Merge pull request #88284 from iainfoulds/azureadds-freshness091219

[AzureADDS] Freshness updates and edits

Author: v-albemi

articles/active-directory-domain-services/TOC.yml

@@ -89,7 +89,7 @@
       items:
         - name: Deploy Azure AD Application Proxy
           href: deploy-azure-app-proxy.md
-        - name: Configure support for profile synchronization for SharePoint Server
+        - name: Enable profile synchronization for SharePoint Server
           href: deploy-sp-profile-sync.md
     - name: Troubleshoot
       items:

articles/active-directory-domain-services/deploy-sp-profile-sync.md

@@ -1,51 +1,79 @@
 ---
-title: 'Azure Active Directory Domain Services: Enable SharePoint User Profile service | Microsoft Docs'
-description: Configure Azure Active Directory Domain Services managed domains to support profile synchronization for SharePoint Server
+title: Enable SharePoint User Profile service with Azure AD DS | Microsoft Docs
+description: Learn how to configure an Azure Active Directory Domain Services managed domain to support profile synchronization for SharePoint Server
 services: active-directory-ds
-documentationcenter: ''
 author: iainfoulds
 manager: daveba
-editor: curtand
 
 ms.assetid: 938a5fbc-2dd1-4759-bcce-628a6e19ab9d
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
-ms.tgt_pltfrm: na
-ms.devlang: na
 ms.topic: conceptual
-ms.date: 06/22/2018
+ms.date: 09/12/2019
 ms.author: iainfou
 
 ---
+# Configure Azure Active Directory Domain Services to support user profile synchronization for SharePoint Server
 
-# Configure a managed domain to support profile synchronization for SharePoint Server
-SharePoint Server includes a User Profile Service that is used for user profile synchronization. To set up the User Profile Service, appropriate permissions need to be granted on an Active Directory domain. For more information, see [grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013](https://technet.microsoft.com/library/hh296982.aspx).
+SharePoint Server includes a service to synchronize user profiles. This feature lets user profiles be stored in a central location and accessible across multiple SharePoint sites and farms. To configure the SharePoint Server user profile service, the appropriate permissions must be granted in an Azure Active Directory Domain Services (Azure AD DS) managed domain. For more information, see [user profile synchronization in SharePoint Server](https://technet.microsoft.com/library/hh296982.aspx).
 
-This article explains how you can configure Azure AD Domain Services managed domains to deploy the SharePoint Server User Profile Sync service.
+This article shows you how to configure Azure AD DS to allow the SharePoint Server user profile sync service.
 
-[!INCLUDE [active-directory-ds-prerequisites.md](../../includes/active-directory-ds-prerequisites.md)]
+## Before you begin
 
-## The 'AAD DC Service Accounts' group
-A security group called '**AAD DC Service Accounts**' is available within the 'Users' organizational unit on your managed domain. You can see this group in the **Active Directory Users and Computers** MMC snap-in on your managed domain.
+To complete this article, you need the following resources and privileges:
 
-![AAD DC Service Accounts security group](./media/active-directory-domain-services-admin-guide/aad-dc-service-accounts.png)
+* An active Azure subscription.
+    * If you don’t have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
+    * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
+* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
+    * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
+* A Windows Server management VM that is joined to the Azure AD DS managed domain.
+    * If needed, complete the tutorial to [create a management VM][tutorial-create-management-vm].
+* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
+* A SharePoint service account for the user profile synchronization service.
+    * If needed, see [Plan for administrative and service accounts in SharePoint Server][sharepoint-service-account].
 
-Members of this security group are delegated the following privileges:
-- The 'Replicate Directory Changes' privilege on the root DSE of the managed domain.
-- The 'Replicate Directory Changes' privilege on the Configuration naming context (cn=configuration container) of the managed domain.
+## Service accounts overview
 
-This security group is also a member of the built-in group **Pre-Windows 2000 Compatible Access**.
+In an Azure AD DS managed domain, a security group named **AAD DC Service Accounts** exists as part of the *Users* organizational unit (OU). Members of this security group are delegated the following privileges:
 
-![AAD DC Service Accounts security group](./media/active-directory-domain-services-admin-guide/aad-dc-service-accounts-properties.png)
+- **Replicate Directory Changes** privilege on the root DSE.
+- **Replicate Directory Changes** privilege on the *Configuration* naming context (`cn=configuration` container).
 
+The **AAD DC Service Accounts** security group is also a member of the built-in group **Pre-Windows 2000 Compatible Access**.
 
-## Enable your managed domain to support SharePoint Server user profile sync
-You can add the service account used for SharePoint user profile synchronization to the **AAD DC Service Accounts** group. As a result, the synchronization account gets adequate privileges to replicate changes to the directory. This configuration step enables SharePoint Server user profile sync to work correctly.
+When added to this security group, the service account for SharePoint Server user profile synchronization service is granted the required privileges to work correctly.
 
-![AAD DC Service Accounts - add members](./media/active-directory-domain-services-admin-guide/aad-dc-service-accounts-add-member.png)
+## Enable support for SharePoint Server user profile sync
 
-![AAD DC Service Accounts - add members](./media/active-directory-domain-services-admin-guide/aad-dc-service-accounts-add-member2.png)
+The service account for SharePoint Server needs adequate privileges to replicate changes to the directory and let SharePoint Server user profile sync work correctly. To provide these privileges, add the service account used for SharePoint user profile synchronization to the **AAD DC Service Accounts** group.
 
-## Related Content
-* [Technical Reference - Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013](https://technet.microsoft.com/library/hh296982.aspx)
+From your Azure AD DS management VM, complete the following steps:
+
+> [!NOTE]
+> To edit group membership in an Azure AD DS managed domain, you must be signed in to a user account that's a member of the *AAD DC Administrators* group.
+
+1. From the Start screen, select **Administrative Tools**. A list of available management tools is shown that were installed in the tutorial to [create a management VM][tutorial-create-management-vm].
+1. To manage group membership, select **Active Directory Administrative Center** from the list of administrative tools.
+1. In the left pane, choose your Azure AD DS managed domain, such as *contoso.com*. A list of existing OUs and resources is shown.
+1. Select the **Users** OU, then choose the *AAD DC Service Accounts* security group.
+1. Select **Members**, then choose **Add...**.
+1. Enter the name of the SharePoint service account, then select **OK**. In the following example, the SharePoint service account is named *spadmin*:
+
+    ![Add the SharePoint service account to the AAD DC Service Accounts security group](./media/deploy-sp-profile-sync/add-member-to-aad-dc-service-accounts-group.png)
+
+## Next steps
+
+For more information, see [Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server](https://technet.microsoft.com/library/hh296982.aspx)
+
+<!-- INTERNAL LINKS -->
+[create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
+[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
+[create-azure-ad-ds-instance]: tutorial-create-instance.md
+[tutorial-create-management-vm]: tutorial-create-management-vm.md
+
+<!-- EXTERNAL LINKS -->
+[sharepoint-service-account]: /sharepoint/security-for-sharepoint-server/plan-for-administrative-and-service-accounts

articles/active-directory-domain-services/media/active-directory-domain-services-admin-guide/aad-dc-service-accounts-add-member.png

@@ -1,98 +1,85 @@
 ---
-title: 'Azure Active Directory Domain Services: Notification settings | Microsoft Docs'
-description: Notification settings for Azure AD Domain Services
+title: Email notifications for Azure AD Domain Services | Microsoft Docs'
+description: Learn how to configure email notifications to alert you about issues in an Azure Active Directory Domain Services managed domain
 services: active-directory-ds
-documentationcenter: ''
 author: iainfoulds
 manager: daveba
-editor: curtand
 
 ms.assetid: b9af1792-0b7f-4f3e-827a-9426cdb33ba6
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
-ms.tgt_pltfrm: na
-ms.devlang: na
 ms.topic: article
-ms.date: 05/20/2019
+ms.date: 09/12/2019
 ms.author: iainfou
 
 ---
-# Notification settings in Azure AD Domain Services
+# Configure email notifications for issues in Azure Active Directory Domain Services
 
-Notifications for Azure AD Domain Services allows you to be updated as soon as a health alert is detected on your managed domain.  
+The health of an Azure Active Directory Domain Services (Azure AD DS) managed domain is monitored by the Azure platform. The health status page in the Azure portal shows any alerts for the managed domain. To make sure issues are responded to in a timely manner, email notifications can be configured to report on health alerts as soon as they're detected in the Azure AD DS managed domain.
 
-This feature is only available for managed domains that are not on classic virtual networks.
+This article shows you how to configure email notification recipients for an Azure AD DS managed domain.
 
+## Email notification overview
 
-## How to check your Azure AD Domain Services email notification settings
+To alert you of issues with an Azure AD DS managed domain, you can configure email notifications. These email notifications specify the Azure AD DS managed domain that the alert is present on, as well as giving the time of detection and a link to the health page in the Azure portal. You can then follow the provided troubleshooting advice to resolve the issues.
 
-1. Navigate to the [Azure AD Domain Services page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.AAD%2FdomainServices) on the Azure portal
-2. Choose your managed domain from the table
-3. In the left-hand navigation, choose **Notification settings**
-
-On the page it lists out all of the email recipients for email notifications for Azure AD Domain Services.
-
-## What does an email notification look like?
-
-The following picture is an example of an email notification:
+The following example email notification indicates a critical warning or alert was generated on the Azure AD DS managed domain:
 
 ![Example email notification](./media/active-directory-domain-services-alerts/email-alert.png)
 
-The email specifies the managed domain that the alert is present on, as well as giving the time of detection and a link to the Azure AD Domain Services health page in the Azure portal.
-
 > [!WARNING]
-> Always make sure that the email is coming from a verified Microsoft sender before clicking links in your emails. The emails always come from the email [email protected]
+> Always make sure that the email comes from a verified Microsoft sender before you click the links in the message. The email notifications always come from the `[email protected]` address.
 
+### Why would I receive email notifications?
 
-## Why would I receive email notifications?
+Azure AD DS sends email notifications for important updates about the managed domain. These notifications are only for urgent issues that impact the service and should be addressed immediately. Each email notification is triggered by an alert on the Azure AD DS managed domain. The alerts also appear in the Azure portal and can be viewed on the [Azure AD DS health page][check-health].
 
-Azure AD Domain Services sends email notifications for important updates about your domain.  These notifications are only for urgent matters that will impact your service and should be addressed immediately. Each email notification is triggered by an alert on your managed domain. These alerts will also appear on the Azure portal and can be viewed on the [Azure AD Domain Services health page](check-health.md).
+Azure AD DS doesn't send emails for advertisement, updates, or sales purposes.
 
-Azure AD Domain Services does not send emails to this list for advertisement, updates, or sales purposes.
+### When will I receive email notifications?
 
-## When will I receive email notifications?
+A notification is sent immediately when a [new alert][troubleshoot-alerts] is found on an Azure AD DS managed domain. If the alert isn't resolved, additional email notifications are sent as a reminder every four days.
 
-A notification will be sent immediately when a [new alert](troubleshoot-alerts.md) is found on your managed domain. If the alert is not resolved, an email notification will be sent as a reminder every four days.
+### Who should receive the email notifications?
 
-## Who should receive the email notifications?
+The list of email recipients for Azure AD DS should be composed of people who are able to administer and make changes to the managed domain. This email list should be thought of as your "first responders" to any alerts and issues.
 
+You can add up to five additional emails recipients for email notifications. If you want more than five recipients for email notifications, create a distribution list and add that to the notification list instead.
 
- We recommended the list of email recipients for Azure AD Domain Services to be composed of people who are able to administer and make changes to the managed domain. This email list should be thought of as your "first responders" to any problem found. If you have more than five additional emails you would like to add, we recommend creating a distribution list to add to the notification list instead.
+You can also choose to have all *Global Administrators* of the Azure AD directory and every member of the *AAD DC Administrators* group receive email notifications. Azure AD DS only sends notification to up to 100 email addresses, including the list of global administrators and AAD DC administrators.
 
-You are able to add up to five additional emails for notifications regarding Azure AD Domain Services. In addition, you can also choose to have all Global Administrators of your directory and every member of the group 'AAD DC Administrators' receive Azure AD Domain Services email notifications. Azure AD Domain Services will only send notifications to up to 100 email addresses, including the list of global administrators and AAD DC Administrators.
+## Configure email notifications
 
+To review the existing email notification recipients or add additional recipients, complete the following steps:
 
-## How to add an additional email recipient
+1. In the Azure portal, search for and select **Azure AD Domain Services**.
+1. Select your Azure AD DS managed domain, such as *contoso.com*.
+1. On the left-hand side of the Azure AD DS resource window, select **Notification settings**. The existing recipients for email notifications are shown.
+1. To add an email recipient, enter the email address in the additional recipients table.
+1. When done, select **Save** on the top-hand navigation.
 
 > [!WARNING]
-> When changing the notification settings, you are changing the notification settings for the entire managed domain, not just yourself.
-
-1. Navigate to the [Azure AD Domain Services page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.AAD%2FdomainServices) on the Azure portal.
-2. Click on your managed domain.
-3. On the left-hand navigation, click **Notification settings**.
-4. To add an email, type in the email address in the additional recipients table.
-5. Click "Save" on the top-hand navigation.
+> When you change the notification settings, the notification settings for the entire Azure AD DS managed domain are updated, not just yourself.
 
 ## Frequently asked questions
 
-#### I received an email notification for an alert but when I logged on to the Azure portal there was no alert. What happened?
-
-If an alert is resolved, the alert will disappear from the Azure portal. The most likely reason is that someone else who receives email notifications resolved the alert on your managed domain, or it was auto-resolved by Azure AD Domain Services.
+### I received an email notification for an alert but when I logged on to the Azure portal there was no alert. What happened?
 
+If an alert is resolved, the alert is cleared from the Azure portal. The most likely reason is that someone else who receives email notifications resolved the alert on the Azure AD DS managed domain, or it was autoresolved by Azure platform.
 
-#### Why can I not edit the notification settings?
+### Why can I not edit the notification settings?
 
-If you are unable to access the notification settings page in the Azure portal, you do not have the permissions to edit Azure AD Domain Services. You must contact your global administrator to either get permissions to edit Azure AD Domain Services resources or be removed from the recipient list.
+If you're unable to access the notification settings page in the Azure portal, you don't have the permissions to edit the Azure AD DS managed domain. You must contact a global administrator to either get permissions to edit Azure AD DS resource or be removed from the recipient list.
 
-#### I don't seem to be receiving email notifications even though I provided my email address. Why?
+### I don't seem to be receiving email notifications even though I provided my email address. Why?
 
-Check your spam or junk folder in your email for the notification and make sure to whitelist the sender ([email protected]).
+Check your spam or junk folder in your email for the notification and make sure to allow the sender of `[email protected]`.
 
 ## Next steps
-- [Resolve alerts on your managed domain](troubleshoot-alerts.md)
-- [Read more about Azure AD Domain Services](overview.md)
-- [Contact the product team](contact-us.md)
 
-## Contact us
-Contact the Azure Active Directory Domain Services product team to [share feedback or for support](contact-us.md).
+For more information on troubleshooting some of the issues that may be reported, see [Resolve alerts on an Azure AD DS managed domain][troubleshoot-alerts].
+
+<!-- INTERNAL LINKS -->
+[check-health]: check-health.md
+[troubleshoot-alerts]: troubleshoot-alerts.md