Commit 4a120ec

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into yelevin/automation-logicapps
2 parents 4eda4ca + 914a5d1 commit 4a120ec

406 files changed

+4350
-3847
lines changed

.openpublishing.publish.config.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -885,6 +885,7 @@
885885
"redirection_files": [
886886
".openpublishing.redirection.json",
887887
".openpublishing.redirection.active-directory.json",
888+
".openpublishing.redirection.azure-blob.json",
888889
".openpublishing.redirection.azure-sql.json",
889890
"articles/data-factory/.openpublishing.redirection.data-factory.json",
890891
".openpublishing.redirection.defender-for-cloud.json",
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
{
2+
"redirections": [
3+
{
4+
"source_path_from_root": "/articles/storage/blobs/storage-upload-process-images.md",
5+
"redirect_url": "/azure/storage/blobs/blob-upload-function-trigger",
6+
"redirect_document_id": false
7+
},
8+
{
9+
"source_path_from_root": "/articles/storage/blobs/storage-secure-access-application.md",
10+
"redirect_url": "/azure/storage/blobs/blob-upload-function-trigger",
11+
"redirect_document_id": true
12+
},
13+
{
14+
"source_path_from_root": "/articles/storage/blobs/storage-monitor-troubleshoot-storage-application.md",
15+
"redirect_url": "/azure/storage/blobs/blob-upload-function-trigger",
16+
"redirect_document_id": false
17+
}
18+
]
19+
}
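
Review bot: the entry for `storage-secure-access-application.md` sends a page whose file name indicates secure-access guidance to `/azure/storage/blobs/blob-upload-function-trigger`, the same target as the image-upload tutorial. Confirm the target still covers that material, or redirect this source to an article that does, so existing inbound links to the security guidance do not land on an unrelated tutorial. Also, `redirect_document_id` is `true` only for that entry and `false` for the other two although all three share one `redirect_url`; if the asymmetry is intentional, say so in the PR description, otherwise make the entries consistent.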

articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ manager: karenhoran
77
ms.service: active-directory
88
ms.workload: identity
99
ms.topic: overview
10-
ms.date: 04/04/2022
10+
ms.date: 04/11/2022
1111
ms.subservice: hybrid
1212
ms.author: billmath
1313
ms.collection: M365-identity-device-management
@@ -138,8 +138,21 @@ You can also check whether all the required ports are open.
138138
- Microsoft Azure AD Connect Agent Updater
139139
- Microsoft Azure AD Connect Provisioning Agent Package
140140

141+
### Provisioning agent history
142+
This article lists the versions and features of Azure Active Directory Connect Provisioning Agent that have been released. The Azure AD team regularly updates the Provisioning Agent with new features and functionality. Please ensure that you do not use the same agent for on-prem provisioning and Cloud Sync / HR-driven provisioning.
141143

144+
Microsoft provides direct support for the latest agent version and one version before.
142145

146+
## Download link
147+
You can download the latest version of the agent using [this link](https://aka.ms/onpremprovisioningagent).
148+
149+
## 1.1.846.0
150+
151+
April 11th, 2022 - released for download
152+
153+
### Fixed issues
154+
155+
- We added support for ObjectGUID as an anchor for the generic LDAP connector when provisioning users into AD LDS.
143156

144157

145158
## Next steps
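
Review bot: the heading levels in the added block are inverted: `### Provisioning agent history` is followed by `## Download link` and `## 1.1.846.0`, which sit a level above their parent and will show up in the article outline as siblings of `## Next steps`. Demote them to `####`, or promote the parent to `##`. The opening sentence "This article lists the versions and features" reads as carried over from a version-history page and does not fit an architecture overview. The single item under `### Fixed issues` describes added support for ObjectGUID as an anchor, which is a new capability rather than a fix. The warning against using the same agent for on-prem provisioning and Cloud Sync / HR-driven provisioning would be easier to find in its own callout than at the end of the intro paragraph.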

articles/active-directory/external-identities/external-collaboration-settings-configure.md

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: B2B
88
ms.topic: how-to
9-
ms.date: 01/31/2022
9+
ms.date: 04/11/2022
1010

1111
ms.author: mimart
1212
author: msmimart
@@ -37,6 +37,8 @@ For B2B collaboration with other Azure AD organizations, you should also review
3737

3838
1. Under **Guest user access**, choose the level of access you want guest users to have:
3939

40+
![Screenshot showing Guest user access settings.](./media/external-collaboration-settings-configure/guest-user-access.png)
41+
4042
- **Guest users have the same access as members (most inclusive)**: This option gives guests the same access to Azure AD resources and directory data as member users.
4143

4244
- **Guest users have limited access to properties and memberships of directory objects**: (Default) This setting blocks guests from certain directory tasks, like enumerating users, groups, or other directory resources. Guests can see membership of all non-hidden groups.
@@ -45,7 +47,7 @@ For B2B collaboration with other Azure AD organizations, you should also review
4547

4648
1. Under **Guest invite settings**, choose the appropriate settings:
4749

48-
![Guest invite settings](./media/external-collaboration-settings-configure/guest-invite-settings.png)
50+
![Screenshot showing Guest invite settings.](./media/external-collaboration-settings-configure/guest-invite-settings.png)
4951

5052
- **Anyone in the organization can invite guest users including guests and non-admins (most inclusive)**: To allow guests in the organization to invite other guests including those who are not members of an organization, select this radio button.
5153
- **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**: To allow member users and users who have specific administrator roles to invite guests, select this radio button.
@@ -56,11 +58,11 @@ For B2B collaboration with other Azure AD organizations, you should also review
5658
5759
1. Under **Enable guest self-service sign up via user flows**, select **Yes** if you want to be able to create user flows that let users sign up for apps. For more information about this setting, see [Add a self-service sign-up user flow to an app](self-service-sign-up-user-flow.md).
5860

59-
![Self-service sign up via user flows setting](./media/external-collaboration-settings-configure/self-service-sign-up-setting.png)
61+
![Screenshot showing Self-service sign up via user flows setting.](./media/external-collaboration-settings-configure/self-service-sign-up-setting.png)
6062

6163
1. Under **Collaboration restrictions**, you can choose whether to allow or deny invitations to the domains you specify and enter specific domain names in the text boxes. For multiple domains, enter each domain on a new line. For more information, see [Allow or block invitations to B2B users from specific organizations](allow-deny-list.md).
6264

63-
![Collaboration restrictions settings](./media/external-collaboration-settings-configure/collaboration-restrictions.png)
65+
![Screenshot showing Collaboration restrictions settings.](./media/external-collaboration-settings-configure/collaboration-restrictions.png)
6466
## Assign the Guest Inviter role to a user
6567

6668
With the Guest Inviter role, you can give individual users the ability to invite guests without assigning them a global administrator or other admin role. Assign the Guest inviter role to individuals. Then make sure you set **Admins and users in the guest inviter role can invite** to **Yes**.
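
Review bot: the rewritten image line at new line 65 is followed directly by `## Assign the Guest Inviter role to a user` at line 66 with no blank line between them. Since the image line is being touched anyway, add an empty line before the heading so the image stays attached to the **Collaboration restrictions** step and the heading is parsed as a heading by every renderer.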

articles/active-directory/governance/entitlement-management-access-package-incompatible.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
1919
#Customer intent: As a global administrator or access package manager, I want to configure that a user cannot request an access package if they already have incompatible access.
2020

2121
---
22-
# Configure separation of duties checks for an access package in Azure AD entitlement management (Preview)
22+
# Configure separation of duties checks for an access package in Azure AD entitlement management
2323

2424
In Azure AD entitlement management, you can configure multiple policies, with different settings for each user community that will need access through an access package. For example, employees might only need manager approval to get access to certain apps, but guests coming in from other organizations may require both a sponsor and a resource team departmental manager to approve. In a policy for users already in the directory, you can specify a particular group of users for who can request access. However, you may have a requirement to avoid a user obtaining excessive access. To meet this requirement, you will want to further restrict who can request access, based on the access the requestor already has.
2525

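Review bot: with "(Preview)" removed from the H1 on line 22 and from the **Separation of duties** menu label in the two later hunks, check the front matter `title` and `description` above line 19, which this diff does not show, and any remaining "preview" wording in the body, so the article does not describe the feature both ways.
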
@@ -57,7 +57,7 @@ Follow these steps to change the list of incompatible groups or other access pac
5757

5858
1. In the left menu, click **Access packages** and then open the access package which users will request.
5959

60-
1. In the left menu, click **Separation of duties (preview)**.
60+
1. In the left menu, click **Separation of duties**.
6161

6262
1. If you wish to prevent users who have another access package assignment already from requesting this access package, click on **Add access package** and select the access package that the user would already be assigned.
6363

@@ -84,7 +84,7 @@ Follow these steps to view the list of other access packages that have indicated
8484

8585
1. In the left menu, click **Access packages** and then open the access package.
8686

87-
1. In the left menu, click **Separation of duties (preview)**.
87+
1. In the left menu, click **Separation of duties**.
8888

8989
1. Click on **Incompatible With**.
9090

articles/active-directory/hybrid/how-to-connect-install-prerequisites.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ For more information on setting the PowerShell execution policy, see [Set-Execut
5151
### Azure AD Connect server
5252
The Azure AD Connect server contains critical identity data. It's important that administrative access to this server is properly secured. Follow the guidelines in [Securing privileged access](/windows-server/identity/securing-privileged-access/securing-privileged-access).
5353

54-
The Azure AD Connect server must be treated as a Tier 0 component as documented in the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material)
54+
The Azure AD Connect server must be treated as a Tier 0 component as documented in the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material). We recommend hardening the Azure AD Connect server as a Control Plane asset by following the guidance provided in [Secure Privileged Access]( https://docs.microsoft.com/security/compass/overview)
5555

5656
To read more about securing your Active Directory environment, see [Best practices for securing Active Directory](/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory).
5757

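Review bot: the link added on new line 54 is written `[Secure Privileged Access]( https://docs.microsoft.com/security/compass/overview)` with a space after the opening parenthesis, which some Markdown renderers will not treat as a link, and the sentence has no closing period. Remove the space, end the sentence, and consider the site-relative form `/security/compass/overview` to match the other links in this paragraph. The paragraph also now says "must be treated as a Tier 0 component" and "Control Plane asset" in consecutive sentences; state once that Control Plane is the former Tier 0, as the rewritten bullet later in this file does.
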
@@ -73,7 +73,7 @@ To read more about securing your Active Directory environment, see [Best practic
7373
### Harden your Azure AD Connect server
7474
We recommend that you harden your Azure AD Connect server to decrease the security attack surface for this critical component of your IT environment. Following these recommendations will help to mitigate some security risks to your organization.
7575

76-
- Treat Azure AD Connect the same as a domain controller and other Tier 0 resources. For more information, see [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material).
76+
- We recommend hardening the Azure AD Connect server as a Control Plane (formerly Tier 0) asset by following the guidance provided in [Secure Privileged Access]( https://docs.microsoft.com/security/compass/overview) and [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material).
7777
- Restrict administrative access to the Azure AD Connect server to only domain administrators or other tightly controlled security groups.
7878
- Create a [dedicated account for all personnel with privileged access](/windows-server/identity/securing-privileged-access/securing-privileged-access). Administrators shouldn't be browsing the web, checking their email, and doing day-to-day productivity tasks with highly privileged accounts.
7979
- Follow the guidance provided in [Securing privileged access](/windows-server/identity/securing-privileged-access/securing-privileged-access).
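
Review bot: the rewritten first bullet drops the instruction to treat Azure AD Connect the same as a domain controller, which was the most concrete statement in this list of how strictly the server must be protected; keep that comparison alongside the new Control Plane wording. The bullet also switches to "We recommend hardening" while the bullets after it stay imperative (Restrict, Create, Follow), and the link again has a stray space in `]( https://docs.microsoft.com/security/compass/overview)`.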

articles/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -134,8 +134,14 @@ To manage a series of access reviews, navigate to the access review, and you wil
134134

135135
Based on your selections in **Upon completion settings**, auto-apply will be executed after the review's end date or when you manually stop the review. The status of the review will change from **Completed** through intermediate states such as **Applying** and finally to state **Applied**. You should expect to see denied users, if any, being removed from roles in a few minutes.
136136

137-
> [!IMPORTANT]
138-
> If a group is assigned to **Azure resource roles**, the reviewer of the Azure resource role will see the expanded list of the indirect users with access assigned through a nested group. Should a reviewer deny a member of a nested group, that deny result will not be applied successfully for the role because the user will not be removed from the nested group. For **Azure AD roles**, [role-assignable groups](../roles/groups-concept.md) will show up in the review instead of expanding the members of the group, and a reviewer will either approve or deny access to the entire group.
137+
## Impact of groups assigned to Azure AD roles and Azure resource roles in access reviews
138+
139+
• For **Azure AD roles**, role-assignable groups can be assigned to the role using [role-assignable groups](../roles/groups-concept.md). When a review is created on an Azure AD role with role-assignable groups assigned, the group name shows up in the review without expanding the group membership. The reviewer can approve or deny access of the entire group to the role. Denied groups will lose their assignment to the role when review results are applied.
140+
141+
• For **Azure resource roles**, any security group can be assigned to the role. When a review is created on an Azure resource role with a security group assigned, the users assigned to that security group will be fully expanded and shown to the reviewer of the role. When a reviewer denies a user that was assigned to the role via the security group, the user will not be removed from the group, and therefore the apply of the deny result will be unsuccessful.
142+
143+
> [!NOTE]
144+
> It is possible for a security group to have other groups assigned to it. In this case, only the users assigned directly to the security group assigned to the role will appear in the review of the role.
139145
140146
## Update the access review
141147

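Review bot: the statement that a denied user on an Azure resource role is not removed from the security group, so the deny result is not applied, was previously inside `> [!IMPORTANT]` and is now plain body text in the second list item. Because the review records a deny while the access stays in place, keep that sentence in an IMPORTANT callout and say what the reviewer should do instead. The two list items begin with a literal `•` character rather than a Markdown `-` or `*` marker, so they will not render as a list. The first item's "role-assignable groups can be assigned to the role using role-assignable groups" is circular. The new NOTE says only users assigned directly to the security group appear in the review, while the removed text said reviewers see indirect users assigned through a nested group; confirm which is correct, because nested-group members who are not shown cannot be reviewed.
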
articles/active-directory/saas-apps/github-enterprise-managed-user-provisioning-tutorial.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@ ms.author: thwimmer
2121
This tutorial describes the steps you need to perform in both GitHub Enterprise Managed User and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to GitHub Enterprise Managed User using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
2222

2323
> [!NOTE]
24-
> [GitHub Enterprise Managed Users](https://docs.github.com/enterprise-cloud@latest/admin/authentication/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users) is a feature of GitHub Enterprise Cloud which is different from GitHub Enterprise's standard SAML SSO and user provisioning implementation. If you haven't specifically requested EMU instance, you have standard GitHub Enterprise Cloud plan. In that case, please refer to [the documentation](./github-provisioning-tutorial.md) to configure user provisioning in your non-EMU organisation. User provisioning is not supported for [GitHub Enteprise Accounts](https://docs.github.com/enterprise-cloud@latest/admin/overview/about-enterprise-accounts)
24+
> [GitHub Enterprise Managed Users](https://docs.github.com/enterprise-cloud@latest/admin/authentication/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users) is a feature of GitHub Enterprise Cloud which is different from GitHub Enterprise's standard SAML SSO and user provisioning implementation. If you haven't specifically requested an EMU instance, you have a standard GitHub Enterprise Cloud plan. In that case, please refer to [the documentation](./github-provisioning-tutorial.md) to configure user provisioning in your non-EMU organization. User provisioning is not supported for [GitHub Enterprise Accounts](https://docs.github.com/enterprise-cloud@latest/admin/overview/about-enterprise-accounts)
2525
2626
## Capabilities Supported
2727
> [!div class="checklist"]
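
Review bot: the last sentence of the NOTE on new line 24, the one ending in the GitHub Enterprise Accounts link, still has no closing period after the link; add it while the line is being corrected.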
@@ -172,4 +172,4 @@ Once you've configured provisioning, use the following resources to monitor your
172172

173173
## Next steps
174174

175-
* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
175+
* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
