articles/active-directory/cloud-sync/concept-attributes.md
2 additions & 2 deletions
@@ -71,7 +71,7 @@ To view the schema and verify it, follow these steps.
71
71
1. Go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
72
72
1. Sign in with your global administrator account.
73
73
1. On the left, select **modify permissions** and ensure that **Directory.ReadWrite.All** is *Consented*.
74
-
1. Run the query `https://graph.microsoft.com/beta/serviceprincipals/?$filter=startswith(DisplayName, ‘{sync config name}’)`. This query returns a filtered list of service principals. This can also be acquire via the App Registration node under Azure Active Directory.
74
+
1. Run the query `https://graph.microsoft.com/beta/serviceprincipals/?$filter=startswith(DisplayName, ‘{sync config name}’)`. This query returns a filtered list of service principals. This can also be acquired via the App Registration node under Azure Active Directory.
75
75
1. Locate `"appDisplayName": "Active Directory to Azure Active Directory Provisioning"` and note the value for `"id"`.
76
76
```
77
77
"value": [
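Review bot: the quotes around `{sync config name}` in the Graph query on line 74 are typographic (‘ ’) on both the removed and the added line, and an OData `$filter` string literal needs ASCII apostrophes, so the query fails to parse if a reader copies it into Graph Explorer; since this line is already being touched for "acquire" → "acquired", change it to `startswith(DisplayName, '{sync config name}')` in the same pass. "App Registration node" would also read more naturally as "App registrations".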
@@ -239,7 +239,7 @@ To view the schema and verify it, follow these steps.
239
239
```
240
240
1. Now run the query `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal Id}/synchronization/jobs/{AD2AAD Provisioning id}/schema`.
articles/active-directory/hybrid/how-to-connect-install-prerequisites.md
4 additions & 4 deletions
@@ -58,7 +58,7 @@ To read more about securing your Active Directory environment, see [Best practic
58
58
#### Installation prerequisites
59
59
60
60
- Azure AD Connect must be installed on a domain-joined Windows Server 2016 or later - **note that Windows Server 2022 is not yet supported**. You can deploy Azure AD Connect on Windows Server 2016 but since Windows Server 2016 is in extended support, you may require [a paid support program](/lifecycle/policies/fixed#extended-support) if you require support for this configuration. We recommend the usage of domain joined Windows Server 2019.
61
-
- The minimum .Net Framework version required is 4.6.2, and newer versions of .Net are also supported.
61
+
- The minimum .NET Framework version required is 4.6.2, and newer versions of .Net are also supported.
62
62
- Azure AD Connect can't be installed on Small Business Server or Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported). The server must be using Windows Server standard or better.
63
63
- The Azure AD Connect server must have a full GUI installed. Installing Azure AD Connect on Windows Server Core isn't supported.
64
64
- The Azure AD Connect server must not have PowerShell Transcription Group Policy enabled if you use the Azure AD Connect wizard to manage Active Directory Federation Services (AD FS) configuration. You can enable PowerShell transcription if you use the Azure AD Connect wizard to manage sync configuration.
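Review bot: the capitalization fix on line 61 is incomplete: the added line changes the first ".Net Framework" to ".NET Framework" but leaves "newer versions of .Net" later in the same sentence, so the line is now internally inconsistent. Suggest "The minimum .NET Framework version required is 4.6.2, and newer versions of .NET are also supported."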
@@ -67,7 +67,7 @@ To read more about securing your Active Directory environment, see [Best practic
67
67
- You must configure TLS/SSL certificates. For more information, see [Managing SSL/TLS protocols and cipher suites for AD FS](/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs) and [Managing SSL certificates in AD FS](/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap).
68
68
- You must configure name resolution.
69
69
- It is not supported to break and analyze traffic between Azure AD Connect and Azure AD. Doing so may disrupt the service.
70
-
- If your Hybrid Identity Administrators have MFA enabled, the URL https://secure.aadcdn.microsoftonline-p.com*must* be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it hasn't been added before. You can use Internet Explorer to add it to your trusted sites.
70
+
- If your Hybrid Identity Administrators have MFA enabled, the URL `https://secure.aadcdn.microsoftonline-p.com`*must* be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it hasn't been added before. You can use Internet Explorer to add it to your trusted sites.
71
71
- If you plan to use Azure AD Connect Health for syncing, ensure that the prerequisites for Azure AD Connect Health are also met. For more information, see [Azure AD Connect Health agent installation](how-to-connect-health-agent-install.md).
72
72
73
73
### Harden your Azure AD Connect server
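Review bot: the added line 70 wraps the URL in backticks but still has no space before `*must*`, so the code span and the emphasis run together exactly as the bare URL did on the removed line. Insert a space: `` `https://secure.aadcdn.microsoftonline-p.com` *must* be in the trusted sites list``. The sentence directing readers to Internet Explorer to add the site to trusted sites is unchanged here; it is worth confirming that is still the intended guidance for this page.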
@@ -82,8 +82,8 @@ We recommend that you harden your Azure AD Connect server to decrease the securi
82
82
- Implement dedicated [privileged access workstations](https://4sysops.com/archives/understand-the-microsoft-privileged-access-workstation-paw-security-model/) for all personnel with privileged access to your organization's information systems.
83
83
- Follow these [additional guidelines](/windows-server/identity/ad-ds/plan/security-best-practices/reducing-the-active-directory-attack-surface) to reduce the attack surface of your Active Directory environment.
84
84
- Follow the [Monitor changes to federation configuration](how-to-connect-monitor-federation-changes.md) to setup alerts to monitor changes to the trust established between your Idp and Azure AD.
85
-
- Enable Multi Factor Authentication (MFA) for all users that have privileged access in Azure AD or in AD. One security issue with using AADConnect is that if an attacker can get control over the Azure AD Connect server they can manipulate users in Azure AD. To prevent a attacker from using these capabilities to take over Azure AD accounts, MFA offers protections so that even if an attacker manages to e.g. reset a user's password using Azure AD Connect they still cannot bypass the second factor.
86
-
- Disable Soft Matching on your tenant. Soft Matching is a great feature to help transfering source of autority for existing cloud managed objects to Azure AD Connect, but it comes with certain security risks. If you do not require it, you should [disable Soft Matching](how-to-connect-syncservice-features.md#blocksoftmatch).
85
+
- Enable Multi Factor Authentication (MFA) for all users that have privileged access in Azure AD or in AD. One security issue with using Azure AD Connect is that if an attacker can get control over the Azure AD Connect server they can manipulate users in Azure AD. To prevent an attacker from using these capabilities to take over Azure AD accounts, MFA offers protections so that even if an attacker manages to e.g. reset a user's password using Azure AD Connect they still cannot bypass the second factor.
86
+
- Disable Soft Matching on your tenant. Soft Matching is a great feature to help transferring source of authority for existing cloud managed objects to Azure AD Connect, but it comes with certain security risks. If you do not require it, you should [disable Soft Matching](how-to-connect-syncservice-features.md#blocksoftmatch).
87
87
- Disable Hard Match Takeover. Hard match takeover allows Azure AD Connect to take control of a cloud managed object and changing the source of authority for the object to Active Directory. Once the source of authority of an object is taken over by Azure AD Connect, changes made to the Active Directory object that is linked to the Azure AD object will overwrite the original Azure AD data - including the password hash, if Password Hash Sync is enabled. An attacker could use this capability to take over control of cloud managed objects. To mitigate this risk, [disable hard match takeover](/powershell/module/msonline/set-msoldirsyncfeature?view=azureadps-1.0&preserve-view=true#example-3-block-cloud-object-takeover-through-hard-matching-for-the-tenant).
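Review bot: the fixes on lines 85 and 86 are correct (AADConnect → Azure AD Connect, "a attacker" → "an attacker", "transfering" → "transferring", "autority" → "authority") but stop short of the same class of errors in the unchanged lines of this hunk: line 84 "setup alerts" should be "set up alerts" and "Idp" should be "IdP"; line 87 "take control of a cloud managed object and changing the source of authority" should read "and change the source of authority". On line 85, "e.g." mid-sentence reads better as "for example".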
articles/active-directory/hybrid/how-to-connect-sso-faq.yml
20 additions & 20 deletions
@@ -26,7 +26,7 @@ sections:
26
26
- question: |
27
27
What sign-in methods do Seamless SSO work with
28
28
answer: |
29
-
Seamless SSO can be combined with either the [Password Hash Synchronization](how-to-connect-password-hash-synchronization.md) or [Pass-through Authentication](how-to-connect-pta.md) sign-in methods. However this feature cannot be used with Active Directory Federation Services (ADFS).
29
+
Seamless SSO can be combined with either the [Password Hash Synchronization](how-to-connect-password-hash-synchronization.md) or [Pass-through Authentication](how-to-connect-pta.md) sign-in methods. However this feature can't be used with Active Directory Federation Services (ADFS).
30
30
31
31
- question: |
32
32
Is Seamless SSO a free feature?
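Review bot: the "cannot" → "can't" change on line 29 leaves two problems on the same question and answer: "However this feature" needs a comma after "However", and the question text on line 27, "What sign-in methods do Seamless SSO work with", has a subject-verb disagreement and no question mark; it should read "What sign-in methods does Seamless SSO work with?". The abbreviation "ADFS" on line 29 also differs from "AD FS" used in the prerequisites file in this same change; pick one form.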
@@ -36,20 +36,20 @@ sections:
36
36
- question: |
37
37
Is Seamless SSO available in the Microsoft Azure Germany cloud and the Microsoft Azure Government cloud?
38
38
answer: |
39
-
Seamless SSO is available for the [Azure Government cloud](https://www.microsoft.de/cloud-deutschland). For details, view [Hybrid Identity Considerations for Azure Government](./reference-connect-government-cloud.md).
39
+
Seamless SSO is available for the [Azure Government cloud](https://www.microsoft.com/de-de/microsoft-cloud). For details, view [Hybrid Identity Considerations for Azure Government](./reference-connect-government-cloud.md).
40
40
41
41
- question: |
42
42
What applications take advantage of `domain_hint` or `login_hint` parameter capability of Seamless SSO?
43
43
answer: |
44
-
Listed below is a non-exhaustive list of applications that can send these parameters to Azure AD, and therefore provides users a silent sign-on experience using Seamless SSO (i.e., no need for your users to input their usernames or passwords):
44
+
The table has a list of applications that can send these parameters to Azure AD. This action provides users a silent sign-on experience using Seamless SSO.:
In addition, users get a silent sign-on experience if an application sends sign-in requests to Azure AD's endpoints set up as tenants - that is, https:\//login.microsoftonline.com/contoso.com/<..> or https:\//login.microsoftonline.com/<tenant_ID>/<..> - instead of Azure AD's common endpoint - that is, https:\//login.microsoftonline.com/common/<...>. Listed below is a non-exhaustive list of applications that make these types of sign-in requests.
52
+
In addition, users get a silent sign-on experience if an application sends sign-in requests to Azure AD's endpoints set up as tenants - that is, https:\//login.microsoftonline.com/contoso.com/<..> or https:\//login.microsoftonline.com/<tenant_ID>/<..> - instead of Azure AD's common endpoint - that is, https:\//login.microsoftonline.com/common/<...>. The table has a list of applications that make these types of sign-in requests.
53
53
54
54
| Application name | Application URL to be used |
55
55
| -- | -- |
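Review bot: the new link on line 39 does not match its link text: the question asks about Azure Germany and Azure Government, the sentence says Seamless SSO is available for the "Azure Government cloud", yet the href now points at `https://www.microsoft.com/de-de/microsoft-cloud`, a German-language Microsoft Cloud page, while the follow-on reference is the Azure Government document. Either link to an Azure Government page or answer the Azure Germany half of the question explicitly. On line 44 the added sentence ends in "Seamless SSO.:", a stray period before the colon that introduces the table; drop the period. Line 52's "The table has a list of applications" would read better as "The table lists applications that make these types of sign-in requests."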
@@ -70,26 +70,26 @@ sections:
70
70
answer: |
71
71
[Azure AD Join](../devices/overview.md) provides SSO to users if their devices are registered with Azure AD. These devices don't necessarily have to be domain-joined. SSO is provided using *primary refresh tokens* or *PRTs*, and not Kerberos. The user experience is most optimal on Windows 10 devices. SSO happens automatically on the Microsoft Edge browser. It also works on Chrome with the use of a browser extension.
72
72
73
-
You can use both Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.
73
+
You can use Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.
74
74
75
75
- question: |
76
76
I want to register non-Windows 10 devices with Azure AD, without using AD FS. Can I use Seamless SSO instead?
77
77
answer: |
78
78
Yes, this scenario needs version 2.1 or later of the [workplace-join client](https://www.microsoft.com/download/details.aspx?id=53554).
79
79
80
80
- question: |
81
-
How can I rollover the Kerberos decryption key of the `AZUREADSSO` computer account?
81
+
How can I roll-over the Kerberos decryption key of the `AZUREADSSO` computer account?
82
82
answer: |
83
-
It is important to frequently rollover the Kerberos decryption key of the `AZUREADSSO` computer account (which represents Azure AD) created in your on-premises AD forest.
83
+
It's important to frequently roll-over the Kerberos decryption key of the `AZUREADSSO` computer account (which represents Azure AD) created in your on-premises AD forest.
84
84
85
85
>[!IMPORTANT]
86
-
>We highly recommend that you rollover the Kerberos decryption key at least every 30 days.
86
+
>We highly recommend that you roll-over the Kerberos decryption key at least every 30 days.
87
87
88
-
Follow these steps on the on-premises server where you are running Azure AD Connect:
88
+
Follow these steps on the on-premises server where you're running Azure AD Connect:
89
89
90
90
> [!NOTE]
91
-
>You will need both domain administrator and global administrator or hybrid identity administrator credentials for the steps below.
92
-
>If you are not a domain admin and you were assigned permissions by the domain admin, you should call `Update-AzureADSSOForest -OnPremCredentials $creds -PreserveCustomPermissionsOnDesktopSsoAccount`
91
+
>You'll need domain administrator and global administrator/hybrid identity administrator credentials for the steps.
92
+
>If you're not a domain admin and you were assigned permissions by the domain admin, you should call `Update-AzureADSSOForest -OnPremCredentials $creds -PreserveCustomPermissionsOnDesktopSsoAccount`
93
93
94
94
**Step 1. Get list of AD forests where Seamless SSO has been enabled**
95
95
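Review bot: the change from "rollover" to "roll-over" on lines 81, 83 and 86 goes the wrong way for the verb: "rollover" is the noun, and as a verb the phrase is two words with no hyphen, so all three should read "roll over the Kerberos decryption key". The rewritten note on line 91, "global administrator/hybrid identity administrator credentials", reads as a single role; the removed line's "global administrator or hybrid identity administrator" was clearer and should be kept.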
@@ -114,10 +114,10 @@ sections:
114
114
3. Repeat the preceding steps for each AD forest that you’ve set up the feature on.
115
115
116
116
>[!NOTE]
117
-
>If you are updating a forest, other than the Azure AD Connect one, make sure connectivity to the global catalog server (TCP 3268 and TCP 3269) is available.
117
+
>If you're updating a forest, other than the Azure AD Connect one, make sure connectivity to the global catalog server (TCP 3268 and TCP 3269) is available.
118
118
119
119
>[!IMPORTANT]
120
-
>This does not need to be done on servers running Azure AD Connect in staging mode.
120
+
>This doesn't need to be done on servers running Azure AD Connect in staging mode.
121
121
>Ensure that you _don't_ run the `Update-AzureADSSOForest` command more than once per forest. Otherwise, the feature stops working until the time your users' Kerberos tickets expire and are reissued by your on-premises Active Directory.
122
122
123
123
- question: |
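Review bot: the contraction change on line 117 keeps a comma placement that makes the sentence ambiguous: "If you're updating a forest, other than the Azure AD Connect one," should be "If you're updating a forest other than the one where Azure AD Connect is installed, make sure connectivity to the global catalog server (TCP 3268 and TCP 3269) is available." On line 120, "This doesn't need to be done" opens an IMPORTANT block with no clear referent; naming the action ("You don't need to run `Update-AzureADSSOForest` on servers running Azure AD Connect in staging mode") makes the note self-contained.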
@@ -132,33 +132,33 @@ sections:
132
132
133
133
After completing the wizard, Seamless SSO will be disabled on your tenant. However, you will see a message on screen that reads as follows:
134
134
135
-
"Single sign-on is now disabled, but there are additional manual steps to perform in order to complete clean-up. [Learn more](tshoot-connect-sso.md#step-3-disable-seamless-sso-for-each-active-directory-forest-where-youve-set-up-the-feature)"
135
+
"Single sign-on is now disabled, but there are other manual steps to perform in order to complete clean-up. [Learn more](tshoot-connect-sso.md#step-3-disable-seamless-sso-for-each-active-directory-forest-where-youve-set-up-the-feature)"
136
136
137
-
To complete the clean-up process, follow steps 2 and 3 on the on-premises server where you are running Azure AD Connect.
137
+
To complete the clean-up process, follow steps 2 and 3 on the on-premises server where you're running Azure AD Connect.
138
138
139
139
**Option B: Disable using PowerShell**
140
140
141
-
Run the following steps on the on-premises server where you are running Azure AD Connect:
141
+
Run the following steps on the on-premises server where you're running Azure AD Connect:
142
142
143
143
1. First, download, and install [Azure AD PowerShell](/powershell/azure/active-directory/overview).
144
144
2. Navigate to the `$env:ProgramFiles"\Microsoft Azure Active Directory Connect"` folder.
145
145
3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
146
-
4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Adminstrator credentials.
146
+
4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Administrator credentials.
147
147
5. Call `Enable-AzureADSSO -Enable $false`.
148
148
149
149
At this point Seamless SSO is disabled but the domains will remain configured in case you would like to enable Seamless SSO back. If you would like to remove the domains from Seamless SSO configuration completely, call the following cmdlet after you completed step 5 above: `Disable-AzureADSSOForest -DomainFqdn <fqdn>`.
150
150
151
151
>[!IMPORTANT]
152
-
>Disabling Seamless SSO using PowerShell will not change the state in Azure AD Connect. Seamless SSO will show as enabled in the **Change user sign-in** page.
152
+
>Disabling Seamless SSO using PowerShell won't change the state in Azure AD Connect. Seamless SSO will show as enabled in the **Change user sign-in** page.
153
153
154
154
**Step 2. Get list of AD forests where Seamless SSO has been enabled**
155
155
156
-
Follow tasks 1 through 4 below if you have disabled Seamless SSO using Azure AD Connect. If you have disabled Seamless SSO using PowerShell instead, jump ahead to task 5 below.
156
+
Follow tasks 1 through 4 if you have disabled Seamless SSO using Azure AD Connect. If you have disabled Seamless SSO using PowerShell instead, jump ahead to task 5.
157
157
158
158
1. First, download, and install [Azure AD PowerShell](/powershell/azure/active-directory/overview).
159
159
2. Navigate to the `$env:ProgramFiles"\Microsoft Azure Active Directory Connect"` folder.
160
160
3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
161
-
4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Adminstrator credentials.
161
+
4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Administrator credentials.
162
162
5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
163
163
164
164
**Step 3. Manually delete the `AZUREADSSO` computer account from each AD forest that you see listed.**
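Review bot: the edit on line 135 changes text presented as a verbatim on-screen message ("Single sign-on is now disabled, but there are additional manual steps...") to "other manual steps"; if the wizard still displays "additional", the doc now misquotes the product, so either confirm the UI string changed or leave the quoted message as-is and apply the style preference only to the surrounding prose. Separately, in both numbered lists (lines 143–147 and 158–162) the reader is told to navigate to a folder and run `Import-Module .\AzureADSSO.psd1` before step 4 says "Run PowerShell as an Administrator"; moving that instruction ahead of the `Import-Module` step would match the order the commands are actually typed. The "Adminstrator" typo fix was correctly applied to both copies of step 4.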