Merge pull request #227855 from MicrosoftDocs/main

2/17/2023 PM Publish

Author: Taojunshen

articles/active-directory-b2c/identity-provider-generic-saml-options.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 01/13/2022
+ms.date: 02/17/2023
 ms.custom: project-no-code
 ms.author: godonnell
 ms.subservice: B2C
@@ -294,7 +294,7 @@ The following SAML authorization request contains the authentication context cla
 
 ## Include custom data in the authorization request
 
-You can optionally include protocol message extension elements that are agreed to by both Azure AD BC and your identity provider. The extension is presented in XML format. You include extension elements by adding XML data inside the CDATA element `<![CDATA[Your Custom XML]]>`. Check your identity provider’s documentation to see if the extensions element is supported.
+You can optionally include protocol message extension elements that are agreed to by both Azure AD B2C and your identity provider. The extension is presented in XML format. You include extension elements by adding XML data inside the CDATA element `<![CDATA[Your Custom XML]]>`. Check your identity provider’s documentation to see if the extensions element is supported.
 
 The following example illustrates the use of extension data:
 

articles/active-directory/app-provisioning/media/provisioning-workbook/details-1.png

@@ -0,0 +1,143 @@
+---
+title: 'Provisioning insights workbook'
+description: This article describes the Azure Monitor workbook for provisioning.
+services: active-directory
+author: billmath
+manager: amycolannino
+ms.service: active-directory
+ms.topic: conceptual
+ms.workload: identity
+ms.date: 02/17/2023
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+
+
+# Provisioning insights workbook
+The Provisioning workbook provides a flexible canvas for data analysis. This workbook brings together all of the provisioning logs from various sources and allows you to gain insight, in a single area.  The workbook allows you to create rich visual reports within the Azure portal. To learn more, see Azure Monitor Workbooks overview.
+
+This workbook is intended for Hybrid Identity Admins who use provisioning to sync users from various data sources to various data repositories.  It allows admins to gain insights into sync status and details.
+
+This workbook:
+
+- Provides a synchronization summary of users and groups synchronized from all of you provisioning sources to targets
+- Provides and aggregated and detailed view of information captured by the provisioning logs.
+- Allows you to customize the data to tailor it to your specific needs
+
+
+
+## Enabling provisioning logs
+
+You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](../../azure-monitor/overview.md). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md) and [Provisioning Logs for troubleshooting cloud sync](../cloud-sync/how-to-troubleshoot.md).
+
+## Source and Target
+At the top of the workbook, using the drop-down, specify the source and target identities.  
+
+Theses fields are the source and target of identities.  The rest of the filters that appear are based on the selection of source and target.
+You can scope your search so that it is more granular using the additional fields.  Use the table below as a reference for queries.
+
+For example, if you wanted to see data from your cloud sync workflow, your source would be Active Directory and your target would be Azure AD.
+
+
+>[!NOTE]
+>Source and target are required.  If you do not select a source and target, you won't see any data.
+
+:::image type="content" source="media/provisioning-workbook/fields-1.png" alt-text="Screenshot of fields." lightbox="media/provisioning-workbook/fields-1.png":::
+
+
+|Field|Description|
+|-----|-----|
+|Source|The provisioning source repository|
+|Target|The provisioning target repository|
+|Time Range|The range of provisioning information you want to view.  This can be anywhere from 4 hours to 90 days.  You can also set a custom value.|
+|Status|View the provisioning status such as Success or Skipped.|
+|Action|View the provisioning actions taken such as Create or Delete.|
+|App Name|Allows you to filter by the application name.  In the case of Active Directory, you can filter by domains.|
+|Job Id|Allows you to target specific Job Ids.|
+|Sync type|Filter by type of synchronization such as object or password.|
+
+>[!NOTE]
+> All of the charts and grids in Sync Summary, Sync Details, and Sync Details by grid, change based on source,target and the parameter selections. 
+
+
+## Sync Summary  
+The sync summary section provides a summary of your organizations synchronization activities.  These activities include:
+   - Total synced objects by type 
+   - Provisioning events by action
+   - Provisioning events by status
+   - Unique sync count by status
+   - Provisioning success rate
+   - Top provisioning errors
+
+
+ :::image type="content" source="media/provisioning-workbook/sync-summary-1.png" alt-text="Screenshot of the synchronization summary." lightbox="media/provisioning-workbook/sync-summary-1.png":::
+
+## Sync details
+The sync details tab allows you to drill into the synchronization data and get more information.  This information includes:
+   - Objects sync by status
+   - Objects synced by action
+   - Sync log details
+   
+ >[!NOTE] 
+ >The grid is filterable on any of the above filters but you can also click the tiles under under **Objects synced by Status** and **Action**.
+ 
+ :::image type="content" source="media/provisioning-workbook/sync-details-1.png" alt-text="Screenshot of the synchronization details." lightbox="media/provisioning-workbook/sync-details-1.png":::
+
+You can further drill in to the sync log details for additional information.
+
+
+
+>[!NOTE]
+>Clicking on the Source ID it will dive deeper and provide more information on the synchronized object.
+ 
+## Sync details by cycle
+The sync details by cycle tab allow you to get more granular with the synchronization data.  This information includes:
+   - Objects sync by status
+   - Objects synced by action
+   - Sync log details
+ 
+ :::image type="content" source="media/provisioning-workbook/sync-details-2.png" alt-text="Screenshot of the synchronization details by cycle tab." lightbox="media/provisioning-workbook/sync-details-2.png":::
+
+You can further drill in to the sync log details for additional information.
+
+>[!NOTE] 
+>The grid is filterable on any of the above filters but you can also click the tiles under under **Objects synced by Status** and **Action**.
+
+## Single user view
+The user provisioning view tab allows you to get synchronization data on individual users.  
+
+>[!NOTE]
+>This section does not involve using source and target.  
+
+In this section, you enter a time range and select a specific user to see which applications a user has been provisioned or deprovisioned in.
+
+Once you select a time range, it will filter for users that have events in that time range.
+
+
+To target a specific user, you can add one of the following parameters, for that user. 
+   - UPN
+   - UserID
+   
+:::image type="content" source="media/provisioning-workbook/single-user-1.png" alt-text="Screenshot of the single user view." lightbox="media/provisioning-workbook/single-user-1.png":::
+ 
+## Details 
+By clicking on the Source ID in the  **Sync details** or the **Sync details by cycle** views, you can see additional information on the object synchronized.
+
+:::image type="content" source="media/provisioning-workbook/details-1.png" alt-text="Screenshot of the details of an object." lightbox="media/provisioning-workbook/details-1.png":::
+
+## Custom queries
+
+You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](../../azure-monitor/logs/get-started-queries.md). Also, be sure to check out [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md).
+
+## Custom alerts
+
+Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.
+
+To learn more about alerts, see [Azure Monitor Log Alerts](../../azure-monitor/alerts/alerts-log.md).
+
+## Next steps 
+
+- [What is provisioning?](../cloud-sync/what-is-provisioning.md)
+- [Error codes](../cloud-sync/reference-error-codes.md)

articles/active-directory/app-provisioning/media/provisioning-workbook/fields-1.png

@@ -75,6 +75,8 @@ items:
         href: export-import-provisioning-configuration.md  
       - name: Provisioning reports
         href: ../reports-monitoring/concept-provisioning-logs.md?context=%2fazure%2factive-directory%2fapp-provisioning%2fcontext%2fapp-provisioning-context
+      - name: Provisioning insights workbook
+        href: provisioning-workbook.md  
     - name: Workday provisioning scenarios
       items:
       - name: Retrieve pronoun information

articles/active-directory/app-provisioning/media/provisioning-workbook/single-user-1.png

@@ -28,14 +28,14 @@ Smart lockout tracks the last three bad password hashes to avoid incrementing th
 > [!NOTE]
 > Hash tracking functionality isn't available for customers with pass-through authentication enabled as authentication happens on-premises not in the cloud.
 
-Federated deployments that use AD FS 2016 and AD FS 2019 can enable similar benefits using [AD FS Extranet Lockout and Extranet Smart Lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection).
+Federated deployments that use AD FS 2016 and AD FS 2019 can enable similar benefits using [AD FS Extranet Lockout and Extranet Smart Lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection). It is recommended to move to [managed authentication](https://www.microsoft.com/security/business/identity-access/upgrade-adfs).  
 
 Smart lockout is always on, for all Azure AD customers, with these default settings that offer the right mix of security and usability. Customization of the smart lockout settings, with values specific to your organization, requires Azure AD Premium P1 or higher licenses for your users.
 
 Using smart lockout doesn't guarantee that a genuine user is never locked out. When smart lockout locks a user account, we try our best to not lock out the genuine user. The lockout service attempts to ensure that bad actors can't gain access to a genuine user account. The following considerations apply:
 
-* Lockout state across Azure AD data centers are synchronized. The total number of failed sign-in attempts allowed before an account is locked out will also match the configured lockout threshold though there still may be some slight variance before a lockout. Once an account is locked out, they will be locked out everywhere across all Azure AD data centers.
-* Smart Lockout uses familiar location vs unfamiliar location to differentiate between a bad actor and the genuine user. Unfamiliar and familiar locations both have separate lockout counters.
+* Lockout state across Azure AD data centers is synchronized. However, the total number of failed sign-in attempts allowed before an account is locked out will have slight variance from the configured lockout threshold. Once an account is locked out, it will be locked out everywhere across all Azure AD data centers.
+* Smart Lockout uses familiar location vs unfamiliar location to differentiate between a bad actor and the genuine user. Both unfamiliar and familiar locations have separate lockout counters.
 
 Smart lockout can be integrated with hybrid deployments that use password hash sync or pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers. By setting smart lockout policies in Azure AD appropriately, attacks can be filtered out before they reach on-premises AD DS.
 
@@ -66,7 +66,7 @@ Based on your organizational requirements, you can customize the Azure AD smart
 
 To check or modify the smart lockout values for your organization, complete the following steps:
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Entra portal](https://entra.microsoft.com/#home).
 1. Search for and select *Azure Active Directory*, then select **Security** > **Authentication methods** > **Password protection**.
 1. Set the **Lockout threshold**, based on how many failed sign-ins are allowed on an account before its first lockout.
 
@@ -87,7 +87,7 @@ When the smart lockout threshold is triggered, you will get the following messag
 
 *Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.*
 
-When you test smart lockout, your sign-in requests might be handled by different datacenters due to the geo-distributed and load-balanced nature of the Azure AD authentication service. In that scenario, because each Azure AD datacenter tracks lockout independently, it might take more than your defined lockout threshold number of attempts to cause a lockout. A user has a maximum of (*threshold_limit * datacenter_count*) number of bad attempts before being completely locked out.
+When you test smart lockout, your sign-in requests might be handled by different datacenters due to the geo-distributed and load-balanced nature of the Azure AD authentication service. 
 
 Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior won't cause the account to lock out.
 
@@ -97,6 +97,6 @@ In addition to Smart lockout, Azure AD also protects against attacks by analyzin
 
 ## Next steps
 
-To customize the experience further, you can [configure custom banned passwords for Azure AD password protection](tutorial-configure-custom-password-protection.md).
+- To customize the experience further, you can [configure custom banned passwords for Azure AD password protection](tutorial-configure-custom-password-protection.md).
 
-To help users reset or change their password from a web browser, you can [configure Azure AD self-service password reset](tutorial-enable-sspr.md).
+- To help users reset or change their password from a web browser, you can [configure Azure AD self-service password reset](tutorial-enable-sspr.md).