Commit 3755efe

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into varund-july
2 parents 624d5bb + 3077166 commit 3755efe

316 files changed: +6508 -1361 lines changed

articles/active-directory/app-provisioning/inbound-provisioning-api-faqs.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -139,7 +139,7 @@ You can retrieve the unique API endpoint for each job from the Provisioning blad
139139

140140
To process terminations, identify an attribute in your source that will be used to set the ```accountEnabled``` flag in Azure AD. If you are provisioning to on-premises Active Directory, then map that source attribute to the `accountDisabled` attribute.
141141

142-
By default, the value associated with the SCIM User Core schema attribute ```active``` determines the status of the user's account in the target directory.
142+
By default, the value associated with the SCIM Core User schema attribute ```active``` determines the status of the user's account in the target directory.
143143

144144
If the attribute is set to **true**, the default mapping rule enables the account. If the attribute is set to **false**, then the default mapping rule disables the account.
145145
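Review bot: Inline code on the changed line 142 (active) and on context line 140 (accountEnabled) is delimited with triple backticks, while accountDisabled on line 140 uses single backticks. Line 142 is already being touched, so switch it to single backticks there and bring line 140 in line with it, so that attribute names render consistently across the paragraph.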

articles/active-directory/cloud-infrastructure-entitlement-management/all-reports.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -37,13 +37,13 @@ This article provides you with a list and description of the system reports avai
3737
| Report name | Type of the report | File format | Description | Availability | Collated report? |
3838
|----------------------------|-----------------------------------|--------------------------|---------------------------| ----------------------------|----------------------------------|
3939
| Access Key Entitlements and Usage Report | Summary </p>Detailed | CSV | This report displays: </p> - Access key age, last rotation date, and last usage date availability in the summary report. Use this report to decide when to rotate access keys. </p> - Granted task and Permissions creep index (PCI) score. This report provides supporting information when you want to take the action on the keys. | AWS</p>Azure</p>GCP | Yes |
40-
| All Permissions for Identity | Detailed | CSV | This report lists all the assigned permissions for the selected identities. | AWS</p>Azure</p>GCP | N/A |
40+
| All Permissions for Identity | Summary | CSV | This report lists all the assigned permissions for the selected identities. | AWS</p>Azure</p>GCP | N/A |
4141
| Group Entitlements and Usage | Summary | CSV | This report tracks all group level entitlements and the permission assignment, PCI. The number of members is also listed as part of this report. | AWS</p>Azure</p>GCP | Yes |
4242
| Identity Permissions | Summary | CSV | This report tracks any, or specific, task usage per **User**, **Group**, **Role**, or **App**. | AWS</p>Azure</p>GCP | N/A |
4343
| AWS Role Policy Audit | Detailed | CSV | This report gives the list of AWS roles, which can be assumed by **User**, **Group**, **resource** or **AWS Role**. | AWS | N/A |
4444
| Cross Account Access Details| Detailed | CSV | This report helps track **User**, **Group** from other AWS accounts have cross account access to the specified AWS account. | AWS | N/A |
4545
| PCI History | Summary | CSV | This report helps track **Monthly PCI History** for each authorized system. It can be used to plot the trend of the PCI. | AWS</p>Azure</p>GCP | Yes |
46-
| Permissions Analytics Report (PAR) | Detailed | CSV | This report lists the different key findings in the selected authorized systems. The key findings include **Super identities**, **Inactive identities**, **Over-provisioned active identities**, **Storage bucket hygiene**, **Access key age (AWS)**, and so on. </p>This report helps administrators to visualize the findings across the organization and make decisions. | AWS</p>Azure</p>GCP | Yes |
46+
| Permissions Analytics Report (PAR) | Detailed | XSLX, PDF | This report lists the different key findings in the selected authorized systems. The key findings include **Super identities**, **Inactive identities**, **Over-provisioned active identities**, **Storage bucket hygiene**, **Access key age (AWS)**, and so on. </p>This report helps administrators to visualize the findings across the organization and make decisions. | AWS</p>Azure</p>GCP | Yes for XSLX |
4747
| Role/Policy Details | Summary | CSV | This report captures **Assigned/Unassigned** and **Custom/system policy with used/unused condition** for specific or all AWS accounts. </p>Similar data can be captured for Azure and GCP for assigned and unassigned roles. | AWS</p>Azure</p>GCP | No |
4848
| User Entitlements and Usage | Detailed <p>Summary <p> Permissions | CSV | **Summary** This report provides the summary view of all the identities with Permissions Creep Index (PCI), granted and executed tasks per Azure subscription, AWS account, GCP project. </p>**Detailed** This report provides a detailed view of Azure role assignments, GCP role assignments and AWS policy assignment along with Permissions Creep Index (PCI), tasks used by each identity. </p>**Permissions** This report provides the list of role assignments for Azure, GCP and policy assignments in AWS per identity. | AWS</p>Azure</p>GCP | Yes |
4949
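Review bot: "XSLX" on new line 46 is a misspelling of the XLSX extension, and it appears twice in the row: in the File format column ("XSLX, PDF") and in the Collated report column ("Yes for XSLX"). Correct both to XLSX. The Collated report cell also leaves the PDF case unstated, so spell it out in the same Yes/No/N/A vocabulary the other rows use. On line 40 the report type changes from Detailed to Summary while the description stays the same; confirm the description still matches what the summary report contains.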

articles/active-directory/cloud-infrastructure-entitlement-management/ui-triggers.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
2-
title: View information about activity triggers in Permissions Management
3-
description: How to view information about activity triggers in the Activity triggers dashboard in Permissions Management.
2+
title: View information about alerts and alert triggers in Permissions Management
3+
description: How to view information about alerts and alert triggers in the Alerts dashboard in Permissions Management.
44
services: active-directory
55
author: jenniferf-skc
66
manager: amycolannino
@@ -55,6 +55,9 @@ The **Rule-Based Anomaly** tab and the **Statistical Anomaly** tab both have one
5555
- **Columns**: Select the columns you want to display: **Task**, **Resource**, and **Identity**.
5656
- To return to the system default settings, select **Reset to default**.
5757

58+
Alert triggers are based on data collected. All alerts, if triggered, are shown every hour under the Alerts subtab.
59+
60+
5861
## View information about alert triggers
5962

6063
The **Alert Triggers** subtab in the **Activity**, **Rule-Based Anomaly**, **Statistical Anomaly**, and **Permission Analytics** tab displays the following information:
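Review bot: The sentence added at line 58 is ambiguous about timing. "All alerts, if triggered, are shown every hour" can mean that the Alerts subtab refreshes hourly or that a triggered alert can take up to an hour to appear, and the difference matters to anyone who relies on these alerts for detection. State the evaluation or refresh interval explicitly and say which data "data collected" refers to. Lines 59 and 60 add two consecutive blank lines before the heading; one is enough.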

articles/active-directory/develop/msal-net-token-cache-serialization.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -228,10 +228,12 @@ public static async Task<AuthenticationResult> GetTokenAsync(string clientId, X5
228228
Instead of `app.AddInMemoryTokenCache();`, you can use different caching serialization technologies. For example, you can use no-serialization, in-memory, and distributed token cache storage provided by .NET.
229229

230230
<a id="no-token-cache-serialization"></a>
231-
#### Token cache without serialization
231+
#### Token cache without serialization
232232

233-
You can specify that you don't want to have any token cache serialization and instead rely on the MSAL.NET internal cache. Use `.WithCacheOptions(CacheOptions.EnableSharedCacheOptions)` when building the application and don't add any serializer.
234-
r.
233+
Use `.WithCacheOptions(CacheOptions.EnableSharedCacheOptions)` when building the application and don't add any serializer.
234+
235+
> [!IMPORTANT]
236+
> There is no way to control the size of the cache with this option. If you are building a website, a web API, or a multi-tenant S2S app, then use the `In-memory token cache` option.
235237

236238
```CSharp
237239
// Create the confidential client application
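Review bot: New line 233 opens the section with a bare instruction and no statement of what the option does; the removed sentence explained that this choice means no serialization and reliance on the MSAL.NET internal cache. Keep a one-sentence version of that explanation ahead of "Use .WithCacheOptions(CacheOptions.EnableSharedCacheOptions)". In the IMPORTANT note on line 236, "In-memory token cache" is set in code formatting although it names an option described elsewhere in the article, so link to that section instead. The note would also be more useful if it said what follows from being unable to control the cache size in the website, web API, and multi-tenant S2S cases it lists.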

articles/active-directory/develop/publisher-verification-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ App developers must meet a few requirements to complete the publisher verificati
5656

5757
- The Azure AD tenant where the app is registered must be associated with the PGA. If the tenant where the app is registered isn't the primary tenant associated with the PGA, complete the steps to [set up the MPN PGA as a multitenant account and associate the Azure AD tenant](/partner-center/multi-tenant-account#add-an-azure-ad-tenant-to-your-account).
5858

59-
- The app must be registered in an Azure AD tenant and have a [publisher domain](howto-configure-publisher-domain.md) set.
59+
- The app must be registered in an Azure AD tenant and have a [publisher domain](howto-configure-publisher-domain.md) set. The feature is not supported in Azure AD B2C tenant.
6060

6161
- The domain of the email address that's used during MPN account verification must either match the publisher domain that's set for the app or be a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) that's added to the Azure AD tenant. (**NOTE**__: the app's publisher domain can't be *.onmicrosoft.com to be publisher verified)
6262
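Review bot: The sentence appended on line 59, "The feature is not supported in Azure AD B2C tenant.", is missing an article and uses a vague subject. Suggest "Publisher verification isn't supported in Azure AD B2C tenants.", which also matches the contraction style of context line 57 ("isn't the primary tenant"). Because this is a separate restriction from the publisher domain requirement, consider giving it its own bullet. Context line 61 carries a stray "__" after "**NOTE**" that could be cleaned up in the same pass.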

articles/active-directory/enterprise-users/licensing-groups-resolve-problems.md

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -62,11 +62,9 @@ To see which users and groups are consuming licenses, select a product. Under **
6262

6363
**Problem:** One of the products that's specified in the group contains a service plan that conflicts with another service plan that's already assigned to the user via a different product. Some service plans are configured in a way that they can't be assigned to the same user as another, related service plan.
6464

65-
Consider the following example. A user has a license for Office 365 Enterprise *E1* assigned directly, with all the plans enabled. The user has been added to a group that has the Office 365 Enterprise *E3* product assigned to it. The E3 product contains service plans that can't overlap with the plans that are included in E1, so the group license assignment fails with the “Conflicting service plans” error. In this example, the conflicting service plans are:
66-
67-
- Exchange Online (Plan 2) conflicts with Exchange Online (Plan 1).
68-
69-
To solve this conflict, you need to disable one of the plans. You can disable the E1 license that's directly assigned to the user. Or, you need to modify the entire group license assignment and disable the plans in the E3 license. Alternatively, you might decide to remove the E1 license from the user if it's redundant in the context of the E3 license.
65+
> [!TIP]
66+
> Exchange Online Plan1 and Plan2 were previously non-duplicable service plans. However, now they are service plans that can be duplicated.
67+
> If you are experiencing conflicts with these service plans, please try reprocessing them.
7068
7169
The decision about how to resolve conflicting product licenses always belongs to the administrator. Azure AD doesn't automatically resolve license conflicts.
7270
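Review bot: With lines 65 to 69 removed, the Problem statement on line 63 no longer has any resolution guidance, and the retained sentence about the decision belonging to the administrator now follows a tip rather than a list of options. The new tip on lines 65 to 67 tells readers to "try reprocessing them" without saying how or linking to the reprocessing steps; add that link or a short instruction. Conflicts between service plans other than Exchange Online are still covered by the Problem text, so keep a general statement of how to resolve them (disable one of the conflicting plans or remove the redundant license). "Plan1 and Plan2" should be written as "Plan 1 and Plan 2", as the removed text did.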

articles/active-directory/enterprise-users/licensing-powershell-graph-examples.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -249,7 +249,7 @@ foreach ($userId in $skus.Keys) {
249249
250250
Write-Host ""
251251
}
252-
252+
```
253253

254254

255255
## Remove direct licenses for users with group licenses

articles/active-directory/fundamentals/custom-security-attributes-overview.md

Lines changed: 11 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -56,13 +56,19 @@ Currently, you can add custom security attributes for the following Azure AD obj
5656
- Azure AD enterprise applications (service principals)
5757
- Managed identities for Azure resources
5858

59-
## How do custom security attributes compare with directory extensions?
59+
## How do custom security attributes compare with extensions?
6060

61-
Here are some ways that custom security attributes compare with [directory extensions](../develop/active-directory-schema-extensions.md):
61+
While both extensions and custom security attributes can be used to extend objects in Azure AD and Microsoft 365, they are suitable for fundamentally different custom data scenarios. Here are some ways that custom security attributes compare with [extensions](/graph/extensibility-overview):
6262

63-
- Directory extensions cannot be used for authorization scenarios and attributes because the access control for the extension attributes is tied to the Azure AD object. Custom security attributes can be used for authorization and attributes needing access control because the custom security attributes can be managed and protected through separate permissions.
64-
- Directory extensions are tied to an application and share the lifecycle of an application. Custom security attributes are tenant wide and not tied to an application.
65-
- Directory extensions support assigning a single value to an attribute. Custom security attributes support assigning multiple values to an attribute.
63+
| Capability | Extensions | Custom security attributes |
64+
|--|--|--|
65+
| Extend Azure AD and Microsoft 365 objects | Yes | Yes |
66+
| Supported objects | Depends on the extension type | Users and service principals |
67+
| Restricted access | No. Anyone with permissions to read the object can read the extension data. | Yes. Read and write access is restricted through a separate set of permissions and RBAC. |
68+
| When to use | Store data to be used by an application <br/> Store non-sensitive data | Store sensitive data <br/> Use for authorization scenarios |
69+
| License requirements | Available in all editions of Azure AD | Requires an Azure AD Premium P1 or P2 license |
70+
71+
For more information about working with extensions, see [Add custom data to resources using extensions](/graph/extensibility-overview).
6672

6773
## Steps to use custom security attributes
6874
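Review bot: The table added on lines 63 to 69 drops two distinctions that the removed bullets stated: that directory extensions are tied to an application and share its lifecycle while custom security attributes are tenant wide, and that extensions take a single value while custom security attributes take multiple values. If those still hold, add them as rows; if they no longer hold, say so in the commit description. The "Supported objects" cell lists "Users and service principals", but context lines 56 and 57 just above list enterprise applications (service principals) and managed identities, so align the wording. Renaming the heading on line 59 changes its anchor, so check for inbound links to the old one. The /graph/extensibility-overview link appears on both line 61 and line 71; one is enough.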

articles/active-directory/fundamentals/users-default-permissions.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -143,6 +143,10 @@ Users can perform the following actions on owned enterprise applications. An ent
143143
| microsoft.directory/servicePrincipals/permissions/update | Update the `servicePrincipals.permissions` property in Azure AD. |
144144
| microsoft.directory/servicePrincipals/policies/update | Update the `servicePrincipals.policies` property in Azure AD. |
145145
| microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on sign-in reports in Azure AD. |
146+
| microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials |
147+
| microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs |
148+
| microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema |
149+
| microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal |
146150

147151
#### Owned devices
148152
