Merge pull request #243427 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

.openpublishing.publish.config.json

@@ -74,6 +74,12 @@
       "branch": "main",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "ms-identity-ciam-dotnet-tutorial",
+      "url": "https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial",
+      "branch": "main",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "_themes",
       "url": "https://github.com/Microsoft/templates.docs.msft",

.openpublishing.redirection.json

@@ -23967,6 +23967,26 @@
             "source_path_from_root": "/articles/active-directory/manage-apps/migrate-okta-sync-provisioning-to-azure-active-directory.md",
             "redirect_url": "/azure/active-directory/manage-apps/migrate-okta-sync-provisioning",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/networking/connectivty-interoperability-preface.md",
+            "redirect_url": "/azure/networking/manage-apps/connectivity-interoperability-preface",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/networking/connectivty-interoperability-configuration.md",
+            "redirect_url": "/azure/networking/manage-apps/connectivity-interoperability-configuration",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/networking/connectivty-interoperability-control-plane.md",
+            "redirect_url": "/azure/networking/manage-apps/connectivity-interoperability-control-plane",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/networking/connectivty-interoperability-data-plane.md",
+            "redirect_url": "/azure/networking/manage-apps/connectivity-interoperability-data-plane",
+            "redirect_document_id": false
         }
     ]
 }

.openpublishing.redirection.reliability.json

@@ -0,0 +1,11 @@
+{
+  "redirections": [
+    {
+      "source_path_from_root": "/articles/reliability/reliability-energy-data-services.md",
+      "redirect_url": "/azure/energy-data-services/reliability-energy-data-services",
+      "redirect_document_id": true
+    }  
+  ]
+}
+
+

articles/active-directory/app-provisioning/known-issues.md

@@ -167,7 +167,7 @@ The following information is a current list of known limitations with the Azure
 The following applications and directories aren't yet supported.
 
 #### Active Directory Domain Services (user or group writeback from Azure AD by using the on-premises provisioning preview)
-   - When a user is managed by Azure AD Connect, the source of authority is on-premises Azure AD. So, user attributes can't be changed in Azure AD. This preview doesn't change the source of authority for users managed by Azure AD Connect.
+   - When a user is managed by Azure AD Connect, the source of authority is on-premises Active Directory Domain Services. So, user attributes can't be changed in Azure AD. This preview doesn't change the source of authority for users managed by Azure AD Connect.
    - Attempting to use Azure AD Connect and the on-premises provisioning to provision groups or users into Active Directory Domain Services can lead to creation of a loop, where Azure AD Connect can overwrite a change that was made by the provisioning service in the cloud. Microsoft is working on a dedicated capability for group or user writeback. Upvote the UserVoice feedback on [this website](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789/) to track the status of the preview. Alternatively, you can use [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) for user or group writeback from Azure AD to Active Directory.
 
 #### Azure AD

articles/active-directory/authentication/concept-system-preferred-multifactor-authentication.md

@@ -4,7 +4,7 @@ description: Learn how to use system-preferred multifactor authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 06/02/2023
+ms.date: 06/28/2023
 ms.author: justinha
 author: justinha
 manager: amycolannino
@@ -25,7 +25,7 @@ System-preferred MFA is a Microsoft managed setting, which is a [tristate policy
 After system-preferred MFA is enabled, the authentication system does all the work. Users don't need to set any authentication method as their default because the system always determines and presents the most secure method they registered. 
 
 >[!NOTE]
->System-preferred MFA is a key security upgrade to traditional second factor notifications. We highly recommend enabling system-preferred MFA in the near term for improved sign-in security. 
+>System-preferred MFA is an important security enhancement for users authenticating by using telecom transports. Starting July 07, 2023, the Microsoft managed value of system-preferred MFA will change from **Disabled** to **Enabled**. If you don't want to enable system-peeferred MFA, change the state from **Default** to **Disabled**, or exclude users and groups from the policy.
 
 ## Enable system-preferred MFA in the Azure portal
 
@@ -101,7 +101,7 @@ Content-Type: application/json
 
 ## Known issue
 
-[FIDO2 security keys](../develop/support-fido2-authentication.md#mobile) on mobile devices and [registration for certificate-based authentication (CBA)](concept-certificate-based-authentication.md) aren't supported due to an issue that might surface when system-preferred MFA is enabled. Until a fix is available, we recommend not using FIDO2 security keys on mobile devices or registering for CBA. To disable system-preferred MFA for these users, you can either add them to an excluded group or remove them from an included group.
+A fix for [FIDO2 security keys](../develop/support-fido2-authentication.md#mobile) is being rolled out with the change of the Microsoft managed setting to **Enabled**. As part of the rollout, we adjusted the preferred methods list, which moved certificate-based authentication (CBA) lower on the list of preferred methods. This change is necessary due to a known issue where users within the scope of CBA can't use any other available authentication method. We are actively working to address this issue, and once the fix is rolled out, CBA will return to its appropriate position on the list of preferred methods. However, tenants that use a Conditional Access policy that mandates CBA will have the ability to bypass this downgrade and be unaffected by the change.
 
 ## FAQ
 
@@ -110,19 +110,19 @@ Content-Type: application/json
 When a user signs in, the authentication process checks which authentication methods are registered for the user. The user is prompted to sign-in with the most secure method according to the following order. The order of authentication methods is dynamic. It's updated as the security landscape changes, and as better authentication methods emerge. Click the link for information about each method.
 
 1. [Temporary Access Pass](howto-authentication-temporary-access-pass.md)
-1. [Certificate-based authentication](concept-certificate-based-authentication.md)
 1. [FIDO2 security key](concept-authentication-passwordless.md#fido2-security-keys)
 1. [Microsoft Authenticator push notifications](concept-authentication-authenticator-app.md)
 1. [Time-based one-time password (TOTP)](concept-authentication-oath-tokens.md)<sup>1</sup>
 1. [Telephony](concept-authentication-phone-options.md)<sup>2</sup>
+1. [Certificate-based authentication](concept-certificate-based-authentication.md)
 
 <sup>1</sup> Includes hardware or software TOTP from Microsoft Authenticator, Authenticator Lite, or third-party applications.
 
 <sup>2</sup> Includes SMS and voice calls.
 
-### How does system-preferred MFA affect AD FS or NPS extension?
+### How does system-preferred MFA affect the NPS extension?
 
-System-preferred MFA doesn't affect users who sign in by using federation, such as Active Directory Federation Services (AD FS) or third-party providers, or Network Policy Server (NPS) extension. Those users don't see any change to their sign-in experience.
+System-preferred MFA doesn't affect users who sign in by using the Network Policy Server (NPS) extension. Those users don't see any change to their sign-in experience.
 
 ### What happens for users who aren't specified in the Authentication methods policy but enabled in the legacy MFA tenant-wide policy?
 

articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md

@@ -92,7 +92,7 @@ The following core requirements apply:
     | --- | --- |
     |`https://login.microsoftonline.com`|Authentication requests|
     |`https://enterpriseregistration.windows.net`|Azure AD Password Protection functionality|
-    |`https://autoupdate.msappproxaxy.net` | Azure AD Password Protection auto-upgrade functionality |
+    |`https://autoupdate.msappproxy.net` | Azure AD Password Protection auto-upgrade functionality |
 
 > [!NOTE]
 > Some endpoints, such as the CRL endpoint, are not addressed in this article. For a list of all supported endpoints, see [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online).

articles/active-directory/enterprise-users/groups-dynamic-membership.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: enterprise-users
 ms.workload: identity
 ms.topic: overview
-ms.date: 08/18/2022
+ms.date: 06/07/2023
 ms.author: barclayn
 ms.reviewer: krbain
 ms.custom: it-pro
@@ -96,6 +96,7 @@ dirSyncEnabled |true false |user.dirSyncEnabled -eq true
 | department |Any string value or *null* | user.department -eq "value" |
 | displayName |Any string value | user.displayName -eq "value" |
 | employeeId |Any string value | user.employeeId -eq "value"<br>user.employeeId -ne *null* |
+| employeeHireDate (Preview) |Any DateTimeOffset value or keyword system.now | user.employeeHireDate -eq "value" |
 | facsimileTelephoneNumber |Any string value or *null* | user.facsimileTelephoneNumber -eq "value" |
 | givenName |Any string value or *null* | user.givenName -eq "value" |
 | jobTitle |Any string value or *null* | user.jobTitle -eq "value" |
@@ -154,9 +155,20 @@ If you want to compare the value of a user attribute against multiple values, yo
 ```
    user.department -in ["50001","50002","50003","50005","50006","50007","50008","50016","50020","50024","50038","50039","51100"]
 ```
+### Using the -le and -ge operators
 
+You can use the less than (-le) or greater than (-ge) operators when using the employeeHireDate attribute in dynamic group rules.  
+Examples:
+
+```
+user.employeehiredate -ge system.now -plus p1d 
+
+user.employeehiredate -le 2020-06-10T18:13:20Z 
+
+```
 
 ### Using the -match operator 
+
 The **-match** operator is used for matching any regular expression. Examples:
 
 ```

articles/active-directory/enterprise-users/groups-self-service-management.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: enterprise-users
 ms.workload: identity
 ms.topic: how-to
-ms.date: 01/09/2023
+ms.date: 06/12/2023
 ms.author: barclayn
 ms.reviewer: krbain
 ms.custom: "it-pro;seo-update-azuread-jan"
@@ -53,6 +53,7 @@ Groups created in | Security group default behavior | Microsoft 365 group defaul
 
 3. Set **Owners can manage group membership requests in the Access Panel** to **Yes**.
 
+
 4. Set **Restrict user ability to access groups features in the Access Panel** to **No**.
 
 5. Set **Users can create security groups in Azure portals, API or PowerShell** to **Yes** or **No**.

articles/active-directory/external-identities/customers/how-to-browserless-app-dotnet-sign-in-overview.md

@@ -11,8 +11,7 @@ ms.workload: identity
 ms.subservice: ciam
 ms.topic: how-to
 ms.date: 05/10/2023
-ms.custom: developer
-
+ms.custom: developer, devx-track-dotnet
 #Customer intent: As a dev, devops, I want to learn about how to enable authentication in my ASP.NET browserless app with Azure Active Directory (Azure AD) for customers tenant
 ---
 

articles/active-directory/external-identities/customers/how-to-browserless-app-dotnet-sign-in-prepare-app.md

@@ -11,8 +11,7 @@ ms.workload: identity
 ms.subservice: ciam
 ms.topic: how-to
 ms.date: 05/10/2023
-ms.custom: developer
-
+ms.custom: developer, devx-track-dotnet
 #Customer intent: As a dev, devops, I want to learn about how to enable authentication in my ASP.NET browserless app with Azure Active Directory (Azure AD) for customers tenant
 ---