Merge pull request #176602 from MicrosoftDocs/master

10/20 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -46532,6 +46532,11 @@
       "source_path_from_root": "/articles/azure-monitor/app/how-do-i.md",
       "redirect_url": "/azure/azure-monitor/faq",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/app-service/web-sites-integrate-with-vnet.md",
+      "redirect_url": "/azure/app-service/overview-vnet-integration",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory-b2c/tutorial-create-tenant.md

@@ -46,11 +46,11 @@ You learn how to register an application in the next tutorial.
 1. Select the directory that contains your subscription:
     1. In the Azure portal toolbar, select the **Directories + subscriptions** filter icon. 
 
-    ![Directories + subscriptions filter icon](media/tutorial-create-tenant/directories-subscription-filter-icon.png)
+        ![Directories + subscriptions filter icon](media/tutorial-create-tenant/directories-subscription-filter-icon.png)
 
     1. Find the directory that contains your subscription and select the **Switch** button next to it. Switching a directory reloads the portal.
 
-    ![Directories + subscriptions with Switch button](media/tutorial-create-tenant/switch-directory.png)
+        ![Directories + subscriptions with Switch button](media/tutorial-create-tenant/switch-directory.png)
 
 1. Add **Microsoft.AzureActiveDirectory** as a resource provider for the Azure subscription your're using ([learn more](../azure-resource-manager/management/resource-providers-and-types.md?WT.mc_id=Portal-Microsoft_Azure_Support#register-resource-provider-1)):
 
@@ -119,4 +119,4 @@ In this article, you learned how to:
 Next, learn how to register a web application in your new tenant.
 
 > [!div class="nextstepaction"]
-> [Register your applications >](tutorial-register-applications.md)
+> [Register your applications >](tutorial-register-applications.md)

articles/active-directory-domain-services/tutorial-create-forest-trust.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 07/26/2021
+ms.date: 10/19/2021
 ms.author: justinha
 
 #Customer intent: As an identity administrator, I want to create a one-way outbound forest from an Azure Active Directory Domain Services resource forest to an on-premises Active Directory Domain Services forest to provide authentication and resource access between forests.
@@ -72,9 +72,20 @@ Before you configure a forest trust in Azure AD DS, make sure your networking be
 To correctly resolve the managed domain from the on-premises environment, you may need to add forwarders to the existing DNS servers. If you haven't configured the on-premises environment to communicate with the managed domain, complete the following steps from a management workstation for the on-premises AD DS domain:
 
 1. Select **Start** > **Administrative Tools** > **DNS**.
-1. Right-select DNS server, such as *myAD01*, then select **Properties**.
-1. Choose **Forwarders**, then **Edit** to add additional forwarders.
-1. Add the IP addresses of the managed domain, such as *10.0.2.4* and *10.0.2.5*.
+1. Select your DNS zone, such as *aaddscontoso.com*.
+1. Select **Conditional Forwarders**, then right-select and choose **New Conditional Forwarder...**
+1. Enter your other **DNS Domain**, such as *contoso.com*, then enter the IP addresses of the DNS servers for that namespace, as shown in the following example:
+
+    ![Screenshot of how to add and configure a conditional forwarder for the DNS server.](./media/manage-dns/create-conditional-forwarder.png)
+
+1. Check the box for **Store this conditional forwarder in Active Directory, and replicate it as follows**, then select the option for *All DNS servers in this domain*, as shown in the following example:
+
+    ![Screenshot of how to select All DNS servers in this domain.](./media/manage-dns/store-in-domain.png)
+
+    > [!IMPORTANT]
+    > If the conditional forwarder is stored in the *forest* instead of the *domain*, the conditional forwarder fails.
+
+1. To create the conditional forwarder, select **OK**.
 
 ## Create inbound forest trust in the on-premises domain
 

articles/active-directory/fundamentals/media/multi-tenant-common-solutions/app-access-scenario.png

@@ -0,0 +1,122 @@
+---
+title: Common solutions for multi-tenant user management in Azure Active Directory
+description: Learn about common solutions used to configure user access across Azure Active Directory tenants with guest accounts 
+services: active-directory
+author: BarbaraSelden
+manager: martinco
+ms.service: active-directory
+ms.workload: identity
+ms.subservice: fundamentals
+ms.topic: conceptual
+ms.date: 09/25/2021
+ms.author: baselden
+ms.custom: "it-pro, seodec18"
+ms.collection: M365-identity-device-management
+---
+
+# Common solutions for multi-tenant user management
+
+There are two specific challenges our customers have solved using current tools. Their solutions are detailed below. Microsoft recommends a single tenant wherever possible and is working on tools to resolve these challenges more easily. If single tenancy does not work for your scenario, these solutions have worked for customers today. 
+
+## Automatic User Lifecycle Management and resource allocation across tenants
+
+A customer acquires a competitor they previously had close business relationships with. The organizations will maintain their corporate identities.
+
+### Current state
+
+Currently, the organizations are synchronizing each other’s users as contact-mail objects so that they show in each other’s directories. 
+
+* Each resource tenant has a mail-contact object enabled for all users in the other tenant.
+
+* No access to applications is possible across tenants.
+
+### Goals
+
+This customer had the following goals:
+
+* Every user continues to be shown in each organization’s GAL.
+
+   * User account lifecycle changes in the home tenant automatically reflected in the resource tenant GAL. 
+
+   * Attribute changes in home tenants (such as department, name, SMTP address) automatically reflected in resource tenant GAL and the home GAL.
+
+* Users can access applications and resources in the resource tenant.
+
+* Users can self-serve access requests to resources.
+
+### Solution architecture 
+
+The organizations will use a point-to-point architecture with a synchronization engine such as MIM.
+
+![Example of a point-to-point architecture](media/multi-tenant-common-solutions/point-to-point-sync.png)
+
+Each tenant admin does the following to create the user objects:
+
+1. Ensure that their database of users is up to date.
+
+1. [Deploy and configure MIM](/microsoft-identity-manager/microsoft-identity-manager-deploy).
+
+   1. Address existing contact objects.
+
+   1. Create B2B External Member objects for the other tenant’s members.
+
+   1. Synchronize user object attributes.
+
+1. Deploy and configure [Entitlement Management](../governance/entitlement-management-overview.md) access packages.
+
+   1. Resources to be shared
+
+   1. Expiration and access review policies
+
+## Sharing on-premises apps across tenants
+
+This customer, with multiple peer organizations, has a need to share on-premises applications from one of the tenants.
+
+### Current state
+
+Multiple peer organizations are synchronizing B2B Guest users in a mesh topology, enabling resource allocation to their cloud applications across tenants. They currently
+
+* Share applications in Azure AD.
+
+* Ensure user Lifecycle Management in resource tenant is automated based on home tenant. That is, add, modify, delete is reflected.
+
+* Only member users in Company A access Company A’s on-premises apps.
+
+![Multi-tenant scenario](media/multi-tenant-user-management-scenarios/mesh.png)
+
+### Goals
+
+Along with the current functionality, they would like to
+
+* Provide access to Company A’s on-premises resources for the external guest users. 
+
+* Apps with SAML authentication
+
+* Apps with Integrated Windows Authentication and Kerberos
+
+### Solution architecture
+
+Company A is currently providing SSO to on premises apps for its own members via Azure Application Proxy.
+
+![Example of appliction access](media/multi-tenant-common-solutions/app-access-scenario.png)
+
+To enable their guest users to access the same on-premises applications Admins in tenet A will:
+
+1. [Configure access to SAML apps](../external-identities/hybrid-cloud-to-on-premises.md#access-to-saml-apps).
+
+2. [Configure access to other applications](../external-identities/hybrid-cloud-to-on-premises.md#access-to-iwa-and-kcd-apps).
+
+3. Create on-premises guest users through [MIM](../external-identities/hybrid-cloud-to-on-premises.md#create-b2b-guest-user-objects-through-mim) or [PowerShell](https://www.microsoft.com/en-us/download/details.aspx?id=51495).
+
+For more information about B2B collaboration, see
+
+[Grant B2B users in Azure AD access to your on-premises resources](../external-identities/hybrid-cloud-to-on-premises.md)
+
+[Azure Active Directory B2B collaboration for hybrid organizations](../external-identities/hybrid-organizations.md)
+
+## Next steps
+[Multi-tenant user management introduction](multi-tenant-user-management-introduction.md)
+
+[Multi-tenant end user management scenarios](multi-tenant-user-management-scenarios.md)
+
+[Multi-tenant common considerations](multi-tenant-common-considerations.md)