MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 20 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 20 additions & 0 deletions
diff --git a/‎articles/active-directory/develop/desktop-quickstart-portal-wpf.md
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory/develop/desktop-quickstart-portal-wpf.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory/develop/msal-android-shared-devices.md
Lines changed: 2 additions & 1 deletion b/‎articles/active-directory/develop/msal-android-shared-devices.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎articles/active-directory/fundamentals/service-accounts-governing-azure.md
Lines changed: 100 additions & 119 deletions b/‎articles/active-directory/fundamentals/service-accounts-governing-azure.md
Lines changed: 100 additions & 119 deletions
diff --git a/‎articles/active-directory/fundamentals/service-accounts-group-managed.md
Lines changed: 44 additions & 52 deletions b/‎articles/active-directory/fundamentals/service-accounts-group-managed.md
Lines changed: 44 additions & 52 deletions
diff --git a/‎articles/active-directory/fundamentals/whats-deprecated-azure-ad.md
Lines changed: 11 additions & 11 deletions b/‎articles/active-directory/fundamentals/whats-deprecated-azure-ad.md
Lines changed: 11 additions & 11 deletions
@@ -14099,6 +14099,26 @@
             "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
             "redirect_document_id": ""
         },
+        {
+            "source_path_from_root": "/articles/search/cognitive-search-tutorial-aml-designer-custom-skill.md",
+            "redirect_url": "/previous-versions/azure/search/cognitive-search-tutorial-aml-designer-custom-skill",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/search/cognitive-search-tutorial-aml-custom-skill.md",
+            "redirect_url": "/previous-versions/azure/search/cognitive-search-tutorial-aml-custom-skill",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/search/cognitive-search-custom-skill-form.md",
+            "redirect_url": "/previous-versions/azure/search/cognitive-search-custom-skill-form",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/search/cognitive-search-custom-skill-python.md",
+            "redirect_url": "/previous-versions/azure/search/cognitive-search-custom-skill-python",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/search/search-get-started-vs-code.md",
             "redirect_url": "/previous-versions/azure/search/search-get-started-vs-code",
 
@@ -13,8 +13,7 @@ ms.author: owenrichards
 ms.custom: aaddev, identityplatformtop40, mode-api
 #Customer intent: As an application developer, I want to learn how my Windows Presentation Foundation (WPF) application can get an access token and call an API that's protected by the Microsoft identity platform.
 ---
-
-# Quickstart: Acquire a token and call the Microsoft Graph API from a Windows desktop app
+# Quickstart: Sign in users and call Microsoft Graph in a Windows desktop app
 
 > [!div renderon="docs"]
 > Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
@@ -24,7 +23,8 @@ ms.custom: aaddev, identityplatformtop40, mode-api
 > We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
 
 > [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
-
+> ## Quickstart: Acquire a token and call the Microsoft Graph API from a Windows desktop application
+>
 > In this quickstart, you download and run a code sample that demonstrates how a Windows Presentation Foundation (WPF) application can sign in users and get an access token to call the Microsoft Graph API. 
 > 
 > See [How the sample works](#how-the-sample-works) for an illustration.
 
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 12/06/2022
+ms.date: 02/06/2023
 ms.author: henrymbugua
 ms.reviewer: brandwe
 ms.custom: aaddev, identitypla | Azuretformtop40
@@ -96,6 +96,7 @@ These Microsoft applications support Azure AD's shared device mode:
 - [Microsoft Teams](/microsoftteams/platform/)
 - [Microsoft Managed Home Screen](/mem/intune/apps/app-configuration-managed-home-screen-app) app for Android Enterprise
 - [Microsoft Edge](/microsoft-edge) (in Public Preview)
+- [Outlook](/mem/intune/apps/app-configuration-policies-outlook) (in Public Preview)
 - [Microsoft Power Apps](/power-apps) (in Public Preview)
 - [Yammer](/yammer) (in Public Preview)
 
 
@@ -1,14 +1,13 @@
 ---
-title: Secure group managed service accounts  | Azure Active Directory
-description: A guide to securing group managed service account (gMSA) computer accounts.
-services: active-directory
-author: janicericketts
+title: Secure group managed service accounts
+description: A guide to securing group managed service accounts (gMSAs) 
+author: jricketts
 manager: martinco
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 08/20/2022
+ms.date: 02/06/2023
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
@@ -17,48 +16,42 @@ ms.collection: M365-identity-device-management
 
 # Secure group managed service accounts
 
-Group managed service accounts (gMSAs) are managed domain accounts that you use to help secure services. gMSAs can run on a single server or on a server farm, such as systems behind a network load balancing or Internet Information Services (IIS) server. After you configure your services to use a gMSA principal, password management for that account is handled by the Windows operating system.
+Group managed service accounts (gMSAs) are domain accounts to help secure services. gMSAs can run on one server, or in a server farm, such as systems behind a network load balancing or Internet Information Services (IIS) server. After you configure your services to use a gMSA principal, account password management is handled by the Windows operating system (OS).
 
-## Benefits of using gMSAs
+## Benefits of gMSAs
 
-gMSAs offer a single identity solution with greater security. At the same time, to help reduce administrative overhead, they:
+gMSAs are an identity solution with greater security that help reduce administrative overhead:
 
-* **Set strong passwords**: gMSAs use 240-byte, randomly generated complex passwords. The complexity and length of gMSA passwords minimizes the likelihood of a service getting compromised by brute force or dictionary attacks.
+* **Set strong passwords** - 240-byte, randomly generated passwords: the complexity and length of gMSA passwords minimizes the likelihood of compromise by brute force or dictionary attacks
+* **Cycle passwords regularly** - password management goes to the Windows OS, which changes the password every 30 days. Service and domain administrators don't need to schedule password changes, or manage service outages.
+* **Support deployment to server farms** - deploy gMSAs to multiple servers to support load balanced solutions where multiple hosts run the same service 
+* **Support simplified service principal name (SPN) management** - set up an SPN with PowerShell, when you create an account. 
+  * In addition, services that support automatic SPN registrations might do so against the gMSA, if the gMSA permissions are set correctly. 
 
-* **Cycle passwords regularly**: gMSAs shift password management to the Windows operating system, which changes the password every 30 days. Service and domain administrators no longer need to schedule password changes or manage service outages to help keep service accounts secure. 
+## Using gMSAs
 
-* **Support deployment to server farms**: The ability to deploy gMSAs to multiple servers allows for the support of load balanced solutions where multiple hosts run the same service. 
-
-* **Support simplified service principal name (SPN) management**: You can set up an SPN by using PowerShell when you create an account. In addition, services that support automatic SPN registrations might do so against the gMSA, provided that the gMSA permissions are correctly set. 
-
-## When to use gMSAs
-
-Use gMSAs as the preferred account type for on-premises services unless a service, such as Failover Clustering, doesn't support it.
+Use gMSAs as the account type for on-premises services unless a service, such as failover clustering, doesn't support it.
 
 > [!IMPORTANT]
-> You must test your service with gMSAs before you deploy it into production. To do so, set up a test environment to ensure that the application can use the gMSA, and then access the resources it needs to access. For more information, see [Support for group managed service accounts](/system-center/scom/support-group-managed-service-accounts).
-
+> Test your service with gMSAs before it goes to production. Set up a test environment to ensure the application uses the gMSA, then accesses resources. For more information, see [Support for group managed service accounts](/system-center/scom/support-group-managed-service-accounts?view=sc-om-2022&preserve-view=true).
 
-If a service doesn't support the use of gMSAs, your next best option is to use a standalone managed service account (sMSA). An sMSA provides the same functionality as a gMSA, but it's intended for deployment on a single server only.
+If a service doesn't support gMSAs, you can use a standalone managed service account (sMSA). An sMSA has the same functionality, but is intended for deployment on a single server.
 
-If you can't use a gMSA or sMSA that's supported by your service, you must configure the service to run as a standard user account. Service and domain administrators are required to observe strong password management processes to help keep the account secure.
+If you can't use a gMSA or sMSA supported by your service, configure the service to run as a standard user account. Service and domain administrators are required to observe strong password management processes to help keep the account secure.
 
-## Assess the security posture of gMSAs
+## Assess gSMA security posture
 
-gMSA accounts are inherently more secure than standard user accounts, which require ongoing password management. However, it's important to consider a gMSA's scope of access as you look at its overall security posture.
-
-Potential security issues and mitigations for using gMSAs are shown in the following table:
+gMSAs are more secure than standard user accounts, which require ongoing password management. However, consider gMSA scope of access in relation to security posture. Potential security issues and mitigations for using gMSAs are shown in the following table:
 
 | Security issue| Mitigation |
 | - | - |
-| gMSA is a member of privileged groups. | <li>Review your group memberships. To do so, you create a PowerShell script to enumerate all group memberships. You can then filter a resultant CSV file by the names of your gMSA files.<li>Remove the gMSA from privileged groups.<li>Grant the gMSA only the rights and permissions it requires to run its service (consult with your service vendor). 
-| gMSA has read/write access to sensitive resources. | <li>Audit access to sensitive resources.<li>Archive audit logs to a SIEM, such as Azure Log Analytics or Microsoft Sentinel, for analysis.<li>Remove unnecessary resource permissions if you detect an undesirable level of access. |
-| | |
+| gMSA is a member of privileged groups | <li>Review your group memberships. Create a PowerShell script to enumerate group memberships. Filter the resultant CSV file by gMSA file names.<li>Remove the gMSA from privileged groups.<li>Grant the gMSA rights and permissions it requires to run its service. See your service vendor. 
+| gMSA has read/write access to sensitive resources | <li>Audit access to sensitive resources.<li>Archive audit logs to a SIEM, such as Azure Log Analytics or Microsoft Sentinel, for analysis.<li>Remove unnecessary resource permissions if there's an unnecessary access level. |
 
 
 ## Find gMSAs
 
-Your organization might already have created gMSAs. To retrieve these accounts, run the following PowerShell cmdlets:
+Your organization might have gMSAs. To retrieve these accounts, run the following PowerShell cmdlets:
 
 ```powershell
 Get-ADServiceAccount 
@@ -70,19 +63,19 @@ Test-ADServiceAccount
 Uninstall-ADServiceAccount
 ```
 
-
-To work effectively, gMSAs must be in the Managed Service Accounts AD container.
-
+### Managed Service Accounts container
 
-![Screen shot of a gMSA account in the managed service accounts container.](./media/securing-service-accounts/secure-gmsa-image-1.png)
+To work effectively, gMSAs must be in the Managed Service Accounts container.
+  
+![Screenshot of a gMSA in the Managed Service Accounts container.](./media/securing-service-accounts/secure-gmsa-image-1.png)
 
-To find service MSAs that might not be in the list, run the following commands:
+To find service MSAs not in the list, run the following commands:
 
 ```powershell
 
 Get-ADServiceAccount -Filter *
 
-# This PowerShell cmdlet will return all managed service accounts (both gMSAs and sMSAs). An administrator can differentiate between the two by examining the ObjectClass attribute on returned accounts.
+# This PowerShell cmdlet returns managed service accounts (gMSAs and sMSAs). Differentiate by examining the ObjectClass attribute on returned accounts.
 
 # For gMSA accounts, ObjectClass = msDS-GroupManagedServiceAccount
 
@@ -95,7 +88,7 @@ Get-ADServiceAccount –Filter * | where-object {$_.ObjectClass -eq "msDS-GroupM
 
 ## Manage gMSAs
 
-To manage gMSA accounts, you can use the following Active Directory PowerShell cmdlets:
+To manage gMSAs, use the following Active Directory PowerShell cmdlets:
 
 `Get-ADServiceAccount`
 
@@ -112,33 +105,32 @@ To manage gMSA accounts, you can use the following Active Directory PowerShell c
 `Uninstall-ADServiceAccount`
 
 > [!NOTE]
-> Beginning with Windows Server 2012, the *-ADServiceAccount cmdlets work with gMSAs by default. For more information about using the preceding cmdlets, see [Get started with group managed service accounts](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts).
+> In Windows Server 2012, and later versions, the *-ADServiceAccount cmdlets work with gMSAs. Learn more: [Get started with group managed service accounts](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts).
 
 ## Move to a gMSA
-gMSA accounts are the most secure type of service account for on-premises needs. If you can move to one, you should. Additionally, consider moving your services to Azure and your service accounts to Azure Active Directory. To move to a gMSA account, do the following:
-
-1. Ensure that the [Key Distribution Service (KDS) root key](/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key) is deployed in the forest. This is a one-time operation.
 
-1. [Create a new gMSA](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts).
+gMSAs are a secure service account type for on-premises. It's recommended you use gMSAs, if possible. In addition, consider moving your services to Azure and your service accounts to Azure Active Directory. 
+  
+To move to a gMSA:
 
-1. Install the new gMSA on each host that runs the service.
+1. Ensure the [Key Distribution Service (KDS) root key](/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key) is deployed in the forest. This is a one-time operation.
+2. [Create a new gMSA](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts).
+3. Install the new gMSA on hosts that run the service.
+   
    > [!NOTE] 
-   > For more information about creating and installing a gMSA on a host, prior to configuring your service to use the gMSA, see [Get started with group managed service accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)).
-
-1. Change your service identity to gMSA, and specify a blank password.
-
-1. Validate that your service is working under the new gMSA identity.
-
-1. Delete the old service account identity.
+   > Before configuring your service to use the gMSA, see [Get started with group managed service accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)).
 
- 
+4. Change your service identity to gMSA.
+5. Specify a blank password.
+6. Validate your service is working under the new gMSA identity.
+7. Delete the old service account identity.
 
 ## Next steps
 
 To learn more about securing service accounts, see the following articles:
 
 * [Introduction to on-premises service accounts](service-accounts-on-premises.md)  
 * [Secure standalone managed service accounts](service-accounts-standalone-managed.md)  
-* [Secure computer accounts](service-accounts-computer.md)  
-* [Secure user accounts](service-accounts-user-on-premises.md)  
+* [Secure computer accounts with Active Directory](service-accounts-computer.md)  
+* [Secure user-based service accounts in Active Directory](service-accounts-user-on-premises.md)  
 * [Govern on-premises service accounts](service-accounts-govern-on-premises.md)
@@ -27,15 +27,17 @@ Use the following table to learn about changes including deprecations, retiremen
    > [!NOTE]
    > Dates and times are United States Pacific Standard Time, and are subject to change. 
 
-|Functionality, feature, or service|Change|New tenant change date |Current tenant change date|
-|---|---|---|---|
-|Microsoft Authenticator app [Number matching](../authentication/how-to-mfa-number-match.md)|Feature change|Feb 27, 2023|Feb 27, 2023|
-|Azure AD DS [virtual network deployments](../../active-directory-domain-services/migrate-from-classic-vnet.md)|Retirement|Mar 1, 2023|Mar 1, 2023|
-|[License management API, PowerShell](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366)|Retirement|Nov 1, 2022|Mar 31, 2023|
-|[Azure AD Authentication Library (ADAL)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Retirement|Jun 30, 2023|Jun 30, 2023|
-|[Azure AD Graph API](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Deprecation|Jun 30, 2023|Jun 30, 2023|
-|[Azure AD PowerShell](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Retirement|Jun 30, 2023|Jun 30, 2023|
-|[Azure AD MFA Server](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Retirement|Sep 30, 2024|Sep 30, 2024|
+|Functionality, feature, or service|Change|Change date |
+|---|---|---:|
+|Microsoft Authenticator app [Number matching](../authentication/how-to-mfa-number-match.md)|Feature change|Feb 27, 2023|
+|Azure AD DS [virtual network deployments](../../active-directory-domain-services/migrate-from-classic-vnet.md)|Retirement|Mar 1, 2023|
+|[License management API, PowerShell](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366)|Retirement|*Mar 31, 2023|
+|[Azure AD Authentication Library (ADAL)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Retirement|Jun 30, 2023|
+|[Azure AD Graph API](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Deprecation|Jun 30, 2023|
+|[Azure AD PowerShell and MSOnline PowerShell](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Deprecation|Jun 30, 2023|
+|[Azure AD MFA Server](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Retirement|Sep 30, 2024|
+
+\* The legacy license management API and PowerShell cmdlets will not work for **new tenants** created after Nov 1, 2022.
 
 
    > [!IMPORTANT]
@@ -58,8 +60,6 @@ Use the definitions in this section help clarify the state, availability, and su
 ### Terminology
 
 * **End-of-life** - engineering investments have ended, and the feature is unavailable to any customer
-* **Current tenant change date** - the change date goes into effect for tenants created before the new tenant change date
-* **New tenant change date** - the change date goes into effect for tenants created after the change date
 
 ## Next steps
 [What's new in Azure Active Directory?](../../active-directory/fundamentals/whats-new.md)