Merge pull request MicrosoftDocs#80064 from msmimart/mm-addappsso

[App Mgmt] Restructure and simplify How-to sections: Add a cloud app and Configure SSO

articles/active-directory/manage-apps/add-application-portal.md

@@ -132,9 +132,8 @@ To use a custom logo:
 
 ## Next steps
 
-In this quickstart, you've learned how to add a gallery application to your Azure AD tenant. You learned how to edit the properties for an application.
+Now that you've added the application to your Azure AD organization, [choose a single sign-on method](what-is-single-sign-on.md#choosing-a-single-sign-on-method) you want to use and refer to the appropriate article below:
 
-Now, you're ready to configure the application for single sign-on.
-
-> [!div class="nextstepaction"]
-> [Configure single sign-on](configure-single-sign-on-portal.md)
+- [Configure SAML-based single sign-on](configure-single-sign-on-portal.md)
+- [Configure password single sign-on](configure-password-single-sign-on-non-gallery-applications.md)
+- [Configure linked sign-on](configure-linked-sign-on.md)

articles/active-directory/manage-apps/add-gallery-app.md

@@ -0,0 +1,103 @@
+---
+title: Add a gallery app - Azure Active Directory | Microsoft Docs
+description: Learn how to add an app from the Azure AD gallery to your Azure enterprise applications. 
+services: active-directory
+author: msmimart
+manager: CelesteDG
+ms.service: active-directory
+ms.subservice: app-mgmt
+ms.topic: tutorial
+ms.workload: identity
+ms.date: 06/18/2019
+ms.author: mimart
+ms.reviewer: arvinh,luleon
+ms.collection: M365-identity-device-management
+---
+
+# Add a gallery app to your Azure AD organization
+
+Azure Active Directory (Azure AD) has a gallery that contains thousands of pre-integrated applications that are enabled with Enterprise single sign-on. This article describes the general steps for adding an app from the gallery to your Azure AD organization.
+
+> [!IMPORTANT]
+> First, check for your app in the [List of tutorials on how to integrate SaaS apps with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-saas-tutorial-list/). You'll likely find step-by-step guidance for adding and configuring the gallery app you want to add.
+
+## Add a gallery application
+
+1. Sign in to the [Azure portal](https://portal.azure.com) as a global admin for your Azure AD tenant, a cloud application admin, or an application admin.
+
+1. In the [Azure portal](https://portal.azure.com), on the left navigation panel, select **Azure Active Directory**.
+
+1. In the **Azure Active Directory** pane, select **Enterprise applications**.
+
+ ![Open enterprise applications](media/add-application-portal/open-enterprise-apps.png)
+
+1. Select **New application**.
+
+ ![New application](media/add-application-portal/new-application.png)
+
+1. Under **Add from the gallery**, in the search box, enter the name of the application you want to add. 
+
+ ![Search by name or category](media/add-application-portal/categories.png)
+
+1. Select the application from the results.
+
+1. (Optional) In the application-specific form, you can edit the name of the application to match the needs of your organization.
+
+1. Select **Add**. The application **Overview** page opens.
+
+## Configure user sign-in properties
+
+1. Select **Properties** to open the properties pane for editing.
+
+ ![Edit properties pane](media/add-application-portal/edit-properties.png)
+
+1. Set the following options to determine how users who are assigned or unassigned to the application can sign into the application and if a user can see the application in the access panel.
+
+ - **Enabled for users to sign-in** determines whether users assigned to the application can sign in.
+ - **User assignment required** determines whether users who aren't assigned to the application can sign in.
+ - **Visible to user** determines whether users assigned to an app can see it in the access panel and O365 launcher.
+
+ Behavior for **assigned** users:
+
+ | Application property settings | | | Assigned-user experience | |
+ |---|---|---|---|---|
+ | Enabled for users to sign-in? | User assignment required? | Visible to users? | Can assigned users sign in? | Can assigned users see the application?* |
+ | yes | yes | yes | yes | yes |
+ | yes | yes | no | yes | no |
+ | yes | no | yes | yes | yes |
+ | yes | no | no | yes | no |
+ | no | yes | yes | no | no |
+ | no | yes | no | no | no |
+ | no | no | yes | no | no |
+ | no | no | no | no | no |
+
+ Behavior for **unassigned** users:
+
+ | Application property settings | | | Unassigned-user experience | |
+ |---|---|---|---|---|
+ | Enabled for users to sign in? | User assignment required? | Visible to users? | Can unassigned users sign in? | Can unassigned users see the application?* |
+ | yes | yes | yes | no | no |
+ | yes | yes | no | no | no |
+ | yes | no | yes | yes | no |
+ | yes | no | no | yes | no |
+ | no | yes | yes | no | no |
+ | no | yes | no | no | no |
+ | no | no | yes | no | no |
+ | no | no | no | no | no |
+
+ *Can the user see the application in the access panel and the Office 365 app launcher?
+
+1. To use a custom logo, create a logo that is 215 by 215 pixels, and save it in PNG format. Then browse to your logo and upload it.
+
+ ![Change the logo](media/add-application-portal/change-logo.png)
+
+1. When you're finished, select **Save**.
+
+## Next steps
+
+Now that you've added the application to your Azure AD organization, [choose a single sign-on method](what-is-single-sign-on.md#choosing-a-single-sign-on-method) you want to use and refer to the appropriate article below:
+
+- [Configure SAML-based single sign-on](configure-single-sign-on-portal.md)
+- [Configure password single sign-on](configure-password-single-sign-on-non-gallery-applications.md)
+- [Configure linked sign-on](configure-linked-sign-on.md)
+

articles/active-directory/manage-apps/add-non-gallery-app.md

@@ -0,0 +1,93 @@
+---
+title: Add a non-gallery application - Microsoft identity platform | Microsoft Docs
+description: Add a non-gallery application to your Azure AD tenant.
+services: active-directory
+author: msmimart
+manager: CelesteDG
+ms.service: active-directory
+ms.subservice: app-mgmt
+ms.topic: article
+ms.workload: identity
+ms.date: 06/18/2019
+ms.author: mimart
+ms.reviewer: arvinh,luleon
+ms.collection: M365-identity-device-management
+---
+
+# Add an unlisted (non-gallery) application to your Azure AD organization
+
+In addition to the choices in the [Azure AD application gallery](https://azure.microsoft.com/documentation/articles/active-directory-saas-tutorial-list/), you have the option to add a **non-gallery application**. You can add any application that already exists in your organization, or any third-party application from a vendor who is not already part of the Azure AD gallery. Depending on your [license agreement](https://azure.microsoft.com/pricing/details/active-directory/), the following capabilities are available:
+
+- Self-service integration of any application that supports [Security Assertion Markup Language (SAML) 2.0](https://wikipedia.org/wiki/SAML_2.0) identity providers (SP-initiated or IdP-initiated)
+- Self-service integration of any web application that has an HTML-based sign-in page using [password-based SSO](what-is-single-sign-on.md#password-based-sso)
+- Self-service connection of applications that use the [System for Cross-Domain Identity Management (SCIM) protocol for user provisioning](use-scim-to-provision-users-and-groups.md)
+- Ability to add links to any application in the [Office 365 app launcher](https://www.microsoft.com/microsoft-365/blog/2014/10/16/organize-office-365-new-app-launcher-2/) or the [Azure AD access panel](what-is-single-sign-on.md#linked-sign-on)
+
+This article describes how to add a non-gallery application to **Enterprise Applications** in the Azure portal without writing code. If instead you're looking for developer guidance on how to integrate custom apps with Azure AD, see [Authentication Scenarios for Azure AD](../develop/authentication-scenarios.md). When you develop an app that uses a modern protocol like [OpenId Connect/OAuth](../develop/active-directory-v2-protocols.md) to authenticate users, you can register it with the Microsoft identity platform by using the [App registrations](../develop/quickstart-register-app.md) experience in the Azure portal.
+
+## Add a non-gallery application
+
+1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/) using your Microsoft identity platform administrator account.
+1. Select **Enterprise Applications** > **New application**.
+2. (Optional but recommended) In the **Add from the gallery** search box, enter the display name of the application. If the application appears in the search results, select it and skip the rest of this procedure.
+3. Select **Non-gallery application**. The **Add your own application** page appears.
+
+ ![Add application](./media/configure-single-sign-on-non-gallery-applications/add-your-own-application.png)
+5. Enter the display name for your new application.
+6. Select **Add**. The application **Overview** page opens.
+
+## Configure user sign-in properties
+
+1. Select **Properties** to open the properties pane for editing.
+
+ ![Edit properties pane](media/add-application-portal/edit-properties.png)
+
+1. Set the following options to determine how users who are assigned or unassigned to the application can sign into the application and if a user can see the application in the access panel.
+
+ - **Enabled for users to sign-in** determines whether users assigned to the application can sign in.
+ - **User assignment required** determines whether users who aren't assigned to the application can sign in.
+ - **Visible to user** determines whether users assigned to an app can see it in the access panel and O365 launcher.
+
+ Behavior for **assigned** users:
+
+ | Application property settings | | | Assigned-user experience | |
+ |---|---|---|---|---|
+ | Enabled for users to sign-in? | User assignment required? | Visible to users? | Can assigned users sign in? | Can assigned users see the application?* |
+ | yes | yes | yes | yes | yes |
+ | yes | yes | no | yes | no |
+ | yes | no | yes | yes | yes |
+ | yes | no | no | yes | no |
+ | no | yes | yes | no | no |
+ | no | yes | no | no | no |
+ | no | no | yes | no | no |
+ | no | no | no | no | no |
+
+ Behavior for **unassigned** users:
+
+ | Application property settings | | | Unassigned-user experience | |
+ |---|---|---|---|---|
+ | Enabled for users to sign in? | User assignment required? | Visible to users? | Can unassigned users sign in? | Can unassigned users see the application?* |
+ | yes | yes | yes | no | no |
+ | yes | yes | no | no | no |
+ | yes | no | yes | yes | no |
+ | yes | no | no | yes | no |
+ | no | yes | yes | no | no |
+ | no | yes | no | no | no |
+ | no | no | yes | no | no |
+ | no | no | no | no | no |
+
+ *Can the user see the application in the access panel and the Office 365 app launcher?
+
+1. To use a custom logo, create a logo that is 215 by 215 pixels, and save it in PNG format. Then browse to your logo and upload it.
+
+ ![Change the logo](media/add-application-portal/change-logo.png)
+
+1. When you're finished, select **Save**.
+
+## Next steps
+
+Now that you've added the application to your Azure AD organization, [choose a single sign-on method](what-is-single-sign-on.md#choosing-a-single-sign-on-method) you want to use and refer to the appropriate article below:
+
+- [Configure SAML-based single sign-on](configure-single-sign-on-portal.md)
+- [Configure password single sign-on](configure-password-single-sign-on-non-gallery-applications.md)
+- [Configure linked sign-on](configure-linked-sign-on.md)

articles/active-directory/manage-apps/application-proxy-configure-single-sign-on-on-premises-apps.md

@@ -46,7 +46,7 @@ The protocol diagrams below describe the single sign-on sequence for both a serv
 
 5. Select **SAML** as the single sign-on method.
 
-6. First set up SAML SSO to work while on the corporate network. In the **Set up Single Sign-On with SAML** page, go to the **Basic SAML Configuration** heading and select its **Edit** icon (a pencil). Follow the steps in [Enter basic SAML configuration](configure-single-sign-on-non-gallery-applications.md#saml-based-single-sign-on) to configure SAML-based authentication for the application.
+6. First set up SAML SSO to work while on the corporate network. In the **Set up Single Sign-On with SAML** page, go to the **Basic SAML Configuration** heading and select its **Edit** icon (a pencil). Follow the steps in [Enter basic SAML configuration](configure-single-sign-on-non-gallery-applications.md#step-1-edit-the-basic-saml-configuration) to configure SAML-based authentication for the application.
 
 7. Add at least one user to the application and make sure the test account has access to the application. While connected to the corporate network, use the test account to see if you have single sign-on to the application.