Merge branch 'main' of https://github.com/microsoftdocs/azure-docs-pr into adapter

Author: stevenmatthew

.openpublishing.redirection.json

@@ -34,6 +34,6 @@
             "source_path": "articles/virtual-desktop/azure-stack-hci-faq.yml",
             "redirect_url": "/azure/virtual-desktop/azure-stack-hci",
             "redirect_document_id": false
-        }       
+        }
     ]
 }

.openpublishing.redirection.virtual-desktop.json

@@ -129,7 +129,7 @@ In order to collect the user_agent from client-side, create your own `**ContentD
 To customize the user interface, you specify a URL in the `ContentDefinition` element with customized HTML content. In the self-asserted technical profile or orchestration step, you point to that ContentDefinition identifier.
 
 
-1. Open the `TrustFrameworksExtension.xml` and define a new **ContentDefinition** to customize the [self-asserted technical profile](/azure/active-directory-b2c/self-asserted-technical-profile).
+1. Open the `TrustFrameworksExtension.xml` and define a new **ContentDefinition** to customize the [self-asserted technical profile](./self-asserted-technical-profile.md).
 
 1. Find the `BuildingBlocks` element and add the `**api.selfassertedDeduce**` ContentDefinition:
 
@@ -434,11 +434,11 @@ The **ClaimsSchema** element defines the claim types that can be referenced as p
 
 ### Step 6: Add Deduce ClaimsProvider
 
-A **claims provider** is an interface to communicate with different types of parties via its [technical profiles](/azure/active-directory-b2c/technicalprofiles).
+A **claims provider** is an interface to communicate with different types of parties via its [technical profiles](./technicalprofiles.md).
 
 - `SelfAsserted-UserAgent` self-asserted technical profile is used to collect user_agent from client-side.
 
-- `deduce_insight_api` technical profile sends data to the Deduce RESTful service in an input claims collection and receives data back in an output claims collection. For more information, see [integrate REST API claims exchanges in your Azure AD B2C custom policy](/azure/active-directory-b2c/api-connectors-overview?pivots=b2c-custom-policy)
+- `deduce_insight_api` technical profile sends data to the Deduce RESTful service in an input claims collection and receives data back in an output claims collection. For more information, see [integrate REST API claims exchanges in your Azure AD B2C custom policy](./api-connectors-overview.md?pivots=b2c-custom-policy)
 
 You can define Deduce as a claims provider by adding it to the **ClaimsProvider** element in the extension file of your policy.
 
@@ -709,4 +709,4 @@ For additional information, review the following articles:
 
 - [Custom policies in Azure AD B2C](./custom-policy-overview.md)
 
-- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)
+- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)

articles/active-directory-b2c/partner-deduce.md

@@ -123,6 +123,10 @@
           href: join-ubuntu-linux-vm.md
         - name: SUSE Linux Enterprise
           href: join-suse-linux-vm.md
+    - name: AD authentication through LDAP Linux
+      items:
+        - name: Active Directory authentication non domain joined Linux Virtual Machines
+          href: ad-auth-no-join-linux-vm.md
     - name: Deploy applications
       items:
         - name: Deploy Azure AD Application Proxy

articles/active-directory-domain-services/TOC.yml

@@ -0,0 +1,234 @@
+---
+title: Active Directory authentication non domain joined Linux Virtual Machines
+description: Active Directory authentication non domain joined Linux Virtual Machines.
+services: active-directory-ds
+author: DevOpsStyle
+
+ms.service: active-directory
+ms.subservice: domain-services
+ms.workload: identity
+ms.topic: how-to
+ms.date: 10/12/2022
+ms.author: tommasosacco
+
+---
+
+# Active Directory authentication non domain joined Linux Virtual Machines
+
+Currently Linux distribution can work as member of Active Directory domains, which gives them access to the AD authentication system. To take advantage of AD authentication in some cases, we can avoid the AD join. To let users sign in on Azure Linux VM with Active Directory account you have different choices. One possibility is to Join in Active Directory the VM. Another possibility is to base the authentication flow through LDAP to your Active Directory without Join the VM on AD. This article shows you how to authenticate with AD credential on your Linux system (CentosOS) based on LDAP.
+
+## Prerequisites
+
+To complete the authentication flow we assume, you already have:
+
+* An Active Directory Domain Services already configured.
+* A Linux VM (for the test we use CentosOS based machine).
+* A network infrastructure that allows communication between Active Directory and the Linux VM.
+* A dedicated User Account for read AD objects.
+* The Linux VM need to have these packages installed:
+    - sssd 
+    - sssd-tools 
+    - sssd-ldap
+    - openldap-clients
+* An LDAPS Certificate correctly configured on the Linux VM.
+* A CA Certificate correctly imported into Certificate Store of the Linux VM (the path varies depending on the Linux distro).
+
+## Active Directory User Configuration
+
+To read Users in your Active Directory Domain Services create a ReadOnlyUser in AD. For create a new user follow the steps below:
+
+1. Connect to your *Domain Controller*.
+2. Click *Start*, point to *Administrative Tools*, and then click *Active Directory Users and Computers* to start the Active Directory Users and Computers console.
+3. Click the domain name that you created, and then expand the contents.
+4. Right-click Users, point to *New*, and then click *User*.
+5. Type the first name, last name, and user logon name of the new user, and then click Next. In lab environment we used a user called *ReadOnlyUser*.
+6. Type a *new password*, confirm the password, and then click to select one of the following check boxes if needed:
+    - Users must change password at next logon (recommended for most user)
+    - User cannot change password
+    - Password never expires
+    - Account is disabled (If you disable the account the authentication will fail)
+7. Click *Next*.
+
+Review the information that you provided, and if everything is correct, click Finish.
+
+> [!NOTE]
+> The lab environment is based on:
+> - Windows Server 2016 Domain and Forest Functional Level.
+> - Linux client Centos 8.5.
+
+## Linux Virtual Machines Configuration
+
+> [!NOTE]
+> You must run these command with sudo permission
+
+On your Linux VM, install the following packages: *sssd sssd-tools sssd-ldap openldap-client*:
+
+```console
+yum install -y sssd sssd-tools sssd-ldap openldap-clients
+```
+
+After the installation check if LDAP search works. In order to check it try an LDAP search following the example below:
+
+```console
+ldapsearch -H ldaps://contoso.com -x \
+        -D CN=ReadOnlyUser,CN=Users,DC=contoso,DC=com -w Read0nlyuserpassword \
+        -b CN=Users,DC=contoso,DC=com
+```
+
+If the LDAP query works fine, you will obtain an output with some information like follow:
+
+```console
+extended LDIF
+
+LDAPv3
+base <CN=Users,DC=contoso,DC=com> with scope subtree
+filter: (objectclass=*)
+requesting: ALL
+
+Users, contoso.com
+dn: CN=Users,DC=contoso,DC=com
+objectClass: top
+objectClass: container
+cn: Users
+description: Default container for upgraded user accounts
+distinguishedName: CN=Users,DC=contoso,DC=com
+instanceType: 4
+whenCreated: 20220913115340.0Z
+whenChanged: 20220913115340.0Z
+uSNCreated: 5660
+uSNChanged: 5660
+showInAdvancedViewOnly: FALSE
+name: Users
+objectGUID:: i9MABLytKUurB2uTe/dOzg==
+systemFlags: -1946157056
+objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=contoso,DC=com
+isCriticalSystemObject: TRUE
+dSCorePropagationData: 20220930113600.0Z
+dSCorePropagationData: 20220930113600.0Z
+dSCorePropagationData: 20220930113600.0Z
+dSCorePropagationData: 20220930113600.0Z
+dSCorePropagationData: 16010101000000.0Z
+```
+
+> [!NOTE]
+> If your get and error run the following command:
+>
+> ldapsearch -H ldaps://contoso.com -x \
+>       -D CN=ReadOnlyUser,CN=Users,DC=contoso,DC=com -w Read0nlyuserpassword \
+>       -b CN=Users,DC=contoso,DC=com -d 3
+>
+> Troubleshoot according to the output.
+
+## Create sssd.conf file
+
+Create */etc/sssd/sssd.conf* with a content like the following. Remember to update the *ldap_uri*, *ldap_search_base* and *ldap_default_bind_dn*.
+
+Command for file creation:
+
+```console
+vi /etc/sssd/sssd.conf
+```
+
+Example sssd.conf:
+
+```bash
+[sssd]
+config_file_version = 2
+domains = default
+services = nss, pam
+full_name_format = %1$s
+
+[nss]
+
+[pam]
+
+[domain/default]
+id_provider = ldap
+cache_credentials = True
+ldap_uri = ldaps://contoso.com
+ldap_search_base = CN=Users,DC=contoso,DC=com
+ldap_schema = AD
+ldap_default_bind_dn = CN=ReadOnlyUser,CN=Users,DC=contoso,DC=com
+ldap_default_authtok_type = obfuscated_password
+ldap_default_authtok = generated_password
+
+# Obtain the CA root certificate for your LDAPS connection.
+ldap_tls_cacert = /etc/pki/tls/cacerts.pem
+
+# This setting disables cert verification.
+#ldap_tls_reqcert = allow
+
+# Only if the LDAP directory doesn't provide uidNumber and gidNumber attributes
+ldap_id_mapping = True
+
+# Consider setting enumerate=False for very large directories
+enumerate = True
+
+# Only needed if LDAP doesn't provide homeDirectory and loginShell attributes
+fallback_homedir = /home/%u
+default_shell = /bin/bash
+access_provider = permit
+sudo_provider = ldap
+auth_provider = ldap
+autofs_provider = ldap
+resolver_provider = ldap
+
+```
+
+Save the file with *ESC + wq!* command.
+
+> [!NOTE]
+> If you don't have a valid TLS certificate under */etc/pki/tls/* called *cacerts.pem* the bind doesn't work
+
+## Change permission for sssd.conf and create the obfuscated password
+
+Set the permission to sssd.conf to 600 with the following command:
+
+```console
+chmod 600 /etc/sssd/sssd.conf
+```
+
+After that create an obfuscated password for the Bind DN account. You must insert the Domain password for ReadOnlyUser:
+
+```console
+sss_obfuscate --domain default
+```
+
+The password will be placed automatically in the configuration file.
+
+## Configure the sssd service
+
+Start the sssd service:
+
+```console
+service sssd start
+```
+
+Now configure the service with the *authconfig* tool:
+
+```console
+authconfig --enablesssd --enablesssdauth --enablemkhomedir --updateall
+```
+
+At this point restart the service:
+
+```console
+systemctl restart sssd
+```
+
+## Test the configuration
+
+The final step is to check that the flow works properly. To check this, try logging in with one of your AD users in Active Directory. We tried with a user called *ADUser*. If the configuration is correct, you will get the following result:
+
+```console
+[centosuser@centos8 ~]su - [email protected]
+Last login: Wed Oct 12 15:13:39 UTC 2022 on pts/0
+[ADUser@Centos8 ~]$ exit
+
+```
+Now you are ready to use AD authentication on your Linux VM.
+
+<!-- INTERNAL LINKS -->
+[create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
+[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
+[create-azure-ad-ds-instance]: tutorial-create-instance.md

articles/active-directory-domain-services/ad-auth-no-join-linux-vm.md

@@ -62,9 +62,9 @@ The following table describes the metrics that are available for Azure AD DS.
 
 ## Azure Monitor alert
 
-You can configure metric alerts for Azure AD DS to be notified of possible problems. Metric alerts are one type of alert for Azure Monitor. For more information about other types of alerts, see [What are Azure Monitor Alerts?](/azure/azure-monitor/alerts/alerts-overview). 
+You can configure metric alerts for Azure AD DS to be notified of possible problems. Metric alerts are one type of alert for Azure Monitor. For more information about other types of alerts, see [What are Azure Monitor Alerts?](../azure-monitor/alerts/alerts-overview.md). 
 
-To view and manage Azure Monitor alert, a user needs to be assigned [Azure Monitor roles](/azure/azure-monitor/roles-permissions-security). 
+To view and manage Azure Monitor alert, a user needs to be assigned [Azure Monitor roles](../azure-monitor/roles-permissions-security.md). 
 
 In Azure Monitor or Azure AD DS Metrics, click **New alert** and configure an Azure AD DS instance as the scope. Then choose the metrics you want to measure from the list of available signals:
 
@@ -98,4 +98,4 @@ You can upvote to enable multiple resource selection to correlate data between r
 
 ## Next steps
 
-- [Check the health of an Azure Active Directory Domain Services managed domain](check-health.md)
+- [Check the health of an Azure Active Directory Domain Services managed domain](check-health.md)

articles/active-directory-domain-services/fleet-metrics.md

@@ -75,7 +75,7 @@ Go to the [reference code](https://github.com/AzureAD/SCIMReferenceCode) from Gi
 
 1. If not installed, add [Azure App Service for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureappservice) extension.
 
-1. To deploy the Microsoft.SCIM.WebHostSample app to Azure App Services, [create a new App Services](/azure/app-service/tutorial-dotnetcore-sqldb-app#2---create-the-app-service).
+1. To deploy the Microsoft.SCIM.WebHostSample app to Azure App Services, [create a new App Services](../../app-service/tutorial-dotnetcore-sqldb-app.md#2---create-the-app-service).
 
 1. In the Visual Studio Code terminal, run the .NET CLI command below. This command generates a deployable publish folder for the app in the bin/debug/publish directory.
 

articles/active-directory/app-provisioning/use-scim-to-build-users-and-groups-endpoints.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 08/17/2022
+ms.date: 10/17/2022
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -1308,7 +1308,7 @@ Applications that support the SCIM profile described in this article can be conn
 
 **To connect an application that supports SCIM:**
 
-1. Sign in to the [Azure AD portal](https://aad.portal.azure.com). You can get access a free trial for Azure AD with P2 licenses by signing up for the [developer program](https://developer.microsoft.com/office/dev-program)
+1. Sign in to the [Azure AD portal](https://aad.portal.azure.com). You can get access a free trial for Azure AD with P2 licenses by signing up for the [developer program](https://developer.microsoft.com/microsoft-365/dev-program))
 1. Select **Enterprise applications** from the left pane. A list of all configured apps is shown, including apps that were added from the gallery.
 1. Select **+ New application** > **+ Create your own application**.
 1. Enter a name for your application, choose the option "*integrate any other application you don't find in the gallery*" and select **Add** to create an app object. The new app is added to the list of enterprise applications and opens to its app management screen.

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

@@ -213,6 +213,8 @@ An authentication strength Conditional Access policy works together with [MFA tr
 
 - **Using 'Require one of the selected controls' with 'require authentication strength' control** - After you select authentication strengths grant control and additional controls, all the selected controls must be satisfied in order to gain access to the resource. Using **Require one of the selected controls** isn't applicable, and will default to requiring all the controls in the policy.
 
+- **Authentication loop** - when the user is required to use Microsoft Authenticator (Phone Sign-in) but the user is not registered for this method, they will be given instructions on how to set up the Microsoft Authenticator, that does not include how to enable Passwordless sign-in. As a result, the user can get into an authentication loop. To avoid this issue, make sure the user is registered for the method before the Conditional Access policy is enforced. Phone Sign-in can be registered using the steps outlined here: [Add your work or school account to the Microsoft Authenticator app](https://support.microsoft.com/en-us/account-billing/add-your-work-or-school-account-to-the-microsoft-authenticator-app-43a73ab5-b4e8-446d-9e54-2a4cb8e4e93c)
+
 ## Limitations
 
 - **Conditional Access policies are only evaluated after the initial authentication** -  As a result, authentication strength will not restrict a user's initial authentication. Suppose you are using the built-in phishing-resistant MFA strength. A user can still type in their password, but they will be required to use a phishing-resistant method such as FIDO2 security key before they can continue.

articles/active-directory/authentication/concept-authentication-strengths.md

@@ -43,7 +43,7 @@ The following images show how Azure AD CBA simplifies the customer environment b
 |---------|---------|
 | Great user experience |- Users who need certificate-based authentication can now directly authenticate against Azure AD and not have to invest in federated AD FS.<br>- Portal UI enables users to easily configure how to map certificate fields to a user object attribute to look up the user in the tenant ([certificate username bindings](concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-username-binding-policy))<br>- Portal UI to [configure authentication policies](concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-authentication-binding-policy) to help determine which certificates are single-factor versus multifactor. |
 | Easy to deploy and administer |- Azure AD CBA is a free feature, and you don't need any paid editions of Azure AD to use it. <br>- No need for complex on-premises deployments or network configuration.<br>- Directly authenticate against Azure AD. |
-| Secure |- On-premises passwords don't need to be stored in the cloud in any form.<br>- Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including unphishable [multifactor authentication](concept-mfa-howitworks.md) (MFA which requires [licensed edition](concept-mfa-licensing.md)) and blocking legacy authentication.<br>- Strong authentication support where users can define authentication policies through the certificate fields, such as issuer or policy OID (object identifiers), to determine which certificates qualify as single-factor versus multifactor.<br>- The feature works seamlessly with [Conditional Access features](../conditional-access/overview.md) and authentication strength capability to enforce MFA to help secure your users. |
+| Secure |- On-premises passwords don't need to be stored in the cloud in any form.<br>- Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including Phishing-Resistant [multifactor authentication](concept-mfa-howitworks.md) (MFA requires [licensed edition](concept-mfa-licensing.md)) and blocking legacy authentication.<br>- Strong authentication support where users can define authentication policies through the certificate fields, such as issuer or policy OID (object identifiers), to determine which certificates qualify as single-factor versus multifactor.<br>- The feature works seamlessly with [Conditional Access features](../conditional-access/overview.md) and authentication strength capability to enforce MFA to help secure your users. |
 
 
 ## Supported scenarios