Merge pull request #6754 from MicrosoftDocs/main
Publish to live, Friday 4 AM PST, 1/31
ttorble authored Jan 31, 2025
2 parents 3be9f44 + c9098eb commit bfbf740
Showing 25 changed files with 166 additions and 135 deletions.
6 changes: 6 additions & 0 deletions docs/identity-platform/apple-sso-plugin.md
Expand Up @@ -200,6 +200,9 @@ To *disable* SSO for Safari or Safari View Service, you must explicitly do so by
- iOS: `com.apple.mobilesafari`, `com.apple.SafariViewService`
- macOS: `com.apple.Safari`

>[!NOTE]
> SSO cannot be disabled for apps that use a Microsoft Authentication Library using this setting.
#### Enable SSO through cookies for a specific application

Some iOS apps that have advanced network settings might experience unexpected issues when they're enabled for SSO. For example, you might see an error indicating that a network request was canceled or interrupted.
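Review bot: the new `[!NOTE]` block runs straight into the `#### Enable SSO through cookies for a specific application` heading with no blank line between them; add a blank line after the `> SSO cannot be disabled ...` line so the alert closes before the heading, matching the blank-line convention used elsewhere in this file. The sentence itself is ambiguous about what is "using this setting" (the app, the library, or the reader); suggest "This setting can't disable SSO for apps that use a Microsoft Authentication Library."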
Expand All @@ -220,6 +223,9 @@ Try this configuration only for applications that have unexpected sign-in failur

#### Summary of keys

>[!NOTE]
> Keys described in this section only apply to apps that are not using a Microsoft Authentication Library.
| Key | Type | Value |
|--|--|--|
| `Enable_SSO_On_All_ManagedApps` | Integer | `1` to enable SSO for all managed apps, `0` to disable SSO for all managed apps. |
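Review bot: same missing blank line here: the note's `> Keys described in this section ...` line is immediately followed by the table header `| Key | Type | Value |`, so a Markdown renderer may treat the header row as a lazy continuation of the blockquote and fail to render the table; insert a blank line before the table. Also "apps that are not using" should be "apps that aren't using" to match the contraction style of the surrounding text.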
4 changes: 2 additions & 2 deletions docs/identity-platform/tutorial-web-app-python-prepare-app.md
Expand Up @@ -37,7 +37,7 @@ To complete the rest of the tutorial, you need to create a Python Flask web app
To build the Python Flask web app from scratch, follow these steps:

1. Create a folder to host your application and name it *flask-web-app*.
1. Navigate to your project directory and create three files named *app.py*, *app.config.py*, and *requirements.txt*.
1. Navigate to your project directory and create three files named *app.py*, *app_config.py*, and *requirements.txt*.
1. Create an .env file in the root folder of the project.
1. Create a folder named *templates* in your project root directory. Flask looks for rendering templates in this subdirectory.

Expand All @@ -51,7 +51,7 @@ python-webapp/
│ ├── login.html
├── .env.sample
├── app.py
├── app.config.py
├── app_config.py
│── requirements.txt
```
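Review bot: the directory tree keeps two inconsistencies that this hunk could have fixed: the root is shown as `python-webapp/` while the step above tells the reader to name the folder *flask-web-app*, and the last entry uses `│── requirements.txt` where the final node of a tree should be `└── requirements.txt`. Suggest correcting both while this block is being edited.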

15 changes: 14 additions & 1 deletion docs/identity/devices/troubleshoot-mac-sso-extension-plugin.md
Expand Up @@ -207,7 +207,20 @@ Sometimes, this command is insufficient and doesn't fully reset the cache. In th
* Remove or move the Intune Company Portal app to the Trash, then restart your device. After the restart is complete, you can try re-install the Company Portal app.
* Re-enroll your device.

If none of above methods resolve your issue, there may be something else in your environment that could be blocking the associated domain validation. If this happens, please reach out to Apple support for further troubleshooting.
If none of above methods resolve your issue, there may be something else in your environment that could be blocking the associated domain validation. If this happens, please reach out to Apple support for further troubleshooting.

#### Make sure System Integrity Protection (SIP) is enabled

The Enterprise SSO framework requires successful validation of code signing. If a machine has been explicitly opted out of [System Integrity Protection (SIP)](https://support.apple.com/en-us/102149), code signing might not work properly. If this happens, the machine will encounter sysdiagnose failures like the following error:

```
Error Domain=com.apple.AppSSO.AuthorizationError Code=-1000 "invalid team identifier of the extension=com.microsoft.CompanyPortalMac.ssoextension" UserInfo={NSLocalizedDescription=invalid team identifier of the extension=com.microsoft.CompanyPortalMac.ssoextension}
```

To resolve this issue, perform one of the following steps:

1. Re-enable System Integrity Protection on the affected machine.
2. If re-enabling System Integrity Protection is not possible, ensure that `sudo nvram boot-args` does not have the `amfi_get_out_of_my_way` value set to `1`. If it does, remove that value or set it to `0` to fix the issue.

#### Validate SSO configuration profile on macOS device
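Review bot: the two steps under "perform one of the following steps" are alternatives, so a bulleted list fits better than the numbered `1.`/`2.`, and the second step should say why the boot argument matters: `amfi_get_out_of_my_way=1` turns off code-signature enforcement, which is exactly what the `invalid team identifier of the extension` error is reporting, and without that link the reader can't see why an nvram setting is relevant to an SSO extension. The paragraph is also inconsistent in certainty ("code signing might not work properly" followed by "the machine will encounter"), and "sysdiagnose failures" should say the error appears in sysdiagnose output, since sysdiagnose is the collection tool rather than the failing component. The "If none of above methods" sentence appears as both removed and re-added with no visible difference, which suggests a whitespace-only change; either way it should read "none of the above methods", and "you can try re-install" in the bullet above should be "you can try reinstalling".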

5 changes: 3 additions & 2 deletions docs/identity/enterprise-apps/application-properties.md
Expand Up @@ -8,7 +8,8 @@ ms.service: entra-id
ms.subservice: enterprise-apps
ms.topic: concept-article

ms.date: 08/21/2024
ai-usage: ai-assisted
ms.date: 01/31/2025
ms.author: jomondi
ms.reviewer: ergreenl
ms.custom: enterprise-apps
Expand All @@ -24,7 +25,7 @@ This article describes the properties that you can configure for an enterprise a

If this option is set to **Yes**, then assigned users are able to sign in to the application from the My Apps portal, the User access URL, or by navigating to the application URL directly. If assignment is required, then only users who are assigned to the application are able to sign-in. If assignment is required, applications must be assigned to get a token.

If this option is set to **No**, then no users are able to sign in to the application, even if they're assigned to it. Tokens aren't issued for the application.
If this option is set to **No**, then no users are able to sign in to the application, even if they're assigned to it. Tokens aren't issued for the application. This setting not only prevents users from signing in but also restricts service principals from accessing the application using application permissions.

## Name
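Review bot: "restricts service principals from accessing the application using application permissions" is vaguer than the sentence before it ("Tokens aren't issued for the application"); say directly that token requests made with application permissions (app-only access) are rejected as well, so readers understand that **No** blocks both user sign-in and app-only access rather than merely limiting it.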

Expand Up @@ -8,7 +8,7 @@ ms.service: entra-id
ms.subservice: enterprise-apps
ms.topic: concept-article

ms.date: 05/30/2023
ms.date: 01/31/2025
ms.author: jomondi
ms.reviewer: gasinh
ms.collection: M365-identity-device-management
Expand Down Expand Up @@ -37,10 +37,10 @@ Discover applications using ADFS:
## Using other identity providers (IdPs)

- If you’re currently using Okta, refer to our [Okta to Microsoft Entra migration guide](migrate-applications-from-okta.md).

- If you’re currently using Ping Federate, then consider using the [Ping Administrative API](https://docs.pingidentity.com/r/en-us/pingfederate-112/pf_admin_api) to discover applications.
If you're using other identity providers, you can use the following approaches to discover applications:

- If you’re currently using Okta, refer to our [Okta to Microsoft Entra migration guide](migrate-applications-from-okta.md).
- If you’re currently using Ping Federate, then consider using the [Ping Administrative API](https://docs.pingidentity.com/pingfederate/11.2/developers_reference_guide/pf_admin_api.html)
- If the applications are integrated with Active Directory, search for service principals or service accounts that may be used for applications.

## Using cloud discovery tools
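Review bot: the rewritten Ping Federate bullet drops the terminal period that the Okta and Active Directory bullets keep; add it for consistency. The new introductory sentence uses a straight apostrophe ("you're") while the two bullets below it keep the curly one ("you’re"); pick one for the list. The new Active Directory bullet tells the reader to "search for service principals or service accounts" but gives no pointer to where or how; if a query or cmdlet for this is documented elsewhere in these docs, link it here.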
Expand All @@ -51,7 +51,7 @@ In the cloud environment, you need rich visibility, control over data travel, an
- **Cloud Discovery** - By configuring [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps), you gain visibility into the cloud app usage, and can discover unsanctioned or Shadow IT apps.
- **Azure Hosted Applications** - For apps connected to Azure infrastructure, you can use the APIs and tools on those systems to begin to take an inventory of hosted apps. In the Azure environment:
- Use the [Get-AzureWebsite](/powershell/module/servicemanagement/azure/get-azurewebsite) cmdlet to get information about Azure websites.
- Use the [Get-AzureRMWebApp](/powershell/module/azurerm.websites/get-azurermwebapp) cmdlet to get information about your Azure Web Apps.D
- Use the [Get-AzWebApp](/powershell/module/Az.websites/get-Azwebapp) cmdlet to get information about your Azure Web Apps.
- Query Microsoft Entra ID looking for [Applications](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#application-entity) and [Service Principals](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#serviceprincipal-entity).

## Manual discovery process
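Review bot: replacing `Get-AzureRMWebApp` with `Get-AzWebApp` (and removing the stray "D" at the end of the line) is correct, since the AzureRM module is retired, but the same concern applies to the unchanged neighbours: `Get-AzureWebsite` comes from the classic ServiceManagement module, and the Applications and Service Principals links point at the Azure AD Graph reference under /previous-versions, which is deprecated in favour of Microsoft Graph. Suggest updating those in the same pass, otherwise the inventory steps send readers to tooling that is on its way out.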
34 changes: 17 additions & 17 deletions docs/identity/saas-apps/ardoq-tutorial.md
Expand Up @@ -18,7 +18,7 @@ ms.author: jeedes

# Tutorial: Microsoft Entra single sign-on (SSO) integration with Ardoq

In this tutorial, you'll learn how to integrate Ardoq with Microsoft Entra ID. When you integrate Ardoq with Microsoft Entra ID, you can:
In this tutorial, you learn how to integrate Ardoq with Microsoft Entra ID. When you integrate Ardoq with Microsoft Entra ID, you can:

* Control in Microsoft Entra ID who has access to Ardoq.
* Enable your users to be automatically signed-in to Ardoq with their Microsoft Entra accounts.
Expand All @@ -35,7 +35,7 @@ To get started, you need the following items:

In this tutorial, you configure and test Microsoft Entra SSO in a test environment.

* Ardoq supports **SP and IDP** initiated SSO.
* Ardoq only supports **SP** initiated SSO. To achieve something similar to an **IDP** initiated SSO, read the guide on [Supporting IDP-Initiated SAML sign in](https://help.ardoq.com/en/articles/109003-supporting-idp-initiated-saml-login).
* Ardoq supports **Just In Time** user provisioning.

## Adding Ardoq from the gallery
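Review bot: changing the support statement to "Ardoq only supports **SP** initiated SSO" leaves the rest of this tutorial contradicting it: the Basic SAML Configuration step still presents the Sign-on URL as optional ("if you wish to configure the application in **SP** initiated mode"), and the Test SSO section still has an "#### IDP initiated:" subsection plus a My Apps paragraph describing IDP mode. Either update those sections in this PR or the reader is told to test a flow the same page says is unsupported.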
Expand All @@ -47,7 +47,7 @@ To configure the integration of Ardoq into Microsoft Entra ID, you need to add A
1. In the **Add from the gallery** section, type **Ardoq** in the search box.
1. Select **Ardoq** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)


<a name='configure-and-test-azure-ad-sso-for-ardoq'></a>
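Review bot: "add users/groups to the app, assign roles, and walk through the SSO configuration as well" still carries the redundant trailing "as well" that the original "as well as ... as well" had; drop it.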
Expand All @@ -74,7 +74,7 @@ Follow these steps to enable Microsoft Entra SSO.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Ardoq** > **Single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

![Edit Basic SAML Configuration](common/edit-urls.png)

Expand All @@ -90,7 +90,7 @@ Follow these steps to enable Microsoft Entra SSO.
b. In the **Reply URL** text box, type a URL using the following pattern:
`https://<CustomerName>.ardoq.com/saml/v2`

1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
1. Select **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

In the **Sign-on URL** text box, type a URL using one of the following patterns:
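Review bot: "perform the following step if you wish to configure the application in **SP** initiated mode" makes the Sign-on URL sound optional, but with Ardoq described in this same file as SP-initiated only, the value is required; reword to "Select **Set additional URLs** and, in the **Sign-on URL** text box, type a URL using one of the following patterns:".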

Expand All @@ -100,7 +100,7 @@ Follow these steps to enable Microsoft Entra SSO.
| `https://<CustomerName>.us.ardoq.com/saml/v2` |

> [!NOTE]
> These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Ardoq Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section.
> These values aren't real. Update these values with the actual Identifier, Reply URL, and Sign-on URL. Contact [Ardoq Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section.

1. Ardoq application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

Expand All @@ -123,15 +123,15 @@ Follow these steps to enable Microsoft Entra SSO.

![The Certificate download link](common/metadataxml.png)

1. On the **Set up Ardoq** section, copy the appropriate URL(s) based on your requirement.
1. On the **Set up Ardoq** section, copy one or more appropriate URLs based on your requirement.

![Copy configuration URLs](common/copy-configuration-urls.png)

<a name='create-an-azure-ad-test-user'></a>

### Create a Microsoft Entra test user

In this section, you'll create a test user called B.Simon.
In this section, you create a test user called B.Simon.

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator).
1. Browse to **Identity** > **Users** > **All users**.
Expand All @@ -147,39 +147,39 @@ In this section, you'll create a test user called B.Simon.

### Assign the Microsoft Entra test user

In this section, you'll enable B.Simon to use single sign-on by granting access to Ardoq.
In this section, you enable B.Simon to use single sign-on by granting access to Ardoq.

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Ardoq**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**.
1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
1. Select **Add user**, then select **Users and groups** in the **Added Assignment** dialog.
1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then select the **Select** button at the bottom of the screen.
1. If you have setup the roles as explained in the above, you can select it from the **Select a role** dropdown.
1. In the **Add Assignment** dialog, click the **Assign** button.
1. In the **Added Assignment** dialog, select the **Assign** button.

## Configure Ardoq SSO

To configure single sign-on on **Ardoq** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from the application configuration to [Ardoq support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.

### Create Ardoq test user

In this section, a user called Britta Simon is created in Ardoq. Ardoq supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Ardoq, a new one is created after authentication.
In this section, a user called Britta Simon is created in Ardoq. Ardoq supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Ardoq, a new one is created after authentication.

## Test SSO

In this section, you test your Microsoft Entra single sign-on configuration with following options.

#### SP initiated:

* Click on **Test this application**, this will redirect to Ardoq Sign on URL where you can initiate the login flow.
* Select on **Test this application**, this will redirect to Ardoq Sign on URL where you can initiate the sign in flow.

* Go to Ardoq Sign-on URL directly and initiate the login flow from there.
* Go to Ardoq Sign-on URL directly and initiate the sign in flow from there.

#### IDP initiated:

* Click on **Test this application**, and you should be automatically signed in to the Ardoq for which you set up the SSO
* Select on **Test this application**, and you should be automatically signed in to the Ardoq for which you set up the SSO

You can also use Microsoft My Apps to test the application in any mode. When you click the Ardoq tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Ardoq for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
You can also use Microsoft My Apps to test the application in any mode. When you select the Ardoq tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the sign in flow and if configured in IDP mode, you should be automatically signed in to the Ardoq for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).


## Next steps
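Review bot: the dialog name was changed from **Add Assignment** to **Added Assignment** in two places; that is a UI label rather than prose, and both the original text and the other Microsoft Entra SaaS tutorials name the dialog **Add Assignment**, so this looks like an accidental find-and-replace and should be reverted. "Select on **Test this application**" (twice) is ungrammatical; use "Select **Test this application**". The unchanged "If you have setup the roles as explained in the above" should read "If you set up the roles as explained above". Finally, the "#### IDP initiated:" test steps and the IDP-mode sentence in the My Apps paragraph contradict the support statement earlier in the file that Ardoq is SP-initiated only; remove or qualify them.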

0 comments on commit bfbf740
