Merge pull request #191827 from MicrosoftDocs/main

3/15 PM Publish

Author: huypub

.openpublishing.publish.config.json

@@ -528,7 +528,7 @@
     {
       "path_to_root": "azure-sdk-for-go-samples",
       "url": "https://github.com/Azure-Samples/azure-sdk-for-go-samples",
-      "branch": "master",
+      "branch": "main",
       "branch_mapping": {}
     },
     {

articles/active-directory/app-provisioning/use-scim-to-build-users-and-groups-endpoints.md

@@ -99,7 +99,7 @@ The default token validation code is configured to use an Azure AD token and req
 
 After you deploy the SCIM endpoint, you can test to ensure that it's compliant with SCIM RFC. This example provides a set of tests in Postman that validate CRUD (create, read, update, and delete) operations on users and groups, filtering, updates to group membership, and disabling users.
 
-The endpoints are in the `{host}/scim/` directory, and you can use standard HTTP requests to interact with them. To modify the `/scim/` route, see *TokenController.cs* in **SCIMReferenceCode** > **Microsoft.SCIM.WebHostSample** > **Controllers**.
+The endpoints are in the `{host}/scim/` directory, and you can use standard HTTP requests to interact with them. To modify the `/scim/` route, see *ControllerConstant.cs* in **AzureADProvisioningSCIMreference** > **ScimReferenceApi** > **Controllers**.
 
 > [!NOTE]
 > You can only use HTTP endpoints for local tests. The Azure AD provisioning service requires that your endpoint support HTTPS.
@@ -141,4 +141,4 @@ To develop a SCIM-compliant user and group endpoint with interoperability for a
 
 > [!div class="nextstepaction"]
 > [Tutorial: Develop and plan provisioning for a SCIM endpoint](use-scim-to-provision-users-and-groups.md)
-> [Tutorial: Configure provisioning for a gallery app](configure-automatic-user-provisioning-portal.md)
+> [Tutorial: Configure provisioning for a gallery app](configure-automatic-user-provisioning-portal.md)

articles/active-directory/app-proxy/application-proxy-high-availability-load-balancing.md

@@ -28,7 +28,7 @@ Connectors establish their connections based on principles for high availability
 ![Diagram showing connections between users and connectors](media/application-proxy-high-availability-load-balancing/application-proxy-connections.png)
 
 1. A user on a client device tries to access an on-premises application published through Application Proxy.
-2. The request goes through an Azure Load Balancer to determine which Application Proxy service instance should take the request. Per region, there are tens of instances available to accept the request. This method helps to evenly distribute the traffic across the service instances.
+2. The request goes through an Azure Load Balancer to determine which Application Proxy service instance should take the request. There are tens of instances available to accept the requests for all traffic in the region. This method helps to evenly distribute the traffic across the service instances.
 3. The request is sent to [Service Bus](../../service-bus-messaging/index.yml).
 4. Service Bus signals to an available connector. The connector then picks up the request from Service Bus.
    - In step 2, requests go to different Application Proxy service instances, so connections are more likely to be made with different connectors. As a result, connectors are almost evenly used within the group.
@@ -89,4 +89,4 @@ Refer to your software vendor's documentation to understand the load-balancing r
 - [Enable single-sign on](application-proxy-configure-single-sign-on-with-kcd.md)
 - [Enable Conditional Access](./application-proxy-integrate-with-sharepoint-server.md)
 - [Troubleshoot issues you're having with Application Proxy](application-proxy-troubleshoot.md)
-- [Learn how Azure AD architecture supports high availability](../fundamentals/active-directory-architecture.md)
+- [Learn how Azure AD architecture supports high availability](../fundamentals/active-directory-architecture.md)

articles/active-directory/conditional-access/block-legacy-authentication.md

@@ -16,7 +16,7 @@ ms.collection: M365-identity-device-management
 To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols including legacy authentication. However, legacy authentication doesn't support multifactor authentication (MFA). MFA is in many environments a common requirement to address identity theft. 
 
 > [!NOTE]
-> Effective October 1, 2022, we will begin to permanently disable Basic Authentication for Exchange Online in all Microsoft 365 tenants regardless of usage, except for SMTP Authentication.
+> Effective October 1, 2022, we will begin to permanently disable Basic Authentication for Exchange Online in all Microsoft 365 tenants regardless of usage, except for SMTP Authentication. Read more [here](/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online)
 
 Alex Weinert, Director of Identity Security at Microsoft, in his March 12, 2020 blog post [New tools to block legacy authentication in your organization](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#) emphasizes why organizations should block legacy authentication and what other tools Microsoft provides to accomplish this task:
 

articles/active-directory/conditional-access/concept-conditional-access-users-groups.md

@@ -74,7 +74,7 @@ By default the policy will provide an option to exclude the current user from th
 
 ![Warning, don't lock yourself out!](./media/concept-conditional-access-users-groups/conditional-access-users-and-groups-lockout-warning.png)
 
-If you do find yourself locked out[What to do if you are locked out of the Azure portal?](troubleshoot-conditional-access.md#what-to-do-if-you-are-locked-out-of-the-azure-portal)
+If you do find yourself locked out[What to do if you are locked out of the Azure portal?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out-of-the-azure-portal)
 
 ## Next steps
 

articles/active-directory/conditional-access/terms-of-use.md

@@ -355,7 +355,7 @@ Conditional Access policies take effect immediately. When this happens, the admi
 
 ## B2B guests
 
-Most organizations have a process in place for their employees to consent to their organization's terms of use policy and privacy statements. But how can you enforce the same consents for Azure AD business-to-business (B2B) guests when they're added via SharePoint or Teams? Using Conditional Access and terms of use policies, you can enforce a policy directly towards B2B guest users. During the invitation redemption flow, the user is presented with the terms of use policy. This support is currently in preview.
+Most organizations have a process in place for their employees to consent to their organization's terms of use policy and privacy statements. But how can you enforce the same consents for Azure AD business-to-business (B2B) guests when they're added via SharePoint or Teams? Using Conditional Access and terms of use policies, you can enforce a policy directly towards B2B guest users. During the invitation redemption flow, the user is presented with the terms of use policy. 
 
 Terms of use policies will only be displayed when the user has a guest account in Azure AD. SharePoint Online currently has an [ad hoc external sharing recipient experience](/sharepoint/what-s-new-in-sharing-in-targeted-release) to share a document or a folder that doesn't require the user to have a guest account. In this case, a terms of use policy isn't displayed.
 

articles/active-directory/conditional-access/troubleshoot-conditional-access.md

@@ -6,12 +6,12 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: troubleshooting
-ms.date: 10/16/2020
+ms.date: 03/15/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: karenhoran
-ms.reviewer: calebb, martinco
+ms.reviewer: calebb
 
 ms.collection: M365-identity-device-management
 ---
@@ -28,9 +28,9 @@ Organizations should avoid the following configurations:
 **For all users, all cloud apps:**
 
 - **Block access** - This configuration blocks your entire organization.
-- **Require device to be marked as compliant** - For users that have not enrolled their devices yet, this policy blocks all access including access to the Intune portal. If you are an administrator without an enrolled device, this policy blocks you from getting back into the Azure portal to change the policy.
+- **Require device to be marked as compliant** - For users that haven't enrolled their devices yet, this policy blocks all access including access to the Intune portal. If you're an administrator without an enrolled device, this policy blocks you from getting back into the Azure portal to change the policy.
 - **Require Hybrid Azure AD domain joined device** - This policy block access has also the potential to block access for all users in your organization if they don't have a hybrid Azure AD joined device.
-- **Require app protection policy** - This policy block access has also the potential to block access for all users in your organization if you don't have an Intune policy. If you are an administrator without a client application that has an Intune app protection policy, this policy blocks you from getting back into portals such as Intune and Azure.
+- **Require app protection policy** - This policy block access has also the potential to block access for all users in your organization if you don't have an Intune policy. If you're an administrator without a client application that has an Intune app protection policy, this policy blocks you from getting back into portals such as Intune and Azure.
 
 **For all users, all cloud apps, all device platforms:**
 
@@ -42,7 +42,7 @@ The first way is to review the error message that appears. For problems signing
 
 ![Sign in error - compliant device required](./media/troubleshoot-conditional-access/image1.png)
 
-In the above error, the message states that the application can only be accessed from devices or client applications that meet the company's mobile device management policy. In this case, the application and device do not meet that policy.
+In the above error, the message states that the application can only be accessed from devices or client applications that meet the company's mobile device management policy. In this case, the application and device don't meet that policy.
 
 ## Azure AD sign-in events
 
@@ -66,7 +66,7 @@ To find out which Conditional Access policy or policies applied and why do the f
    ![Selecting the Conditional access filter in the sign-ins log](./media/troubleshoot-conditional-access/image3.png)
 
 1. Once the sign-in event that corresponds to the user's sign-in failure has been found select the **Conditional Access** tab. The Conditional Access tab will show the specific policy or policies that resulted in the sign-in interruption.
-   1. Information in the **Troubleshooting and support** tab may provide a clear reason as to why a sign-in failed such as a device that did not meet compliance requirements.
+   1. Information in the **Troubleshooting and support** tab may provide a clear reason as to why a sign-in failed such as a device that didn't meet compliance requirements.
    1. To investigate further, drill down into the configuration of the policies by clicking on the **Policy Name**. Clicking the **Policy Name** will show the policy configuration user interface for the selected policy for review and editing.
    1. The **client user** and **device details** that were used for the Conditional Access policy assessment are also available in the **Basic Info**, **Location**, **Device Info**, **Authentication Details**, and **Additional Details** tabs of the sign-in event.
 
@@ -80,11 +80,9 @@ Selecting the ellipsis on the right side of the policy in a sign-in event brings
 
 The left side provides details collected at sign-in and the right side provides details of whether those details satisfy the requirements of the applied Conditional Access policies. Conditional Access policies only apply when all conditions are satisfied or not configured.
 
-If the information in the event isn't enough to understand the sign-in results or adjust the policy to get desired results, then a support incident may be opened. Navigate to that sign-in event's **Troubleshooting and support** tab and select **Create a new support request**.
+If the information in the event isn't enough to understand the sign-in results or adjust the policy to get desired results, the sign-in diagnostic tool can be used. The sign-in diagnostic can be found under **Basic info** > **Troubleshoot Event**. For more information about the sign-in diagnostic, see the article [What is the sign-in diagnostic in Azure AD](../reports-monitoring/overview-sign-in-diagnostics.md).
 
-![The Troubleshooting and support tab of the Sign-in event](./media/troubleshoot-conditional-access/image6.png)
-
-When submitting the incident, provide the request ID and time and date from the sign-in event in the incident submission details. This information will allow Microsoft support to find the event you're concerned about.
+If you need to submit a support incident, provide the request ID and time and date from the sign-in event in the incident submission details. This information will allow Microsoft support to find the specific event you're concerned about.
 
 ### Conditional Access error codes
 
@@ -96,9 +94,9 @@ When submitting the incident, provide the request ID and time and date from the
 | 53003 | BlockedByConditionalAccess |
 | 53004 | ProofUpBlockedDueToRisk |
 
-## What to do if you are locked out of the Azure portal?
+## What to do if you're locked out of the Azure portal?
 
-If you are locked out of the Azure portal due to an incorrect setting in a Conditional Access policy:
+If you're locked out of the Azure portal due to an incorrect setting in a Conditional Access policy:
 
 - Check is there are other administrators in your organization that aren't blocked yet. An administrator with access to the Azure portal can disable the policy that is impacting your sign-in. 
 - If none of the administrators in your organization can update the policy, submit a support request. Microsoft support can review and upon confirmation update the Conditional Access policies that are preventing access.

articles/active-directory/hybrid/how-to-connect-pta-disable-do-not-configure.md

@@ -1,6 +1,6 @@
 ---
-title: 'Disable PTA when using Azure AD Connect "Do not configure" | Microsoft Docs'
-description: This article describes how to disable PTA with the Azure AD Connect "do not configure" feature.
+title: 'Disable pass-through authentication by using Azure AD Connect or PowerShell | Microsoft Docs'
+description: This article describes how to disable pass-through authentication by using the Azure AD Connect Do Not Configure feature or by using PowerShell.
 services: active-directory
 author: billmath
 manager: karenhoran
@@ -13,52 +13,47 @@ ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
-# Disable PTA 
+# Disable pass-through authentication 
 
-To disable PTA, complete the steps that are described in [Disable PTA when using Azure AD Connect](#disable-pta-when-using-azure-ad-connect) and [Disable PTA in PowerShell](#disable-pta-in-powershell) in this article.
+In this article, you learn how to disable pass-through authentication by using Azure Active Directory (Azure AD) Connect or PowerShell.
 
-## Disable PTA when using Azure AD Connect
+## Prerequisites
 
-If you are using Pass-through Authentication with Azure AD Connect and you have it set to **"Do not configure"**, you can disable it. 
+Before you begin, ensure that you have the following:
 
->[!NOTE]
->If you have PHS already enabled then disabling PTA will result in the tenant fallback to PHS.
+- A Windows machine with pass-through authentication agent version 1.5.1742.0 or later installed. Any earlier version might not have the requisite cmdlets for completing this operation.
 
-Disabling PTA can be done using the following cmdlets. 
+   If you don't already have an agent, you can install it by doing the following:
 
-## Prerequisites
-The following prerequisites are required:
-- Any Windows machine that has the PTA agent installed. 
-- Agent must be at version 1.5.1742.0 or later. 
-- An Azure global administrator account in order to run the PowerShell cmdlets to disable PTA.
+   1. Go to the [Azure portal](https://portal.azure.com).
+   1. Download the latest Auth Agent.
+   1. Install the feature by running either of the following: 
+      * `.\AADConnectAuthAgentSetup.exe`  
+      * `.\AADConnectAuthAgentSetup.exe ENVIRONMENTNAME=<identifier>`
+        > [!IMPORTANT]
+        > If you're using the Azure Government cloud, pass in the ENVIRONMENTNAME parameter with the following value: 
+        >
+        >| Environment Name | Cloud |
+        >| - | - |
+        >| AzureUSGovernment | US Gov |
 
->[!NOTE]
-> If your agent is older then it may not have the cmdlets required to complete this operation. You can get a new agent from Azure Portal an install it on any Windows machine and provide admin credentials. (Installing the agent does not affect the PTA status in the cloud)
+- An Azure global administrator account for running the PowerShell cmdlets.
+
+## Use Azure AD Connect
 
-> [!IMPORTANT]
-> If you are using the Azure Government cloud then you will have to pass in the ENVIRONMENTNAME parameter with the following value. 
->
->| Environment Name | Cloud |
->| - | - |
->| AzureUSGovernment | US Gov|
+If you're using pass-through authentication with Azure AD Connect and you have it set to **Do not configure**, you can disable the setting. 
 
+>[!NOTE]
+>If you already have password hash synchronization enabled, disabling pass-through authentication will result in a tenant fallback to password hash synchronization.
 
-## Disable PTA in PowerShell
+## Use PowerShell
 
-From within a PowerShell session, use the following to disable PTA:
+In a PowerShell session, run the following cmdlets:
 
 1. PS C:\Program Files\Microsoft Azure AD Connect Authentication Agent> `Import-Module .\Modules\PassthroughAuthPSModule`
 2. `Get-PassthroughAuthenticationEnablementStatus`
 3. `Disable-PassthroughAuthentication`
 
-## If you don't have access to an agent
-
-If you do not have an agent machine you can use following command to install an agent.
-
-1. Download the latest Auth Agent from portal.azure.com.
-2. Install the feature: `.\AADConnectAuthAgentSetup.exe` or `.\AADConnectAuthAgentSetup.exe ENVIRONMENTNAME=<identifier>`
-
-
 ## Next steps
 
-- [User sign-in with Azure Active Directory Pass-through Authentication](how-to-connect-pta.md)
+- [User sign-in with Azure AD pass-through authentication](how-to-connect-pta.md)