Commit 1c76f57

Merge branch 'main' into admin-center-app-provisioning-steps-5
2 parents 1f0366b + e8ac0c4 commit 1c76f57

84 files changed

+456
-530
lines changed

.openpublishing.redirection.active-directory.json

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3070,6 +3070,11 @@
30703070
"redirect_url": "/azure/active-directory/conditional-access/concept-condition-filters-for-devices",
30713071
"redirect_document_id": false
30723072
},
3073+
{
3074+
"source_path_from_root": "/articles/active-directory/conditional-access/policy-migration.md",
3075+
"redirect_url": "/azure/active-directory/conditional-access/policy-migration-mfa",
3076+
"redirect_document_id": true
3077+
},
30733078
{
30743079
"source_path_from_root": "/articles/active-directory/conditional-access/best-practices.md",
30753080
"redirect_url": "/azure/active-directory/conditional-access/overview",
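Review bot: the new entry at 3073-3078 redirects policy-migration.md with redirect_document_id set to true, which only makes sense if policy-migration.md is deleted in this same commit; the TOC.yml hunk drops its entry, but the file deletion itself isn't visible here, so confirm it, otherwise a redirect entry for a file that still exists will shadow a live page.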
@@ -3088,7 +3093,7 @@
30883093
{
30893094
"source_path_from_root": "/articles/active-directory/active-directory-conditional-access-migration-mfa.md",
30903095
"redirect_url": "/azure/active-directory/conditional-access/policy-migration-mfa",
3091-
"redirect_document_id": true
3096+
"redirect_document_id": false
30923097
},
30933098
{
30943099
"source_path_from_root": "/articles/active-directory/active-directory-conditional-access-policy-connected-applications.md",
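Review bot: flipping redirect_document_id from true to false at 3091/3096 is the right companion to the new policy-migration.md entry, since two sources both claiming the document id for the same target (/azure/active-directory/conditional-access/policy-migration-mfa) would conflict; worth stating that rationale in the PR description so the next person doesn't "fix" it back to true.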

articles/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md

Lines changed: 6 additions & 0 deletions
@@ -95,5 +95,11 @@ Summary of factors that influence the time it takes to complete an **initial cyc
9595

9696
In most cases, the **incremental cycle** completes in 30 minutes. However, when there are hundreds or thousands of user changes or group membership changes, the incremental cycle time will increase proportionally with the number of changes to process and can take several hours. Using **sync assigned users and groups** and minimizing the number of users / groups in scope for provisioning will help to reduce the sync time.
9797

98+
## Recommendations for reducing the time to provision a user and / or group:
99+
1. Set the provisioning scope to sync `assigned users and groups`, rather than `sync all users and groups`.
100+
2. Minimize the number of users and groups in scope for provisioning.
101+
3. Create multiple provisioning jobs targeting the same system. When doing this, each sync job will operate independently, reducing the time to process changes. Please make sure that the scope of users is distinct between these provisioning jobs to avoid changes from one job impacting another.
102+
4. Add scoping filters to further limit the number of users and groups in scope for provisioning.
103+
98104
## Next steps
99105
[Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](user-provisioning.md)
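Review bot: the new heading at 98 ends with a colon and item 3 at 101 opens with "Please"; docs style drops both (suggest "## Recommendations for reducing the time to provision users and groups" and "Make sure that the scope of users is distinct between these provisioning jobs"). Item 3's scope caveat is the one that matters operationally: consider naming the concrete risk, for example two jobs applying conflicting updates to the same user, rather than the vague "changes from one job impacting another".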

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommu
2020

2121
## Prerequisites
2222
- A Microsoft Entra tenant with Microsoft Entra ID P1 or Premium P2 (or EMS E3 or E5). [!INCLUDE [active-directory-p1-license.md](../../../includes/active-directory-p1-license.md)]
23-
- Administrator role for installing the agent. This task is a one-time effort and should be an Azure account that's either a hybrid administrator or a global administrator.
23+
- Administrator role for installing the agent. This task is a one-time effort and should be an Azure account that's either a Hybrid Identity Administrator or a global administrator.
2424
- Administrator role for configuring the application in the cloud (application administrator, cloud application administrator, global administrator, or a custom role with permissions).
2525
- A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server, with connectivity to the target application, and with outbound connectivity to login.microsoftonline.com, other Microsoft Online Services and Azure domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy.
2626

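Review bot: line 23 now mixes casing ("Hybrid Identity Administrator" next to "global administrator") while line 24 keeps every role name lowercase; pick one convention and apply it to both bullets. "should be an Azure account that's either a Hybrid Identity Administrator or a global administrator" also reads oddly because a role is not an account; suggest "This task is a one-time effort and requires an account that holds the Hybrid Identity Administrator or Global Administrator role."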
articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md

Lines changed: 2 additions & 1 deletion
@@ -120,7 +120,8 @@ Cloud sync will automatically discover your extensions in on-premises Active Dir
120120

121121
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).
122122
2. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect**.
123-
3. Select **Cloud sync** tab.
123+
3. Select **Manage Microsoft Entra cloud sync**.
124+
124125
4. Select the configuration you wish to add the extension attribute and mapping.
125126
5. Under **Manage attributes** select **click to edit mappings**.
126127
6. Click **Add attribute mapping**. The attributes will automatically be discovered.
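Review bot: the blank line added at 124 turns the numbered list into a loose list, so steps 1-6 will render with paragraph spacing between them; drop the blank line unless that spacing is intended. While this list is being touched, step 4 reads "the configuration you wish to add the extension attribute and mapping" and should be "the configuration to which you want to add the extension attribute and mapping".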

articles/active-directory/architecture/backup-authentication-system-apps.md

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ All applications using the OAuth 2.0 and/or OIDC protocols should adhere to the
4545

4646
##### Native applications
4747

48-
Native applications are public client applications that run directly on desktop or mobile devices and not in a web browser. They're registered as public clients in their application registration on the Microsoft Entra ID or Azure portal.
48+
Native applications are public client applications that run directly on desktop or mobile devices and not in a web browser. They're registered as public clients in their application registration on the Microsoft Entra admin center or Azure portal.
4949

5050
Native applications are protected by the backup authentication system when all the following are true:
5151

articles/active-directory/architecture/backup-authentication-system.md

Lines changed: 2 additions & 2 deletions
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
1717
---
1818
# Microsoft Entra ID's backup authentication system
1919

20-
Users and organizations around the world depend on the high availability of Microsoft Entra authentication of users and services 24 hours a day, seven days a week. We promise a 99.99% Service Level availability for authentication, and we continuously seek to improve it by enhancing the resilience of our authentication service. To further improve resilience during outages, we implemented a backup system in 2021.
20+
Organizations around the world depend on the high availability of Microsoft Entra authentication for users and services 24 hours a day, seven days a week. We promise a 99.99% service level availability for authentication, and we continuously seek to improve it by enhancing the resilience of our authentication service. To further improve resilience during outages, we implemented a backup system in 2021.
2121

2222
The Microsoft Entra backup authentication system is made up of multiple backup services that work together to increase authentication resilience if there's an outage. This system transparently and automatically handles authentications for supported applications and services if the primary Microsoft Entra service is unavailable or degraded. It adds an extra layer of resilience on top of the multiple levels of existing redundancy. This resilience is described in the blog post [Advancing service resilience in Microsoft Entra ID with its backup authentication service](https://azure.microsoft.com/blog/advancing-service-resilience-in-azure-active-directory-with-its-backup-authentication-service/). This system syncs authentication metadata when the system is healthy and uses that to enable users to continue to access applications during outages of the primary service while still enforcing policy controls.
2323

@@ -122,7 +122,7 @@ The backup authentication system is supported in all cloud environments except M
122122
| Cornerstone Single Sign-on | No | SAML SP-initiated |
123123
| Docusign | No | SAML SP-initiated |
124124
| Druva | No | SAML SP-initiated |
125-
| F5 BIG-IP ARM Microsoft Entra integration | No | SAML SP-initiated |
125+
| F5 BIG-IP APM Azure AD integration | No | SAML SP-initiated |
126126
| FortiGate SSL VPN | No | SAML SP-initiated |
127127
| Freshworks | No | SAML SP-initiated |
128128
| Gmail | Yes | Protected |
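Review bot: changing ARM to APM at 125 is a correction (the F5 product is BIG-IP Access Policy Manager), but the same line reverts "Microsoft Entra" to "Azure AD", the opposite direction of every other rename in this commit; unless "F5 BIG-IP APM Azure AD integration" is the literal gallery application name this table is keyed on, keep the Entra wording: "| F5 BIG-IP APM Microsoft Entra integration | No | SAML SP-initiated |".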

articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication.md

Lines changed: 2 additions & 2 deletions
@@ -226,8 +226,8 @@ After you configure the servers, you can add Microsoft Entra multifactor authent
226226
Now you're ready to enable [Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md). Staged Rollout helps you to iteratively move your users to either PHS or PTA while also migrating their on-premises MFA settings.
227227

228228
* Be sure to review the [supported scenarios](../hybrid/connect/how-to-connect-staged-rollout.md#supported-scenarios).
229-
* First, you'll need to do either the [prework for PHS](../hybrid/connect/how-to-connect-staged-rollout.md#pre-work-for-password-hash-sync) or the [prework for PTA](../hybrid/connect/how-to-connect-staged-rollout.md#pre-work-for-pass-through-authentication). We recommend PHS.
230-
* Next, you'll do the [prework for seamless SSO](../hybrid/connect/how-to-connect-staged-rollout.md#pre-work-for-seamless-sso).
229+
* First, you'll need to do either the [prework for PHS](../hybrid/connect/how-to-connect-staged-rollout.md#prework-for-password-hash-sync) or the [prework for PTA](../hybrid/connect/how-to-connect-staged-rollout.md#prework-for-pass-through-authentication). We recommend PHS.
230+
* Next, you'll do the [prework for seamless SSO](../hybrid/connect/how-to-connect-staged-rollout.md#prework-for-seamless-sso).
231231
* [Enable the Staged Rollout of cloud authentication](../hybrid/connect/how-to-connect-staged-rollout.md#enable-a-staged-rollout-of-a-specific-feature-on-your-tenant) for your selected authentication method.
232232
* Add the group(s) you created for Staged Rollout. Remember that you'll add users to groups iteratively, and that they can't be dynamic groups or nested groups.
233233

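Review bot: the three anchors at 229-230 move from #pre-work-for-... to #prework-for-..., but how-to-connect-staged-rollout.md is not part of this diff, so nothing here shows that its headings now read "Prework for ..."; verify the target headings were renamed (or the old anchors kept) before merging, because a bad fragment fails silently and just lands the reader at the top of the page.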
articles/active-directory/conditional-access/TOC.yml

Lines changed: 1 addition & 3 deletions
@@ -134,9 +134,7 @@
134134
href: controls.md
135135
- name: Classic policies
136136
items:
137-
- name: Classic policy migrations
138-
href: policy-migration.md
139-
- name: Migrate classic policies
137+
- name: Migrate from classic policies
140138
href: policy-migration-mfa.md
141139
- name: Reference
142140
items:
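Review bot: removing the "Classic policy migrations" entry at 137-138 matches the redirect added for policy-migration.md, and "Migrate from classic policies" is clearer than "Migrate classic policies"; confirm the indentation of the replacement line at 137 matches the sibling "- name:" entry under "items:", since the rendered view here hides leading whitespace and a mis-indented item breaks the TOC build.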

articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md

Lines changed: 2 additions & 2 deletions
@@ -181,7 +181,7 @@ User actions are tasks that can be performed by a user. Currently, Conditional A
181181
- **Register or join devices**: This user action enables administrators to enforce Conditional Access policy when users [register](../devices/concept-device-registration.md) or [join](../devices/concept-directory-join.md) devices to Microsoft Entra ID. It provides granularity in configuring multifactor authentication for registering or joining devices instead of a tenant-wide policy that currently exists. There are three key considerations with this user action:
182182
- `Require multifactor authentication` is the only access control available with this user action and all others are disabled. This restriction prevents conflicts with access controls that are either dependent on Microsoft Entra device registration or not applicable to Microsoft Entra device registration.
183183
- `Client apps`, `Filters for devices` and `Device state` conditions aren't available with this user action since they're dependent on Microsoft Entra device registration to enforce Conditional Access policies.
184-
- When a Conditional Access policy is enabled with this user action, you must set **Microsoft Entra ID** > **Devices** > **Device Settings** - `Devices to be Azure AD joined or Azure AD registered require Multifactor Authentication` to **No**. Otherwise, the Conditional Access policy with this user action isn't properly enforced. More information about this device setting can found in [Configure device settings](../devices/manage-device-identities.md#configure-device-settings).
184+
- When a Conditional Access policy is enabled with this user action, you must set **Identity** > **Devices** > **Overview** > **Device Settings** - `Devices to be Azure AD joined or Azure AD registered require Multifactor Authentication` to **No**. Otherwise, the Conditional Access policy with this user action isn't properly enforced. More information about this device setting can found in [Configure device settings](../devices/manage-device-identities.md#configure-device-settings).
185185

186186
## Traffic forwarding profiles
187187

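Review bot: the rewritten line 184 still carries the typo "can found in" (should be "can be found in"); since the line is being edited anyway, fix it here. Leaving "Azure AD joined or Azure AD registered" inside the backticks is correct, as that is the quoted portal setting name rather than prose, until the UI label itself changes.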
@@ -197,7 +197,7 @@ For example, an organization may keep files in SharePoint sites like the lunch m
197197

198198
### Configure authentication contexts
199199

200-
Authentication contexts are managed under **Microsoft Entra ID** > **Security** > **Conditional Access** > **Authentication context**.
200+
Authentication contexts are managed under **Protection** > **Conditional Access** > **Authentication context**.
201201

202202
:::image type="content" source="media/concept-conditional-access-cloud-apps/conditional-access-authentication-context-get-started.png" alt-text="Screenshot showing the management of authentication contexts." lightbox="media/concept-conditional-access-cloud-apps/conditional-access-authentication-context-get-started.png":::
203203

articles/active-directory/conditional-access/concept-conditional-access-grant.md

Lines changed: 1 addition & 1 deletion
@@ -53,7 +53,7 @@ Selecting this checkbox requires users to perform Microsoft Entra multifactor au
5353

5454
### Require authentication strength
5555

56-
Administrators can choose to require [specific authentication strengths](../authentication/concept-authentication-strengths.md) in their Conditional Access policies. These authentication strengths are defined in the **Azure portal** > **Microsoft Entra ID** > **Security** > **Authentication methods** > **Authentication strengths**. Administrators can choose to create their own or use the built-in versions.
56+
Administrators can choose to require [specific authentication strengths](../authentication/concept-authentication-strengths.md) in their Conditional Access policies. These authentication strengths are defined in the **Microsoft Entra admin center** > **Protection** > **Authentication methods** > **Authentication strengths**. Administrators can choose to create their own or use the built-in versions.
5757

5858
### Require device to be marked as compliant
5959
