
Commit 375b70d

Merge pull request #98207 from MicrosoftDocs/master
12/06 AM Publish
2 parents 8bd8551 + 6e787b1 commit 375b70d


73 files changed

+545
-377
lines changed


articles/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.md

Lines changed: 0 additions & 1 deletion
@@ -360,6 +360,5 @@ By using `B2CGraphClient`, you have a service application that can manage your B
360360
As you incorporate this functionality into your own application, remember a few key points for B2C applications:
361361

362362
* Grant the application the required permissions in the tenant.
363-
* For now, you need to use ADAL (not MSAL) to get access tokens. (You can also send protocol messages directly, without using a library.)
364363
* When you call the Graph API, use `api-version=1.6`.
365364
* When you create and update consumer users, a few properties are required, as described above.
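Review bot: dropping the ADAL bullet (old line 363) removes the only statement in this list about how to obtain access tokens without putting anything in its place, so the list now jumps from granting permissions to `api-version=1.6` and readers no longer learn which library the sample expects. If ADAL is no longer the recommendation, replace the bullet with the current guidance rather than deleting it silently; if the sample still acquires tokens with ADAL, the bullet should stay.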

articles/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure.md

Lines changed: 1 addition & 1 deletion
@@ -79,7 +79,7 @@ If you are relying on a Virtual Machine (VM) snapshot to create additional VMs,
7979
When deploying non-persistent VDI, IT administrators should pay close attention to managing stale devices in Azure AD. Microsoft recommends that IT administrators implement the guidance below. Failure to do so will result in your directory having lots of stale Hybrid Azure AD joined devices that were registered from your non-persistent VDI platform.
8080

8181
- Create and use a prefix for the display name of the computer that indicates the desktop as VDI-based.
82-
- Implement the following commands as part of logoff script. These commands will trigger a best effort call to Azure AD to delete the device.
82+
- Implement the following command as part of logoff script. This command will trigger a best effort call to Azure AD to delete the device.
8383
- For Windows down-level devices – autoworkplace.exe /leave
8484
- Define and implement process for [managing stale devices](manage-stale-devices.md).
8585
- Once you have a strategy to identify your non-persistent Hybrid Azure AD joined devices, you can be more aggressive on the clean-up of these devices to ensure your directory does not get consumed with lots of stale devices.
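Review bot: with the singular wording at line 82, the only command listed under it (line 83) is scoped to "Windows down-level devices", so the bullet no longer says what the logoff script should run on other Windows versions. State explicitly which versions the `autoworkplace.exe /leave` call covers, or add the corresponding command for current Windows, so the stale-device cleanup guidance is complete. "best effort call" should be hyphenated as "best-effort call" when used as a modifier.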

articles/active-directory/manage-apps/application-provisioning-when-will-provisioning-finish-specific-user.md

Lines changed: 2 additions & 0 deletions
@@ -99,5 +99,7 @@ Summary of factors that influence the time it takes to complete an **initial cyc
9999

100100
- The number and sizes of assigned groups. Syncing assigned groups takes longer than syncing users. Both the number and the sizes of the assigned groups impact performance. If an application has [mappings enabled for group object sync](customize-application-attributes.md#editing-group-attribute-mappings), group properties such as group names and memberships are synced in addition to users. These additional syncs will take longer than only syncing user objects.
101101

102+
- If performance becomes an issue and you are attempting to provision the majority of users and groups in your tenant, use scoping filters. Scoping filters allow you to fine tune the data that the provisioning service extracts from Azure AD by filtering out users based on specific attribute values. For more information on scoping filters, see [Attribute-based application provisioning with scoping filters](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
103+
102104
## Next steps
103105
[Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-app-provisioning)
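Review bot: the link added at line 102 uses an absolute `https://docs.microsoft.com/azure/active-directory/manage-apps/...` URL while the link in the preceding bullet (line 100) uses the relative `customize-application-attributes.md#...` form; use the relative path for consistency and so the docs build validates the target. Also "fine tune" should be "fine-tune".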

articles/active-directory/manage-apps/customize-application-attributes.md

Lines changed: 58 additions & 4 deletions
@@ -74,12 +74,12 @@ Along with this property, attribute-mappings also support the following attribut
7474
- **Only during creation** - Apply this mapping only on user creation actions.
7575

7676
## Matching users in the source and target systems
77-
The Azure AD provisioning service can be deployed in both greenfield (users do not exit in the target system) and brownfield (users already exist in the target system) scenarios. To support both scenarios, the provisioning service uses the concept of matching attribute(s). Matching attribute(s) allow you to determine how to uniquely identify a user in the source and match the user in the target. As part of planning your deployment, identify the attribute that can be used to uniquely identify a user in the source and target systems. Things to note:
77+
The Azure AD provisioning service can be deployed in both "greenfield" scenarios (where users do not exit in the target system) and "brownfield" scenarios (where users already exist in the target system). To support both scenarios, the provisioning service uses the concept of matching attributes. Matching attributes allow you to determine how to uniquely identify a user in the source and match the user in the target. As part of planning your deployment, identify the attribute that can be used to uniquely identify a user in the source and target systems. Things to note:
7878

7979
- **Matching attributes should be unique:** Customers often use attributes such as userPrincipalName, mail, or object ID as the matching attribute.
80-
- **Multiple attributes can be used as matching attributes:** You can define multiple attributes to be evaluated when matching users and the order in which they are evaluated (defined as matching precedence in the UI). If, for example, you define three attributes as matching attributes, and a user is uniquely matched after evaluating the first two attributes, the service will not evaluat the third attribute. The service will evaluate matching attributes in the order specified and stop evaluating when a match is found.
80+
- **Multiple attributes can be used as matching attributes:** You can define multiple attributes to be evaluated when matching users and the order in which they are evaluated (defined as matching precedence in the UI). If, for example, you define three attributes as matching attributes, and a user is uniquely matched after evaluating the first two attributes, the service will not evaluate the third attribute. The service will evaluate matching attributes in the order specified and stop evaluating when a match is found.
8181
- **The value in the source and the target do not have to match exactly:** The value in the target can be some simple function of the value in the source. So, one could have an emailAddress attribute in the source and the userPrincipalName in the target, and match by a function of the emailAddress attribute that replaces some characters with some constant value.
82-
- **Matching based on a combination of attributes is not supported:** Most applications do not support querying based on two properties and therfore it is not possible to match based on a combination of attributes. It is possible to evaluate single properties on after another.
82+
- **Matching based on a combination of attributes is not supported:** Most applications do not support querying based on two properties. Therefore, it is not possible to match based on a combination of attributes. It is possible to evaluate single properties on after another.
8383
- **All users must have a value for at least one matching attribute:** If you define one matching attribute, all users must have a value for that attribute in the source system. If, for example, you define userPrincipalName as the matching attribute, all users must have a userPrincipalName. If you define multiple matching attribute (e.g. extensionAttribute1 and mail), not all users have to have the same matching attribute. One user could have a extensionAttribute1 but not mail while another user could have mail but no extensionAttribute1.
8484
- **The target application must support filtering on the matching attribute:** Application developers allow filtering for a subset of attributes on their user or group API. For applications in the gallery, we ensure that the default attribute mapping is for an attribute that the target application's API does support filtering on. When changing the default matching attribute for the target application, check the third party API documentation to ensure that the attribute can be filtered on.
8585
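Review bot: the rewritten line 77 still says users "do not exit in the target system" (should be "exist"), and line 82 keeps "evaluate single properties on after another" (should be "one after another"); since both lines are already touched by this hunk, fix them here. The unchanged context at line 83 also reads "multiple matching attribute (e.g. extensionAttribute1 and mail)" where "attributes" is meant, and "a extensionAttribute1" should be "an extensionAttribute1".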

@@ -130,7 +130,61 @@ When editing the list of supported attributes, the following properties are prov
130130
- **API Expression** - Don't use, unless instructed to do so by the documentation for a specific provisioning connector (such as Workday).
131131
- **Referenced Object Attribute** - If it's a Reference type attribute, then this menu lets you select the table and attribute in the target application that contains the value associated with the attribute. For example, if you have an attribute named "Department" whose stored value references an object in a separate "Departments" table, you would select "Departments.Name". The reference tables and the primary ID fields supported for a given application are pre-configured and currently can't be edited using the Azure portal, but can be edited using the [Graph API](https://developer.microsoft.com/graph/docs/api-reference/beta/resources/synchronization-configure-with-custom-target-attributes).
132132

133-
To add a new attribute, scroll to the end of the list of supported attributes, populate the fields above using the provided inputs, and select **Add Attribute**. Select **Save** when finished adding attributes. You then need to reload the **Provisioning** tab for the new attributes to become available in the attribute-mapping editor.
133+
#### Provisioning a custom extension attribute to a SCIM compliant application
134+
The SCIM RFC defines a core user and group schema, while also allowing for extensions to the schema to meet your application's needs. To add a custom attribute to a SCIM application:
135+
1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com), select **Enterprise Applications**, select your application, and then select **Provisioning**.
136+
2. Under **Mappings**, select the object (user or group) for which you'd like to add a custom attribute.
137+
3. At the bottom of the page, select **Show advanced options**.
138+
4. Select **Edit attribute list for *application*.
139+
5. At the bottom of the attribute list, enter information about the custom attribute in the fields provided. Then select **Add Attribute**.
140+
141+
For SCIM applications, the attribute name must follow the pattern shown in the example below. The "CustomExtensionName" and "CustomAttribute" can be customized per your application's requirements, for example: urn:ietf:params:scim:schemas:extension:2.0:CustomExtensionName:CustomAttribute
142+
143+
These instructions are only applicable to SCIM-enabled applications. Applications such as ServiceNow and Salesforce are not integrated with Azure AD using SCIM, and therefore they don't require this specific namespace when adding a custom attribute.
144+
145+
Custom attributes can't be referential attributes or multi-value attributes. Custom multi-value extension attributes are currently supported only for applications in the gallery.
146+
147+
**Example representation of a user with an extension attribute:**
148+
149+
```json
150+
{
151+
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
152+
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
153+
"urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User"],
154+
"userName":"bjensen",
155+
"externalId":"bjensen",
156+
"name":{
157+
"formatted":"Ms. Barbara J Jensen III",
158+
"familyName":"Jensen",
159+
"givenName":"Barbara"
160+
},
161+
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
162+
"employeeNumber": "701984",
163+
"costCenter": "4130",
164+
"organization": "Universal Studios",
165+
"division": "Theme Park",
166+
"department": "Tour Operations",
167+
"manager": {
168+
"value": "26118915-6090-4610-87e4-49d8ca9f808d",
169+
"$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d",
170+
"displayName": "John Smith"
171+
}
172+
},
173+
"urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomAttribute:User": {
174+
"CustomAttribute": "701984",
175+
},
176+
"meta": {
177+
"resourceType": "User",
178+
"created": "2010-01-23T04:56:22Z",
179+
"lastModified": "2011-05-13T04:42:34Z",
180+
"version": "W\/\"3694e05e9dff591\"",
181+
"location":
182+
"https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
183+
}
184+
}
185+
```
186+
187+
134188
## Provisioning a role to a SCIM app
135189
Use the steps below to provision roles for a user to your application. Note that the description below is specific to custom SCIM applications. For gallery applications such as Salesforce and ServiceNow, use the pre-defined role mappings. The bullets below describe how to transform the AppRoleAssignments attribute to the format your application expects.
136190
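Review bot: the JSON sample at lines 149-185 is not valid JSON and contradicts the prose. The custom extension object at lines 173-175 has a trailing comma after `"CustomAttribute": "701984",`, and the custom extension URN appears in three different shapes: `urn:ietf:params:scim:schemas:extension:2.0:CustomExtensionName:CustomAttribute` in the prose at line 141, `urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User` in the `schemas` array at line 153, and `urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomAttribute:User` as the object key at line 173. In SCIM the URI listed in `schemas` must be the same string used as the key of the extension object (the enterprise extension at lines 152 and 161 shows this correctly), so pick one form, use it in all three places, and drop the trailing comma. Step 4 at line 138 has unbalanced emphasis (`**Edit attribute list for *application*.`); close the bold marker. "SCIM compliant application" in the heading at line 133 should be "SCIM-compliant application".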


articles/active-directory/privileged-identity-management/pim-configure.md

Lines changed: 1 addition & 1 deletion
@@ -40,7 +40,7 @@ Privileged Identity Management provides time-based and approval-based role activ
4040

4141
Once you set up Privileged Identity Management, you'll see **Tasks**, **Manage**, and **Activity** options in the left navigation menu. As an administrator, you'll choose between managing **Azure AD roles** and **Azure resource** roles. When you choose the type of roles to manage, you see a similar set of options for that role type.
4242

43-
![Screenshot of Privileged Identity Management in the Azure portal](./media/pim-configure/pim-overview.png)
43+
![Screenshot of Privileged Identity Management in the Azure portal](./media/pim-configure/pim-quickstart.png)
4444

4545
## Who can do what?
4646
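Review bot: the only change is the image filename (`pim-overview.png` to `pim-quickstart.png`) at line 43; confirm that `./media/pim-configure/pim-quickstart.png` is added or renamed elsewhere in this PR, because a missing file fails the docs build with a broken image. If the screenshot content changed along with the name, the unchanged alt text "Screenshot of Privileged Identity Management in the Azure portal" may need updating too.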

articles/active-directory/users-groups-roles/directory-admin-roles-secure.md

Lines changed: 2 additions & 2 deletions
@@ -90,7 +90,7 @@ After you have turned on Azure AD Privileged Identity Management:
9090

9191
2. To select the tenant where you want to use Privileged Identity Management, select your user name in the upper right-hand corner of the Azure portal.
9292

93-
3. Select **All services** and filter the list for **Azure AD Privileged Identity Management**.
93+
3. On the Azure portal menu, select **All services** and filter the list for **Azure AD Privileged Identity Management**.
9494

9595
4. Open Privileged Identity Management from the **All services** list and pin it to your dashboard.
9696

@@ -257,7 +257,7 @@ If you’re already using Azure AD Privileged Identity Management, adjust timefr
257257

258258
#### Determine exposure to password-based sign-in protocols (if using Exchange Online)
259259

260-
In the past, protocols assumed that username/password combinations were embedded in devices, email accounts, phones, and so on. But now with the risk for cyber-attacks in the cloud, we recommend you identify every potential user who, if their credentials were compromised, could be catastrophic to the organization, and exclude them from being able to sign in to their email via username/password by implementing strong authentication requirements and Conditional Access. You can block [legacy authentication using Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication). Please check the details on [how to block basic authentication](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online) through Exchnage online.
260+
In the past, protocols assumed that username/password combinations were embedded in devices, email accounts, phones, and so on. But now with the risk for cyber-attacks in the cloud, we recommend you identify every potential user who, if their credentials were compromised, could be catastrophic to the organization, and exclude them from being able to sign in to their email via username/password by implementing strong authentication requirements and Conditional Access. You can block [legacy authentication using Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication). Please check the details on [how to block basic authentication](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online) through Exchange online.
261261

262262
#### Complete a roles review assessment for Office 365 roles (if using Office 365)
263263
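Review bot: "Exchnage" to "Exchange" at line 260 is right, but "Exchange online" should read "Exchange Online" (product name), and the sentence it sits in is a 70-word run-on; splitting it at "and exclude them" would make the recommendation easier to act on. "Please check the details on" can be shortened to "See".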

articles/active-directory/users-groups-roles/directory-manage-roles-portal.md

Lines changed: 2 additions & 2 deletions
@@ -21,11 +21,11 @@ You can now see and manage all the members of the administrator roles in the Azu
2121

2222
## View all roles
2323

24-
In Azure Active Directory, select **Roles and administrators** to see the list of all available roles.
24+
Search for and select **Azure Active Directory**. Select **Roles and administrators** to see the list of all available roles.
2525

2626
Click the ellipsis on the right of each row to open the detailed description of the role.
2727

28-
![list of roles in Azure AD portal](./media/directory-manage-roles-portal/role-list.png)
28+
![list of roles in Azure AD portal](./media/directory-manage-roles-portal/view-roles-in-azure-active-directory.png)
2929

3030
## View my roles
3131
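Review bot: "Search for and select **Azure Active Directory**" at line 24 matches the portal-menu wording used in the other files in this merge, but the unchanged line 26 still says "Click the ellipsis" while the surrounding steps use "select"; change it to "Select the ellipsis" for consistency. Confirm `./media/directory-manage-roles-portal/view-roles-in-azure-active-directory.png` (line 28) is added in this PR, since the old `role-list.png` reference is removed.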

articles/active-directory/users-groups-roles/groups-create-rule.md

Lines changed: 3 additions & 3 deletions
@@ -43,10 +43,10 @@ For examples of syntax, supported properties, operators, and values for a member
4343
## To create a group membership rule
4444

4545
1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with an account that is in the Global administrator, Intune administrator, or User administrator role in the tenant.
46-
1. Select **Groups**.
46+
1. Search for and select **Groups**.
4747
1. Select **All groups**, and select **New group**.
4848

49-
![Select the command to add new group](./media/groups-create-rule/new-group-creation.png)
49+
![Select the command to add new group](./media/groups-create-rule/create-new-group-azure-active-directory.png)
5050

5151
1. On the **Group** page, enter a name and description for the new group. Select a **Membership type** for either users or devices, and then select **Add dynamic query**. The rule builder supports up to five expressions. To add more than five expressions, you must use the text box.
5252
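Review bot: the renamed image at line 49 (`create-new-group-azure-active-directory.png`) needs the file present under `./media/groups-create-rule/` in this PR, or the build reports a broken image. The wording change at line 46 is consistent with "Search for and select" used in the other files in this merge.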

@@ -84,7 +84,7 @@ The following status messages can be shown for **Membership last updated** statu
8484
- **In Progress**: Updates are currently in progress.
8585
- **Unknown**: The last update time can't be retrieved. The group might be new.
8686

87-
If an error occurs while processing the membership rule for a specific group, an alert is shown on the top of the **Overview page** for the group. If no pending dynamic membership updates can be processed for all the groups within the tenant for more then 24 hours, an alert is shown on the top of **All groups**.
87+
If an error occurs while processing the membership rule for a specific group, an alert is shown on the top of the **Overview page** for the group. If no pending dynamic membership updates can be processed for all the groups within the tenant for more than 24 hours, an alert is shown on the top of **All groups**.
8888

8989
![processing error message alerts](./media/groups-create-rule/processing-error.png)
9090
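Review bot: "more then" to "more than" at line 87 is correct; in the same sentence "shown on the top of" (used twice) should be "shown at the top of", and "the **Overview page**" puts the word "page" inside the bolded UI label where the other references bold only the label name.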

articles/active-directory/users-groups-roles/licensing-groups-assign.md

Lines changed: 2 additions & 2 deletions
@@ -37,7 +37,7 @@ In this example, the tenant contains a security group called **HR Department**.
3737

3838
1. Under **All products**, select both Office 365 Enterprise E5 and Enterprise Mobility + Security E3 by selecting the product names. To start the assignment, select **Assign** at the top of the page.
3939

40-
![Select products to assign licenses](./media/licensing-groups-assign/all-products-assign.png)
40+
![Select products to assign licenses](./media/licensing-groups-assign/licenses-all-products-assign.png)
4141

4242
1. On the **Assign license** page, select **Users and groups** to open a list of users and groups.
4343

@@ -85,7 +85,7 @@ When assign licenses to a group, Azure AD processes all existing members of that
8585

8686
1. Select a user to open the user's **Licenses** page. This page shows all licenses that are currently assigned to the user. In this example, the user has the Office 365 Enterprise E1 license that was inherited from the **Kiosk users** group. This conflicts with the E3 license that the system tried to apply from the **HR Department** group. As a result, none of the licenses from that group has been assigned to the user.
8787

88-
![View all license conflicts for a user](./media/licensing-groups-assign/user-license-view.png)
88+
![View all license conflicts for a user](./media/licensing-groups-assign/user-licence-conflicting-service-plans.png)
8989

9090
1. To solve this conflict, remove the user from the **Kiosk users** group. After Azure AD processes the change, the **HR Department** licenses are correctly assigned.
9191
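Review bot: the new image name at line 88, `user-licence-conflicting-service-plans.png`, uses the British spelling "licence" while the directory (`licensing-groups-assign`) and the rest of the article use "license"; rename it to `user-license-conflicting-service-plans.png` before the inconsistency spreads. The unchanged hunk context "When assign licenses to a group" should read "When assigning licenses to a group" (or "When you assign licenses").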
