Commit 5cf2dee

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into fix-customer-issues
2 parents 3791ff3 + f901f45 commit 5cf2dee

4 files changed

+29
-22
lines changed

articles/active-directory/saas-apps/carbonite-endpoint-backup-tutorial.md

Lines changed: 16 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -14,7 +14,7 @@ ms.workload: identity
1414
ms.tgt_pltfrm: na
1515
ms.devlang: na
1616
ms.topic: tutorial
17-
ms.date: 07/30/2019
17+
ms.date: 08/06/2019
1818
ms.author: jeedes
1919

2020
ms.collection: M365-identity-device-management
@@ -122,27 +122,35 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
122122

123123
### Configure Carbonite Endpoint Backup SSO
124124

125-
1. In a different web browser window, sign in to your Carbonite Endpoint Backup company site as an administrator.
125+
1. To automate the configuration within Carbonite Endpoint Backup, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
126+
127+
![My apps extension](common/install-myappssecure-extension.png)
128+
129+
2. After adding extension to the browser, click on **Setup Carbonite Endpoint Backup** will direct you to the Carbonite Endpoint Backup application. From there, provide the admin credentials to sign into Carbonite Endpoint Backup. The browser extension will automatically configure the application for you and automate steps 3-7.
130+
131+
![Setup configuration](common/setup-sso.png)
132+
133+
3. If you want to setup Carbonite Endpoint Backup manually, open a new web browser window and sign into your Carbonite Endpoint Backup company site as an administrator and perform the following steps:
126134

127-
1. Click on the **Company** from the left pane.
135+
4. Click on the **Company** from the left pane.
128136

129137
![Carbonite Endpoint Backup configuration ](media/carbonite-endpoint-backup-tutorial/configure1.png)
130138

131-
1. Click on **Single sign-on**.
139+
5. Click on **Single sign-on**.
132140

133141
![Carbonite Endpoint Backup configuration ](media/carbonite-endpoint-backup-tutorial/configure2.png)
134142

135-
1. Click on **Enable** and then click **Edit settings** to configure.
143+
6. Click on **Enable** and then click **Edit settings** to configure.
136144

137145
![Carbonite Endpoint Backup configuration ](media/carbonite-endpoint-backup-tutorial/configure3.png)
138146

139-
1. On the **Single sign-on** settings page, perform the following steps:
147+
7. On the **Single sign-on** settings page, perform the following steps:
140148

141149
![Carbonite Endpoint Backup configuration ](media/carbonite-endpoint-backup-tutorial/configure4.png)
142150

143-
1. In the **Identity provider name** textbox, enter the name of identity provider like **Microsoft Azure AD**.
151+
1. In the **Identity provider name** textbox, paste the **Azure AD Identifier** value, which you have copied from the Azure portal.
144152

145-
1. In the **Identity provider URL** textbox, paste the **Azure AD Identifier** value, which you have copied from the Azure portal.
153+
1. In the **Identity provider URL** textbox, paste the **Login URL** value, which you have copied from the Azure portal.
146154

147155
1. Click on **Choose file** to upload the downloaded **Certificate(Base64)** file from the Azure portal.
148156
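
Review bot: In added step 2, "click on **Setup Carbonite Endpoint Backup** will direct you to the Carbonite Endpoint Backup application" does not parse; suggest "After adding the extension to the browser, click **Setup Carbonite Endpoint Backup**, which directs you to the Carbonite Endpoint Backup application." In step 3, "setup" is used as a verb and "sign into" replaces the removed line's "sign in to"; use "set up" and "sign in to". Step 2 also says the extension will "automate steps 3-7", but the settings sub-steps under step 7 keep the repeated "1." numbering while the outer steps switch to explicit 1 through 7, so pick one numbering style for the list. Last, the sub-step for **Identity provider name** now takes the **Azure AD Identifier** value where the removed line asked for a name like **Microsoft Azure AD**; since this field and **Identity provider URL** both change meaning here, confirm the mapping against the configure4.png screenshot before merging.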

articles/active-directory/users-groups-roles/roles-custom-overview.md

Lines changed: 13 additions & 14 deletions
Original file line number | Diff line number | Diff line change
@@ -18,37 +18,36 @@ ms.collection: M365-identity-device-management
1818

1919
# Custom administrator roles in Azure Active Directory (preview)
2020

21-
This article describes how to understand the new custom RBAC (roles-based access control) and resource scopes in Azure Active Directory (Azure AD). Custom RBAC roles surfaces the underlying permissions of the [built-in roles](directory-assign-admin-roles.md) , so you can create and organize your own custom roles. Resource scopes gives you a way to assign the custom role to manage some resources (e.g. one application) without giving access to all resources (all applications).
21+
This article describes how to understand the new custom roles-based access control (RBAC) and resource scopes in Azure Active Directory (Azure AD). Custom RBAC roles surfaces the underlying permissions of the [built-in roles](directory-assign-admin-roles.md) , so you can create and organize your own custom roles. This approach allows you to grant access in a more granular way than built-in roles, when needed. This first release of custom RBAC roles includes the ability to create a role to assign permissions for managing app registrations. Over time, additional permissions for organization resources like enterprise applications, users, and devices will be added.
2222

23-
Granting permission using custom RBAC roles is a two-step process. First, you create a custom role definition and add permissions to it from the preset list. These are the same permissions used in the built-in roles. Once you’ve created your role, you assign it to someone by creating a role assignment. This two-step process allows you to create one role and assign it many times at different scopes. A custom role can be assigned at directory scope, or it can be assigned at an object scope. An example of an object scope would be a single application. This way the same role can be assigned to Sally over all applications in the directory and then Naveen over just the Contoso Expense Reports app.
24-
25-
This first release of custom RBAC roles includes the ability to create a role to assign permissions for managing app registrations. Over time, additional permissions for organization resources like enterprise applications, users, and devices will be added.
23+
Additionally, custom RBAC roles support assignments on a per-resource basis, in addition to the more traditional organization-wide assignments. This approach gives you the ability to grant access to manage some resources (for example, one app registration) without giving access to all resources (all app registrations).
2624

2725
Azure AD role-based access control is a public preview feature of Azure AD and is available with any paid Azure AD license plan. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
2826

2927
## Understand Azure AD role-based access control
3028

31-
Azure AD role-based access control allows you to assign roles that are customized to allow permitted actions on only a single type of Azure AD resource. Azure AD role-based access operates on concepts similar to Azure role-based access control ([Azure RBAC](../../role-based-access-control/overview.md) for Azure resource access, but Azure AD role-based access control is based on Microsoft Graph and Azure RBAC is based on Azure Resource Manager. However, both systems base their functions on role assignments.
29+
Granting permission using custom RBAC roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These permissions are the same permissions used in the built-in roles.
3230

33-
### Role assignments
31+
Once you’ve created your role definition, you can assign it to someone by creating a role assignment. A role assignment grants someone the permissions in a role definition at a specific scope. This two-step process allows you to create one role definition and assign it many times at different scopes. A scope defines the set of resources the role member has access to. The most common scope is organization-wide (org-wide) scope. A custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all resources in the organization. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. This way the same role can be assigned to Sally over all applications in the organization and then Naveen over just the Contoso Expense Reports app.
3432

35-
The way you control access using Azure AD role-based access control is to create **role assignments**, which are used to enforce permissions. A role assignment consists of three elements:
33+
Azure AD RBAC operates on concepts similar to [Azure role-based access control](../../role-based-access-control/overview.md). The difference being Azure RBAC controls access to Azure resources such as virtual machines and websites, and Azure AD RBAC controls access to Azure AD. Both systems leverage the concept of role definitions and role assignments.
3634

37-
- Security principal
35+
### Role assignments
36+
37+
A role assignment is the process of attaching a role definition to a user at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment. A role assignment consists of three elements:
38+
- User
3839
- Role definition
3940
- Resource scope
4041

41-
Access is granted by creating a role assignment, and access is revoked by removing a role assignment. You can [create role assignments](roles-create-custom.md) using the Azure portal, Azure AD PowerShell, and Graph API. You can separately [view the assignments for a custom role](roles-view-assignments.md#view-the-assignments-of-a-role-with-single-application-scope-using-the-azure-ad-portal-preview).
42+
You can [create role assignments](roles-create-custom.md) using the Azure portal, Azure AD PowerShell, or Graph API. You can also [view the assignments for a custom role](roles-view-assignments.md#view-the-assignments-of-a-role-with-single-application-scope-using-the-azure-ad-portal-preview).
4243

43-
The following diagram shows an example of a role assignment. In this example, Chris Green has been assigned the [Application administrator](directory-assign-admin-roles.md#application-administrator) role in the scope of the SalesForce application. Chris doesn't have access to manage any other application, unless they are part of a different role assignment.
44+
The following diagram shows an example of a role assignment. In this example, Chris Green has been assigned the App registration administrator custom role at the scope of the Contoso Widget Builder app registration. This assignment grants Chris the permissions of the App registration administrator role only on this specific app registration.
4445

4546
![Role assignment is how permissions are enforced and has three parts](./media/roles-custom-overview/rbac-overview.png)
4647

4748
### Security principal
4849

49-
A security principal represents the user or service principal that is to be assigned access to Azure AD resources. A *user* is an individual who has a user profile in Azure Active Directory. A *service principal* is a security identity used by applications or services to access specific Azure AD resources.
50-
51-
A security principal is similar to a user identity in that it represents a username and password or certificate, but for an application or service instead of a user.
50+
A security principal represents the user that is to be assigned access to Azure AD resources. A *user* is an individual who has a user profile in Azure Active Directory.
5251

5352
### Role
5453
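
Review bot: The role assignment list now names "User" as its first element, but the unchanged heading "### Security principal" and the new sentence under it ("A security principal represents the user that is to be assigned access to Azure AD resources") still use the old term, so the three listed elements no longer match the subsections that define them. Either keep "Security principal" in the list or rename the heading. The removed lines also described service principals as assignable; if custom roles cannot be assigned to service principals in this preview, say so explicitly rather than dropping the mention, because readers auditing who can hold a role need to know which identity types are in scope. Smaller points in the added lines: "roles-based access control" should be "role-based", "Custom RBAC roles surfaces" should be "surface", and "The difference being Azure RBAC controls access" starts a fragment; suggest "The difference is that Azure RBAC controls access to Azure resources such as virtual machines and websites, and Azure AD RBAC controls access to Azure AD."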

@@ -59,7 +58,7 @@ A role definition, or role, is a collection of permissions. A role definition li
5958

6059
### Scope
6160

62-
A scope is the restriction of permitted actions to a particular Azure AD resource. When you assign a role, you can specify a scope that limits the administrator's allowable actions to a specific resource. For example, if you want grant a developer a custom role, but only to manage a specific application registration, you can include the specific application registration as a scope in the role assignment.
61+
A scope is the restriction of permitted actions to a particular Azure AD resource as part of a role assignment. When you assign a role, you can specify a scope that limits the administrator's access to a specific resource. For example, if you want to grant a developer a custom role, but only to manage a specific application registration, you can include the specific application registration as a scope in the role assignment.
6362

6463
> [!Note]
6564
> Custom roles can be assigned at directory scope and resource scoped. They cannot yet be assigned at Administrative Unit scope.
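
Review bot: The unchanged note at the end of this hunk still says "Custom roles can be assigned at directory scope and resource scoped", while the overview rewritten in this commit calls the same thing "organization-wide (org-wide) scope". Update the note in the same change so the scope names match, for example "Custom roles can be assigned at org-wide scope and at resource scope." The rewritten Scope paragraph itself reads fine and fixes the earlier "want grant" typo.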
