.microsoft.com/v1.0/me"; + string graphAPIEndpoint = "https://graph.microsoft.com/v1.0/me"; //Set the scope for API call to user.read - string[] _scopes = new string[] { "user.read" }; + string[] scopes = new string[] { "user.read" }; + public MainWindow() { InitializeComponent(); } - ///

    - /// Call AcquireTokenAsync - to acquire a token requiring user to sign-in + /// + /// Call AcquireToken - to acquire a token requiring user to sign-in /// private async void CallGraphButton_Click(object sender, RoutedEventArgs e) { AuthenticationResult authResult = null; - var app = App.PublicClientApp; ResultText.Text = string.Empty; TokenInfoText.Text = string.Empty; var accounts = await app.GetAccountsAsync(); + var firstAccount = accounts.FirstOrDefault(); try { - authResult = await app.AcquireTokenSilentAsync(_scopes, accounts.FirstOrDefault()); + authResult = await app.AcquireTokenSilent(scopes, firstAccount) + .ExecuteAsync(); } catch (MsalUiRequiredException ex) { - // A MsalUiRequiredException happened on AcquireTokenSilentAsync. This indicates you need to call AcquireTokenAsync to acquire a token + // A MsalUiRequiredException happened on AcquireTokenSilent. + // This indicates you need to call AcquireTokenInteractive to acquire a token System.Diagnostics.Debug.WriteLine($"MsalUiRequiredException: {ex.Message}"); try { - authResult = await App.PublicClientApp.AcquireTokenAsync(_scopes); + authResult = await app.AcquireTokenInteractive(scopes) + .WithAccount(accounts.FirstOrDefault()) + .WithPrompt(Prompt.SelectAccount) + .ExecuteAsync(); } catch (MsalException msalex) { @@ -82,12 +88,11 @@ In this section, you use MSAL to get a token for the Microsoft Graph API. if (authResult != null) { - ResultText.Text = await GetHttpContentWithToken(_graphAPIEndpoint, authResult.AccessToken); + ResultText.Text = await GetHttpContentWithToken(graphAPIEndpoint, authResult.AccessToken); DisplayBasicTokenInfo(authResult); this.SignOutButton.Visibility = Visibility.Visible; } } - } ``` 
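Review bot: The interactive fallback in `CallGraphButton_Click` passes `.WithAccount(accounts.FirstOrDefault())`, although this hunk introduces `firstAccount` a few lines earlier for the silent call. Both calls should use the same variable, `.WithAccount(firstAccount)`, so that a later edit to the account selection cannot leave the silent and interactive paths targeting different accounts. A short comment on `.WithPrompt(Prompt.SelectAccount)` would also help, since it presumably shows the account picker even though an account is supplied, and the sample does not say why both are set. The method body continues past this hunk; the `catch (MsalException msalex)` block is only partly shown.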
@@ -95,21 +100,21 @@ In this section, you use MSAL to get a token for the Microsoft Graph API. #### Get a user token interactively -Calling the `AcquireTokenAsync` method results in a window that prompts users to sign in. Applications usually require users to sign in interactively the first time they need to access a protected resource. They might also need to sign in when a silent operation to acquire a token fails (for example, when a user’s password is expired). +Calling the `AcquireTokenInteractive` method results in a window that prompts users to sign in. Applications usually require users to sign in interactively the first time they need to access a protected resource. They might also need to sign in when a silent operation to acquire a token fails (for example, when a user’s password is expired). #### Get a user token silently -The `AcquireTokenSilentAsync` method handles token acquisitions and renewals without any user interaction. After `AcquireTokenAsync` is executed for the first time, `AcquireTokenSilentAsync` is the usual method to use to obtain tokens that access protected resources for subsequent calls, because calls to request or renew tokens are made silently. +The `AcquireTokenSilent` method handles token acquisitions and renewals without any user interaction. After `AcquireTokenInteractive` is executed for the first time, `AcquireTokenSilent` is the usual method to use to obtain tokens that access protected resources for subsequent calls, because calls to request or renew tokens are made silently. -Eventually, the `AcquireTokenSilentAsync` method will fail. Reasons for failure might be that the user has either signed out or changed their password on another device. When MSAL detects that the issue can be resolved by requiring an interactive action, it fires an `MsalUiRequiredException` exception. Your application can handle this exception in two ways: +Eventually, the `AcquireTokenSilent` method will fail. 
Reasons for failure might be that the user has either signed out or changed their password on another device. When MSAL detects that the issue can be resolved by requiring an interactive action, it fires an `MsalUiRequiredException` exception. Your application can handle this exception in two ways: -* It can make a call against `AcquireTokenAsync` immediately. This call results in prompting the user to sign in. This pattern is usually used in online applications where there is no available offline content for the user. The sample generated by this guided setup follows this pattern, which you can see in action the first time you execute the sample. +* It can make a call against `AcquireTokenInteractive` immediately. This call results in prompting the user to sign in. This pattern is usually used in online applications where there is no available offline content for the user. The sample generated by this guided setup follows this pattern, which you can see in action the first time you execute the sample. * Because no user has used the application, `PublicClientApp.Users.FirstOrDefault()` contains a null value, and an `MsalUiRequiredException` exception is thrown. -* The code in the sample then handles the exception by calling `AcquireTokenAsync`, which results in prompting the user to sign in. +* The code in the sample then handles the exception by calling `AcquireTokenInteractive`, which results in prompting the user to sign in. -* It can instead present a visual indication to users that an interactive sign-in is required, so that they can select the right time to sign in. Or the application can retry `AcquireTokenSilentAsync` later. This pattern is frequently used when users can use other application functionality without disruption--for example, when offline content is available in the application. In this case, users can decide when they want to sign in to either access the protected resource or refresh the outdated information. 
Alternatively, the application can decide to retry `AcquireTokenSilentAsync` when the network is restored after having been temporarily unavailable. +* It can instead present a visual indication to users that an interactive sign-in is required, so that they can select the right time to sign in. Or the application can retry `AcquireTokenSilent` later. This pattern is frequently used when users can use other application functionality without disruption--for example, when offline content is available in the application. In this case, users can decide when they want to sign in to either access the protected resource or refresh the outdated information. Alternatively, the application can decide to retry `AcquireTokenSilent` when the network is restored after having been temporarily unavailable. ## Call the Microsoft Graph API by using the token you just obtained @@ -165,7 +170,7 @@ private async void SignOutButton_Click(object sender, RoutedEventArgs e) { try { - await App.PublicClientApp.RemoveAsync(accounts.FirstOrDefault()); + await App.PublicClientApp.RemoveAsync(accounts.FirstOrDefault()); this.ResultText.Text = "User has signed-out"; this.CallGraphButton.Visibility = Visibility.Visible; this.SignOutButton.Visibility = Visibility.Collapsed; @@ -201,7 +206,6 @@ private void DisplayBasicTokenInfo(AuthenticationResult authResult) { TokenInfoText.Text += $"Username: {authResult.Account.Username}" + Environment.NewLine; TokenInfoText.Text += $"Token Expires: {authResult.ExpiresOn.ToLocalTime()}" + Environment.NewLine; - TokenInfoText.Text += $"Access Token: {authResult.AccessToken}" + Environment.NewLine; } } ``` diff --git a/includes/active-directory-ds-prerequisites.md b/includes/active-directory-ds-prerequisites.md index 5987342a1f757..628f0755343d4 100644 --- a/includes/active-directory-ds-prerequisites.md +++ b/includes/active-directory-ds-prerequisites.md 
@@ -24,6 +24,6 @@ ms.author: maheshu > > Follow the instructions below, depending on the type of users in your Azure > AD directory. Complete both sets of instructions if you have a mix of cloud-only -> and synced user accounts in your Azure AD directory. +> and synced user accounts in your Azure AD directory. You may not be able to carry out the following operations in case you are trying to use a B2B Guest account (example , your gmail or MSA from a different Identity provider which we allow) becasue we do not have the password for these users synced to managed domain as these are guest accounts in the directory. The complete information about these accounts including their passwords would be outside of Azure AD and as this information is not in Azure AD hence it does not even get synced to the managed domain. > - [Instructions for cloud-only user accounts](../articles/active-directory-domain-services/active-directory-ds-getting-started-password-sync.md) > - [Instructions for user accounts synchronized from an on-premises directory](../articles/active-directory-domain-services/active-directory-ds-getting-started-password-sync-synced-tenant.md) diff --git a/includes/app-service-web-create-web-app-dotnetcore-linux-no-h.md b/includes/app-service-web-create-web-app-dotnetcore-linux-no-h.md index c08871342fc26..9ebb847f31cf6 100644 --- a/includes/app-service-web-create-web-app-dotnetcore-linux-no-h.md +++ b/includes/app-service-web-create-web-app-dotnetcore-linux-no-h.md 
@@ -12,19 +12,19 @@ ms.custom: "include file" Create a [web app](../articles/app-service/containers/app-service-linux-intro.md) in the `myAppServicePlan` App Service plan. -In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `DOTNETCORE|2.1`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp?view=azure-cli-latest). +In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `DOTNETCORE|2.1`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp?view=azure-cli-latest). ```azurecli-interactive # Bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "DOTNETCORE|2.1" --deployment-local-git +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "DOTNETCORE|2.1" --deployment-local-git # PowerShell -az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "DOTNETCORE|2.1" --deployment-local-git +az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "DOTNETCORE|2.1" --deployment-local-git ``` When the web app has been created, the Azure CLI shows output similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, 
@@ -32,8 +32,8 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } @@ -42,5 +42,5 @@ Local git is configured with url of 'https://@.scm.azurewebs You’ve created an empty web app in a Linux container, with git deployment enabled. > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. > diff --git a/includes/app-service-web-create-web-app-dotnetcore-no-h.md b/includes/app-service-web-create-web-app-dotnetcore-no-h.md index 3cf1ec4054522..551995cce4301 100644 --- a/includes/app-service-web-create-web-app-dotnetcore-no-h.md +++ b/includes/app-service-web-create-web-app-dotnetcore-no-h.md 
@@ -12,19 +12,19 @@ ms.custom: "include file" Create a [web app](../articles/app-service/containers/app-service-linux-intro.md) in the `myAppServicePlan` App Service plan. -In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az_webapp_create) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `dotnetcore|1.1`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-list-runtimes). +In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az_webapp_create) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `dotnetcore|1.1`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-list-runtimes). ```azurecli-interactive # Bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "dotnetcore|1.1" --deployment-local-git +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "dotnetcore|1.1" --deployment-local-git # Powershell -az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "dotnetcore|1.1" --deployment-local-git +az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "dotnetcore|1.1" --deployment-local-git ``` When the web app has been created, the Azure CLI shows output similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, 
@@ -32,8 +32,8 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } @@ -42,5 +42,5 @@ Local git is configured with url of 'https://@.scm.azurewebs You’ve created an empty web app in a Linux container, with git deployment enabled. > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. > diff --git a/includes/app-service-web-create-web-app-dotnetcore-win-no-h.md b/includes/app-service-web-create-web-app-dotnetcore-win-no-h.md index 3bb0b1b5651c4..6fb9085b30b67 100644 --- a/includes/app-service-web-create-web-app-dotnetcore-win-no-h.md +++ b/includes/app-service-web-create-web-app-dotnetcore-win-no-h.md 
@@ -12,16 +12,16 @@ ms.custom: "include file" Create a [web app](../articles/app-service/containers/app-service-linux-intro.md) in the `myAppServicePlan` App Service plan. -In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-create) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). +In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-create) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). ```azurecli-interactive -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --deployment-local-git +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --deployment-local-git ``` When the web app has been created, the Azure CLI shows output similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, @@ -29,13 +29,13 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } ``` > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. 
> diff --git a/includes/app-service-web-create-web-app-no-h.md b/includes/app-service-web-create-web-app-no-h.md index 6a5f80ce1f595..ca80811153c63 100644 --- a/includes/app-service-web-create-web-app-no-h.md +++ b/includes/app-service-web-create-web-app-no-h.md @@ -10,16 +10,16 @@ ms.author: cephalin ms.custom: "include file" --- -In the Cloud Shell, create a [web app](../articles/app-service/overview.md) in the `myAppServicePlan` App Service plan. You can do it by using the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az_webapp_create) command. In the following example, replace *\* with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). +In the Cloud Shell, create a [web app](../articles/app-service/overview.md) in the `myAppServicePlan` App Service plan. You can do it by using the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az_webapp_create) command. In the following example, replace *\* with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). ```azurecli-interactive -az webapp create --name --resource-group myResourceGroup --plan myAppServicePlan --deployment-local-git +az webapp create --name --resource-group myResourceGroup --plan myAppServicePlan --deployment-local-git ``` When the web app has been created, the Azure CLI shows information similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, 
@@ -27,8 +27,8 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } @@ -37,13 +37,13 @@ Local git is configured with url of 'https://@.scm.azurewebs You’ve created an empty web app, with git deployment enabled. > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. > Browse to the newly created web app. ``` -http://.azurewebsites.net +http://.azurewebsites.net ``` Here is what your new web app should look like: diff --git a/includes/app-service-web-create-web-app-nodejs-linux-no-h.md b/includes/app-service-web-create-web-app-nodejs-linux-no-h.md index b8ab826b6e1e7..4ba5326ad1c76 100644 --- a/includes/app-service-web-create-web-app-nodejs-linux-no-h.md +++ b/includes/app-service-web-create-web-app-nodejs-linux-no-h.md 
@@ -12,19 +12,19 @@ ms.custom: "include file" Create a [web app](../articles/app-service/containers/app-service-linux-intro.md) in the `myAppServicePlan` App Service plan. -In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `NODE|6.9`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp?view=azure-cli-latest). +In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `NODE|6.9`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp?view=azure-cli-latest). ```azurecli-interactive # Bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "NODE|6.9" --deployment-local-git +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "NODE|6.9" --deployment-local-git # PowerShell -az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "NODE|6.9" --deployment-local-git +az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "NODE|6.9" --deployment-local-git ``` When the web app has been created, the Azure CLI shows output similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, 
@@ -32,8 +32,8 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } @@ -42,5 +42,5 @@ Local git is configured with url of 'https://@.scm.azurewebs You’ve created an empty web app, with git deployment enabled. > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. > diff --git a/includes/app-service-web-create-web-app-nodejs-no-h.md b/includes/app-service-web-create-web-app-nodejs-no-h.md index 0247e61750614..d5c37d20c39b9 100644 --- a/includes/app-service-web-create-web-app-nodejs-no-h.md +++ b/includes/app-service-web-create-web-app-nodejs-no-h.md 
@@ -12,19 +12,19 @@ ms.custom: "include file" Create a [web app](../articles/app-service/containers/app-service-linux-intro.md) in the `myAppServicePlan` App Service plan. -In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `NODE|6.9`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-list-runtimes). +In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `NODE|6.9`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-list-runtimes). ```azurecli-interactive # Bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "NODE|6.9" --deployment-local-git +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "NODE|6.9" --deployment-local-git # PowerShell -az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "NODE|6.9" --deployment-local-git +az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "NODE|6.9" --deployment-local-git ``` When the web app has been created, the Azure CLI shows output similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, 
@@ -32,8 +32,8 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } @@ -42,5 +42,5 @@ Local git is configured with url of 'https://@.scm.azurewebs You’ve created an empty web app, with git deployment enabled. > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. > diff --git a/includes/app-service-web-create-web-app-php-linux-no-h.md b/includes/app-service-web-create-web-app-php-linux-no-h.md index 0a53c87d6b21e..5e179dc5e80b2 100644 --- a/includes/app-service-web-create-web-app-php-linux-no-h.md +++ b/includes/app-service-web-create-web-app-php-linux-no-h.md 
@@ -12,19 +12,19 @@ ms.custom: "include file" Create a [web app](../articles/app-service/containers/app-service-linux-intro.md) in the `myAppServicePlan` App Service plan. -In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-create) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PHP|7.0`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-list-runtimes). +In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-create) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PHP|7.0`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp?view=azure-cli-latest#az-webapp-list-runtimes). ```azurecli-interactive # Bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PHP|7.0" --deployment-local-git +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PHP|7.0" --deployment-local-git # PowerShell -az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PHP|7.0" --deployment-local-git +az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PHP|7.0" --deployment-local-git ``` When the web app has been created, the Azure CLI shows output similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, 
@@ -32,8 +32,8 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } @@ -42,5 +42,5 @@ Local git is configured with url of 'https://@.scm.azurewebs You’ve created an empty new web app, with git deployment enabled. > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. > diff --git a/includes/app-service-web-create-web-app-php-no-h.md b/includes/app-service-web-create-web-app-php-no-h.md index 2d0b04afaec42..bd8200267a8e3 100644 --- a/includes/app-service-web-create-web-app-php-no-h.md +++ b/includes/app-service-web-create-web-app-php-no-h.md 
@@ -12,19 +12,19 @@ ms.custom: "include file" Create a [web app](../articles/app-service/containers/app-service-linux-intro.md) in the `myAppServicePlan` App Service plan. -In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PHP|7.0`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp?view=azure-cli-latest). +In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PHP|7.0`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp?view=azure-cli-latest). ```azurecli-interactive # Bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PHP|7.0" --deployment-local-git +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PHP|7.0" --deployment-local-git # PowerShell -az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PHP|7.0" --deployment-local-git +az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PHP|7.0" --deployment-local-git ``` When the web app has been created, the Azure CLI shows output similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, 
@@ -32,8 +32,8 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } @@ -42,5 +42,5 @@ Local git is configured with url of 'https://@.scm.azurewebs You’ve created an empty new web app, with git deployment enabled. > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. > diff --git a/includes/app-service-web-create-web-app-python-linux-no-h.md b/includes/app-service-web-create-web-app-python-linux-no-h.md index cf4519ad595f4..b77537f13584a 100644 --- a/includes/app-service-web-create-web-app-python-linux-no-h.md +++ b/includes/app-service-web-create-web-app-python-linux-no-h.md 
@@ -12,19 +12,19 @@ ms.custom: "include file" Create a [web app](../articles/app-service/containers/app-service-linux-intro.md) in the `myAppServicePlan` App Service plan. -In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PYTHON|3.7`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp?view=azure-cli-latest). +In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PYTHON|3.7`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp?view=azure-cli-latest). ```azurecli-interactive # Bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PYTHON|3.7" --deployment-local-git +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PYTHON|3.7" --deployment-local-git # PowerShell -az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PYTHON|3.7" --deployment-local-git +az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "PYTHON|3.7" --deployment-local-git ``` When the web app has been created, the Azure CLI shows output similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, 
@@ -32,8 +32,8 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } @@ -42,5 +42,5 @@ Local git is configured with url of 'https://@.scm.azurewebs You’ve created an empty new web app, with git deployment enabled. > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. > diff --git a/includes/app-service-web-create-web-app-python-no-h.md b/includes/app-service-web-create-web-app-python-no-h.md index 9dc3fcf335fbc..2c3f4091f3e76 100644 --- a/includes/app-service-web-create-web-app-python-no-h.md +++ b/includes/app-service-web-create-web-app-python-no-h.md 
@@ -12,19 +12,19 @@ ms.custom: "include file" Create a [web app](../articles/app-service/containers/app-service-linux-intro.md) in the `myAppServicePlan` App Service plan. -In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az_webapp_create) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `python|3.4`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp?view=azure-cli-latest#az_webapp_list_runtimes). +In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest#az_webapp_create) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `python|3.4`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp?view=azure-cli-latest#az_webapp_list_runtimes). ```azurecli-interactive # Bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "python|3.4" --deployment-local-git +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "python|3.4" --deployment-local-git # PowerShell -az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "python|3.4" --deployment-local-git +az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "python|3.4" --deployment-local-git ``` When the web app has been created, the Azure CLI shows output similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, 
@@ -32,8 +32,8 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } @@ -42,5 +42,5 @@ Local git is configured with url of 'https://@.scm.azurewebs You’ve created an empty new web app, with git deployment enabled. > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. > diff --git a/includes/app-service-web-create-web-app-ruby-linux-no-h.md b/includes/app-service-web-create-web-app-ruby-linux-no-h.md index 5dfd61b5d2376..d1216d1853b9f 100644 --- a/includes/app-service-web-create-web-app-ruby-linux-no-h.md +++ b/includes/app-service-web-create-web-app-ruby-linux-no-h.md 
@@ -12,19 +12,19 @@ ms.custom: "include file" Create a [web app](../articles/app-service/containers/app-service-linux-intro.md) in the `myAppServicePlan` App Service plan. -In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `RUBY|2.3`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp?view=azure-cli-latest). +In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp?view=azure-cli-latest) command. In the following example, replace `` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `RUBY|2.3`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp?view=azure-cli-latest). ```azurecli-interactive # Bash -az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "RUBY|2.3" --deployment-local-git +az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "RUBY|2.3" --deployment-local-git # PowerShell -az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "RUBY|2.3" --deployment-local-git +az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name --runtime "RUBY|2.3" --deployment-local-git ``` When the web app has been created, the Azure CLI shows output similar to the following example: ```json -Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' +Local git is configured with url of 'https://@.scm.azurewebsites.net/.git' { "availabilityState": "Normal", "clientAffinityEnabled": true, 
@@ -32,8 +32,8 @@ Local git is configured with url of 'https://@.scm.azurewebs "cloningInfo": null, "containerSize": 0, "dailyMemoryTimeQuota": 0, - "defaultHostName": ".azurewebsites.net", - "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", + "defaultHostName": ".azurewebsites.net", + "deploymentLocalGitUrl": "https://@.scm.azurewebsites.net/.git", "enabled": true, < JSON data removed for brevity. > } @@ -42,5 +42,5 @@ Local git is configured with url of 'https://@.scm.azurewebs You’ve created an empty new web app, with git deployment enabled. > [!NOTE] -> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. +> The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://@.scm.azurewebsites.net/.git`. Save this URL as you need it later. > diff --git a/includes/app-service-web-logs-access-no-h.md b/includes/app-service-web-logs-access-no-h.md new file mode 100644 index 0000000000000..989d6b256aacc --- /dev/null +++ b/includes/app-service-web-logs-access-no-h.md 
@@ -0,0 +1,30 @@
+---
+title: "include file"
+description: "include file"
+services: app-service
+author: cephalin
+ms.service: app-service
+ms.topic: "include"
+ms.date: 03/27/2019
+ms.author: cephalin
+ms.custom: "include file"
+---
+
+You can access the console logs generated from inside the container. First, turn on container logging by running the following command in the Cloud Shell:
+
+```azurecli-interactive
+az webapp log config --name --resource-group myResourceGroup --docker-container-logging filesystem
+```
+
+Once container logging is turned on, run the following command to see the log stream:
+
+```azurecli-interactive
+az webapp log tail --name --resource-group myResourceGroup
+```
+
+If you don't see console logs immediately, check again in 30 seconds.
+
+> [!NOTE]
+> You can also inspect the log files from the browser at `https://.scm.azurewebsites.net/api/logs/docker`.
+
+To stop log streaming at any time, type `Ctrl`+`C`.
diff --git a/includes/app-service-web-ssh-connect-builtin-no-h.md b/includes/app-service-web-ssh-connect-builtin-no-h.md
new file mode 100644
index 0000000000000..d51a6c2b5dd24
--- /dev/null
+++ b/includes/app-service-web-ssh-connect-builtin-no-h.md
@@ -0,0 +1,19 @@
+---
+title: "include file"
+description: "include file"
+services: app-service
+author: cephalin
+ms.service: app-service
+ms.topic: "include"
+ms.date: 03/29/2019
+ms.author: cephalin
+ms.custom: "include file"
+---
+
+[!INCLUDE [Open SSH session in browser](app-service-web-ssh-connect-no-h.md)]
+
+> [!NOTE]
+> Any changes you make outside the */home* directory are stored in the container itself and don't persist beyond an app restart.
+>
+
+To open a remote SSH session from your local machine, see [Open SSH session from remote shell](../articles/app-service/containers/app-service-linux-ssh-support.md#open-ssh-session-from-remote-shell).
\ No newline at end of file
diff --git a/includes/app-service-web-ssh-connect-no-h.md b/includes/app-service-web-ssh-connect-no-h.md
new file mode 100644
index 0000000000000..7cb1bc5ef91ba
--- /dev/null
+++ b/includes/app-service-web-ssh-connect-no-h.md
@@ -0,0 +1,23 @@
+---
+title: "include file"
+description: "include file"
+services: app-service
+author: cephalin
+ms.service: app-service
+ms.topic: "include"
+ms.date: 03/29/2019
+ms.author: cephalin
+ms.custom: "include file"
+---
+
+To make open a direct SSH session with your container, your app should be running.
+
+Paste the following URL into your browser and replace \ with your app name:
+
+```
+https://.scm.azurewebsites.net/webssh/host
+```
+
+If you're not yet authenticated, you're required to authenticate with your Azure subscription to connect. Once authenticated, you see an in-browser shell, where you can run commands inside your container.
+
+![SSH connection](./media/app-service-web-ssh-connect-no-h/app-service-linux-ssh-connection.png)
diff --git a/includes/azure-storage-limits-premium.md b/includes/azure-storage-limits-premium.md
index 5c6159e2a49e6..2fc1afde3ccb4 100644
--- a/includes/azure-storage-limits-premium.md
+++ b/includes/azure-storage-limits-premium.md
@@ -12,11 +12,25 @@ ms.custom: include file ### Premium performance block blob storage -A premium performance block blob storage account is optimized for applications that use smaller, kilobyte range, objects. It's ideal for applications that require very high transaction rates or consistent low-latency storage. Premium performance block blob storage is designed to scale with your applications. If you plan to deploy application(s) that require hundreds of thousands of requests per second or petabytes of storage capacity, please contact us by submitting a support request in the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). +A premium performance block blob storage account is optimized for applications that use smaller, kilobyte range, objects. It's ideal for applications that require high transaction rates or consistent low-latency storage. Premium performance block blob storage is designed to scale with your applications. If you plan to deploy application(s) that require hundreds of thousands of requests per second or petabytes of storage capacity, please contact us by submitting a support request in the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). + +### Premium performance FileStorage (preview) + +Premium files use a unique storage account called **FileStorage (preview)**. This account type is designed for workloads with high IOPS, high throughput with consistent low-latency. Premium file storage scales with the provisioned share size. + +|Area |Target | +|---------|---------| +|Max provisioned size |5 TiB (public preview), 100 TiB (limited public preview) | +|Shares |Unlimited | +|IOPS |100,000 (limited public preview) | +|Ingress|4,136 MiB/s | +|Egress|6,204 MiB/s | + + For premium file share scale targets, see the [Premium files scale targets](../articles/storage/common/storage-scalability-targets.md#premium-files-scale-targets) section. 
### Premium performance page blob storage -Premium performance, general-purpose v1 or v2 storage accounts have the following scalability targets: +Premium performance, general-purpose v1, or v2 storage accounts have the following scalability targets: | Total account capacity | Total bandwidth for a locally redundant storage account | | ------------------------------------------------- | --------------------------------------------------------------------------- | diff --git a/includes/azure-storage-limits.md b/includes/azure-storage-limits.md index 72ce92989ed18..89a8de039ce7e 100644 --- a/includes/azure-storage-limits.md +++ b/includes/azure-storage-limits.md @@ -10,7 +10,7 @@ ms.custom: include file --- -The following table describes default limits for Azure Storage. The *ingress* limit refers to all data from requests that are sent to a storage account. The *egress* limit refers to all data from responses that are received from a storage account. +The following table describes default limits for Azure general-purpose v1, v2, and Blob storage accounts. The *ingress* limit refers to all data from requests that are sent to a storage account. The *egress* limit refers to all data from responses that are received from a storage account. | Resource | Default limit | | --- | --- | diff --git a/includes/azure-subscription-limits.md b/includes/azure-subscription-limits.md index c532e83667883..04036038bbd84 100644 --- a/includes/azure-subscription-limits.md +++ b/includes/azure-subscription-limits.md @@ -20,7 +20,7 @@ | DNS servers per subscription |9 |100 | | Reserved IPs per subscription |20 |100 | | [Affinity groups](../articles/virtual-network/virtual-networks-migrate-to-regional-vnet.md) per subscription |256 |256 | - +| Subscription name length (characters) | 64 | 64 | 1Extra small instances count as one vCPU toward the vCPU limit despite using a partial CPU core. 
diff --git a/includes/azure-virtual-network-limits.md b/includes/azure-virtual-network-limits.md index 3d43de69093ed..ee0ed3713b168 100644 --- a/includes/azure-virtual-network-limits.md +++ b/includes/azure-virtual-network-limits.md @@ -2,11 +2,11 @@ title: include file description: include file services: networking - author: jimdial + author: anavinahar ms.service: networking ms.topic: include - ms.date: 02/07/2019 - ms.author: jdial + ms.date: 04/10/2019 + ms.author: anavin ms.custom: include file --- @@ -40,7 +40,7 @@ The following limits apply only for networking resources managed through Azure R | --- | --- | | Virtual networks |1,000 | | Subnets per virtual network |3,000 | -| Virtual network peerings per virtual network |100 | +| Virtual network peerings per virtual network |500 | | DNS servers per virtual network |20 | | Private IP addresses per virtual network |65,536 | | Private IP addresses per network interface |256 | @@ -64,7 +64,7 @@ The following limits apply only for networking resources managed through Azure R | Resource | Default limit | Maximum limit | | --- | --- | --- | | Public IP addresses - dynamic | 1,000 for Basic. |Contact support. | -| Public IP addresses - static | 200 for Basic. |Contact support. | +| Public IP addresses - static | 1,000 for Basic. |Contact support. | | Public IP addresses - static | 200 for Standard.|Contact support. | | Public IP prefix size (preview) | /28 | /28 | diff --git a/includes/cognitive-services-luis-roles-not-supported-in-batch-testing.md b/includes/cognitive-services-luis-roles-not-supported-in-batch-testing.md new file mode 100644 index 0000000000000..ecf39a1812876 --- /dev/null +++ b/includes/cognitive-services-luis-roles-not-supported-in-batch-testing.md 
@@ -0,0 +1,18 @@ +--- +title: include file +description: include file +services: cognitive-services +author: diberry +manager: cjgronlund +ms.service: cognitive-services +ms.subservice: luis +ms.topic: include +ms.custom: include file +ms.date: 03/29/2019 +ms.author: diberry +--- + +## Roles in batch testing + +> [!CAUTION] +> Entity roles are not supported in batch testing. diff --git a/includes/cognitive-services-speech-service-endpoints-text-to-speech.md b/includes/cognitive-services-speech-service-endpoints-text-to-speech.md index 89d20dd1c2938..8697c40241f70 100644 --- a/includes/cognitive-services-speech-service-endpoints-text-to-speech.md +++ b/includes/cognitive-services-speech-service-endpoints-text-to-speech.md @@ -26,7 +26,6 @@ Standard voices are available in these regions: | Region | Endpoint | |--------|----------| | Australia East | https://australiaeast.tts.speech.microsoft.com/cognitiveservices/v1 | -| Brazil South | https://brazilsouth.tts.speech.microsoft.com/cognitiveservices/v1 | | Canada Central | https://canadacentral.tts.speech.microsoft.com/cognitiveservices/v1 | | Central US | https://centralus.tts.speech.microsoft.com/cognitiveservices/v1 | | East Asia | https://eastasia.tts.speech.microsoft.com/cognitiveservices/v1 | @@ -52,7 +51,6 @@ If you've created a custom voice font, use the endpoint that you've created, not | Region | Endpoint | |--------|----------| | Australia East | https://australiaeast.voice.speech.microsoft.com | -| Brazil South | https://brazilsouth.voice.speech.microsoft.com | | Canada Central | https://canadacentral.voice.speech.microsoft.com | | Central US | https://centralus.voice.speech.microsoft.com | | East Asia | https://eastasia.voice.speech.microsoft.com | diff --git a/includes/cognitive-services-speech-service-quickstart-cpp-create-proj.md b/includes/cognitive-services-speech-service-quickstart-cpp-create-proj.md index c3cf137d2b876..f87283ca7ec42 100644 
--- a/includes/cognitive-services-speech-service-quickstart-cpp-create-proj.md +++ b/includes/cognitive-services-speech-service-quickstart-cpp-create-proj.md @@ -37,7 +37,7 @@ ms.author: erhopf ![Screenshot of Manage Packages for Solution dialog box](../articles/cognitive-services/Speech-Service/media/sdk/qs-cpp-windows-04-nuget-install-1.0.0.png) > [!NOTE] - > The current version of the Cognitive Services Speech SDK is `1.3.1`. + > The current version of the Cognitive Services Speech SDK is `1.4.0`. 1. Accept the displayed license to begin installation of the NuGet package. diff --git a/includes/cognitive-services-speech-service-quickstart-java-create-proj.md b/includes/cognitive-services-speech-service-quickstart-java-create-proj.md index ac7a8cb7a3583..70f6b864ee94d 100644 --- a/includes/cognitive-services-speech-service-quickstart-java-create-proj.md +++ b/includes/cognitive-services-speech-service-quickstart-java-create-proj.md @@ -40,7 +40,7 @@ ms.author: erhopf [!code-xml[POM Repositories](~/samples-cognitive-services-speech-sdk/quickstart/java-jre/pom.xml#repositories)] - * Also add a `dependencies` element, with the Speech SDK version 1.3.1 as a dependency: + * Also add a `dependencies` element, with the Speech SDK version 1.4.0 as a dependency: [!code-xml[POM Dependencies](~/samples-cognitive-services-speech-sdk/quickstart/java-jre/pom.xml#dependencies)] diff --git a/includes/cognitive-services-speech-service-quickstart-selector.md b/includes/cognitive-services-speech-service-quickstart-selector.md index 8a854df0ef5fe..98e5c790c8271 100644 --- a/includes/cognitive-services-speech-service-quickstart-selector.md +++ b/includes/cognitive-services-speech-service-quickstart-selector.md 
@@ -13,9 +13,11 @@ ms.author: wolfma > - [C#: Unity](~/articles/cognitive-services/speech-service/quickstart-csharp-unity.md) > - [C++: Windows](~/articles/cognitive-services/speech-service/quickstart-cpp-windows.md) > - [C++: Linux](~/articles/cognitive-services/speech-service/quickstart-cpp-linux.md) +> - [C++: macOS](~/articles/cognitive-services/speech-service/quickstart-cpp-macos.md) > - [Java: Android](~/articles/cognitive-services/speech-service/quickstart-java-android.md) > - [Java: JRE](~/articles/cognitive-services/speech-service/quickstart-java-jre.md) > - [JavaScript: Browser](~/articles/cognitive-services/speech-service/quickstart-js-browser.md) > - [JavaScript: Node.js](~/articles/cognitive-services/speech-service/quickstart-js-node.md) > - [Objective-C: iOS](~/articles/cognitive-services/speech-service/quickstart-objectivec-ios.md) +> - [Objective-C: macOS](~/articles/cognitive-services/speech-service/quickstart-objective-c-macos.md) > - [Python](~/articles/cognitive-services/speech-service/quickstart-python.md) diff --git a/includes/cognitive-services-speech-service-quickstart-uwp-create-proj.md b/includes/cognitive-services-speech-service-quickstart-uwp-create-proj.md index f968dd5b4c2a7..63c17852a76ee 100644 --- a/includes/cognitive-services-speech-service-quickstart-uwp-create-proj.md +++ b/includes/cognitive-services-speech-service-quickstart-uwp-create-proj.md 
@@ -44,7 +44,7 @@ ms.author: erhopf 1. The following output line appears in the Package Manager console. ```text - Successfully installed 'Microsoft.CognitiveServices.Speech 1.3.1' to helloworld + Successfully installed 'Microsoft.CognitiveServices.Speech 1.4.0' to helloworld ``` 1. Because the application uses the microphone for speech input, add the **Microphone** capability to the project. In Solution Explorer, double-click **Package.appxmanifest** to edit your application manifest. Then switch to the **Capabilities** tab, select the box for the **Microphone** capability, and save your changes. diff --git a/includes/configure-deployment-user-no-h.md b/includes/configure-deployment-user-no-h.md index dafc604631df4..362964bfb0952 100644 --- a/includes/configure-deployment-user-no-h.md +++ b/includes/configure-deployment-user-no-h.md @@ -18,7 +18,7 @@ In the following example, replace *\* and *\*, including the az webapp deployment user set --user-name --password ``` -You get a JSON output with the password shown as `null`. If you get a `'Conflict'. Details: 409` error, change the username. If you get a ` 'Bad Request'. Details: 400` error, use a stronger password. The deployment username must not contain ‘@’ symbol for local Git pushes. +You get a JSON output with the password shown as `null`. If you get a `'Conflict'. Details: 409` error, change the username. If you get a `'Bad Request'. Details: 400` error, use a stronger password. The deployment username must not contain ‘@’ symbol for local Git pushes. You configure this deployment user only once. You can use it for all your Azure deployments. diff --git a/includes/cosmos-db-create-collection.md b/includes/cosmos-db-create-collection.md index 8db4fe6a35af1..33f6c8eeb5997 100644 --- a/includes/cosmos-db-create-collection.md +++ b/includes/cosmos-db-create-collection.md 
@@ -24,7 +24,7 @@ You can now use the Data Explorer tool in the Azure portal to create a database ---|---|--- Database id|Tasks|Enter *Tasks* as the name for the new database. Database names must contain from 1 through 255 characters, and they cannot contain `/, \\, #, ?`, or a trailing space. Collection id|Items|Enter *Items* as the name for your new collection. Collection ids have the same character requirements as database names. - Partition key| | Enter a partition key such as */userid*. + Partition key| ``| Enter a partition key such as */userid*. Throughput|400 RU|Change the throughput to 400 request units per second (RU/s). If you want to reduce latency, you can scale up the throughput later. In addition to the preceding settings, you can optionally add **Unique keys** for the collection. Let's leave the field empty in this example. Unique keys provide developers with the ability to add a layer of data integrity to the database. By creating a unique key policy while creating a collection, you ensure the uniqueness of one or more values per partition key. To learn more, refer to the [Unique keys in Azure Cosmos DB](../articles/cosmos-db/unique-keys.md) article. diff --git a/includes/cosmos-db-create-dbaccount.md b/includes/cosmos-db-create-dbaccount.md index d621e754797b1..c7a41efa43dc4 100644 --- a/includes/cosmos-db-create-dbaccount.md +++ b/includes/cosmos-db-create-dbaccount.md 
@@ -2,34 +2,37 @@ title: include file description: include file services: cosmos-db - author: SnehaGunda + author: rimman ms.service: cosmos-db ms.topic: include - ms.date: 04/13/2018 - ms.author: sngun + ms.date: 04/08/2019 + ms.author: rimman ms.custom: include file --- -1. In a new browser window, sign in to the [Azure portal](https://portal.azure.com/). -2. Select **Create a resource** > **Databases** > **Azure Cosmos DB**. +1. Sign in to the [Azure portal](https://portal.azure.com/). +1. Select **Create a resource** > **Databases** > **Azure Cosmos DB**. ![The Azure portal Databases pane](./media/cosmos-db-create-dbaccount/create-nosql-db-databases-json-tutorial-1.png) -3. On the **Create Azure Cosmos DB Account** page, enter the basic settings for the new Azure Cosmos DB account. +1. On the **Create Azure Cosmos DB Account** page, enter the basic settings for the new Azure Cosmos account. - Setting|Value|Description - ---|---|--- - Subscription|Your subscription|Select the Azure subscription that you want to use for this Azure Cosmos DB account. - Resource Group|Create new

    Then enter the same unique name as provided in ID|Select **Create new**. Then enter a new resource-group name for your account. For simplicity, use the same name as your ID. - Account Name|Enter a unique name|Enter a unique name to identify your Azure Cosmos DB account. Because *documents.azure.com* is appended to the ID that you provide to create your URI, use a unique ID.

    The ID can only contain lowercase letters, numbers, and the hyphen (-) character. It must be between 3 and 31 characters in length. - API|Core(SQL)|The API determines the type of account to create. Azure Cosmos DB provides five APIs: Core(SQL) for document databases, Gremlin for graph databases, MongoDB for document databases, Azure Table, and Cassandra. Currently, you must create a separate account for each API.

    Select **Core(SQL)** because in this article you create a document database and query by using SQL syntax.

    [Learn more about the SQL API](../articles/cosmos-db/documentdb-introduction.md).| - Location|Select the region closest to your users|Select a geographic location to host your Azure Cosmos DB account. Use the location that's closest to your users to give them the fastest access to the data. - - Select **Review+Create**. You can skip the **Network** and **Tags** section. + |Setting|Value|Description | + |---|---|---| + |Subscription|Subscription name|Select the Azure subscription that you want to use for this Azure Cosmos account. | + |Resource Group|Resource group name|Select a resource group, or select **Create new**, then enter a unique name for the new resource group. | + | Account Name|Enter a unique name|Enter a name to identify your Azure Cosmos account. Because *documents.azure.com* is appended to the ID that you provide to create your URI, use a unique ID.

    The ID can only contain lowercase letters, numbers, and the hyphen (-) character. It must be between 3-31 characters in length.| + | API|Core (SQL)|The API determines the type of account to create. Azure Cosmos DB provides five APIs: Core (SQL) and MongoDB for document data, Gremlin for graph data, Azure Table, and Cassandra. Currently, you must create a separate account for each API.

    Select **Core (SQL)** to create a document database and query by using SQL syntax.

    [Learn more about the SQL API](../articles/cosmos-db/documentdb-introduction.md).| + | Location|Select the region closest to your users|Select a geographic location to host your Azure Cosmos DB account. Use the location that is closest to your users to give them the fastest access to the data.| + + ![The new account page for Azure Cosmos DB](./media/cosmos-db-create-dbaccount/azure-cosmos-db-create-new-account.png) - ![The new account page for Azure Cosmos DB](./media/cosmos-db-create-dbaccount/azure-cosmos-db-create-new-account.png) +1. Select **Review + create**. You can skip the **Network** and **Tags** sections. -4. The account creation takes a few minutes. Wait for the portal to display the **Congratulations! Your Azure Cosmos DB account was created** page. +1. Review the account settings, and then select **Create**. It takes a few minutes to create the account. Wait for the portal page to display **Your deployment is complete**. ![The Azure portal Notifications pane](./media/cosmos-db-create-dbaccount/azure-cosmos-db-account-created.png) +1. Select **Go to resource** to go to the Azure Cosmos DB account page. + + ![The Azure Cosmos DB account page](./media/cosmos-db-create-dbaccount/azure-cosmos-db-account-created-2.png) diff --git a/includes/cosmos-db-create-sql-api-query-data.md b/includes/cosmos-db-create-sql-api-query-data.md index d6c1505e3b282..1360013829fbd 100644 --- a/includes/cosmos-db-create-sql-api-query-data.md +++ b/includes/cosmos-db-create-sql-api-query-data.md 
@@ -5,20 +5,25 @@ author: SnehaGunda ms.service: cosmos-db ms.topic: include - ms.date: 04/13/2018 + ms.date: 04/05/2019 ms.author: sngun ms.custom: include file --- -You can now use queries in Data Explorer to retrieve and filter your data. +You can use queries in Data Explorer to retrieve and filter your data. -1. See that by default, the query is set to `SELECT * FROM c`. This default query retrieves and displays all documents in the collection. +1. At the top of the **Documents** tab in Data Explorer, review the default query `SELECT * FROM c`. This query retrieves and displays all documents in the collection in ID order. + + ![Default query in Data Explorer is `SELECT * FROM c`](./media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-query.png) + +1. To change the query, select **Edit Filter**, replace the default query with `ORDER BY c._ts DESC`, and then select **Apply Filter**. + + ![Change the default query by adding ORDER BY c._ts DESC and clicking Apply Filter](./media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-edit-query.png) - ![Default query in Data Explorer is `SELECT * FROM c`](./media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-query.png) + The modified query displays the documents in descending order based on their time stamp, so now your second document is listed first. + + ![Changed query to ORDER BY c._ts DESC and clicking Apply Filter](./media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-edited-query.png) -2. Stay on the **Documents** tab, and change the query by clicking the **Edit Filter** button, adding `ORDER BY c._ts DESC` to the query predicate box, and then clicking **Apply Filter**. +If you're familiar with SQL syntax, you can enter any supported [SQL queries](../articles/cosmos-db/sql-api-sql-query.md) in the query predicate box. You can also use Data Explorer to create stored procedures, UDFs, and triggers for server-side business logic. 
- ![Change the default query by adding ORDER BY c._ts DESC and clicking Apply Filter](./media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-edit-query.png) +Data Explorer provides easy Azure portal access to all of the built-in programmatic data access features available in the APIs. You also use the portal to scale throughput, get keys and connection strings, and review metrics and SLAs for your Azure Cosmos DB account. -This modified query lists the documents in descending order based on their time stamp, so now your second document is listed first. If you're familiar with SQL syntax, you can enter any of the supported [SQL queries](../articles/cosmos-db/sql-api-sql-query.md) in this box. - -That completes our work in Data Explorer. Before we move on to working with code, note that you can also use Data Explorer to create stored procedures, UDFs, and triggers to perform server-side business logic as well as scale throughput. Data Explorer exposes all of the built-in programmatic data access available in the APIs, but provides easy access to your data in the Azure portal. \ No newline at end of file diff --git a/includes/cosmos-db-delete-resource-group.md b/includes/cosmos-db-delete-resource-group.md index ebaef8e582825..b299554a7fe9e 100644 --- a/includes/cosmos-db-delete-resource-group.md +++ b/includes/cosmos-db-delete-resource-group.md 
@@ -2,20 +2,20 @@ author: SnehaGunda ms.service: cosmos-db ms.topic: include -ms.date: 11/09/2018 +ms.date: 03/23/2019 ms.author: sngun --- -If you're not going to continue to use this app, delete all resources created by this quickstart with the following steps so you don't incur any charges: +When you're done with your web app and Azure Cosmos DB account, you can delete the Azure resources you created so you don't incur more charges. To delete the resources: -1. In the Azure portal, select **Resource groups** on the far left, and then select the resource group you created. +1. In the Azure portal, select **Resource groups** on the far left. If the left menu is collapsed, select ![Expand button](./media/cosmos-db-delete-resource-group/expand.png) to expand it. - If the left menu is collapsed, click ![Expand button](./media/cosmos-db-delete-resource-group/expand.png) to expand it. +2. Select the resource group you created for this quickstart. ![Metrics in the Azure portal](./media/cosmos-db-delete-resource-group/delete-resources-select.png) -2. In the new window select the resource group, and then click **Delete resource group**. +2. In the new window, select **Delete resource group**. ![Metrics in the Azure portal](./media/cosmos-db-delete-resource-group/delete-resources.png) -3. In the new window, type the name of the resource group to delete, and then click **Delete**. +3. In the next window, type the name of the resource group to delete, and then select **Delete**. diff --git a/includes/cosmos-db-tutorial-review-slas.md b/includes/cosmos-db-tutorial-review-slas.md index 89d86271e5f46..89edc0995d5d5 100644 --- a/includes/cosmos-db-tutorial-review-slas.md +++ b/includes/cosmos-db-tutorial-review-slas.md 
@@ -2,17 +2,18 @@ author: SnehaGunda ms.service: cosmos-db ms.topic: include -ms.date: 11/09/2018 +ms.date: 03/22/2019 ms.author: sngun --- -The throughput, storage, availability, latency, and consistency of the resources in your account are monitored in the Azure portal. Let's take a quick look at these metrics. +The Azure portal monitors your Cosmos DB account throughput, storage, availability, latency, and consistency. Charts for metrics associated with an [Azure Cosmos DB Service Level Agreement (SLA)](https://azure.microsoft.com/support/legal/sla/cosmos-db/) show the SLA value compared to actual performance. This suite of metrics makes monitoring your SLAs transparent. -1. Click **Metrics** in the navigation menu. +To review metrics and SLAs: - ![Metrics in the Azure portal](./media/cosmos-db-tutorial-review-slas/metrics.png) +1. Select **Metrics** in your Cosmos DB account's navigation menu. + +2. Select a tab such as **Latency**, and select a timeframe on the right. Compare the **Actual** and **SLA** lines on the charts. + + ![Azure Cosmos DB metrics suite](./media/cosmos-db-tutorial-review-slas/metrics-suite.png) + +3. Review the metrics on the other tabs. -2. Click through each of the tabs so you're aware of the metrics Azure Cosmos DB provides. - - Each chart that's associated with the [Azure Cosmos DB Service Level Agreements (SLAs)](https://azure.microsoft.com/support/legal/sla/cosmos-db/) provides a line that shows if any of the SLAs have been violated. Azure Cosmos DB makes monitoring your SLAs transparent with this suite of metrics. - - ![Azure Cosmos DB metrics suite](./media/cosmos-db-tutorial-review-slas/metrics-suite.png) \ No newline at end of file diff --git a/includes/functions-connect-new-app-insights.md b/includes/functions-connect-new-app-insights.md new file mode 100644 index 0000000000000..db718396d98fb --- /dev/null +++ b/includes/functions-connect-new-app-insights.md 
@@ -0,0 +1,32 @@
+---
+title: include file
+description: include file
+services: functions
+author: ggailey777
+ms.service: functions
+ms.topic: include
+ms.date: 04/06/2019
+ms.author: glenga
+ms.custom: include file
+---
+
+Functions makes it simple to add Application Insights integration to a function app from the [Azure portal].
+
+1. In the [portal][Azure Portal], select **All services > Function Apps**, select your function app, and then choose the **Application Insights** banner at the top of the window
+
+ ![Enable Application Insights from the portal](media/functions-connect-new-app-insights/enable-application-insights.png)
+
+1. Create an Application Insights resource by using the settings specified in the table below the image:
+
+ ![Create an Application Insights resource](media/functions-connect-new-app-insights/ai-general.png)
+
+ | Setting | Suggested value | Description |
+ | ------------ | ------- | -------------------------------------------------- |
+ | **Name** | Unique app name | It's easiest to use the same name as your function app, which must be unique in your subscription. |
+ | **Location** | West Europe | If possible, use the same [region](https://azure.microsoft.com/regions/) as your function app, or near to it. |
+
+1. Choose **OK**. The Application Insights resource is created in the same resource group and subscription as your function app. After creation completes, close the Application Insights window.
+
+1. Back in your function app, select **Application settings**, and scroll down to **Application settings**. When you see a setting named `APPINSIGHTS_INSTRUMENTATIONKEY`, it means that Application Insights integration is enabled for your function app running in Azure.
+
+[Azure Portal]: https://portal.azure.com
diff --git a/includes/functions-create-function-app-portal.md b/includes/functions-create-function-app-portal.md
index cfed13466f5b2..5d7318ee25712 100644
--- a/includes/functions-create-function-app-portal.md
+++ b/includes/functions-create-function-app-portal.md @@ -28,7 +28,7 @@ ms.custom: include file | **Location** | West Europe | Choose a [region](https://azure.microsoft.com/regions/) near you or near other services your functions access. | | **Runtime stack** | Preferred language | Choose a runtime that supports your favorite function programming language. Choose **.NET** for C# and F# functions. | | **[Storage](../articles/storage/common/storage-quickstart-create-account.md)** | Globally unique name | Create a storage account used by your function app. Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. You can also use an existing account, which must meets the [storage account requirements](../articles/azure-functions/functions-scale.md#storage-account-requirements). | - | **[Application Insights](../articles/azure-functions/functions-monitoring.md)** | Default | When you choose a *Location* that supports Application Insights, integration with your function app is enabled by default. If disabled, choose an Application Insights location near your function app. | + | **[Application Insights](../articles/azure-functions/functions-monitoring.md)** | Default | Creates an Application Insights resource of the same *App name* in the nearest supported region. By expanding this setting, you can change the **New resource name** or choose a different **Location** in an [Azure geography](https://azure.microsoft.com/global-infrastructure/geographies/) where you want to store your data. | 3. Select **Create** to provision and deploy the function app. diff --git a/includes/functions-runtime-preview-note.md b/includes/functions-runtime-preview-note.md new file mode 100644 index 0000000000000..aa51b1d35bdad --- /dev/null +++ b/includes/functions-runtime-preview-note.md 
@@ -0,0 +1,15 @@
+---
+title: include file
+description: include file
+services: functions
+author: ggailey777
+manager: jeconnoc
+ms.service: azure-functions
+ms.topic: include
+ms.date: 4/10/2019
+ms.author: glenga
+ms.custom: include file
+---
+
+> [!IMPORTANT]
+> The Azure Functions Runtime preview 2 supports only version 1.x of the Azure Functions runtime. This preview feature is not being updated to support version 2.x of the runtime, and no future updates are planned. If you need to host the Azure Functions runtime outside of Azure, consider [using a customer Linux container](../articles/azure-functions/functions-create-function-linux-custom-image.md).
\ No newline at end of file
diff --git a/includes/hdinsight-sdk-additional-functionality.md b/includes/hdinsight-sdk-additional-functionality.md
new file mode 100644
index 0000000000000..1a2492d73eb46
--- /dev/null
+++ b/includes/hdinsight-sdk-additional-functionality.md
@@ -0,0 +1,14 @@
+---
+author: tylerfox
+ms.service: hdinsight
+ms.topic: include
+ms.date: 04/15/2019
+ms.author: tyfox
+---
+## Additional SDK functionality
+
+* List clusters
+* Delete clusters
+* Resize clusters
+* Monitoring
+* Script Actions
\ No newline at end of file
diff --git a/includes/iot-central-howto-connection-string.md b/includes/iot-central-howto-connection-string.md
new file mode 100644
index 0000000000000..ba2b1197b5b81
--- /dev/null
+++ b/includes/iot-central-howto-connection-string.md
@@ -0,0 +1,26 @@ +--- + title: include file + description: include file + services: iot-central + author: dominicbetts + ms.service: iot-central + ms.topic: include + ms.date: 04/09/2019 + ms.author: dobett + ms.custom: include file +--- +1. Use the `dps-keygen` command-line utility to generate a connection string: + + To install the [key generator utility](https://github.com/Azure/dps-keygen), run the following command: + + ```cmd/sh + npm i -g dps-keygen + ``` + +1. To generate a connection string, run the following command using the connection details you noted previously: + + ```cmd/sh + dps-keygen -di: -dk: -si: + ``` + +1. Copy the connection string from the `dps-keygen` output to use in your device code. \ No newline at end of file diff --git a/includes/iot-dps-limits.md b/includes/iot-dps-limits.md index c46e2cc5689d1..3ac963f54bb55 100644 --- a/includes/iot-dps-limits.md +++ b/includes/iot-dps-limits.md @@ -10,8 +10,8 @@ The following table lists the limits that apply to Azure IoT Hub Device Provisio | Resource | Limit | | --- | --- | | Maximum device provisioning services per Azure subscription | 10 | -| Maximum number of enrollments | 500,000 | -| Maximum number of registrations | 500,000 | +| Maximum number of enrollments | 1,000,000 | +| Maximum number of registrations | 1,000,000 | | Maximum number of enrollment groups | 100 | | Maximum number of CAs | 25 | diff --git a/includes/iot-hub-file-upload-selector.md b/includes/iot-hub-file-upload-selector.md index 2983abcb6cd64..ed9c09392254c 100644 --- a/includes/iot-hub-file-upload-selector.md +++ b/includes/iot-hub-file-upload-selector.md @@ -1,6 +1,6 @@ --- author: robinsh -ms.author: robin.shahan +ms.author: robinsh ms.service: iot-hub ms.topic: include ms.date: 10/26/2018 diff --git a/includes/iot-hub-get-access-token.md b/includes/iot-hub-get-access-token.md index d0ab3f75e4727..1c5dcc32f26d4 100644 --- a/includes/iot-hub-get-access-token.md +++ b/includes/iot-hub-get-access-token.md 
@@ -1,6 +1,6 @@
 ---
 author: robinsh
-ms.author: robin.shahan
+ms.author: robinsh
 ms.service: iot-hub
 ms.topic: include
 ms.date: 10/26/2018
diff --git a/includes/iot-hub-get-started-create-consumer-group.md b/includes/iot-hub-get-started-create-consumer-group.md
index 8cfef1ba07d97..399a265ae5ad0 100644
--- a/includes/iot-hub-get-started-create-consumer-group.md
+++ b/includes/iot-hub-get-started-create-consumer-group.md
@@ -1,7 +1,7 @@
 ---
 author: robinsh
 manager: philmea
-ms.author: robin.shahan
+ms.author: robinsh
 ms.topic: include
 ms.date: 10/26/2018
 ---
diff --git a/includes/iot-hub-get-started-note.md b/includes/iot-hub-get-started-note.md
index b1232b750dd64..79764836ef590 100644
--- a/includes/iot-hub-get-started-note.md
+++ b/includes/iot-hub-get-started-note.md
@@ -1,6 +1,6 @@
 ---
 author: robinsh
-ms.author: robin.shahan
+ms.author: robinsh
 ms.service: iot-hub
 ms.topic: include
 ms.date: 10/26/2018
diff --git a/includes/iot-hub-limits.md b/includes/iot-hub-limits.md
index 0c570b498efa6..83b514b61717f 100644
--- a/includes/iot-hub-limits.md
+++ b/includes/iot-hub-limits.md
@@ -1,6 +1,6 @@
 ---
 author: robinsh
-ms.author: robin.shahan
+ms.author: robinsh
 ms.service: iot-hub
 ms.topic: include
 ms.date: 10/26/2018
diff --git a/includes/iot-hub-pii-note-naming-device.md b/includes/iot-hub-pii-note-naming-device.md
index c0f8973dab6c4..bef8d09c809ab 100644
--- a/includes/iot-hub-pii-note-naming-device.md
+++ b/includes/iot-hub-pii-note-naming-device.md
@@ -1,6 +1,6 @@
 ---
 author: robinsh
-ms.author: robin.shahan
+ms.author: robinsh
 ms.service: iot-hub
 ms.topic: include
 ms.date: 10/26/2018
diff --git a/includes/iot-hub-pii-note-naming-hub.md b/includes/iot-hub-pii-note-naming-hub.md
index 28ecf5a551582..9715af5320f28 100644
--- a/includes/iot-hub-pii-note-naming-hub.md
+++ b/includes/iot-hub-pii-note-naming-hub.md
@@ -1,6 +1,6 @@
 ---
 author: robinsh
-ms.author: robin.shahan
+ms.author: robinsh
 ms.service: iot-hub
 ms.topic: include
 ms.date: 10/26/2018
diff --git a/includes/iot-hub-prepare-resource-manager.md b/includes/iot-hub-prepare-resource-manager.md index be7a5c1411cbc..4a3dc36ff388f 100644 --- a/includes/iot-hub-prepare-resource-manager.md +++ b/includes/iot-hub-prepare-resource-manager.md @@ -1,6 +1,6 @@ --- author: robinsh -ms.author: robin.shahan +ms.author: robinsh ms.service: iot-hub ms.topic: include ms.date: 10/26/2018 @@ -63,4 +63,4 @@ You have now finished creating the Azure AD application that enables you to auth * Password [lnk-authenticate-arm]: https://msdn.microsoft.com/library/azure/dn790557.aspx -[lnk-powershell-install]: https://docs.microsoft.com/powershell/azure/azurerm/install-Az-ps +[lnk-powershell-install]: /powershell/azure/install-Az-ps diff --git a/includes/iot-hub-resource-manager-selector.md b/includes/iot-hub-resource-manager-selector.md index a20afd39cbab6..51ace22caa9b7 100644 --- a/includes/iot-hub-resource-manager-selector.md +++ b/includes/iot-hub-resource-manager-selector.md @@ -1,6 +1,6 @@ --- author: robinsh -ms.author: robin.shahan +ms.author: robinsh ms.service: iot-hub ms.topic: include ms.date: 10/26/2018 diff --git a/includes/media/active-directory-develop-guidedsetup-android-intro/android-intro-updated.png b/includes/media/active-directory-develop-guidedsetup-android-intro/android-intro-updated.png deleted file mode 100644 index 33fa1b1d04684..0000000000000 Binary files a/includes/media/active-directory-develop-guidedsetup-android-intro/android-intro-updated.png and /dev/null differ diff --git a/includes/media/active-directory-develop-guidedsetup-android-intro/android-intro.svg b/includes/media/active-directory-develop-guidedsetup-android-intro/android-intro.svg index ef7b1f2fce526..bda071a9bd690 100644 --- a/includes/media/active-directory-develop-guidedsetup-android-intro/android-intro.svg +++ b/includes/media/active-directory-develop-guidedsetup-android-intro/android-intro.svg 
@@ -1,2494 +1,183 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + android-intro + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/includes/media/active-directory-develop-guidedsetup-aspnetwebapp-intro/aspnetbrowsergeneral-updated.png b/includes/media/active-directory-develop-guidedsetup-aspnetwebapp-intro/aspnetbrowsergeneral-updated.png deleted file mode 100644 index de52c1d4453cf..0000000000000 Binary files a/includes/media/active-directory-develop-guidedsetup-aspnetwebapp-intro/aspnetbrowsergeneral-updated.png and /dev/null differ diff --git a/includes/media/active-directory-develop-guidedsetup-aspnetwebapp-intro/aspnetbrowsergeneral.svg b/includes/media/active-directory-develop-guidedsetup-aspnetwebapp-intro/aspnetbrowsergeneral.svg index dd5f753f58956..894a2cd4394fc 100644 --- a/includes/media/active-directory-develop-guidedsetup-aspnetwebapp-intro/aspnetbrowsergeneral.svg +++ b/includes/media/active-directory-develop-guidedsetup-aspnetwebapp-intro/aspnetbrowsergeneral.svg 
@@ -1,2632 +1,218 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + aspnetbrowsergeneral + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/includes/media/active-directory-develop-guidedsetup-ios-introduction/iosintro-updated.png b/includes/media/active-directory-develop-guidedsetup-ios-introduction/iosintro-updated.png deleted file mode 100644 index 7458a32c637d0..0000000000000 Binary files a/includes/media/active-directory-develop-guidedsetup-ios-introduction/iosintro-updated.png and /dev/null differ diff --git a/includes/media/active-directory-develop-guidedsetup-ios-introduction/iosintro.svg b/includes/media/active-directory-develop-guidedsetup-ios-introduction/iosintro.svg index 22b22bd64d31b..a3675bb10bc57 100644 --- a/includes/media/active-directory-develop-guidedsetup-ios-introduction/iosintro.svg +++ b/includes/media/active-directory-develop-guidedsetup-ios-introduction/iosintro.svg 
@@ -1,2504 +1,192 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + iosintro + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/includes/media/active-directory-develop-guidedsetup-javascriptspa-introduction/javascriptspa-intro-updated.png b/includes/media/active-directory-develop-guidedsetup-javascriptspa-introduction/javascriptspa-intro-updated.png deleted file mode 100644 index 5da7f3ce0585c..0000000000000 Binary files a/includes/media/active-directory-develop-guidedsetup-javascriptspa-introduction/javascriptspa-intro-updated.png and /dev/null differ diff --git a/includes/media/active-directory-develop-guidedsetup-javascriptspa-introduction/javascriptspa-intro.svg b/includes/media/active-directory-develop-guidedsetup-javascriptspa-introduction/javascriptspa-intro.svg index 66b831fb83a6e..ebc62f66c8e29 100644 --- a/includes/media/active-directory-develop-guidedsetup-javascriptspa-introduction/javascriptspa-intro.svg +++ b/includes/media/active-directory-develop-guidedsetup-javascriptspa-introduction/javascriptspa-intro.svg 
@@ -1,2673 +1,228 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + javascriptspa-intro + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/includes/media/active-directory-develop-guidedsetup-windesktop-intro/windesktophowitworks-updated.png b/includes/media/active-directory-develop-guidedsetup-windesktop-intro/windesktophowitworks-updated.png deleted file mode 100644 index 37f0c3309423d..0000000000000 Binary files a/includes/media/active-directory-develop-guidedsetup-windesktop-intro/windesktophowitworks-updated.png and /dev/null differ diff --git a/includes/media/active-directory-develop-guidedsetup-windesktop-intro/windesktophowitworks.svg b/includes/media/active-directory-develop-guidedsetup-windesktop-intro/windesktophowitworks.svg index 6447ba69efec9..cb2674c4faa0b 100644 --- a/includes/media/active-directory-develop-guidedsetup-windesktop-intro/windesktophowitworks.svg 
+++ b/includes/media/active-directory-develop-guidedsetup-windesktop-intro/windesktophowitworks.svg 
@@ -1,2505 +1,192 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + windesktophowitworks + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/articles/app-service/containers/media/app-service-linux-ssh-support/app-service-linux-ssh-connection.png b/includes/media/app-service-web-ssh-connect-no-h/app-service-linux-ssh-connection.png similarity index 100% rename from articles/app-service/containers/media/app-service-linux-ssh-support/app-service-linux-ssh-connection.png rename to includes/media/app-service-web-ssh-connect-no-h/app-service-linux-ssh-connection.png diff --git a/includes/media/cosmos-db-create-dbaccount-mongodb/azure-cosmos-db-create-new-account.png b/includes/media/cosmos-db-create-dbaccount-mongodb/azure-cosmos-db-create-new-account.png index cf9a4bccca3f8..b3f5010b3e245 100644 Binary files a/includes/media/cosmos-db-create-dbaccount-mongodb/azure-cosmos-db-create-new-account.png and b/includes/media/cosmos-db-create-dbaccount-mongodb/azure-cosmos-db-create-new-account.png differ 
diff --git a/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-account-created-2.png b/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-account-created-2.png
new file mode 100644
index 0000000000000..1e1b77783b4d5
Binary files /dev/null and b/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-account-created-2.png differ
diff --git a/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-account-created.png b/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-account-created.png
index 02d0213683544..393b13fdd4c8a 100644
Binary files a/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-account-created.png and b/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-account-created.png differ
diff --git a/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-create-new-account.png b/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-create-new-account.png
index 174903104d974..e660e86ba34cf 100644
Binary files a/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-create-new-account.png and b/includes/media/cosmos-db-create-dbaccount/azure-cosmos-db-create-new-account.png differ
diff --git a/includes/media/cosmos-db-create-dbaccount/create-nosql-db-databases-json-tutorial-1.png b/includes/media/cosmos-db-create-dbaccount/create-nosql-db-databases-json-tutorial-1.png
index b88bcf8594624..199419adb4114 100644
Binary files a/includes/media/cosmos-db-create-dbaccount/create-nosql-db-databases-json-tutorial-1.png and b/includes/media/cosmos-db-create-dbaccount/create-nosql-db-databases-json-tutorial-1.png differ
diff --git a/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-edit-query.png b/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-edit-query.png
index 347ac8c1aed13..332c6edc3e8aa 100644
Binary files a/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-edit-query.png and b/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-edit-query.png differ
diff --git a/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-edited-query.png b/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-edited-query.png
new file mode 100644
index 0000000000000..8798bfc432536
Binary files /dev/null and b/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-edited-query.png differ
diff --git a/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-query.png b/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-query.png
index 7846150fee70b..cf4e5cabcd987 100644
Binary files a/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-query.png and b/includes/media/cosmos-db-create-sql-api-query-data/azure-cosmosdb-data-explorer-query.png differ
diff --git a/includes/media/cosmos-db-delete-resource-group/delete-resources-select.png b/includes/media/cosmos-db-delete-resource-group/delete-resources-select.png
index 4409ca79012f1..aeb6ca60299d3 100644
Binary files a/includes/media/cosmos-db-delete-resource-group/delete-resources-select.png and b/includes/media/cosmos-db-delete-resource-group/delete-resources-select.png differ
diff --git a/includes/media/cosmos-db-delete-resource-group/delete-resources.png b/includes/media/cosmos-db-delete-resource-group/delete-resources.png
index 7ba870611ddc9..86bbee6f55ff2 100644
Binary files a/includes/media/cosmos-db-delete-resource-group/delete-resources.png and b/includes/media/cosmos-db-delete-resource-group/delete-resources.png differ
diff --git a/includes/media/cosmos-db-tutorial-review-slas/metrics-suite.png b/includes/media/cosmos-db-tutorial-review-slas/metrics-suite.png
index 920903b42ee46..72f621d4e2c6c 100644
Binary files a/includes/media/cosmos-db-tutorial-review-slas/metrics-suite.png and b/includes/media/cosmos-db-tutorial-review-slas/metrics-suite.png differ
diff --git a/includes/media/functions-connect-new-app-insights/ai-general.png b/includes/media/functions-connect-new-app-insights/ai-general.png
new file mode 100644
index 0000000000000..952b7edf4bddd
Binary files /dev/null and b/includes/media/functions-connect-new-app-insights/ai-general.png differ
diff --git a/includes/media/functions-connect-new-app-insights/copy-ai-key.png b/includes/media/functions-connect-new-app-insights/copy-ai-key.png
new file mode 100644
index 0000000000000..bd0afb56e67e1
Binary files /dev/null and b/includes/media/functions-connect-new-app-insights/copy-ai-key.png differ
diff --git a/includes/media/functions-connect-new-app-insights/enable-application-insights.png b/includes/media/functions-connect-new-app-insights/enable-application-insights.png
new file mode 100644
index 0000000000000..c31dac62e42f9
Binary files /dev/null and b/includes/media/functions-connect-new-app-insights/enable-application-insights.png differ
diff --git a/includes/media/virtual-machines-managed-disks-overview/disk-types.png b/includes/media/virtual-machines-managed-disks-overview/disk-types.png
new file mode 100644
index 0000000000000..6ffbac8252a11
Binary files /dev/null and b/includes/media/virtual-machines-managed-disks-overview/disk-types.png differ
diff --git a/includes/resource-manager-tutorials-quickstarts.md b/includes/resource-manager-tutorials-quickstarts.md
index 196114d2a7cf2..c2490ace4613e 100644
--- a/includes/resource-manager-tutorials-quickstarts.md
+++ b/includes/resource-manager-tutorials-quickstarts.md
@@ -35,7 +35,6 @@ Use the following quickstarts and tutorials to learn how to develop resource man
 |------|-----|
 |[Utilize template reference](../articles/azure-resource-manager/resource-manager-tutorial-create-encrypted-storage-accounts.md)|Utilize the template reference documentation to develop templates. In the tutorial, you find the storage account schema, and use the information to create an encrypted storage account.|
 |[Create multiple instances](../articles/azure-resource-manager/resource-manager-tutorial-create-multiple-instances.md)|Create multiple instances of Azure resources. In the tutorial, you create multiple instances of storage account.|
- |[Move resources](../articles/azure-resource-manager/resource-manager-tutorial-move-resources.md)|Move resources from one resource group to another resource group. In the tutorial, you run an existing template to create two resource groups and one storage account, and then run an Azure PowerShell cmdlet to move the storage account to the other resource group.|
 |[Set resource deployment order](../articles/azure-resource-manager/resource-manager-tutorial-create-templates-with-dependent-resources.md)|Define resource dependencies. In the tutorial, you create a virtual network, a virtual machine, and the dependent Azure resources. You learn how the dependencies are defined.|
 |[Use conditions](../articles/azure-resource-manager/resource-manager-tutorial-use-conditions.md)|Deploy resources based on some parameter values. In the tutorial, you define a template to create a new storage account or use an existing storage account based on the value of a parameter.|
 |[Integrate key vault](../articles/azure-resource-manager/resource-manager-tutorial-use-key-vault.md)|Retrieve secrets/passwords from Azure Key Vault. In the tutorial, you create a virtual machine. The virtual machine administrator password is retrieved from a Key Vault.|
diff --git a/includes/security-attributes-backup.md b/includes/security-attributes-backup.md index 9aa3f552e83b6..479f3a8855bc0 100644 --- a/includes/security-attributes-backup.md +++ b/includes/security-attributes-backup.md @@ -2,7 +2,7 @@ author: msmbaldwin ms.service: backup ms.topic: include -ms.date: 01/31/2019 +ms.date: 03/15/2019 ms.author: mbaldwin --- @@ -29,14 +29,14 @@ ms.author: mbaldwin | Security Attribute | Yes/No | Notes| |---|---|--| -| Azure monitoring support (Log analytics, App insights etc)| Yes | Log Analytics is supported via diagnostic logs. See Monitor Azure Backup protected workloads using Log Analytics (https://azure.microsoft.com/blog/monitor-all-azure-backup-protected-workloads-using-log-analytics/) for more information. | +| Azure monitoring support (Log analytics, App insights, etc.)| Yes | Log Analytics is supported via diagnostic logs. See Monitor Azure Backup protected workloads using Log Analytics (https://azure.microsoft.com/blog/monitor-all-azure-backup-protected-workloads-using-log-analytics/) for more information. | ## IAM Support | Security Attribute | Yes/No | Notes| |---|---|--| | Access management - Authentication| Yes | Authentication is through Azure Active Directory. | -| Access management - Authorization| Yes | Customer created and built-in RBAC roles are used. See Use Role-Based Access Control to manage Azure Backup recovery points (https://docs.microsoft.com/azure/backup/backup-rbac-rs-vault) for more information. | +| Access management - Authorization| Yes | Customer created and built-in RBAC roles are used. See Use Role-Based Access Control to manage Azure Backup recovery points (/azure/backup/backup-rbac-rs-vault) for more information. | ## Audit Trail 
@@ -50,4 +50,4 @@ ms.author: mbaldwin | Security Attribute | Yes/No | Notes| |---|---|--| -| Configuration management support (versioning of configuration etc)| Yes| | \ No newline at end of file +| Configuration management support (versioning of configuration, etc.)| Yes| | \ No newline at end of file diff --git a/includes/security-attributes-header.md b/includes/security-attributes-header.md new file mode 100644 index 0000000000000..59f0107b22829 --- /dev/null +++ b/includes/security-attributes-header.md @@ -0,0 +1,20 @@ +--- +author: msmbaldwin +ms.service: security +ms.topic: include +ms.date: 03/15/2019 +ms.author: mbaldwin +--- + +A security attribute is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities. + +Security attributes are categorized as: +* Preventative +* Network segmentation +* Detection +* Identity and access management support +* Audit trail +* Access controls (if used) +* Configuration management (if used) + +In each category, we identify if an attribute is used or not (yes/no). For some services, an attribute may not be applicable and is shown as N/A. A note or a link to more information about an attribute may also be provided. diff --git a/includes/security-attributes-key-vault.md b/includes/security-attributes-key-vault.md index 5d22987c1208a..6ad83251c87a1 100644 --- a/includes/security-attributes-key-vault.md +++ b/includes/security-attributes-key-vault.md @@ -2,7 +2,7 @@ author: msmbaldwin ms.service: key-vault ms.topic: include -ms.date: 01/31/2019 +ms.date: 03/15/2019 ms.author: mbaldwin --- @@ -12,7 +12,7 @@ ms.author: mbaldwin |---|---|--| | Encryption at rest:
    • Server-side encryption
    • Server-side encryption with customer-managed keys
    • Other encryption features (such as client-side, always encrypted, etc.)
    | Yes | All objects are encrypted. | | Encryption in Transit:
    • Express route encryption
    • In Vnet encryption
    • VNet-VNet encryption
    | Yes | All communication is via encrypted API calls | -| Encryption Key Handling (CMK, BYOK, etc.)| Yes | Customer controls all keys in their Key Vault. When hardware security module (HSM) backed keys are specifiecd, a FIPS Level 2 HSM protects the key, certificate, or secret. | +| Encryption Key Handling (CMK, BYOK, etc.)| Yes | Customer controls all keys in their Key Vault. When hardware security module (HSM) backed keys are specified, a FIPS Level 2 HSM protects the key, certificate, or secret. | | Column Level Encryption (Azure Data Services)| N/A | | | API calls encrypted| Yes | Using HTTPS. | @@ -29,7 +29,7 @@ ms.author: mbaldwin | Security Attribute | Yes/No | Notes| |---|---|--| -| Azure monitoring support (Log analytics, App insights etc)| Yes | Using Log Analytics. | +| Azure monitoring support (Log analytics, App insights, etc.)| Yes | Using Log Analytics. | ## IAM Support diff --git a/includes/security-attributes-service-fabric.md b/includes/security-attributes-service-fabric.md index a3e7bb52f6252..cb851b2a50b1b 100644 --- a/includes/security-attributes-service-fabric.md +++ b/includes/security-attributes-service-fabric.md @@ -2,7 +2,7 @@ author: msmbaldwin ms.service: service-fabric ms.topic: include -ms.date: 01/31/2019 +ms.date: 04/03/2019 ms.author: mbaldwin --- @@ -10,9 +10,9 @@ ms.author: mbaldwin | Security Attribute | Yes/No | Notes | |---|---|--| -| Encryption at rest:
    • Server-side encryption
    • Server-side encryption with customer-managed keys
    • Other encryption features (such as client-side, always encrypted, etc.)
    | Yes | The customer owns the cluster and the virtual machine (VM) scale set the cluster is built on. Azure disk encryption can be enabled on the VM scale set. | +| Encryption at rest:
    • Server-side encryption
    • Server-side encryption with customer-managed keys
    • Other encryption features (such as client-side, always encrypted, etc.)
    | Yes | The customer owns the cluster and the virtual machine (VM) scale set the cluster is built on. Azure disk encryption can be enabled on the virtual machine scale set. | | Encryption in Transit:
    • Express route encryption
    • In Vnet encryption
    • VNet-VNet encryption
    | Yes | | -| Encryption Key Handling (CMK, BYOK, etc.)| Yes | The customer owns the cluster and the virtual machine (VM) scale set the cluster is built on. Azure disk encryption can be enabled on the VM scale set. | +| Encryption Key Handling (CMK, BYOK, etc.)| Yes | The customer owns the cluster and the virtual machine (VM) scale set the cluster is built on. Azure disk encryption can be enabled on the virtual machine scale set. | | Column Level Encryption (Azure Data Services)| N/A | | | API calls encrypted| Yes | Service Fabric API calls are made through Azure Resource Manager. A valid JSON web token (JWT) is required. | @@ -29,7 +29,7 @@ ms.author: mbaldwin | Security Attribute | Yes/No | Notes| |---|---|--| -| Azure monitoring support (Log analytics, App insights etc)| Yes | Using Azure monitoring support and third party support. | +| Azure monitoring support (Log analytics, App insights, etc.)| Yes | Using Azure monitoring support and third-party support. | ## IAM Support @@ -50,5 +50,5 @@ ms.author: mbaldwin | Security Attribute | Yes/No | Notes| |---|---|--| -| Configuration management support (versioning of configuration etc)| Yes | The service configuration is versioned and deployed using Azure Deploy. The code (application and runtime) is versioned using Azure Build. +| Configuration management support (versioning of configuration, etc.)| Yes | The service configuration is versioned and deployed using Azure Deploy. The code (application and runtime) is versioned using Azure Build. | diff --git a/includes/security-attributes-storage.md b/includes/security-attributes-storage.md index f2ca889b77ad8..74063ec4c3020 100644 --- a/includes/security-attributes-storage.md +++ b/includes/security-attributes-storage.md @@ -1,8 +1,8 @@ --- author: msmbaldwin -ms.service: key-vault +ms.service: storage ms.topic: include -ms.date: 01/31/2019 +ms.date: 03/15/2019 ms.author: mbaldwin --- 
@@ -29,7 +29,7 @@ ms.author: mbaldwin
 | Security Attribute | Yes/No | Notes|
 |---|---|--|
-| Azure monitoring support (Log analytics, App insights etc)| Yes | Azure Monitor Metrics available now, Logs starting preview |
+| Azure monitoring support (Log analytics, App insights, etc.)| Yes | Azure Monitor Metrics available now, Logs starting preview |
 ## IAM Support
@@ -50,4 +50,4 @@ ms.author: mbaldwin
 | Security Attribute | Yes/No | Notes|
 |---|---|--|
-| Configuration management support (versioning of configuration etc)| Yes | Support Resource Provider versioning through Azure Resource Manager APIs |
\ No newline at end of file
+| Configuration management support (versioning of configuration, etc.)| Yes | Support Resource Provider versioning through Azure Resource Manager APIs |
\ No newline at end of file
diff --git a/includes/storage-account-types-include.md b/includes/storage-account-types-include.md
index 81a3c7ddd4099..2143b73b2af09 100644
--- a/includes/storage-account-types-include.md
+++ b/includes/storage-account-types-include.md
@@ -15,6 +15,7 @@ Azure Storage offers several types of storage accounts. Each type supports diffe
 - **General-purpose v2 accounts**: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage.
 - **General-purpose v1 accounts**: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible.
 - **Block blob storage accounts**: Blob-only storage accounts with premium performance characteristics. Recommended for scenarios with high transactions rates, using smaller objects, or requiring consistently low storage latency.
+- **FileStorage (preview) storage accounts**: Files-only storage accounts with premium performance characteristics. Recommended for enterprise or high performance scale applications.
 - **Blob storage accounts**: Blob-only storage accounts. Use general-purpose v2 accounts instead when possible.
 The following table describes the types of storage accounts and their capabilities:
@@ -24,6 +25,7 @@ The following table describes the types of storage accounts and their capabiliti
 | General-purpose V2 | Blob, File, Queue, Table, and Disk | Standard, Premium5 | Hot, Cool, Archive3 | LRS, ZRS4, GRS, RA-GRS | Resource Manager | Encrypted |
 | General-purpose V1 | Blob, File, Queue, Table, and Disk | Standard, Premium5 | N/A | LRS, GRS, RA-GRS | Resource Manager, Classic | Encrypted |
 | Block blob storage | Blob (block blobs and append blobs only) | Premium | N/A | LRS | Resource Manager | Encrypted |
+| FileStorage (preview) | Files only | Premium | N/A | LRS | Resource Manager | Encrypted |
 | Blob storage | Blob (block blobs and append blobs only) | Standard | Hot, Cool, Archive3 | LRS, GRS, RA-GRS | Resource Manager | Encrypted |
 1Using the Azure Resource Manager deployment model is recommended. Storage accounts using the classic deployment model can still be created in some locations, and existing classic accounts continue to be supported. For more information, see [Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources](../articles/azure-resource-manager/resource-manager-deployment-model.md).
diff --git a/includes/storage-blob-concepts-include.md b/includes/storage-blob-concepts-include.md
index bc8053d94c2a0..7facfa735a334 100644
--- a/includes/storage-blob-concepts-include.md
+++ b/includes/storage-blob-concepts-include.md
@@ -10,7 +10,7 @@ ms.author: tamram ms.custom: "include file" --- -Azure Blob storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that does not adhere to a particular data model or definition, such as text or binary data. +Azure Blob storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that does not adhere to a particular data model or definition, such as text or binary data. ## About Blob storage 
@@ -25,8 +25,8 @@ Blob storage is designed for: Users or client applications can access objects in Blob storage via HTTP/HTTPS, from anywhere in the world. Objects in Blob storage are accessible via the [Azure Storage REST API](https://docs.microsoft.com/rest/api/storageservices/blob-service-rest-api), [Azure PowerShell](https://docs.microsoft.com/powershell/module/azure.storage), [Azure CLI](https://docs.microsoft.com/cli/azure/storage), or an Azure Storage client library. Client libraries are available for a variety of languages, including [.NET](https://docs.microsoft.com/dotnet/api/overview/azure/storage/client), [Java](https://docs.microsoft.com/java/api/overview/azure/storage/client), [Node.js](http://azure.github.io/azure-storage-node), [Python](https://docs.microsoft.com/python/azure/), [Go](https://github.com/azure/azure-storage-blob-go/), [PHP](http://azure.github.io/azure-storage-php/), and [Ruby](http://azure.github.io/azure-storage-ruby). -## About Azure Data Lake Storage Gen2 +## About Azure Data Lake Storage Gen2 -Blob storage supports Azure Data Lake Storage Gen2, Microsoft's enterprise big data analytics solution for the cloud. Azure Data Lake Storage Gen2 offers a hierarchical file system as well as the advantages of Blob storage, including low-cost, tiered storage; high availability; strong consistency; and disaster recovery capabilities. +Blob storage supports Azure Data Lake Storage Gen2, Microsoft's enterprise big data analytics solution for the cloud. Azure Data Lake Storage Gen2 offers a hierarchical file system as well as the advantages of Blob storage, including low-cost, tiered storage; high availability; strong consistency; and disaster recovery capabilities. -For more information about Data Lake Storage Gen2, see [Introduction to Azure Data Lake Storage Gen2 Preview](../articles/storage/data-lake-storage/introduction.md). 
\ No newline at end of file +For more information about Data Lake Storage Gen2, see [Introduction to Azure Data Lake Storage Gen2](../articles/storage/data-lake-storage/introduction.md). \ No newline at end of file diff --git a/includes/storage-files-scale-targets.md b/includes/storage-files-scale-targets.md index 606ca61b86e0b..b2ffe8564b79a 100644 --- a/includes/storage-files-scale-targets.md +++ b/includes/storage-files-scale-targets.md @@ -7,13 +7,15 @@ ms.author: tamram --- | Resource | Standard file shares | Premium file shares (preview) | |----------|---------------|------------------------------------------| -| Minimum size of a file share | No minimum; pay as you go | 100 GiB | -| Maximum size of a file share | 5 TiB | 5 TiB | +| Minimum size of a file share | No minimum; pay as you go | 100 GiB; provisioned | +| Maximum size of a file share | 5 TiB | 5 TiB (public preview), 100 TiB (limited public preview) | | Maximum size of a file in a file share | 1 TiB | 1 TiB | | Maximum number of files in a file share | No limit | No limit | -| Maximum IOPS per share | 1,000 IOPS | 5,120 IOPS baseline
    15,360 IOPS with burst | +| Maximum IOPS per share | 1,000 IOPS | 5,120 base IOPS with 15,360 burst limit (public preview), 100,000 IOPS (limited public preview)| | Maximum number of stored access policies per file share | 5 | 5 | -| Target throughput for a single file share | Up to 60 MiB/sec | Up to 612 MiB/sec (provisioned) | +| Target throughput for a single file share | Up to 60 MiB/sec | See premium file share ingress and egress values| +| Maximum egress for a single file share | See standard file share target throughput | Up to 368 MiB/s (public preview), Up to 6,204 MiB/s (limited public preview) | +| Maximum ingress for a single file share | See standard file share target throughput | Up to 245 MiB/s (public preview), Up to 4,136 MiB/s (limited public preview) | | Maximum open handles per file | 2,000 open handles | 2,000 open handles | | Maximum number of share snapshots | 200 share snapshots | 200 share snapshots | | Maximum object (directories and files) name length | 2,048 characters | 2,048 characters | diff --git a/includes/storage-import-export-ship-drives.md b/includes/storage-import-export-ship-drives.md index ed967ee94188d..8fc48e83e941e 100644 --- a/includes/storage-import-export-ship-drives.md +++ b/includes/storage-import-export-ship-drives.md @@ -6,13 +6,13 @@ services: storage ms.service: storage ms.topic: include -ms.date: 12/13/2018 +ms.date: 04/08/2019 ms.author: alkohli ms.custom: include file --- -FedEx, UPS, or DHL can be used to ship the package to Azure datacenter. +FedEx, UPS, or DHL can be used to ship the package to Azure datacenter. If you want to use a carrier other than FedEx/DHL, contact Azure Data Box Operations team at `adbops@microsoft.com` - Provide a valid FedEx, UPS, or DHL carrier account number that Microsoft will use to ship the drives back. 
diff --git a/includes/virtual-machines-common-classic-resource-manager-migration-common-errors.md b/includes/virtual-machines-common-classic-resource-manager-migration-common-errors.md index 8f9bed5a02176..fb6b7510b5ea4 100644 --- a/includes/virtual-machines-common-classic-resource-manager-migration-common-errors.md +++ b/includes/virtual-machines-common-classic-resource-manager-migration-common-errors.md @@ -17,7 +17,7 @@ This article catalogs the most common errors and mitigations during the migratio | Internal server error |In some cases, this is a transient error that goes away with a retry. If it continues to persist, [contact Azure support](../articles/azure-supportability/how-to-create-azure-support-request.md) as it needs investigation of platform logs.

    **NOTE:** Once the incident is tracked by the support team, please do not attempt any self-mitigation as this might have unintended consequences on your environment. | | Migration is not supported for Deployment {deployment-name} in HostedService {hosted-service-name} because it is a PaaS deployment (Web/Worker). |This happens when a deployment contains a web/worker role. Since migration is only supported for Virtual Machines, please remove the web/worker role from the deployment and try migration again. | | Template {template-name} deployment failed. CorrelationId={guid} |In the backend of migration service, we use Azure Resource Manager templates to create resources in the Azure Resource Manager stack. Since templates are idempotent, usually you can safely retry the migration operation to get past this error. If this error continues to persist, please [contact Azure support](../articles/azure-supportability/how-to-create-azure-support-request.md) and give them the CorrelationId.

    **NOTE:** Once the incident is tracked by the support team, please do not attempt any self-mitigation as this might have unintended consequences on your environment. | -| The virtual network {virtual-network-name} does not exist. |This can happen if you created the Virtual Network in the new Azure portal. The actual Virtual Network name follows the pattern "Group * " | +| The virtual network {virtual-network-name} does not exist. |This can happen if you created the Virtual Network in the new Azure portal. The actual Virtual Network name follows the pattern "Group * \" | | VM {vm-name} in HostedService {hosted-service-name} contains Extension {extension-name} which is not supported in Azure Resource Manager. It is recommended to uninstall it from the VM before continuing with migration. |XML extensions such as BGInfo 1.\* are not supported in Azure Resource Manager. Therefore, these extensions cannot be migrated. If these extensions are left installed on the virtual machine, they are automatically uninstalled before completing the migration. | | VM {vm-name} in HostedService {hosted-service-name} contains Extension VMSnapshot/VMSnapshotLinux, which is currently not supported for Migration. Uninstall it from the VM and add it back using Azure Resource Manager after the Migration is Complete |This is the scenario where the virtual machine is configured for Azure Backup. Since this is currently an unsupported scenario, please follow the workaround at https://aka.ms/vmbackupmigration | | VM {vm-name} in HostedService {hosted-service-name} contains Extension {extension-name} whose Status is not being reported from the VM. Hence, this VM cannot be migrated. Ensure that the Extension status is being reported or uninstall the extension from the VM and retry migration.

    VM {vm-name} in HostedService {hosted-service-name} contains Extension {extension-name} reporting Handler Status: {handler-status}. Hence, the VM cannot be migrated. Ensure that the Extension handler status being reported is {handler-status} or uninstall it from the VM and retry migration.

    VM Agent for VM {vm-name} in HostedService {hosted-service-name} is reporting the overall agent status as Not Ready. Hence, the VM may not be migrated, if it has a migratable extension. Ensure that the VM Agent is reporting overall agent status as Ready. Refer to https://aka.ms/classiciaasmigrationfaqs. |Azure guest agent & VM Extensions need outbound internet access to the VM storage account to populate their status. Common causes of status failure include
  • a Network Security Group that blocks outbound access to the internet
  • If the VNET has on premises DNS servers and DNS connectivity is lost

    If you continue to see an unsupported status, you can uninstall the extensions to skip this check and move forward with migration. | diff --git a/includes/virtual-machines-common-infrastructure-automation.md b/includes/virtual-machines-common-infrastructure-automation.md index 4e289a67bb1f8..63b4ea60175a5 100644 --- a/includes/virtual-machines-common-infrastructure-automation.md +++ b/includes/virtual-machines-common-infrastructure-automation.md @@ -2,7 +2,7 @@ author: cynthn ms.service: virtual-machines ms.topic: include -ms.date: 10/26/2018 +ms.date: 04/11/2019 ms.author: cynthn --- # Use infrastructure automation tools with virtual machines in Azure 
@@ -51,16 +51,7 @@ Learn how to: Cloud-init also works across distributions. For example, you don't use **apt-get install** or **yum install** to install a package. Instead you can define a list of packages to install. Cloud-init automatically uses the native package management tool for the distro you select. - We are actively working with our endorsed Linux distro partners in order to have cloud-init enabled images available in the Azure marketplace. These images make your cloud-init deployments and configurations work seamlessly with VMs and virtual machine scale sets. The following table outlines the current cloud-init enabled images availability on the Azure platform: - -| Publisher | Offer | SKU | Version | cloud-init ready -|:--- |:--- |:--- |:--- |:--- -|Canonical |UbuntuServer |16.04-LTS |latest |yes | -|Canonical |UbuntuServer |14.04.5-LTS |latest |yes | -|CoreOS |CoreOS |Stable |latest |yes | -|OpenLogic |CentOS |7-CI |latest |preview | -|RedHat |RHEL |7-RAW-CI |latest |preview | - +We are actively working with our endorsed Linux distro partners in order to have cloud-init enabled images available in the Azure marketplace. These images make your cloud-init deployments and configurations work seamlessly with VMs and virtual machine scale sets. Learn more details about cloud-init on Azure: - [Cloud-init support for Linux virtual machines in Azure](../articles/virtual-machines/linux/using-cloud-init.md) diff --git a/includes/virtual-machines-common-mitigate-se.md b/includes/virtual-machines-common-mitigate-se.md index 1c88ebd582515..5608406461183 100644 --- a/includes/virtual-machines-common-mitigate-se.md +++ b/includes/virtual-machines-common-mitigate-se.md 
@@ -17,7 +17,7 @@ The disclosure of a [new class of CPU vulnerabilities](https://portal.msrc.micro
 Microsoft has deployed mitigations across all our cloud services. The infrastructure that runs Azure and isolates customer workloads from each other is protected. This means that a potential attacker using the same infrastructure can’t attack your application using these vulnerabilities.
-Azure is using [memory preserving maintenance](https://docs.microsoft.com/azure/virtual-machines/windows/maintenance-and-updates#memory-preserving-maintenance) whenever possible, to minimize customer impact and eliminate the need for reboots. Azure will continue utilizing these methods when making systemwide updates to the host and protect our customers.
+Azure is using [memory preserving maintenance](https://docs.microsoft.com/azure/virtual-machines/windows/maintenance-and-updates#maintenance-not-requiring-a-reboot) whenever possible, to minimize customer impact and eliminate the need for reboots. Azure will continue utilizing these methods when making systemwide updates to the host and protect our customers.
 More information about how security is integrated into every aspect of Azure is available on the [Azure Security Documentation](https://docs.microsoft.com/azure/security/) site.
diff --git a/includes/virtual-machines-common-planned-maintenance.md b/includes/virtual-machines-common-planned-maintenance.md
index 4b4d1b059ffa1..9f79c2b067dda 100644
--- a/includes/virtual-machines-common-planned-maintenance.md
+++ b/includes/virtual-machines-common-planned-maintenance.md
@@ -22,9 +22,9 @@ You can get in-VM notification about upcoming maintenance by using the Scheduled
 For "how-to" information on managing planned maintenance, see "Handling planned maintenance notifications" for [Linux](../articles/virtual-machines/linux/maintenance-notifications.md) or [Windows](../articles/virtual-machines/windows/maintenance-notifications.md).
-## Memory preserving maintenance
+## Maintenance not requiring a reboot
-The goal for most non-rebootful updates is less than 10 seconds pause for the VM. In certain cases memory preserving maintenance mechanisms are used, which pauses the VM for up to 30 seconds and preserves the memory in RAM. The virtual machine is then resumed and the clock of the virtual machine is automatically synchronized. Azure is increasingly using live migration technologies and improving memory preserving maintenance mechanism to reduce the pause duration.
+The goal for most maintenance that doesn't require a reboot is less than 10 seconds pause for the VM. In certain cases memory preserving maintenance mechanisms are used, which pauses the VM for up to 30 seconds and preserves the memory in RAM. The virtual machine is then resumed and the clock of the virtual machine is automatically synchronized. Azure is increasingly using live migration technologies and improving memory preserving maintenance mechanism to reduce the pause duration.
 These non-rebootful maintenance operations are applied fault domain by fault domain, and progress is stopped if any warning health signals are received.
diff --git a/includes/virtual-machines-common-reserved-vm-instance-size-flexibility.md b/includes/virtual-machines-common-reserved-vm-instance-size-flexibility.md
index 854583067835a..7a1cf03957e2f 100644
--- a/includes/virtual-machines-common-reserved-vm-instance-size-flexibility.md
+++ b/includes/virtual-machines-common-reserved-vm-instance-size-flexibility.md
@@ -104,7 +104,7 @@ For more information, see [Previous generations of virtual machine sizes](../art
 |Standard_DS4_v2|8|
 |Standard_DS5_v2|16|
-For more information, see [General purpose virtual machine sizes](../articles/virtual-machines/windows/sizes-general.md#dv2-series).
+For more information, see [Previous generations of virtual machine sizes](../articles/virtual-machines/windows/sizes-previous-gen.md).
 ## DSv2-series high memory
@@ -123,7 +123,7 @@ For more information, see [General purpose virtual machine sizes](../articles/vi
 |Standard_DS14-8_v2|8|
 |Standard_DS15_v2|10|
-For more information, see [Memory optimized virtual machine sizes](../articles/virtual-machines/windows/sizes-memory.md#dsv2-series-11-15).
+For more information, see [Previous generations of virtual machine sizes](../articles/virtual-machines/windows/sizes-previous-gen.md).
 ## DSv3-series
@@ -148,7 +148,7 @@ For more information, see [General purpose virtual machine sizes](../articles/vi
 |Standard_D4_v2|8|
 |Standard_D5_v2|16|
-For more information, see [General purpose virtual machine sizes](../articles/virtual-machines/windows/sizes-general.md#dv2-series).
+For more information, see [Previous generations of virtual machine sizes](../articles/virtual-machines/windows/sizes-previous-gen.md).
 ## Dv2-series high memory
@@ -160,7 +160,7 @@ For more information, see [General purpose virtual machine sizes](../articles/vi
 |Standard_D14_v2|8|
 |Standard_D15_v2|10|
-For more information, see [Memory optimized virtual machine sizes](../articles/virtual-machines/windows/sizes-memory.md#dv2-series-11-15).
+For more information, see [Previous generations of virtual machine sizes](../articles/virtual-machines/windows/sizes-previous-gen.md).
 ## Dv3-series
@@ -222,7 +222,7 @@ For more information, see [Memory optimized virtual machine sizes](../articles/v |Standard_F8|8| Standard_F16|16| -For more information, see [Compute optimized virtual machine sizes](../articles/virtual-machines/windows/sizes-compute.md#f-series). +For more information, see [Previous generations of virtual machine sizes](../articles/virtual-machines/windows/sizes-previous-gen.md). ## FS-series @@ -234,7 +234,7 @@ For more information, see [Compute optimized virtual machine sizes](../articles/ |Standard_F8s|8| |Standard_F16s|16| -For more information, see [Compute optimized virtual machine sizes](../articles/virtual-machines/windows/sizes-compute.md#fs-series-1). +For more information, see [Previous generations of virtual machine sizes](../articles/virtual-machines/windows/sizes-previous-gen.md). ## Fsv2-series diff --git a/includes/virtual-machines-common-sizes-compute.md b/includes/virtual-machines-common-sizes-compute.md index 696aeaa97de1c..17af39b37cbba 100644 --- a/includes/virtual-machines-common-sizes-compute.md +++ b/includes/virtual-machines-common-sizes-compute.md @@ -5,7 +5,7 @@ author: jonbeck7 ms.service: virtual-machines ms.topic: include - ms.date: 11/06/2018 + ms.date: 04/02/2019 ms.author: azcspmt;jonbeck;cynthn ms.custom: include file --- 
@@ -16,13 +16,7 @@ Compute optimized VM sizes have a high CPU-to-memory ratio and are good for medi
 Fsv2-series is based on the Intel® Xeon® Platinum 8168 processor, featuring a sustained all core Turbo clock speed of 3.4GHz and a maximum single-core turbo frequency of 3.7 GHz. Intel® AVX-512 instructions, which are new on Intel Scalable Processors, will provide up to a 2X performance boost to vector processing workloads on both single and double precision floating point operations. In other words, they are really fast for any computational workload.
-At a lower per-hour list price, the Fsv2-series is the best value in price-performance in the Azure portfolio based on the Azure Compute Unit (ACU) per vCPU.
-
-F-series is based on the 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) processor, which can achieve clock speeds as high as 3.1 GHz with the Intel Turbo Boost Technology 2.0. This is the same CPU performance as the Dv2-series of VMs.
-
-F-series VMs are an excellent choice for workloads that demand faster CPUs but do not need as much memory or temporary storage per vCPU. Workloads such as analytics, gaming servers, web servers, and batch processing will benefit from the value of the F-series.
-
-The Fs-series provides all the advantages of the F-series, in addition to Premium storage.
+At a lower per-hour list price, the Fsv2-series is the best value in price-performance in the Azure portfolio based on the Azure Compute Unit (ACU) per vCPU.
 ## Fsv2-series 1
@@ -47,48 +41,4 @@ Premium Storage Caching: Supported 2 More than 64 vCPU’s require one of these supported guest OSes: Windows Server 2016, Ubuntu 16.04 LTS, SLES 12 SP2, and Red Hat Enterprise Linux, CentOS 7.3, or Oracle Linux 7.3 with LIS 4.2.1 -3 Instance is isolated to hardware dedicated to a single customer. - -## Fs-series 1 - -ACU: 210 - 250 - -Premium Storage: Supported - -Premium Storage Caching: Supported - -| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max cached and temp storage throughput: IOPS / MBps (cache size in GiB) | Max uncached disk throughput: IOPS / MBps | Max NICs / Expected network bandwidth (Mbps) | -| --- | --- | --- | --- | --- | --- | --- | --- | -| Standard_F1s |1 |2 |4 |4 |4,000 / 32 (12) |3,200 / 48 |2 / 750 | -| Standard_F2s |2 |4 |8 |8 |8,000 / 64 (24) |6,400 / 96 |2 / 1500 | -| Standard_F4s |4 |8 |16 |16 |16,000 / 128 (48) |12,800 / 192 |4 / 3000 | -| Standard_F8s |8 |16 |32 |32 |32,000 / 256 (96) |25,600 / 384 |8 / 6000 | -| Standard_F16s |16 |32 |64 |64 |64,000 / 512 (192) |51,200 / 768 |8 / 12000 | - -MBps = 10^6 bytes per second, and GiB = 1024^3 bytes. - -1 The maximum disk throughput (IOPS or MBps) possible with a Fs series VM may be limited by the number, size, and striping of the attached disk(s). For details, see [Designing for high performance](../articles/virtual-machines/windows/premium-storage-performance.md). - - -
    - -## F-series - -ACU: 210 - 250 - -Premium Storage: Not Supported - -Premium Storage Caching: Not Supported - -| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max temp storage throughput: IOPS / Read MBps / Write MBps | Max data disks / throughput: IOPS | Max NICs / Expected network bandwidth (Mbps) | -|--------------|-----------|-------------|----------------|----------------------------------------------------------|-----------------------------------|------------------------------| -| Standard_F1 | 1 | 2 | 16 | 3000 / 46 / 23 | 4 / 4x500 | 2 / 750 | -| Standard_F2 | 2 | 4 | 32 | 6000 / 93 / 46 | 8 / 8x500 | 2 / 1500 | -| Standard_F4 | 4 | 8 | 64 | 12000 / 187 / 93 | 16 / 16x500 | 4 / 3000 | -| Standard_F8 | 8 | 16 | 128 | 24000 / 375 / 187 | 32 / 32x500 | 8 / 6000 | -| Standard_F16 | 16 | 32 | 256 | 48000 / 750 / 375 | 64 / 64x500 | 8 / 12000 | - - -
    - - +3 Instance is isolated to hardware dedicated to a single customer. \ No newline at end of file diff --git a/includes/virtual-machines-common-sizes-general.md b/includes/virtual-machines-common-sizes-general.md index 8d3e608329e75..39bbf4b04af1b 100644 --- a/includes/virtual-machines-common-sizes-general.md +++ b/includes/virtual-machines-common-sizes-general.md 
@@ -18,13 +18,12 @@ General purpose VM sizes provide balanced CPU-to-memory ratio. Ideal for testing Example use cases include development and test servers, low traffic web servers, small to medium databases, proof-of-concepts, and code repositories. -- Dv2-series, a follow-on to the original D-series, features a more powerful CPU and optimal CPU-to-memory configuration making them suitable for most production workloads. The Dv2-series CPU is about 35% faster than the D-series CPU. It is based on the latest generation Intel Xeon® E5-2673 v3 2.4 GHz (Haswell) or E5-2673 v4 2.3 GHz (Broadwell) processors, and with the Intel Turbo Boost Technology 2.0, can go up to 3.1 GHz. The Dv2-series has the same memory and disk configurations as the D-series. +- Dv2-series, a follow-on to the original D-series, features a more powerful CPU and optimal CPU-to-memory configuration making them suitable for most production workloads. The Dv2-series CPU is about 35% faster than the D-series CPU. It is based on the latest generation Intel Xeon® E5-2673 v3 2.4 GHz (Haswell) or E5-2673 v4 2.3 GHz (Broadwell) processors, and with the Intel Turbo Boost Technology 2.0, can go up to 3.1 GHz. The Dv2-series has the same memory and disk configurations as the D-series. - The Dv3-series features the 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) processor or the latest 2.3 GHz Intel XEON ® E5-2673 v4 (Broadwell) processor in a hyper-threaded configuration, providing a better value proposition for most general purpose workloads. Memory has been expanded (from ~3.5 GiB/vCPU to 4 GiB/vCPU) while disk and network limits have been adjusted on a per core basis to align with the move to hyperthreading. The Dv3 no longer has the high memory VM sizes of the D/Dv2 families, those have been moved to the new Ev3 family. - Example D-series use cases include enterprise-grade applications, relational databases, in-memory caching, and analytics. 
+ Example D-series use cases include enterprise-grade applications, relational databases, in-memory caching, and analytics. - ## B-series Premium Storage: Supported @@ -94,7 +93,6 @@ Data disk storage is billed separately from virtual machines. To use premium sto 1 Dv3-series VM’s feature Intel® Hyper-Threading Technology - ## DSv2-series ACU: 210-250 @@ -111,8 +109,6 @@ Premium Storage Caching: Supported | Standard_DS4_v2 |8 |28 |56 |32 |32,000 / 256 (344) |25,600 / 384 |8 / 6000 | | Standard_DS5_v2 |16 |56 |112 |64 |64,000 / 512 (688) |51,200 / 768 |8 / 12000 | - - ## Dv2-series ACU: 210-250 @@ -129,7 +125,6 @@ Premium Storage Caching: Not Supported | Standard_D4_v2 | 8 | 28 | 400 | 24000 / 375 / 187 | 32 | 32x500 | 8 / 6000 | | Standard_D5_v2 | 16 | 56 | 800 | 48000 / 750 / 375 | 64 | 64x500 | 8 / 12000 | - ## Av2-series ACU: 100 @@ -149,9 +144,6 @@ Premium Storage Caching: Not Supported | Standard_A4m_v2 | 4 | 32 | 40 | 4000 / 80 / 40 | 8 / 8x500 | 4 / 1000 | | Standard_A8m_v2 | 8 | 64 | 80 | 8000 / 160 / 80 | 16 / 16x500 | 8 / 2000 | -
    - - ## DC-series Premium Storage: Supported diff --git a/includes/virtual-machines-common-sizes-memory.md b/includes/virtual-machines-common-sizes-memory.md index 2b702bacbbe01..66dc00843a0a7 100644 --- a/includes/virtual-machines-common-sizes-memory.md +++ b/includes/virtual-machines-common-sizes-memory.md 
@@ -14,10 +14,9 @@ Memory optimized VM sizes offer a high memory-to-CPU ratio that are great for re * The M-Series offers the highest vCPU count (up to 128 vCPUs) and largest memory (up to 3.8 TiB) of any VM in the cloud. It’s ideal for extremely large databases or other applications that benefit from high vCPU counts and large amounts of memory. -* Dv2-series, G-series, and the DSv2/GS counterparts are ideal for applications that demand faster vCPUs, better temporary storage performance, or have higher memory demands. They offer a powerful combination for many enterprise-grade applications. +* Dv2-series, G-series, and the DSv2/GS counterparts are ideal for applications that demand faster vCPUs, better temporary storage performance, or have higher memory demands. They offer a powerful combination for many enterprise-grade applications. - -* Dv2-series, a follow-on to the original D-series, features a more powerful CPU. The Dv2-series CPU is about 35% faster than the D-series CPU. It is based on the latest generation 2.4 GHz Intel Xeon® E5-2673 v3 2.4 GHz (Haswell) or E5-2673 v4 2.3 GHz (Broadwell) processors, and with the Intel Turbo Boost Technology 2.0, can go up to 3.1 GHz. The Dv2-series has the same memory and disk configurations as the D-series. +* Dv2-series, a follow-on to the original D-series, features a more powerful CPU. The Dv2-series CPU is about 35% faster than the D-series CPU. It is based on the latest generation 2.4 GHz Intel Xeon® E5-2673 v3 2.4 GHz (Haswell) or E5-2673 v4 2.3 GHz (Broadwell) processors, and with the Intel Turbo Boost Technology 2.0, can go up to 3.1 GHz. The Dv2-series has the same memory and disk configurations as the D-series. * The Ev3-series features the E5-2673 v4 2.3 GHz (Broadwell) processor in a hyper-threaded configuration, providing a better value proposition for most general purpose workloads, and bringing the Ev3 into alignment with the general purpose VMs of most other clouds. 
Memory has been expanded (from 7 GiB/vCPU to 8 GiB/vCPU) while disk and network limits have been adjusted on a per core basis to align with the move to hyperthreading. The Ev3 is the follow up to the high memory VM sizes of the D/Dv2 families. @@ -165,7 +164,6 @@ Premium Storage Caching: Not Supported 1 Instance is isolated to hardware dedicated to a single customer.
    - ## DSv2-series 11-15 ACU: 210 - 250 1 @@ -182,14 +180,10 @@ Premium Storage Caching: Supported | Standard_DS14_v2 3|16 |112 |224 |64 |64,000 / 512 (576) |51,200 / 768 |8 / 12000 | | Standard_DS15_v2 2 |20 |140 |280 |64 |80,000 / 640 (720) |64,000 / 960 |8 / 25000 4 - -1 The maximum disk throughput (IOPS or MBps) possible with a DSv2 series VM may be limited by the number, size and striping of the attached disk(s). For details, see [Designing for high performance](../articles/virtual-machines/windows/premium-storage-performance.md). - -2 Instance is isolated to hardware dedicated to a single customer. - -3 Constrained core sizes available. - -4 25000 Mbps with Accelerated Networking. +1 The maximum disk throughput (IOPS or MBps) possible with a DSv2 series VM may be limited by the number, size and striping of the attached disk(s). For details, see [Designing for high performance](../articles/virtual-machines/windows/premium-storage-performance.md). +2 Instance is isolated to hardware dedicated to a single customer. +3 Constrained core sizes available. +4 25000 Mbps with Accelerated Networking.
    @@ -209,13 +203,5 @@ Premium Storage Caching: Not Supported | Standard_D14_v2 | 16 | 112 | 800 | 48000 / 750 / 375 | 64 / 64x500 | 8 / 12000 | | Standard_D15_v2 1 | 20 | 140 | 1,000 | 60000 / 937 / 468 | 64 / 64x500 | 8 / 25000 2 | -1 Instance is isolated to hardware dedicated to a single customer. - -2 25000 Mbps with Accelerated Networking. - - - -
    - - - +1 Instance is isolated to hardware dedicated to a single customer. +2 25000 Mbps with Accelerated Networking. \ No newline at end of file diff --git a/includes/virtual-machines-common-sizes-older.md b/includes/virtual-machines-common-sizes-older.md new file mode 100644 index 0000000000000..c849d9ca68a15 --- /dev/null +++ b/includes/virtual-machines-common-sizes-older.md @@ -0,0 +1,170 @@ +--- + title: include file + description: include file + services: virtual-machines-windows, virtual-machines-linux + author: laurenhughes + ms.service: multiple + ms.topic: include + ms.date: 04/11/2019 + ms.author: lahugh + ms.custom: include file +--- + +This section provides information on older generations of virtual machine sizes. These sizes are still supported but will not receive additional capacity. There are newer or alternative sizes that are generally available. Please refer to [Sizes for Windows virtual machines in Azure](../articles/virtual-machines/windows/sizes.md) or [Sizes for Linux virtual machines in Azure](../articles/virtual-machines/linux/sizes.md) to choose the VM sizes that will best fit your need. + +For more information on resizing a Linux VM, see [Resize a Linux virtual machine using Azure CLI](../articles/virtual-machines/linux/change-vm-size.md). If you're using Windows VMs and prefer to use PowerShell, see [Resize a Windows VM](../articles/virtual-machines/windows/resize-vm.md). + +
    + +### Basic A + +**Newer size recommendation**: [Av2-series](../articles/virtual-machines/windows/sizes-general.md#av2-series) + +Premium Storage: Not Supported + +Premium Storage Caching: Not Supported + +The basic tier sizes are primarily for development workloads and other applications that don't require load balancing, auto-scaling, or memory-intensive virtual machines. + +|Size – Size\Name | vCPU |Memory|NICs (Max)|Max temporary disk size |Max. data disks (1023 GB each)|Max. IOPS (300 per disk)| +|---|---|---|---|---|---|---| +|A0\Basic_A0|1|768 MB|2| 20 GB|1|1x300| +|A1\Basic_A1|1|1.75 GB|2| 40 GB |2|2x300| +|A2\Basic_A2|2|3.5 GB|2| 60 GB|4|4x300| +|A3\Basic_A3|4|7 GB|2| 120 GB |8|8x300| +|A4\Basic_A4|8|14 GB|2| 240 GB |16|16x300| + +
    + +### A-series + +**Newer size recommendation**: [Av2-series](../articles/virtual-machines/windows/sizes-general.md#av2-series) + +ACU: 50-100 + +Premium Storage: Not Supported + +Premium Storage Caching: Not Supported + +| Size | vCPU | Memory: GiB | Temp storage (HDD): GiB | Max data disks | Max data disk throughput: IOPS | Max NICs / Expected network bandwidth (Mbps) | +| --- | --- | --- | --- | --- | --- | --- | +| Standard_A0 1 |1 |0.768 |20 |1 |1x500 |2 / 100 | +| Standard_A1 |1 |1.75 |70 |2 |2x500 |2 / 500 | +| Standard_A2 |2 |3.5 |135 |4 |4x500 |2 / 500 | +| Standard_A3 |4 |7 |285 |8 |8x500 |2 / 1000 | +| Standard_A4 |8 |14 |605 |16 |16x500 |4 / 2000 | +| Standard_A5 |2 |14 |135 |4 |4x500 |2 / 500 | +| Standard_A6 |4 |28 |285 |8 |8x500 |2 / 1000 | +| Standard_A7 |8 |56 |605 |16 |16x500 |4 / 2000 | + +1 The A0 size is over-subscribed on the physical hardware. For this specific size only, other customer deployments may impact the performance of your running workload. The relative performance is outlined below as the expected baseline, subject to an approximate variability of 15 percent. + +
    + +### A-series - compute-intensive instances + +**Newer size recommendation**: [Av2-series](../articles/virtual-machines/windows/sizes-general.md#av2-series) + +ACU: 225 + +Premium Storage: Not Supported + +Premium Storage Caching: Not Supported + +The A8-A11 and H-series sizes are also known as *compute-intensive instances*. The hardware that runs these sizes is designed and optimized for compute-intensive and network-intensive applications, including high-performance computing (HPC) cluster applications, modeling, and simulations. The A8-A11 series uses Intel Xeon E5-2670 @ 2.6 GHZ and the H-series uses Intel Xeon E5-2667 v3 @ 3.2 GHz. + +| Size | vCPU | Memory: GiB | Temp storage (HDD): GiB | Max data disks | Max data disk throughput: IOPS | Max NICs| +| --- | --- | --- | --- | --- | --- | --- | +| Standard_A8 1 |8 |56 |382 |32 |32x500 |2 | +| Standard_A9 1 |16 |112 |382 |64 |64x500 |4 | +| Standard_A10 |8 |56 |382 |32 |32x500 |2 | +| Standard_A11 |16 |112 |382 |64 |64x500 |4 | + +1For MPI applications, dedicated RDMA backend network is enabled by FDR InfiniBand network, which delivers ultra-low-latency and high bandwidth. + +
    + +### D-series + +**Newer size recommendation**: [Dv3-series](../articles/virtual-machines/windows/sizes-general.md#dv3-series-1) + +ACU: 160-250 1 + +Premium Storage: Not Supported + +Premium Storage Caching: Not Supported + +| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max temp storage throughput: IOPS / Read MBps / Write MBps | Max data disks / throughput: IOPS | Max NICs / Expected network bandwidth (Mbps) | +|--------------|-----------|-------------|----------------|----------------------------------------------------------|-----------------------------------|------------------------------| +| Standard_D1 | 1         | 3.5         | 50             | 3000 / 46 / 23                                           | 4 / 4x500                         | 2 / 500                 | +| Standard_D2 | 2 | 7 | 100 | 6000 / 93 / 46 | 8 / 8x500 | 2 / 1000 | +| Standard_D3 | 4 | 14 | 200 | 12000 / 187 / 93 | 16 / 16x500 | 4 / 2000 | +| Standard_D4 | 8 | 28 | 400 | 24000 / 375 / 187 | 32 / 32x500 | 8 / 4000 | + +1 VM Family can run on one of the following CPU's: 2.2 GHz Intel Xeon® E5-2660 v2, 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) or 2.3 GHz Intel XEON® E5-2673 v4 (Broadwell) + +
    + +### D-series - memory optimized + +**Newer size recommendation**: [Dv3-series](../articles/virtual-machines/windows/sizes-general.md#dv3-series-1) + +ACU: 160-250 1 + +Premium Storage: Not Supported + +Premium Storage Caching: Not Supported + +| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max temp storage throughput: IOPS / Read MBps / Write MBps | Max data disks / throughput: IOPS | Max NICs / Expected network bandwidth (Mbps) | +|--------------|-----------|-------------|----------------|----------------------------------------------------------|-----------------------------------|------------------------------| +| Standard_D11 | 2 | 14 | 100 | 6000 / 93 / 46 | 8 / 8x500 | 2 / 1000 | +| Standard_D12 | 4 | 28 | 200 | 12000 / 187 / 93 | 16 / 16x500 | 4 / 2000 | +| Standard_D13 | 8 | 56 | 400 | 24000 / 375 / 187 | 32 / 32x500 | 8 / 4000 | +| Standard_D14 | 16 | 112 | 800 | 48000 / 750 / 375 | 64 / 64x500 | 8 / 8000 | + +1 VM Family can run on one of the following CPU's: 2.2 GHz Intel Xeon® E5-2660 v2, 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) or 2.3 GHz Intel XEON® E5-2673 v4 (Broadwell) + +
    + +### DS-series + +**Newer size recommendation**: [DSv3-series](https://docs.microsoft.com/azure/virtual-machines/windows/sizes-general#dsv3-series-1) + +ACU: 160-250 1 + +Premium Storage: Supported + +Premium Storage Caching: Supported + +| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max cached and temp storage throughput: IOPS / MBps (cache size in GiB) | Max uncached disk throughput: IOPS / MBps | Max NICs / Expected network bandwidth (Mbps) | +| --- | --- | --- | --- | --- | --- | --- | --- | +| Standard_DS1 |1 |3.5 |7 |4 |4,000 / 32 (43) |3,200 / 32 |2 / 500 | +| Standard_DS2 |2 |7 |14 |8 |8,000 / 64 (86) |6,400 / 64 |2 / 1000 | +| Standard_DS3 |4 |14 |28 |16 |16,000 / 128 (172) |12,800 / 128 |4 / 2000 | +| Standard_DS4 |8 |28 |56 |32 |32,000 / 256 (344) |25,600 / 256 |8 / 4000 | + +1 VM Family can run on one of the following CPU's: 2.2 GHz Intel Xeon® E5-2660 v2, 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) or 2.3 GHz Intel XEON® E5-2673 v4 (Broadwell) + +
    + +### DS-series - memory optimized + +**Newer size recommendation**: [DSv3-series](https://docs.microsoft.com/azure/virtual-machines/windows/sizes-general#dsv3-series-1) + +ACU: 160-250 1,2 + +Premium Storage: Supported + +Premium Storage Caching: Supported + +| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max cached and temp storage throughput: IOPS / MBps (cache size in GiB) | Max uncached disk throughput: IOPS / MBps | Max NICs / Expected network bandwidth (Mbps) | +| --- | --- | --- | --- | --- | --- | --- | --- | +| Standard_DS11 |2 |14 |28 |8 |8,000 / 64 (72) |6,400 / 64 |2 / 1000 | +| Standard_DS12 |4 |28 |56 |16 |16,000 / 128 (144) |12,800 / 128 |4 / 2000 | +| Standard_DS13 |8 |56 |112 |32 |32,000 / 256 (288) |25,600 / 256 |8 / 4000 | +| Standard_DS14 |16 |112 |224 |64 |64,000 / 512 (576) |51,200 / 512 |8 / 8000 | + +1 The maximum disk throughput (IOPS or MBps) possible with a DS series VM may be limited by the number, size and striping of the attached disk(s). For details, see [Designing for high performance](../articles/virtual-machines/windows/premium-storage-performance.md). +2 VM Family can run on one of the following CPU's: 2.2 GHz Intel Xeon® E5-2660 v2, 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) or 2.3 GHz Intel XEON® E5-2673 v4 (Broadwell) + +
    diff --git a/includes/virtual-machines-common-sizes-previous-gen.md b/includes/virtual-machines-common-sizes-previous-gen.md index bd9d131fb47cb..613951f6e50ba 100644 --- a/includes/virtual-machines-common-sizes-previous-gen.md +++ b/includes/virtual-machines-common-sizes-previous-gen.md 
@@ -5,55 +5,20 @@ author: cynthn ms.service: multiple ms.topic: include - ms.date: 07/06/2018 + ms.date: 04/11/2019 ms.author: cynthn;azcspmt;jonbeck ms.custom: include file --- +This section provides information on previous generations of virtual machine sizes. These sizes can still be used, but there are newer generations available. -This article provides information on previous generations of virtual machine sizes. These sizes can still be used, but there are newer generations available. +## F-series +F-series is based on the 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) processor, which can achieve clock speeds as high as 3.1 GHz with the Intel Turbo Boost Technology 2.0. This is the same CPU performance as the Dv2-series of VMs. -## DS-series +F-series VMs are an excellent choice for workloads that demand faster CPUs but do not need as much memory or temporary storage per vCPU. Workloads such as analytics, gaming servers, web servers, and batch processing will benefit from the value of the F-series. -ACU: 160-250 1 - -Premium Storage: Supported - -Premium Storage Caching: Supported - -| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max cached and temp storage throughput: IOPS / MBps (cache size in GiB) | Max uncached disk throughput: IOPS / MBps | Max NICs / Expected network bandwidth (Mbps) | -| --- | --- | --- | --- | --- | --- | --- | --- | -| Standard_DS1 |1 |3.5 |7 |4 |4,000 / 32 (43) |3,200 / 32 |2 / 500 | -| Standard_DS2 |2 |7 |14 |8 |8,000 / 64 (86) |6,400 / 64 |2 / 1000 | -| Standard_DS3 |4 |14 |28 |16 |16,000 / 128 (172) |12,800 / 128 |4 / 2000 | -| Standard_DS4 |8 |28 |56 |32 |32,000 / 256 (344) |25,600 / 256 |8 / 4000 | - -1 VM Family can run on one of the following CPU's: 2.2 GHz Intel Xeon® E5-2660 v2, 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) or 2.3 GHz Intel XEON® E5-2673 v4 (Broadwell) -
    - -## DS-series - memory optimized - -ACU: 160-250 1,2 - -Premium Storage: Supported - -Premium Storage Caching: Supported - -| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max cached and temp storage throughput: IOPS / MBps (cache size in GiB) | Max uncached disk throughput: IOPS / MBps | Max NICs / Expected network bandwidth (Mbps) | -| --- | --- | --- | --- | --- | --- | --- | --- | -| Standard_DS11 |2 |14 |28 |8 |8,000 / 64 (72) |6,400 / 64 |2 / 1000 | -| Standard_DS12 |4 |28 |56 |16 |16,000 / 128 (144) |12,800 / 128 |4 / 2000 | -| Standard_DS13 |8 |56 |112 |32 |32,000 / 256 (288) |25,600 / 256 |8 / 4000 | -| Standard_DS14 |16 |112 |224 |64 |64,000 / 512 (576) |51,200 / 512 |8 / 8000 | - -1 The maximum disk throughput (IOPS or MBps) possible with a DS series VM may be limited by the number, size and striping of the attached disk(s). For details, see [Designing for high performance](../articles/virtual-machines/windows/premium-storage-performance.md). - -2 VM Family can run on one of the following CPU's: 2.2 GHz Intel Xeon® E5-2660 v2, 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) or 2.3 GHz Intel XEON® E5-2673 v4 (Broadwell) - -## D-series - -ACU: 160-250 1 +ACU: 210 - 250 Premium Storage: Not Supported 
@@ -61,101 +26,63 @@ Premium Storage Caching: Not Supported | Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max temp storage throughput: IOPS / Read MBps / Write MBps | Max data disks / throughput: IOPS | Max NICs / Expected network bandwidth (Mbps) | |--------------|-----------|-------------|----------------|----------------------------------------------------------|-----------------------------------|------------------------------| -| Standard_D1 | 1         | 3.5         | 50             | 3000 / 46 / 23                                           | 4 / 4x500                         | 2 / 500                 | -| Standard_D2 | 2 | 7 | 100 | 6000 / 93 / 46 | 8 / 8x500 | 2 / 1000 | -| Standard_D3 | 4 | 14 | 200 | 12000 / 187 / 93 | 16 / 16x500 | 4 / 2000 | -| Standard_D4 | 8 | 28 | 400 | 24000 / 375 / 187 | 32 / 32x500 | 8 / 4000 | - -1 VM Family can run on one of the following CPU's: 2.2 GHz Intel Xeon® E5-2660 v2, 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) or 2.3 GHz Intel XEON® E5-2673 v4 (Broadwell) -
    - -## D-series - memory optimized - -ACU: 160-250 1 - -Premium Storage: Not Supported +| Standard_F1 | 1 | 2 | 16 | 3000 / 46 / 23 | 4 / 4x500 | 2 / 750 | +| Standard_F2 | 2 | 4 | 32 | 6000 / 93 / 46 | 8 / 8x500 | 2 / 1500 | +| Standard_F4 | 4 | 8 | 64 | 12000 / 187 / 93 | 16 / 16x500 | 4 / 3000 | +| Standard_F8 | 8 | 16 | 128 | 24000 / 375 / 187 | 32 / 32x500 | 8 / 6000 | +| Standard_F16 | 16 | 32 | 256 | 48000 / 750 / 375 | 64 / 64x500 | 8 / 12000 | -Premium Storage Caching: Not Supported +## Fs-series 1 -| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max temp storage throughput: IOPS / Read MBps / Write MBps | Max data disks / throughput: IOPS | Max NICs / Expected network bandwidth (Mbps) | -|--------------|-----------|-------------|----------------|----------------------------------------------------------|-----------------------------------|------------------------------| -| Standard_D11 | 2 | 14 | 100 | 6000 / 93 / 46 | 8 / 8x500 | 2 / 1000 | -| Standard_D12 | 4 | 28 | 200 | 12000 / 187 / 93 | 16 / 16x500 | 4 / 2000 | -| Standard_D13 | 8 | 56 | 400 | 24000 / 375 / 187 | 32 / 32x500 | 8 / 4000 | -| Standard_D14 | 16 | 112 | 800 | 48000 / 750 / 375 | 64 / 64x500 | 8 / 8000 | +The Fs-series provides all the advantages of the F-series, in addition to Premium storage. -1 VM Family can run on one of the following CPU's: 2.2 GHz Intel Xeon® E5-2660 v2, 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) or 2.3 GHz Intel XEON® E5-2673 v4 (Broadwell) -
    +ACU: 210 - 250 -## A-series - compute-intensive instances - -ACU: 225 +Premium Storage: Supported -Premium Storage: Not Supported +Premium Storage Caching: Supported -Premium Storage Caching: Not Supported +| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max cached and temp storage throughput: IOPS / MBps (cache size in GiB) | Max uncached disk throughput: IOPS / MBps | Max NICs / Expected network bandwidth (Mbps) | +| --- | --- | --- | --- | --- | --- | --- | --- | +| Standard_F1s |1 |2 |4 |4 |4,000 / 32 (12) |3,200 / 48 |2 / 750 | +| Standard_F2s |2 |4 |8 |8 |8,000 / 64 (24) |6,400 / 96 |2 / 1500 | +| Standard_F4s |4 |8 |16 |16 |16,000 / 128 (48) |12,800 / 192 |4 / 3000 | +| Standard_F8s |8 |16 |32 |32 |32,000 / 256 (96) |25,600 / 384 |8 / 6000 | +| Standard_F16s |16 |32 |64 |64 |64,000 / 512 (192) |51,200 / 768 |8 / 12000 | -The A8-A11 and H-series sizes are also known as *compute-intensive instances*. The hardware that runs these sizes is designed and optimized for compute-intensive and network-intensive applications, including high-performance computing (HPC) cluster applications, modeling, and simulations. The A8-A11 series uses Intel Xeon E5-2670 @ 2.6 GHZ and the H-series uses Intel Xeon E5-2667 v3 @ 3.2 GHz. +MBps = 10^6 bytes per second, and GiB = 1024^3 bytes. -| Size | vCPU | Memory: GiB | Temp storage (HDD): GiB | Max data disks | Max data disk throughput: IOPS | Max NICs| -| --- | --- | --- | --- | --- | --- | --- | -| Standard_A8 1 |8 |56 |382 |32 |32x500 |2 | -| Standard_A9 1 |16 |112 |382 |64 |64x500 |4 | -| Standard_A10 |8 |56 |382 |32 |32x500 |2 | -| Standard_A11 |16 |112 |382 |64 |64x500 |4 | +1 The maximum disk throughput (IOPS or MBps) possible with a Fs series VM may be limited by the number, size, and striping of the attached disk(s). For details, see [Designing for high performance](../articles/virtual-machines/windows/premium-storage-performance.md). 
-1For MPI applications, dedicated RDMA backend network is enabled by FDR InfiniBand network, which delivers ultra-low-latency and high bandwidth. +## Ls-series -
    +The Ls-series offers up to 32 vCPUs, using the [Intel® Xeon® processor E5 v3 family](http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-solutions.html). The Ls-series gets the same CPU performance as the G/GS-Series and comes with 8 GiB of memory per vCPU. -## A-series +The Ls-series does not support the creation of a local cache to increase the IOPS achievable by durable data disks. The high throughput and IOPS of the local disk makes Ls-series VMs ideal for NoSQL stores such as Apache Cassandra and MongoDB which replicate data across multiple VMs to achieve persistence in the event of the failure of a single VM. -ACU: 50-100 +ACU: 180-240 -Premium Storage: Not Supported +Premium Storage: Supported Premium Storage Caching: Not Supported + +| Size | vCPU | Memory (GiB) | Temp storage (GiB) | Max data disks | Max temp storage throughput (IOPS / MBps) | Max uncached disk throughput (IOPS / MBps) | Max NICs / Expected network bandwidth (Mbps) | +|----------------|-----------|-------------|--------------------------|----------------|-------------------------------------------------------------|-------------------------------------------|------------------------------| +| Standard_L4s | 4 | 32 | 678 | 16 | 20,000 / 200 | 5,000 / 125 | 2 / 4,000 | +| Standard_L8s | 8 | 64 | 1,388 | 32 | 40,000 / 400 | 10,000 / 250 | 4 / 8,000 | +| Standard_L16s | 16 | 128 | 2,807 | 64 | 80,000 / 800 | 20,000 / 500 | 8 / 16,000 | +| Standard_L32s 1 | 32 | 256 | 5,630 | 64 | 160,000 / 1,600 | 40,000 / 1,000 | 8 / 20,000 | -| Size | vCPU | Memory: GiB | Temp storage (HDD): GiB | Max data disks | Max data disk throughput: IOPS | Max NICs / Expected network bandwidth (Mbps) | -| --- | --- | --- | --- | --- | --- | --- | -| Standard_A0 1 |1 |0.768 |20 |1 |1x500 |2 / 100 | -| Standard_A1 |1 |1.75 |70 |2 |2x500 |2 / 500 | -| Standard_A2 |2 |3.5 |135 |4 |4x500 |2 / 500 | -| Standard_A3 |4 |7 |285 |8 |8x500 |2 / 1000 | -| Standard_A4 |8 |14 |605 |16 |16x500 |4 / 2000 | -| 
Standard_A5 |2 |14 |135 |4 |4x500 |2 / 500 | -| Standard_A6 |4 |28 |285 |8 |8x500 |2 / 1000 | -| Standard_A7 |8 |56 |605 |16 |16x500 |4 / 2000 | - -
    +The maximum disk throughput possible with Ls-series VMs may be limited by the number, size, and striping of any attached disks. For details, see [Designing for high performance](../articles/virtual-machines/windows/premium-storage-performance.md). -1 The A0 size is over-subscribed on the physical hardware. For this specific size only, other customer deployments may impact the performance of your running workload. The relative performance is outlined below as the expected baseline, subject to an approximate variability of 15 percent. +1 Instance is isolated to hardware dedicated to a single customer. ### Standard A0 - A4 using CLI and PowerShell In the classic deployment model, some VM size names are slightly different in CLI and PowerShell: -* Standard_A0 is ExtraSmall +* Standard_A0 is ExtraSmall * Standard_A1 is Small * Standard_A2 is Medium * Standard_A3 is Large * Standard_A4 is ExtraLarge - -## Basic A - -Premium Storage: Not Supported - -Premium Storage Caching: Not Supported - -The basic tier sizes are primarily for development workloads and other applications that don't require load balancing, auto-scaling, or memory-intensive virtual machines. - -|Size – Size\Name | vCPU |Memory|NICs (Max)|Max temporary disk size |Max. data disks (1023 GB each)|Max. IOPS (300 per disk)| -|---|---|---|---|---|---|---| -|A0\Basic_A0|1|768 MB|2| 20 GB|1|1x300| -|A1\Basic_A1|1|1.75 GB|2| 40 GB |2|2x300| -|A2\Basic_A2|2|3.5 GB|2| 60 GB|4|4x300| -|A3\Basic_A3|4|7 GB|2| 120 GB |8|8x300| -|A4\Basic_A4|8|14 GB|2| 240 GB |16|16x300| - - - diff --git a/includes/virtual-machines-common-sizes-storage.md b/includes/virtual-machines-common-sizes-storage.md index 841f4798613a2..b3bb8457b7b92 100644 --- a/includes/virtual-machines-common-sizes-storage.md +++ b/includes/virtual-machines-common-sizes-storage.md 
@@ -5,7 +5,7 @@
 author: jonbeck7
 ms.service: virtual-machines
 ms.topic: include
- ms.date: 07/06/2018
+ ms.date: 04/02/2019
 ms.author: azcspmt;jonbeck;cynthn
 ms.custom: include file
 ---
@@ -14,54 +14,32 @@ Storage optimized VM sizes offer high disk throughput and IO, and are ideal for The Lsv2-series features high throughput, low latency, directly mapped local NVMe storage running on the [AMD EPYC ™ 7551 processor](https://www.amd.com/en/products/epyc-7000-series) with an all core boost of 2.55GHz and a max boost of 3.0GHz. The Lsv2-series VMs come in sizes from 8 to 80 vCPU in a simultaneous multi-threading configuration. There is 8 GiB of memory per vCPU, and one 1.92TB NVMe SSD M.2 device per 8 vCPUs, with up to 19.2TB (10x1.92TB) available on the L80s v2. -The Ls-series offers up to 32 vCPUs, using the [Intel® Xeon® processor E5 v3 family](http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-solutions.html). The Ls-series gets the same CPU performance as the G/GS-Series and comes with 8 GiB of memory per vCPU. - > [!NOTE] -> The Lsv2-series VMs are optimized to use the local disk on the node attached directly to the VM rather than using durable data disks. This allows for greater IOPs / throughput for your workloads. The Lsv2 and Ls-series do not support the creation of a local cache to increase the IOPS achievable by durable data disks. The high throughput and IOPS of the local disk makes the Lsv2 and Ls-series VMs ideal for NoSQL stores such as Apache Cassandra and MongoDB which replicate data across multiple VMs to achieve persistence in the event of the failure of a single VM. +> The Lsv2-series VMs are optimized to use the local disk on the node attached directly to the VM rather than using durable data disks. This allows for greater IOPs / throughput for your workloads. The Lsv2-series does not support the creation of a local cache to increase the IOPS achievable by durable data disks. The high throughput and IOPS of the local disk makes the Lsv2-series VMs ideal for NoSQL stores such as Apache Cassandra and MongoDB which replicate data across multiple VMs to achieve persistence in the event of the failure of a single VM. 
## Lsv2-series + ACU: 150-175 Premium Storage: Supported Premium Storage Caching: Not Supported -| Size | vCPU | Memory (GiB) | Temp disk1 (GiB) | NVMe Disks2 | NVMe Disk throughput3 (Read IOPS / MBps) | Max uncached data disk throughput (IOPs/MBps)4 | Max Data Disks | Max NICs / Expected network bandwidth (Mbps) | +| Size | vCPU | Memory (GiB) | Temp disk1 (GiB) | NVMe Disks2 | NVMe Disk throughput3 (Read IOPS / MBps) | Max uncached data disk throughput (IOPs/MBps)4 | Max Data Disks | Max NICs / Expected network bandwidth (Mbps) | |---------------|-----------|-------------|--------------------------|----------------|---------------------------------------------------|-------------------------------------------|------------------------------|------------------------------| | Standard_L8s_v2 | 8 | 64 | 80 | 1x1.92 TB | 400,000 / 2,000 | 8,000/160 | 16 | 2 / 3,200 | | Standard_L16s_v2 | 16 | 128 | 160 | 2x1.92 TB | 800,000 / 4,000 | 16,000/320 | 32 | 4 / 6,400 | | Standard_L32s_v2 | 32 | 256 | 320 | 4x1.92 TB | 1.5M / 8,000 | 32,000/640 | 32 | 8 / 12,800 | | Standard_L64s_v2 | 64 | 512 | 640 | 8x1.92 TB | 2.9M / 16,000 | 64,000/1,280 | 32 | 8 / 25,600 | | Standard_L80s_v2 | 80 | 640 | 800 | 10x1.92TB | 3.8M / 20,000 | 80,000/1,400 | 32 | 8 / 32,000 | - + 1 Lsv2-series VMs have a standard SCSI based temp resource disk for OS paging/swap file use (D: on Windows, /dev/sdb on Linux). This disk provides 80 GiB of storage, 4,000 IOPS, and 80 MBps transfer rate for every 8 vCPUs (e.g. Standard_L80s_v2 provides 800 GiB at 40,000 IOPS and 800 MBPS). This ensures the NVMe drives can be fully dedicated to application use. This disk is Ephemeral, and all data will be lost on stop/deallocate. 2 Local NVMe Disks are ephemeral, data will be lost on these disks if you stop/deallocate your VM. 3 Hyper-V NVMe Direct technology provides unthrottled access to local NVMe drives mapped securely into the guest VM space. 
Achieving maximum performance requires using either the latest WS2019 build or Ubuntu 18.04 or 16.04 from the Azure Marketplace. Write performance varies based on IO size, drive load, and capacity utilization. -4 Lsv2-series VMs do not provide host cache for data disk as it does not benefit the Lsv2 workloads. However, Lsv2 VMs can accommodate Azure’s Ephemeral VM OS disk option (up to 30 GiB). - - - -## Ls-series -ACU: 180-240 - -Premium Storage: Supported - -Premium Storage Caching: Not Supported - -| Size | vCPU | Memory (GiB) | Temp storage (GiB) | Max data disks | Max temp storage throughput (IOPS / MBps) | Max uncached disk throughput (IOPS / MBps) | Max NICs / Expected network bandwidth (Mbps) | -|----------------|-----------|-------------|--------------------------|----------------|-------------------------------------------------------------|-------------------------------------------|------------------------------| -| Standard_L4s | 4 | 32 | 678 | 16 | 20,000 / 200 | 5,000 / 125 | 2 / 4,000 | -| Standard_L8s | 8 | 64 | 1,388 | 32 | 40,000 / 400 | 10,000 / 250 | 4 / 8,000 | -| Standard_L16s | 16 | 128 | 2,807 | 64 | 80,000 / 800 | 20,000 / 500 | 8 / 16,000 | -| Standard_L32s 1 | 32 | 256 | 5,630 | 64 | 160,000 / 1,600 | 40,000 / 1,000 | 8 / 20,000 | - - -The maximum disk throughput possible with Ls-series VMs may be limited by the number, size, and striping of any attached disks. For details, see [Designing for high performance](../articles/virtual-machines/windows/premium-storage-performance.md). - -1 Instance is isolated to hardware dedicated to a single customer. +4 Lsv2-series VMs do not provide host cache for data disk as it does not benefit the Lsv2 workloads. However, Lsv2 VMs can accommodate Azure’s Ephemeral VM OS disk option (up to 30 GiB). ## Size table definitions diff --git a/includes/virtual-machines-managed-disks-overview.md b/includes/virtual-machines-managed-disks-overview.md index cb18dc3c56a09..a2d137ac5ee50 100644 
--- a/includes/virtual-machines-managed-disks-overview.md
+++ b/includes/virtual-machines-managed-disks-overview.md
@@ -26,6 +26,10 @@ Using managed disks, you can create up to 50,000 VM **disks** of a type in a sub Managed disks are integrated with availability sets to ensure that the disks of [VMs in an availability set](../articles/virtual-machines/windows/manage-availability.md#use-managed-disks-for-vms-in-an-availability-set) are sufficiently isolated from each other to avoid a single point of failure. Disks are automatically placed in different storage scale units (stamps). If a stamp fails due to hardware or software failure, only the VM instances with disks on those stamps fail. For example, let's say you have an application running on five VMs, and the VMs are in an Availability Set. The disks for those VMs won't all be stored in the same stamp, so if one stamp goes down, the other instances of the application continue to run. +### Integration with Availability Zones + +Managed disks supports [Availability Zones](../articles/availability-zones/az-overview.md), which is a high-availability offering that protects your applications from datacenter failures. Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there’s a minimum of three separate zones in all enabled regions. With Availability Zones, Azure offers industry best 99.99% VM uptime SLA. + ### Azure Backup support To protect against regional disasters, [Azure Backup](../articles/backup/backup-introduction-to-azure-backup.md) can be used to create a backup job with time-based backups and backup retention policies. This allows you to perform easy VM restorations at will. Currently Azure Backup supports disk sizes up to four tebibyte (TiB) disks. For more information, see [Using Azure Backup for VMs with managed disks](../articles/backup/backup-introduction-to-azure-backup.md#using-managed-disk-vms-with-azure-backup). 
@@ -36,11 +40,15 @@ You can use [Azure role-based access control (RBAC)](../articles/role-based-acce ## Disk roles -### Data disks +There are three main disk roles in Azure: the data disk, the OS disk, and the temporary disk. These roles map to disks that are attached to your virtual machine. + +![Disk roles in action](media/virtual-machines-managed-disks-overview/disk-types.png) + +### Data disk A data disk is a managed disk that's attached to a virtual machine to store application data, or other data you need to keep. Data disks are registered as SCSI drives and are labeled with a letter that you choose. Each data disk has a maximum capacity of 32,767 gibibytes (GiB). The size of the virtual machine determines how many data disks you can attach to it and the type of storage you can use to host the disks. -### OS disks +### OS disk Every virtual machine has one attached operating system disk. That OS disk has a pre-installed OS, which was selected when the VM was created. diff --git a/includes/virtual-networks-create-vnet-classic-netcfg-ps-include.md b/includes/virtual-networks-create-vnet-classic-netcfg-ps-include.md index f45abc46df06a..f13655aef2fcf 100644 --- a/includes/virtual-networks-create-vnet-classic-netcfg-ps-include.md +++ b/includes/virtual-networks-create-vnet-classic-netcfg-ps-include.md 
@@ -31,8 +31,8 @@ To create a virtual network with a netcfg file using PowerShell, complete the fo ... ``` -3. Open the file you saved in step 2 using any XML or text editor application, and look for the **** element. If you have any networks already created, each network is displayed as its own **** element. -4. To create the virtual network described in this scenario, add the following XML just under the **** element: +3. Open the file you saved in step 2 using any XML or text editor application, and look for the **\** element. If you have any networks already created, each network is displayed as its own **\** element. +4. To create the virtual network described in this scenario, add the following XML just under the **\** element: ```xml diff --git a/includes/vpn-gateway-faq-p2s-all-include.md b/includes/vpn-gateway-faq-p2s-all-include.md index 0bdc52b32821b..79ee18881b219 100644 --- a/includes/vpn-gateway-faq-p2s-all-include.md +++ b/includes/vpn-gateway-faq-p2s-all-include.md @@ -64,7 +64,7 @@ No. You can only use the native VPN client on Windows for SSTP, and the native V ### Does Azure support IKEv2 VPN with Windows? -IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or OpenVPN protocol. +IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or **OpenVPN® Protocol**. To prepare Windows 10 or Server 2016 for IKEv2: diff --git a/portal-articles/SqlAzureExtension/Database/Overview.md b/portal-articles/SqlAzureExtension/Database/Overview.md index 5dc2217669c1a..bfa6100d977a9 100644 --- a/portal-articles/SqlAzureExtension/Database/Overview.md +++ b/portal-articles/SqlAzureExtension/Database/Overview.md 
@@ -7,19 +7,19 @@ manager: lwelicki ms.service: sql-database ms.topic: article -ms.date: 04/27/2017 -ms.author: sewatson +ms.date: 04/09/2019 +ms.author: ninarn --- # SQL Database Documentation -Azure SQL Database is a relational database-as-a service using the Microsoft SQL Server Engine. SQL Database is a high-performance, reliable, and secure database you can use to build data-driven applications and websites in the programming language of your choice, without needing to manage infrastructure. Learn how to use SQL Database with our quickstarts, tutorials, and samples. +Azure SQL Database is a general-purpose relational database-as-a-service (DBaaS) based on the latest stable version of Microsoft SQL Server Database Engine. SQL Database is a high-performance, reliable, and secure cloud database that you can use to build data-driven applications and websites in the programming language of your choice, without needing to manage infrastructure. Learn how to use SQL Database with our quickstarts, tutorials, and samples. ## 5-Minute Quickstarts -Learn how to create a SQL Database, manage it using SQL Management Studio, and develop with it in C#, Java, Python, Node.js, and Ruby: +Azure SQL Database enables you to easily perform basic management tasks using the Azure portal, Azure CLI, and Azure PowerShell. Learn how to perform basic management tasks using the following quickstart samples: -- [Azure Portal](/azure/sql-database/sql-database-get-started-portal) +- [Azure portal](/azure/sql-database/sql-database-single-database-get-started) - [Azure PowerShell](/azure/sql-database/sql-database-get-started-powershell) - [Azure CLI](/azure/sql-database/sql-database-get-started-cli) 
@@ -27,8 +27,9 @@ Learn how to create a SQL Database, manage it using SQL Management Studio, and d Learn how to create, manage, and migrate databases using SQL DB. -- [Create and design the schema for a new SQL Database](/azure/sql-database/sql-database-design-first-database) -- [Migrate an existing SQL Server Database to use Azure SQL Database](/azure/sql-database/sql-database-migrate-your-sql-server-database) +- Get started with a [single database](/azure/sql-database/sql-database-single-database-quickstart-guide) using our quickstart guide +- Create and design the schema for a new single database using [SSMS](/azure/sql-database/sql-database-design-first-database) or [.NET](/azure/sql-database/sql-database-design-first-database-csharp) +- Migrate an existing database to Azure using [the Database Migration Assistant](/azure/dms/tutorial-sql-server-to-azure-sql) or [by importing a BACPAC file](/azure/sql-database/sql-database-import) - [Secure your SQL Database](/azure/sql-database/sql-database-security-tutorial) - [Improve SQL Database performance](/azure/sql-database/sql-database-performance-tutorial) - [Implement a multi-tenant SaaS application using SQL DB](/azure/sql-database/sql-database-multi-tenant-application) @@ -37,7 +38,7 @@ Learn how to create, manage, and migrate databases using SQL DB. - [Developing with .NET](https://www.pluralsight.com/courses/developing-dotnet-microsoft-azure-getting-started?twoid=d6abac77-7dcc-4d33-9e03-f85e78989f02) -## Samples +## Samples Find scripts to manage common tasks. @@ -47,4 +48,4 @@ Find scripts to manage common tasks. ## More - [Visit documentation to learn more](/azure/sql-database/index) -- [Learn about all Azure Services](https://aka.ms/j3wr7y) \ No newline at end of file +- [Learn about all Azure Services](https://aka.ms/j3wr7y)