Merge pull request #224778 from MicrosoftDocs/main

1/23 PM Publish

Author: huypub

.openpublishing.publish.config.json

@@ -998,6 +998,7 @@
     ".openpublishing.redirection.baremetal-infrastructure.json",
     "articles/iot-dps/.openpublishing.redirection.iot-dps.json",
     "articles/cloud-shell/.openpublishing.redirection.cloud-shell.json",
-    ".openpublishing.redirection.azure-vmware.json"
+    ".openpublishing.redirection.azure-vmware.json",
+    ".openpublishing.redirection.openshift.json"
   ]
 }

.openpublishing.redirection.azure-productivity.json

@@ -89,6 +89,11 @@
       "source_path": "articles/lab-services/how-to-enable-nested-virtualization-template-vm.md",
       "redirect_url": "/azure/lab-services/concept-nested-virtualization-template-vm",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/lab-services/troubleshoot.md",
+      "redirect_url": "/azure/lab-services/troubleshoot-lab-creation",
+      "redirect_document_id": true
     }
   ]
 }

.openpublishing.redirection.openshift.json

@@ -0,0 +1,59 @@
+{
+  "redirections": [
+    {
+      "source_path_from_root": "/articles/openshift/cluster-administration-cluster-admin-role.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/openshift/cluster-administration-security-context-constraints.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    },
+	  {
+      "source_path_from_root": "/articles/openshift/howto-aad-app-configuration.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/openshift/howto-create-private-cluster-3x.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/openshift/howto-create-tenant.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/openshift/howto-deploy-prometheus.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/openshift/howto-manage-projects.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/openshift/howto-run-privileged-containers.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/openshift/howto-setup-environment.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/openshift/migration.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/openshift/supported-resources.md",
+      "redirect_url": "/azure/openshift/intro-openshift",
+      "redirect_document_id": false
+    }
+	  ]
+}

articles/active-directory/app-provisioning/accidental-deletions.md

@@ -1,38 +1,67 @@
 ---
-title: Enable accidental deletions prevention in Application Provisioning in Azure Active Directory
-description: Enable accidental deletions prevention in Application Provisioning in Azure Active Directory.
+title: Enable accidental deletions prevention in the Azure AD provisioning service
+description: Enable accidental deletions prevention in the Azure Active Directory (Azure AD) provisioning service for applications and cross-tenant synchronization.
 services: active-directory
 author: kenwith
 manager: amycolannino
 ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: how-to
 ms.workload: identity
-ms.date: 10/06/2022
+ms.date: 01/23/2023
 ms.author: kenwith
 ms.reviewer: arvinh
+zone_pivot_groups: app-provisioning-cross-tenant-synchronization
 ---
 
 # Enable accidental deletions prevention in the Azure AD provisioning service
 
+::: zone pivot="app-provisioning"
 The Azure AD provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users aren't disabled or deleted in an application unexpectedly.
+::: zone-end
+
+::: zone pivot="cross-tenant-synchronization"
+> [!IMPORTANT]
+> [Cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-overview.md) is currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+The Azure AD provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users aren't disabled or deleted in the target tenant unexpectedly.
+::: zone-end
 
 The feature lets you specify a deletion threshold, above which an admin 
 needs to explicitly choose to allow the deletions to be processed.
 
 ## Configure accidental deletion prevention
+
 To enable accidental deletion prevention:
+
 1.  In the Azure portal, select **Azure Active Directory**.
-2.  Select **Enterprise applications** and then select your app.
+
+::: zone pivot="app-provisioning"
+2.  Select **Enterprise applications** and then select your application.
+
 3.  Select **Provisioning** and then on the provisioning page select **Edit provisioning**.
-4. Under **Settings**, select the **Prevent accidental deletions** checkbox and specify a deletion 
-threshold. Also, be sure the notification email address is completed. If the deletion threshold is met an email will be sent.
-5. Select **Save**, to save the changes.
+::: zone-end
+
+::: zone pivot="cross-tenant-synchronization"
+2.  Select **Cross-tenant synchronization (Preview)** > **Configurations** and then select your configuration.
+
+3.  Select **Provisioning**.
+::: zone-end
+
+4. Under **Settings**, select the **Prevent accidental deletions** check box and specify a deletion 
+threshold.
+
+5. Ensure the **Notification Email** address is completed.
+
+    If the deletion threshold is met, an email will be sent.
+
+6. Select **Save** to save the changes.
 
 When the deletion threshold is met, the job will go into quarantine and a notification email will be sent. The quarantined job can then be allowed or rejected. To learn more about quarantine behavior, see [Application provisioning in quarantine status](application-provisioning-quarantine-status.md).
 
 ## Recovering from an accidental deletion
-If you encounter an accidental deletion you'll see it on the provisioning status page.  It will say **Provisioning has been quarantined. See quarantine details for more information**.
+If you encounter an accidental deletion, you'll see it on the provisioning status page.  It will say **Provisioning has been quarantined. See quarantine details for more information**.
 
 You can click either **Allow deletes** or **View provisioning logs**.
 
@@ -48,8 +77,8 @@ The **Allow deletes** action will delete the objects that triggered the accident
 
 If you don't want to allow the deletions, you need to do the following:
 - Investigate the source of the deletions. You can use the provisioning logs for details.
-- Prevent the deletion by assigning the user / group to the app again, restoring the user / group, or updating your provisioning configuration.
-- Once you've made the necessary changes to prevent the user / group from being deleted, restart provisioning. Please don't restart provisioning until you've made the necessary changes to prevent the users / groups from being deleted. 
+- Prevent the deletion by assigning the user / group to the application (or configuration) again, restoring the user / group, or updating your provisioning configuration.
+- Once you've made the necessary changes to prevent the user / group from being deleted, restart provisioning. Don't restart provisioning until you've made the necessary changes to prevent the users / groups from being deleted. 
 
 
 ### Test deletion prevention
@@ -60,21 +89,21 @@ Let the provisioning job run (20 – 40 mins) and navigate back to the provision
 ## Common de-provisioning scenarios to test
 - Delete a user / put them into the recycle bin.
 - Block sign in for a user.
-- Unassign a user or group from the application.
-- Remove a user from a group that’s providing them access to the app.
+- Unassign a user or group from the application (or configuration).
+- Remove a user from a group that's providing them access to the application (or configuration).
 
 To learn more about de-provisioning scenarios, see [How Application Provisioning Works](how-provisioning-works.md#de-provisioning).
 
 ## Frequently Asked Questions
 
 ### What scenarios count toward the deletion threshold?
-When a user is set to be removed from the target application, it will be counted against the 
+When a user is set to be removed from the target application (or target tenant), it will be counted against the 
 deletion threshold. Scenarios that could lead to a user being removed from the target 
-application could include: unassigning the user from the application and soft / hard deleting a user in the directory. Groups 
+application (or target tenant) could include: unassigning the user from the application (or configuration) and soft / hard deleting a user in the directory. Groups 
 evaluated for deletion count towards the deletion threshold. In addition to deletions, the same functionality also works for disables.
 
 ### What is the interval that the deletion threshold is evaluated on?
-It is evaluated each cycle. If the number of deletions doesn't exceed the threshold during a 
+It's evaluated each cycle. If the number of deletions doesn't exceed the threshold during a 
 single cycle, the “circuit breaker” won’t be triggered. If multiple cycles are needed to reach a 
 steady state, the deletion threshold will be evaluated per cycle.
 

articles/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md

@@ -1,24 +1,33 @@
 ---
-title: Use scoping filters in Azure Active Directory Application Provisioning
-description: Learn how to use scoping filters to prevent objects in apps that support automated user provisioning from being provisioned if an object doesn't satisfy your business requirements in Azure Active Directory Application Provisioning.
+title: Scoping users or groups to be provisioned with scoping filters in Azure Active Directory
+description: Learn how to use scoping filters to define attribute-based rules that determine which users or groups are provisioned in Azure Active Directory.
 services: active-directory
 author: kenwith
 manager: amycolannino
 ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
 ms.topic: how-to
-ms.date: 06/15/2022
+ms.date: 01/23/2023
 ms.author: kenwith
 ms.reviewer: arvinh
+zone_pivot_groups: app-provisioning-cross-tenant-synchronization
 ---
 
-# Attribute-based application provisioning with scoping filters
-The objective of this article is to explain how to use scoping filters to define attribute-based rules that determine which users are provisioned to an application.
+# Scoping users or groups to be provisioned with scoping filters
+
+::: zone pivot="cross-tenant-synchronization"
+> [!IMPORTANT]
+> [Cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-overview.md) is currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+::: zone-end
+
+This article describes how to use scoping filters in the Azure Active Directory (Azure AD) provisioning service to define attribute-based rules that determine which users or groups are provisioned.
 
 ## Scoping filter use cases
 
-A scoping filter allows the Azure Active Directory (Azure AD) provisioning service to include or exclude any users who have an attribute that matches a specific value. For example, when provisioning users from Azure AD to a SaaS application used by a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.
+::: zone pivot="app-provisioning"
+You use scoping filters to prevent objects in applications that support automated user provisioning from being provisioned if an object doesn't satisfy your business requirements. A scoping filter allows you to include or exclude any users who have an attribute that matches a specific value. For example, when provisioning users from Azure AD to a SaaS application used by a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.
 
 Scoping filters can be used differently depending on the type of provisioning connector:
 
@@ -29,7 +38,14 @@ Scoping filters can be used differently depending on the type of provisioning co
 
 * **Inbound provisioning from HCM applications to Azure AD and Active Directory**. When an [HCM application such as Workday](../saas-apps/workday-tutorial.md) is the source system, scoping filters are the primary method for determining which users should be provisioned from the HCM application to Active Directory or Azure AD.
 
-By default, Azure AD provisioning connectors do not have any attribute-based scoping filters configured. 
+By default, Azure AD provisioning connectors don't have any attribute-based scoping filters configured. 
+::: zone-end
+
+::: zone pivot="cross-tenant-synchronization"
+When Azure AD is the source system, [user and group assignments](../manage-apps/assign-user-or-group-access-portal.md) are the most common method for determining which users are in scope for provisioning. Reducing the number of users in scope improves performance and synchronizing assigned users and groups instead of synchronizing all users and groups is recommended.
+
+Scoping filters can be used optionally, in addition to scoping by assignment. A scoping filter allows the Azure AD provisioning service to include or exclude any users who have an attribute that matches a specific value. For example, when provisioning users from a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.
+::: zone-end
 
 ## Scoping filter construction
 
@@ -56,19 +72,36 @@ According to this scoping filter, users must satisfy the following criteria to b
 Scoping filters are configured as part of the attribute mappings for each Azure AD user provisioning connector. The following procedure assumes that you already set up automatic provisioning for [one of the supported applications](../saas-apps/tutorial-list.md) and are adding a scoping filter to it.
 
 ### Create a scoping filter
-1. In the [Azure portal](https://portal.azure.com), go to the **Azure Active Directory** > **Enterprise Applications** > **All applications** section.
 
-2. Select the application for which you have configured automatic provisioning: for example, "ServiceNow".
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+::: zone pivot="app-provisioning"
+2. Go to the **Azure Active Directory** > **Enterprise applications** > **All applications**.
+
+3. Select the application for which you have configured automatic provisioning: for example, "ServiceNow".
+::: zone-end
+
+::: zone pivot="cross-tenant-synchronization"
+2. Go to **Azure Active Directory** > **Cross-tenant Synchronization** > **Configurations**
+
+3. Select your configuration.
+::: zone-end
+
+4. Select the **Provisioning** tab.
 
-3. Select the **Provisioning** tab.
+::: zone pivot="app-provisioning"
+5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Synchronize Azure Active Directory Users to ServiceNow".
+::: zone-end
 
-4. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Synchronize Azure Active Directory Users to ServiceNow".
+::: zone pivot="cross-tenant-synchronization"
+5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Provision Azure Active Directory Users".
+::: zone-end
 
-5. Select the **Source object scope** menu.
+6. Select the **Source object scope** menu.
 
-6. Select **Add scoping filter**.
+7. Select **Add scoping filter**.
 
-7. Define a clause by selecting a source **Attribute Name**, an **Operator**, and an **Attribute Value** to match against. The following operators are supported:
+8. Define a clause by selecting a source **Attribute Name**, an **Operator**, and an **Attribute Value** to match against. The following operators are supported:
 
    a. **EQUALS**. Clause returns "true" if the evaluated attribute matches the input string value exactly (case sensitive).