Merge branch 'MicrosoftDocs:main' into main

Author: husamhilal

.openpublishing.redirection.azure-monitor.json

@@ -45,6 +45,26 @@
             "redirect_url": "/azure/azure-monitor/app/app-insights-overview",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/tutorial-runtime-exceptions.md",
+            "redirect_url": "/previous-versions/azure/azure-monitor/app/tutorial-runtime-exceptions",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/tutorial-performance.md",
+            "redirect_url": "/previous-versions/azure/azure-monitor/app/tutorial-performance",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/tutorial-users.md",
+            "redirect_url": "/previous-versions/azure/azure-monitor/app/tutorial-users",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/custom-data-correlation.md",
+            "redirect_url": "/previous-versions/azure/azure-monitor/app/custom-data-correlation",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/app/correlation.md",
             "redirect_url": "/previous-versions/azure/azure-monitor/app/distributed-tracing-telemetry-correlation",

articles/active-directory/fundamentals/whats-deprecated-azure-ad.md

@@ -9,7 +9,7 @@ ms.workload: identity
 ms.topic: conceptual
 ms.date: 01/27/2023
 ms.author: jricketts
-ms.reviewer: ramical
+ms.reviewer: merill
 ms.custom: it-pro
 
 ---
@@ -30,12 +30,25 @@ Use the following table to learn about changes including deprecations, retiremen
 |Functionality, feature, or service|Change|Change date |
 |---|---|---:|
 |Microsoft Authenticator app [Number matching](../authentication/how-to-mfa-number-match.md)|Feature change|May 8, 2023|
-|Azure AD DS [virtual network deployments](../../active-directory-domain-services/migrate-from-classic-vnet.md)|Retirement|Mar 1, 2023|
+|[My Groups experience](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|May 2023|
+|[My Apps browser extension](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|May 2023|
+|[System-preferred authentication methods](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|On GA|
+|[Azure AD Authentication Library (ADAL)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Jun 30, 2023|
+|[Azure AD Graph API](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Deprecation|Jun 30, 2023|
+|[Azure AD PowerShell and MSOnline PowerShell](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Deprecation|Jun 30, 2023|
+|[My Apps improvements](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|Jun 30, 2023|
+|[Terms of Use experience](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|Jul 2023|
+|[Azure AD MFA Server](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Sep 30, 2024|
+|[Legacy MFA & SSPR policy](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Sep 30, 2024|
+|[‘Require approved client app’ Conditional Access Grant](https://aka.ms/RetireApprovedClientApp)|Retirement|Mar 31, 2026|
+
+
+## Past changes
+
+|Functionality, feature, or service|Change|Change date |
+|---|---|---:|
+|[Azure AD Domain Services virtual network deployments](../../active-directory-domain-services/migrate-from-classic-vnet.md)|Retirement|Mar 1, 2023|
 |[License management API, PowerShell](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366)|Retirement|*Mar 31, 2023|
-|[Azure AD Authentication Library (ADAL)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Retirement|Jun 30, 2023|
-|[Azure AD Graph API](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Deprecation|Jun 30, 2023|
-|[Azure AD PowerShell and MSOnline PowerShell](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Deprecation|Jun 30, 2023|
-|[Azure AD MFA Server](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Retirement|Sep 30, 2024|
 
 \* The legacy license management API and PowerShell cmdlets will not work for **new tenants** created after Nov 1, 2022.
 
@@ -51,11 +64,9 @@ Use the definitions in this section help clarify the state, availability, and su
 
 |Category|Definition|Communication schedule|
 |---|---|---|
-|Deprecation|The state of a feature, functionality, or service no longer in active development. A deprecated feature might be retired and removed from future releases.|2 times per year: March and September|
-|Retirement|Signals retirement in a specified period. Customers can’t adopt the service or feature, and engineering investments are reduced. Later, the feature reaches end-of-life and is unavailable to any customer.|2 times per year: March and September|
+|Retirement|Signals retirement of a feature, capability, or product in a specified period. Customers can’t adopt the service or feature, and engineering investments are reduced. Later, the feature reaches end-of-life and is unavailable to any customer.|2 times per year: March and September|
 |Breaking change|A change that might break the customer or partner experience if action isn’t taken, or a change made, for continued operation.|4 times per year: March, June, September, and December|
-|Feature change|Change to an IDNA feature that requires no customer action, but is noticeable to them. Typically, these changes are in the user interface/user experperience (UI/UX).|4 times per year: March, June, September, and December|
-|Rebranding|A new name, term, symbol, design, concept or combination thereof for an established brand to develop a differentiated experience.|As scheduled or announced|
+|Feature change|Change to an existing Identity feature that requires no customer action, but is noticeable to them. Typically, these changes are in the user interface/user experperience (UI/UX).|4 times per year: March, June, September, and December|
 
 ### Terminology
 

articles/active-directory/saas-apps/alinto-protect-provisioning-tutorial.md

@@ -41,7 +41,7 @@ The scenario outlined in this tutorial assumes that you already have the followi
 
 ## Step 2. Configure Cleanmail to support provisioning with Azure AD
 
-Contact [Cleanmail Support](https://www.alinto.com/contact-email-provider/) to configure Alinto to support provisioning with Azure AD.
+Contact [Cleanmail Support](https://www.alinto.com/contact-email-provider/) to configure Cleanmail to support provisioning with Azure AD.
 
 ## Step 3. Add Cleanmail from the Azure AD application gallery
 

articles/active-directory/saas-apps/salesforce-provisioning-tutorial.md

@@ -119,7 +119,7 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti
     * The credentials used have admin access to Salesforce.
     * The version of Salesforce that you are using supports Web Access (e.g. Developer, Enterprise, Sandbox, and Unlimited editions of Salesforce.)
     * Web API access is enabled for the user.
-* The Azure AD provisioning service supports provisioning language, locale, and timeZone for a user. These attributes are in the default attribute mappings but do not have a default source attribute. Ensure that you select the default source attribute and that the source attribute is in the format expected by SalesForce. For example, localeSidKey for english(UnitedStates) is en_US. Review the guidance provided [here](https://help.salesforce.com/articleView?id=setting_your_language.htm&type=5) to determine the proper localeSidKey format. The languageLocaleKey formats can be found [here](https://help.salesforce.com/articleView?id=faq_getstart_what_languages_does.htm&type=5). In addition to ensuring that the format is correct, you may need to ensure that the language is enabled for your users as described [here](https://help.salesforce.com/articleView?id=setting_your_language.htm&type=5). 
+* The Azure AD provisioning service supports provisioning language, locale, and timeZone for a user. These attributes are in the default attribute mappings but do not have a default source attribute. Ensure that you select the default source attribute and that the source attribute is in the format expected by SalesForce. For example, localeSidKey for english(UnitedStates) is en_US. Review the guidance provided [here](https://help.salesforce.com/articleView?id=faq_getstart_what_languages_does.htm&type=5) to determine the proper localeSidKey format. The languageLocaleKey formats can be found [here](https://help.salesforce.com/articleView?id=faq_getstart_what_languages_does.htm&type=5). In addition to ensuring that the format is correct, you may need to ensure that the language is enabled for your users as described [here](https://help.salesforce.com/articleView?id=faq_getstart_what_languages_does.htm&type=5). 
 * **SalesforceLicenseLimitExceeded:** The user could not be created in the target application because there are no available licenses for this user. Either procure additional licenses for the target application, or review your user assignments and attribute mapping configuration to ensure that the correct users are assigned with the correct attributes.
 * **SalesforceDuplicateUserName:** The user cannot be provisioned because it has a Salesforce.com 'Username' that is duplicated in another Salesforce.com tenant.  In Salesforce.com, values for the 'Username' attribute must be unique across all Salesforce.com tenants.  By default, a user’s userPrincipalName in Azure Active Directory becomes their 'Username' in Salesforce.com.   You have two options.  One option is to find and rename the user with the duplicate 'Username' in the other Salesforce.com tenant, if you administer that other tenant as well.  The other option is to remove access from the Azure Active Directory user to the Salesforce.com tenant with which your directory is integrated. We will retry this operation on the next synchronization attempt. 
 * **SalesforceRequiredFieldMissing:** Salesforce requires certain attributes to be present on the user to successfully create or update the user. This user is missing one of the required attributes. Ensure that attributes such as email and alias are populated on all users that you would like to be provisioned into Salesforce. You can scope users that don't have these attributes out using [attribute based scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 

articles/active-directory/verifiable-credentials/TOC.yml

@@ -83,6 +83,11 @@
     href: https://github.com/Azure-Samples/active-directory-verifiable-credentials
   - name: End to End Demo
     href: https://woodgroveemployee.azurewebsites.net/
+- name: Architecture and Deployment
+  expanded: true
+  items:
+  - name: Remote onboarding
+    href: remote-onboarding-new-employees-id-verification.md
 - name: Reference
   expanded: true
   items:

articles/active-directory/verifiable-credentials/media/remote-onboarding-new-employees-id-verification/high-level-flow-diagram.png

@@ -0,0 +1,56 @@
+---
+title: Onboard new remote employees using ID verification
+description: A design pattern describing how to onboard new employees remotely
+services: decentralized-identity
+author: barclayn
+manager: amycolannino
+ms.service: decentralized-identity
+ms.subservice: verifiable-credentials
+ms.topic: conceptual
+ms.date: 04/06/2023
+ms.author: barclayn
+---
+
+
+# Onboard new remote employees using ID verification
+
+Enterprises onboarding users face significant challenges onboarding remote users who are not yet inside the trust boundary. Microsoft Entra Verified ID can help customers facing these scenarios because it can use government issued ID based attestations as a way to establish trust. 
+
+## When to use this pattern
+
+- You have a modern Human resources (HR) system with API support. 
+- Your HR system allows programmatic integration to query the HR system to do a reliable matching of user profiles.
+- Your organization has already started their passwordless journey.
+
+## Solution
+
+1. A custom portal for new employee onboarding.
+
+2. A backend job provides new hires with a uniquely identifiable link to the employee onboarding portal from (A) that represents the new hire’s specific process. For this use case, the account for the new hire should already be provisioned in Azure AD. Consider using [Lifecycle Workflows](../governance/what-are-lifecycle-workflows.md) as the triggering point of this flow.
+
+3. New hires select the link to the portal in (A) above and are guided through a wizard-like experience:
+  1. New Hires are redirected to acquire a verified ID from the Identity verification partner (also referred to IDV. To learn more about the identity verification partners: <https://aka.ms/verifiedidisv>)
+  2. New Hires present the Verified ID acquired in Step 1
+  3. System receives the claims from identity verification partner, looks up the user account for the new hire and performs the validation.
+  4. System executes the onboarding logic to locate the Azure AD account of the user, and [generate a temporary access pass using MS Graph](/graph/api/resources/temporaryaccesspassauthenticationmethod?view=graph-rest-1.0&preserve-view=true).
+
+![Diagram showing a high-level flow.](media/remote-onboarding-new-employees-id-verification/high-level-flow-diagram.png)
+
+## Issues and considerations
+
+- The link used to initiate the process needs to meet some criteria:
+    - The link should be specific to each remote employee.
+    - The link should be valid for only a short period of time. 
+    - It should become invalid after a user finishes going through the flow.
+    - The link should be designed to correlate to a unique HR record identifier
+- An Azure AD account should be pre-created for every user. The account should be used as part of the site's request validation process.
+- Administrators frequently deal with discrepancies between users' information held in a company's IT systems, like human resource applications or identity management solutions, and the information the users provide. For example, an employee might have “James” as their first name but their profile has their name as “Jim”. For those scenarios:
+   1. At the beginning of the HR process, candidates must use their name exactly as it appears in government issued documents. Taking this approach simplifies validation logic.
+   1. Design validation logic to include attributes that are more likely to have an exact match against the HR system. Common attributes include street address, date of birth, nationality, national identification number (if applicable), in addition to first and last name.
+   1. As a fallback, plan for human review to work through ambiguous/non-conclusive results. This process might include temporarily storing the attributes presented in the VC, phone call with the user, etc.
+- Multinational organizations, may need to work with different identity proofing partners based on the region of the user.
+- Assume that the initial interaction between the user and the onboarding partner is untrusted. The onboarding portal should generate detailed logs for all requests processed that could be used for auditing purposes.
+
+## Additional resources
+
+- Public architecture document for generalized account onboarding: [Plan your Microsoft Entra Verified ID verification solution](plan-verification-solution.md#account-onboarding)