Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into mrb_08_02_2023_rbac

Author: mrbullwinkle

.openpublishing.redirection.active-directory.json

@@ -10,6 +10,11 @@
       "redirect_url": "/azure/active-directory/develop/enterprise-app-role-management",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/governance/tutorial-prepare-azure-ad-user-accounts.md",
+      "redirect_url": "/azure/active-directory/governance/tutorial-prepare-user-accounts",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/develop/active-directory-schema-extensions.md",
       "redirect_url": "/azure/active-directory/develop/schema-extensions",

articles/active-directory/app-provisioning/on-premises-sap-connector-configure.md

@@ -14,7 +14,7 @@ ms.reviewer: arvinh
 ---
 
 # Configuring Azure AD to provision users into SAP ECC 7.0
-The following documentation provides configuration and tutorial information demonstrating how to provision users from Azure AD into SAP ERP Central Component (SAP ECC) 7.0.  
+The following documentation provides configuration and tutorial information demonstrating how to provision users from Azure AD into SAP ERP Central Component (SAP ECC) 7.0. If you are using other versions such as SAP R/3, you can still use the guides provided in the [download center](https://www.microsoft.com/download/details.aspx?id=51495) as a reference to build your own template and configure provisioning.   
 
 
 [!INCLUDE [app-provisioning-sap.md](../../../includes/app-provisioning-sap.md)]

articles/active-directory/conditional-access/concept-continuous-access-evaluation-strict-enforcement.md

@@ -24,9 +24,6 @@ Strictly enforce location policies is a new enforcement mode for continuous acce
 | Standard (Default) | Suitable for all topologies | A short-lived token is issued only if Azure AD detects an allowed IP address. Otherwise, access is blocked | Falls back to the pre-CAE location detection mode in split tunnel network deployments where CAE enforcement would affect productivity. CAE still enforces other events and policies. | None (Default Setting) |
 | Strictly enforced location policies | Egress IP addresses are dedicated and enumerable for both Azure AD and all resource provider traffic | Access blocked | Most secure, but requires well understood network paths | 1. Test IP address assumptions with a small population <br><br> 2. Enable “Strictly enforce” under Session controls |
 
-> [!NOTE] 
-> The **IP address (seen by resource)** is blank when that IP matches the IP address.
-
 ## Configure strictly enforced location policies
 
 ### Step 1 - Configure a Conditional Access location based policy for your target users
@@ -77,7 +74,7 @@ Administrators can investigate the Sign-in logs to find cases with **IP address
 1. Sign in to the **Azure portal** as at least a Global Reader.
 1. Browse to **Azure Active Directory** > **Sign-ins**.
 1. Find events to review by adding filters and columns to filter out unnecessary information.
-   1. Add the **IP address (seen by resource)** column and filter out any blank items to narrow the scope.
+   1. Add the **IP address (seen by resource)** column and filter out any blank items to narrow the scope. The **IP address (seen by resource)** is blank when that IP seen by Azure AD matches the IP address seen by the resource.
 
       [ ![Screenshot showing an example of how to find more information in the sign-in logs.](./media/concept-continuous-access-evaluation-strict-enforcement/sign-in-logs-ip-address-seen-by-resource.png) ](./media/concept-continuous-access-evaluation-strict-enforcement/sign-in-logs-ip-address-seen-by-resource.png#lightbox)
 

articles/active-directory/enterprise-users/directory-self-service-signup.md

@@ -69,7 +69,13 @@ For more information on Flow and Power Apps trial sign-ups, see the following ar
 These two parameters can be used in conjunction to define more precise control over self-service sign-up. For example, the following command allows users to perform self-service sign-up, but only if those users already have an account in Azure AD (in other words, users who would need an email-verified account to be created first can't perform self-service sign-up):
 
 ```powershell
-    Set-MsolCompanySettings -AllowEmailVerifiedUsers $false -AllowAdHocSubscriptions $true
+Import-Module Microsoft.Graph.Identity.SignIns
+connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
+$param = @{
+ allowedToSignUpEmailBasedSubscriptions=$true
+ allowEmailVerifiedUsersToJoinOrganization=$false
+ }
+Update-MgPolicyAuthorizationPolicy -BodyParameter $param
 ```
 
 The following flowchart explains the different combinations for these parameters and the resulting conditions for the tenant and self-service sign-up.
@@ -79,10 +85,10 @@ The following flowchart explains the different combinations for these parameters
 This setting's details may be retrieved using the PowerShell cmdlet Get-MsolCompanyInformation. For more information on this, see [Get-MsolCompanyInformation](/powershell/module/msonline/get-msolcompanyinformation).
 
 ```powershell
-    Get-MsolCompanyInformation | Select AllowEmailVerifiedUsers, AllowAdHocSubscriptions
+Get-MgPolicyAuthorizationPolicy | Select-Object AllowedToSignUpEmailBasedSubscriptions, AllowEmailVerifiedUsersToJoinOrganization
 ```
 
-For more information and examples of how to use these parameters, see [Set-MsolCompanySettings](/powershell/module/msonline/set-msolcompanysettings).
+For more information and examples of how to use these parameters, see [Update-MgPolicyAuthorizationPolicy](/powershell/module/microsoft.graph.identity.signins/update-mgpolicyauthorizationpolicy?view=graph-powershell-1.0&preserve-view=true).
 
 ## Next steps
 

articles/active-directory/fundamentals/media/active-directory-properties-area/active-directory-no-privacy-statement-or-contact.png

@@ -35,8 +35,8 @@ You add your organization's privacy information in the **Properties** area of Az
 
     The **Properties** area appears.
 
-    ![Azure AD Properties area highlighting the privacy info area](media/active-directory-properties-area/properties-area.png)
-
+    :::image type="content" source="media/active-directory-properties-area/properties-area.png" alt-text="Screenshot showing the properties area highlighting the privacy info area.":::
+ 
 3. Add your privacy info for your employees:
 
     - **Technical contact.** Type the email address for the person to contact for technical support within your organization.
@@ -48,7 +48,7 @@ You add your organization's privacy information in the **Properties** area of Az
         >[!Important]
         >If you don't include either your own privacy statement or your privacy contact, your external guests will see text in the **Review Permissions** box that says, **<_your org name_> has not provided links to their terms for you to review**. For example, a guest user will see this message when they receive an invitation to access an organization through B2B collaboration.
 
-        ![B2B Collaboration Review Permissions box with message](media/active-directory-properties-area/active-directory-no-privacy-statement-or-contact.png)
+        :::image type="content" source="media/active-directory-properties-area/no-privacy-statement-or-contact.png" alt-text="Screenshot showing the B2B Collaboration Review Permissions box with message.":::
 
 4. Select **Save**.
 

articles/active-directory/fundamentals/media/active-directory-properties-area/no-privacy-statement-or-contact.png

@@ -280,7 +280,7 @@
     - name: Set EmployeeLeaveDateTime for leaver workflows
       href: /graph/tutorial-lifecycle-workflows-set-employeeleavedatetime?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json
     - name: Preparing user accounts for Lifecycle workflows tutorials
-      href: tutorial-prepare-azure-ad-user-accounts.md 
+      href: tutorial-prepare-user-accounts.md 
     - name: Configure a Logic App for Lifecycle Workflow use
       href: configure-logic-app-lifecycle-workflows.md
 

articles/active-directory/fundamentals/media/active-directory-properties-area/properties-area.png

@@ -20,19 +20,56 @@ ms.author: billmath
 The following tables show the licensing requirements for Microsoft Entra ID Governance features
 
 ## Types of licenses
-The following licenses are available for use with Microsoft Entra ID Governance.  The type of licenses you need will depend on the features you're using.
+The following licenses are available for use with Microsoft Entra ID Governance.  The choice of licenses you need in a tenant will depend on the features you're using in that tenant.
 
-- **Free** - Included with Microsoft cloud subscriptions such as Microsoft Azure, Microsoft 365, and others.1
-- **Microsoft Azure AD P1** - Azure Active Directory P1 (becoming Microsoft Entra ID P1) is available as a standalone or included with Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small to medium businesses. 
-- **Microsoft Azure AD P2** - Azure Active Directory P2 (becoming Microsoft Entra ID P2) is available as a standalone or included with Microsoft 365 E5 for enterprise customers.
-- **Microsoft Entra ID Governance** - Entra ID Governance is an advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers.
+- **Free** - Included with Microsoft cloud subscriptions such as Microsoft Azure, Microsoft 365, and others.
+- **Microsoft Azure AD P1** - Azure Active Directory Premium P1 (becoming Microsoft Entra ID P1) is available as a standalone product or included with Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small to medium businesses. 
+- **Microsoft Azure AD P2** - Azure Active Directory Premium P2 (becoming Microsoft Entra ID P2) is available as a standalone product or included with Microsoft 365 E5 for enterprise customers.
+- **Microsoft Entra ID Governance** - Entra ID Governance is an advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers, as two products **Microsoft Entra ID Governance** and **Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2**.
 
 >[!NOTE]
 >Microsoft Entra ID Governance scenarios may depends upon other features that are not covered by Microsoft Entra ID Governance.  These features may have additional licensing requirements.  See [Governance capabilities in other Microsoft Entra features](identity-governance-overview.md#governance-capabilities-in-other-microsoft-entra-features) for more information on governance scenarios that rely on additional features.
 
 
-## Features by license type
-The following table shows what features are available with each license type.
+### Prerequisites
+
+The Microsoft Entra ID Governance capabilities are currently available in two products. These two products provide the same identity governance capabilities. The difference between the two products is that they have different prerequisites.
+
+- A subscription to **Microsoft Entra ID Governance** requires that the tenant also have an active subscription to another product, one that contains the `AAD_PREMIUM` or `AAD_PREMIUM_P2` service plan. Examples of products meeting this prerequisite include **Microsoft Azure Active Directory Premium P1** or **Microsoft 365 E3**.
+- A subscription to **Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2** requires that the tenant also have an active subscription to another product, one that contains the `AAD_PREMIUM_P2` service plan.  Examples of products meeting this prerequisite include **Microsoft Azure Active Directory Premium P2** or **Microsoft 365 E5**.
+
+The [product names and service plan identifiers for licensing](../enterprise-users/licensing-service-plan-reference.md) lists additional products that include the prerequisite service plans.
+
+>[!NOTE]
+>A subscription to a prerequisite for an Microsoft Entra ID Governance product must be active in the tenant. If a prerequisite is not present, or the subscription expires, then Microsoft Entra ID Governance scenarios may not function as expected.  
+
+To check if the prerequisite products for a Microsoft Entra ID Governance product are present in a tenant, you can use the Microsoft Entra admin center or the Microsoft 365 admin center to view the list of products.
+
+1. Sign into the [Microsoft Entra admin center](https://entra.microsoft.com) as a global administrator.
+
+1. In the **Identity** menu, expand **Billing** and select **Licenses**.
+
+1. In the **Manage** menu, select **Licensed features**.  The information bar will indicate the current Azure AD license plan.
+
+1. To view the existing products in the tenant, in the **Manage** menu, select **All products**.
+
+## Starting a trial
+
+A global administrator in a tenant that has an appropriate prerequisite product, such as Microsoft Azure AD Premium P1, already purchased, and is not already using or has previously trialed Microsoft Entra ID Governance, may request a trial of Microsoft Entra ID Governance in their tenant.
+
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home) as a global administrator.
+
+1. In the **Billing** menu, select **Purchase services**.
+
+1. In the **Search all product categories** box, type `"Microsoft Entra ID Governance"`.
+
+1. Select **Details** below **Microsoft Entra ID Governance** to view the trial and purchase information for the product.  If your tenant has Azure AD Premium P2, then select  **Details** below **Microsoft Entra ID Governance Step-Up for Microsoft Entra ID P2**.
+
+1. In the product details page, click **Start free trial**.
+
+
+## Features by license
+The following table shows what features are available with each license.  Note that not all features are available in all clouds; see [Azure Active Directory feature availability](../authentication/feature-availability.md) for Azure Government.
 
 |Feature|Free|Microsoft Entra ID P1|Microsoft Entra ID P2|Microsoft Entra ID Governance|
 |-----|:-----:|:-----:|:-----:|:-----:|