Merge pull request #194112 from MicrosoftDocs/main

4/05 PM Publish

Author: huypub

articles/active-directory/authentication/howto-mfa-nps-extension.md

@@ -107,6 +107,8 @@ When you install the extension, you need the *Tenant ID* and admin credentials f
 The NPS server must be able to communicate with the following URLs over ports 80 and 443:
 
 * *https:\//strongauthenticationservice.auth.microsoft.com*
+* *https:\//strongauthenticationservice.auth.microsoft.us*
+* *https:\//strongauthenticationservice.auth.microsoft.cn*
 * *https:\//adnotifications.windowsazure.com*
 * *https:\//login.microsoftonline.com*
 * *https:\//credentials.azure.com*
@@ -266,14 +268,14 @@ For customers that use the Azure Government or Azure China 21Vianet clouds, the
 
     | Registry key       | Value |
     |--------------------|-----------------------------------|
-    | AZURE_MFA_HOSTNAME | adnotifications.windowsazure.us   |
+    | AZURE_MFA_HOSTNAME | strongauthenticationservice.auth.microsoft.us   |
     | STS_URL            | https://login.microsoftonline.us/ |
 
 1. For Azure China 21Vianet customers, set the following key values:
 
     | Registry key       | Value |
     |--------------------|-----------------------------------|
-    | AZURE_MFA_HOSTNAME | adnotifications.windowsazure.cn   |
+    | AZURE_MFA_HOSTNAME | strongauthenticationservice.auth.microsoft.cn   |
     | STS_URL            | https://login.chinacloudapi.cn/   |
 
 1. Repeat the previous two steps to set the registry key values for each NPS server.
@@ -393,7 +395,7 @@ Verify that AD Connect is running, and that the user is present in both the on-p
 
 ### Why do I see HTTP connect errors in logs with all my authentications failing?
 
-Verify that https://adnotifications.windowsazure.com is reachable from the server running the NPS extension.
+Verify that https://adnotifications.windowsazure.com, https://strongauthenticationservice.auth.microsoft.com is reachable from the server running the NPS extension.
 
 ### Why is authentication not working, despite a valid certificate being present?
 

articles/active-directory/conditional-access/concept-conditional-access-conditions.md

@@ -107,15 +107,18 @@ This setting works with all browsers. However, to satisfy a device policy, like
 | Windows 10 + | Microsoft Edge, [Chrome](#chrome-support), [Firefox 91+](https://support.mozilla.org/kb/windows-sso) |
 | Windows Server 2022 | Microsoft Edge, [Chrome](#chrome-support) |
 | Windows Server 2019 | Microsoft Edge, [Chrome](#chrome-support) |
-| iOS | Microsoft Edge, Safari |
+| iOS | Microsoft Edge, Safari (see the notes) |
 | Android | Microsoft Edge, Chrome |
 | macOS | Microsoft Edge, Chrome, Safari |
 
 These browsers support device authentication, allowing the device to be identified and validated against a policy. The device check fails if the browser is running in private mode or if cookies are disabled. 
 
 > [!NOTE]
-> Edge 85+ requires the user to be signed in to the browser to properly pass device identity. Otherwise, it behaves like Chrome without the accounts extension. This sign-in might not occur automatically in a Hybrid Azure AD Join scenario. 
+> Edge 85+ requires the user to be signed in to the browser to properly pass device identity. Otherwise, it behaves like Chrome without the accounts extension. This sign-in might not occur automatically in a Hybrid Azure AD Join scenario.
+>  
 > Safari is supported for device-based Conditional Access, but it can not satisfy the **Require approved client app** or **Require app protection policy** conditions. A managed browser like Microsoft Edge will satisfy approved client app and app protection policy requirements.
+> On iOS with 3rd party MDM solution only Microsoft Edge browser supports device policy.
+> 
 > [Firefox 91+](https://support.mozilla.org/kb/windows-sso) is supported for device-based Conditional Access, but "Allow Windows single sign-on for Microsoft, work, and school accounts" needs to be enabled. 
 
 #### Why do I see a certificate prompt in the browser

articles/active-directory/enterprise-users/TOC.yml

@@ -4,6 +4,8 @@
   items:
   - name: Azure AD users, groups, and licensing
     href: directory-overview-user-model.md
+  - name: What is delegated administration?
+    href: directory-delegated-administration-primer.md
 - name: Quickstarts
   items:
   - name: Add users to Azure AD
@@ -64,7 +66,7 @@
       href: users-restrict-guest-permissions.md
     - name: Dynamic groups and guests   
       href: ../external-identities/use-dynamic-groups.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
-  - name: Organization
+  - name: Organization (tenant)
     items:
     - name: Azure AD tenant organizations    
       href: ../fundamentals/active-directory-whatis.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context

articles/active-directory/enterprise-users/directory-delegated-administration-primer.md

@@ -0,0 +1,48 @@
+---
+title: Delegated administration in Azure Active Directory
+description: The relationship between older delegated admin permissions and new granular delegated admin permissions in Azure Active Directory
+keywords:
+author: curtand
+manager: karenhoran
+ms.author: curtand
+ms.reviewer: yuank
+ms.date: 03/24/2022
+ms.topic: overview
+ms.service: active-directory
+ms.subservice: enterprise-users
+ms.workload: identity
+services: active-directory
+ms.custom: "it-pro"
+
+#Customer intent: As a new Azure AD identity administrator, access management requires me to understand the permissions of partners who have access to our resources. 
+ms.collection: M365-identity-device-management
+---
+# What is delegated administration?
+
+Managing permissions for external partners is a key part of your security posture. We’ve added capabilities to the Azure Active Directory (Azure AD) admin portal experience so that an administrator can see the relationships that their Azure AD tenant has with Microsoft Cloud Service Providers (CSP) who can manage the tenant. This permissions model is called delegated administration. This article introduces the Azure AD administrator to the relationship between the old Delegated Admin Permissions (DAP) permission model and the new Granular Delegated Admin Permissions (GDAP) permission model.
+
+## Delegated administration relationships
+
+Delegated administration relationships enable technicians at a Microsoft CSP to administer Microsoft services such as Microsoft 365, Dynamics, 365, and Azure on behalf of your organization. These technicians administer these services for you using the same roles and permissions as administrators in your organization. These roles are assigned to security groups in the CSP’s Azure AD tenant, which is why CSP technicians don’t need user accounts in your tenant in order to administer services for you.
+
+There are two types of delegated administration relationships that are visible in the Azure AD admin portal experience. The newer type of delegated admin relationship is known as Granular Delegated Admin Permission. The older type of relationship is known as Delegated Admin Permission. You can see both types of relationship if you sign in to the Azure AD admin portal and then select **Delegated administration**.
+
+## Granular delegated admin permission
+
+When a Microsoft CSP creates a GDAP relationship request for your tenant, a GDAP relationship is created in the tenant when a global administrator approves the request. The GDAP relationship request specifies:
+
+* The CSP partner tenant
+* The roles that the partner needs to delegate to their technicians
+* The expiration date
+
+If you have any GDAP relationships in your tenant, you will see a notification banner on the **Delegated Administration** page in the Azure AD admin portal. Select the notification banner to see and manage GDAP relationships in the **Partners** page in Microsoft Admin Center.
+
+## Delegated admin permission
+
+When a Microsoft CSP creates a DAP relationship request for your tenant, a GDAP relationship is created in the tenant when a global administrator approves the request. All DAP relationships enable the CSP to delegate Global administrator and Helpdesk administrator roles to their technicians. Unlike a GDAP relationship, a DAP relationship persists until they are revoked either by you or by your CSP.
+
+If you have any DAP relationships in your tenant, you will see them in the list on the Delegated Administration page in the Azure AD admin portal. To remove a DAP relationship for a CSP, follow the link to the Partners page in the Microsoft Admin Center.
+
+## Next steps
+
+If you're a beginning Azure AD administrator, get the basics down in [Azure Active Directory Fundamentals](../fundamentals/index.yml).

articles/active-directory/governance/entitlement-management-access-package-first.md

@@ -39,7 +39,7 @@ For a step-by-step demonstration of the process of deploying Azure Active Direct
 
 >[!VIDEO https://www.youtube.com/embed/zaaKvaaYwI4]
 
-This rest of this article uses the Azure portal to configure and demonstrate Azure AD entitlement management.  You can also follow a tutorial to [manage access to resources via Microsoft Graph](/graph/tutorial-access-package-api?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json) or [via PowerShell](/powershell/microsoftgraph/tutorial-entitlement-management?view=graph-powershell-beta).
+This rest of this article uses the Azure portal to configure and demonstrate Azure AD entitlement management. 
 
 ## Prerequisites
 

articles/active-directory/governance/entitlement-management-overview.md

@@ -173,5 +173,4 @@ Here are some example license scenarios to help you determine the number of lice
 
 - If you are interested in using the Azure portal to manage access to resources, see [Tutorial: Manage access to resources - Azure portal](entitlement-management-access-package-first.md).
 - if you are interested in using Microsoft Graph to manage access to resources, see [Tutorial: manage access to resources - Microsoft Graph](/graph/tutorial-access-package-api?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json)
-- If you are interested in using Microsoft PowerShell to manage access to resources, see [Tutorial: manage access to resources - PowerShell](/powershell/microsoftgraph/tutorial-entitlement-management?view=graph-powershell-beta)
 - [Common scenarios](entitlement-management-scenarios.md)

articles/active-directory/governance/identity-governance-automation.md

@@ -208,4 +208,3 @@ There are two places where you can see the expiration date in the Azure portal.
 ## Next steps
 
 - [Create an Automation account using the Azure portal](../../automation/quickstarts/create-account-portal.md)
-- [Manage access to resources in Active Directory entitlement management using Microsoft Graph PowerShell](/powershell/microsoftgraph/tutorial-entitlement-management?view=graph-powershell-beta)

articles/active-directory/hybrid/plan-connect-design-concepts.md

@@ -180,6 +180,9 @@ When you are selecting the attribute for providing the value of UPN to be used i
 
 In express settings, the assumed choice for the attribute is userPrincipalName. If the userPrincipalName attribute does not contain the value you want your users to sign in to Azure, then you must choose **Custom Installation**.
 
+>[!NOTE]
+>It's recommended as a best practice that the UPN prefix contains more than one character.
+
 ### Custom domain state and UPN
 It is important to ensure that there is a verified domain for the UPN suffix.
 

articles/active-directory/roles/delegate-by-task.md

@@ -124,7 +124,7 @@ You can further restrict permissions by assigning roles at smaller scopes or by
 > [!div class="mx-tableFixed"]
 > | Task | Least privileged role | Additional roles |
 > | ---- | --------------------- | ---------------- |
-> | Create Azure AD Domain Services instance | [Application Administrator](../roles/permissions-reference.md#application-administrator) and [Groups Administrator](../roles/permissions-reference.md#groups-administrator)|[Domain Services Contributor](/azure/role-based-access-control/built-in-roles#domain-services-contributor)   |
+> | Create Azure AD Domain Services instance | [Application Administrator](../roles/permissions-reference.md#application-administrator)<br>[Groups Administrator](../roles/permissions-reference.md#groups-administrator)<br> [Domain Services Contributor](/azure/role-based-access-control/built-in-roles#domain-services-contributor)|   |
 > | Perform all Azure AD Domain Services tasks | [AAD DC Administrators group](../../active-directory-domain-services/tutorial-create-management-vm.md#administrative-tasks-you-can-perform-on-a-managed-domain) |  |
 > | Read all configuration | Reader on Azure subscription containing AD DS service |  |
 

articles/aks/coredns-custom.md

@@ -43,15 +43,15 @@ metadata:
   namespace: kube-system
 data:
   test.server: | # you may select any name here, but it must end with the .server file extension
-  <domain to be rewritten>.com:53 {
-  log
-  errors
-  rewrite stop {
-    name regex (.*)\.<domain to be rewritten>.com {1}.default.svc.cluster.local
-    answer name (.*)\.default\.svc\.cluster\.local {1}.<domain to be rewritten>.com
-  }
-  forward . /etc/resolv.conf # you can redirect this to a specific DNS server such as 10.0.0.10, but that server must be able to resolve the rewritten domain name
-}
+    <domain to be rewritten>.com:53 {
+    log
+    errors
+    rewrite stop {
+      name regex (.*)\.<domain to be rewritten>.com {1}.default.svc.cluster.local
+      answer name (.*)\.default\.svc\.cluster\.local {1}.<domain to be rewritten>.com
+    }
+    forward . /etc/resolv.conf # you can redirect this to a specific DNS server such as 10.0.0.10, but that server must be able to resolve the rewritten domain name
+    }
 ```
 
 > [!IMPORTANT]