Merge pull request #245625 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

articles/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility.md

@@ -24,7 +24,7 @@ This article describes current and past issues with the Azure AD user provisioni
 ## Understanding the provisioning job
 The provisioning service uses the concept of a job to operate against an application. The jobID can be found in the [progress bar](application-provisioning-when-will-provisioning-finish-specific-user.md#view-the-provisioning-progress-bar). All new provisioning applications are created with a jobID starting with "scim". The scim job represents the current state of the service. Older jobs have the ID "customappsso". This job represents the state of the service in 2018. 
 
-If you are using an application in the gallery, the job generally contains the name of the app (e.g. zoom snowFlake, dataBricks, etc.). You can skip this documentation when using a gallery application. This primarily applies for non-gallery applications with jobID SCIM or customAppSSO.
+If you are using an application in the gallery, the job generally contains the name of the app (such as zoom snowFlake or dataBricks). You can skip this documentation when using a gallery application. This primarily applies for non-gallery applications with jobID SCIM or customAppSSO.
 
 ## SCIM 2.0 compliance issues and status
 In the table below, any item marked as fixed means that the proper behavior can be found on the SCIM job. We have worked to ensure backwards compatibility for the changes we have made. We recommend using the new behavior for any new implementations and updating existing implementations. Please note that the customappSSO behavior that was the default prior to December 2018 is not supported anymore. 
@@ -234,13 +234,12 @@ Below are sample requests to help outline what the sync engine currently sends v
 
 
 ## Upgrading from the older customappsso job to the SCIM job
-Following the steps below will delete your existing customappsso job and create a new scim job. 
+Following the steps below will delete your existing customappsso job and create a new SCIM job.
 
-1. Sign into the Azure portal at https://portal.azure.com.
+1. Sign into the [Azure portal](https://portal.azure.com).
 2. In the **Azure Active Directory > Enterprise Applications** section of the Azure portal, locate and select your existing SCIM application.
 3. In the **Properties** section of your existing SCIM app, copy the **Object ID**.
-4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer 
-   and sign in as the administrator for the Azure AD tenant where your app is added.
+4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.
 5. In the Graph Explorer, run the command below to locate the ID of your provisioning job. Replace "[object-id]" with the service principal ID (object ID) copied from the third step.
 
    `GET https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs` 
@@ -276,11 +275,10 @@ Following the steps below will delete your existing customappsso job and create
 ## Downgrading from the SCIM job to the customappsso job (not recommended)
  We allow you to downgrade back to the old behavior but don't recommend it as the customappsso does not benefit from some of the updates we make, and may not be supported forever. 
 
-1. Sign into the Azure portal at https://portal.azure.com.
-2. in the **Azure Active Directory > Enterprise Applications > Create application** section of the Azure portal, create a new **Non-gallery** application.
+1. Sign into the [Azure portal](https://portal.azure.com).
+2. In the **Azure Active Directory > Enterprise Applications > Create application** section of the Azure portal, create a new **Non-gallery** application.
 3. In the **Properties** section of your new custom app, copy the **Object ID**.
-4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer 
-   and sign in as the administrator for the Azure AD tenant where your app is added.
+4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.
 5. In the Graph Explorer, run the command below to initialize the provisioning configuration for your app.
    Replace "[object-id]" with the service principal ID (object ID) copied from the third step.
 

articles/active-directory/app-provisioning/configure-automatic-user-provisioning-portal.md

@@ -24,7 +24,7 @@ This article describes the general steps for managing automatic user account pro
 
 Use the Azure portal to view and manage all applications that are configured for single sign-on in a directory. Enterprise apps are apps that are deployed and used within your organization. Follow these steps to view and manage your enterprise applications:
 
-1. Open the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
 1. Browse to **Azure Active Directory** > **Enterprise applications**.
 1. A list of all configured apps is shown, including apps that were added from the gallery.
 1. Select any app to load its resource pane, where you can view reports and manage app settings.

articles/active-directory/app-provisioning/customize-application-attributes.md

@@ -118,7 +118,7 @@ Applications and systems that support customization of the attribute list includ
 
 
 > [!NOTE]
-> Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute isn't automatically displayed in the Azure Portal UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the [attribute list](#editing-the-list-of-supported-attributes). 
+> Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute isn't automatically displayed in the Azure portal UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the [attribute list](#editing-the-list-of-supported-attributes). 
 
 > [!NOTE]
 > When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list".  When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory.     
@@ -157,60 +157,63 @@ Custom attributes can't be referential attributes, multi-value or complex-typed
 **Example representation of a user with an extension attribute:**
 
 ```json
-   {
-     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
-     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
-     "userName":"bjensen",
-     "id": "48af03ac28ad4fb88478",
-     "externalId":"bjensen",
-     "name":{
-       "formatted":"Ms. Barbara J Jensen III",
-       "familyName":"Jensen",
-       "givenName":"Barbara"
-     },
-     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
-     "employeeNumber": "701984",
-     "costCenter": "4130",
-     "organization": "Universal Studios",
-     "division": "Theme Park",
-     "department": "Tour Operations",
-     "manager": {
-       "value": "26118915-6090-4610-87e4-49d8ca9f808d",
-       "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d",
-       "displayName": "John Smith"
-     }
-   },
-     "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {
-     "CustomAttribute": "701984",
-   },
-   "meta": {
-     "resourceType": "User",
-     "created": "2010-01-23T04:56:22Z",
-     "lastModified": "2011-05-13T04:42:34Z",
-     "version": "W\/\"3694e05e9dff591\"",
-     "location":
- "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
-   }
- }
+{
+  "schemas":[
+    "urn:ietf:params:scim:schemas:core:2.0:User",
+      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
+  ],
+  "userName":"bjensen",
+  "id": "48af03ac28ad4fb88478",
+  "externalId":"bjensen",
+  "name":{
+    "formatted":"Ms. Barbara J Jensen III",
+    "familyName":"Jensen",
+    "givenName":"Barbara"
+  },
+  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
+    "employeeNumber": "701984",
+    "costCenter": "4130",
+    "organization": "Universal Studios",
+    "division": "Theme Park",
+    "department": "Tour Operations",
+    "manager": {
+      "value": "26118915-6090-4610-87e4-49d8ca9f808d",
+      "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d",
+      "displayName": "John Smith"
+    }
+  },
+  "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {
+    "CustomAttribute": "701984",
+  },
+  "meta": {
+    "resourceType": "User",
+    "created": "2010-01-23T04:56:22Z",
+    "lastModified": "2011-05-13T04:42:34Z",
+    "version": "W\/\"3694e05e9dff591\"",
+    "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
+  }
+}
 ```
 
-
 ## Provisioning a role to a SCIM app
 Use the steps in the example to provision roles for a user to your application. The description is specific to custom SCIM applications. For gallery applications such as Salesforce and ServiceNow, use the predefined role mappings. The bullets describe how to transform the AppRoleAssignments attribute to the format your application expects.
 
 - Mapping an appRoleAssignment in Azure AD to a role in your application requires that you transform the attribute using an [expression](../app-provisioning/functions-for-customizing-application-data.md). The appRoleAssignment attribute **shouldn't be mapped directly** to a role attribute without using an expression to parse the role details. 
 
-- **SingleAppRoleAssignment** 
+- **SingleAppRoleAssignment**
+
   - **When to use:** Use the SingleAppRoleAssignment expression to provision a single role for a user and to specify the primary role. 
   - **How to configure:** Use the steps described to navigate to the attribute mappings page and use the SingleAppRoleAssignment expression to map to the roles attribute. There are three role attributes to choose from (`roles[primary eq "True"].display`, `roles[primary eq "True"].type`, and `roles[primary eq "True"].value`). You can choose to include any or all of the role attributes in your mappings. If you would like to include more than one, just add a new mapping and include it as the target attribute.
 
-  ![Add SingleAppRoleAssignment](./media/customize-application-attributes/edit-attribute-singleapproleassignment.png)
+    ![Add SingleAppRoleAssignment](./media/customize-application-attributes/edit-attribute-singleapproleassignment.png)
+
   - **Things to consider**
     - Ensure that multiple roles aren't assigned to a user. There's no guarantee which role is provisioned.
     - SingleAppRoleAssignments isn't compatible with setting scope to "Sync All users and groups." 
+
   - **Example request (POST)** 
 
-   ```json
+    ```json
     {
       "schemas": [
           "urn:ietf:params:scim:schemas:core:2.0:User"
@@ -229,25 +232,29 @@ Use the steps in the example to provision roles for a user to your application.
                "value": "Admin"
          }
       ]
-   }
-   ```
-  
+    }
+    ```
+
   - **Example output (PATCH)** 
-    
-   ```json
-   "Operations": [
-     {
-       "op": "Add",
-       "path": "roles",
-       "value": [
-         {
-           "value": "{\"id\":\"06b07648-ecfe-589f-9d2f-6325724a46ee\",\"value\":\"25\",\"displayName\":\"Role1234\"}"
-         }
-       ]
-   ```  
+
+    ```json
+    "Operations": [
+      {
+        "op": "Add",
+        "path": "roles",
+        "value": [
+          {
+            "value": "{\"id\":\"06b07648-ecfe-589f-9d2f-6325724a46ee\",\"value\":\"25\",\"displayName\":\"Role1234\"}"
+          }
+        ]
+      }
+    ]
+    ```
+
 The request formats in the PATCH and POST differ. To ensure that POST and PATCH are sent in the same format, you can use the feature flag described [here](./application-provisioning-config-problem-scim-compatibility.md#flags-to-alter-the-scim-behavior). 
 
-- **AppRoleAssignmentsComplex** 
+- **AppRoleAssignmentsComplex**
+
   - **When to use:** Use the AppRoleAssignmentsComplex expression to provision multiple roles for a user. 
   - **How to configure:** Edit the list of supported attributes as described to include a new attribute for roles: 
 
@@ -256,16 +263,18 @@ The request formats in the PATCH and POST differ. To ensure that POST and PATCH
     Then use the AppRoleAssignmentsComplex expression to map to the custom role attribute as shown in the image:
 
     ![Add AppRoleAssignmentsComplex](./media/customize-application-attributes/edit-attribute-approleassignmentscomplex.png)<br>
+
   - **Things to consider**
+
     - All roles are provisioned as primary = false.
     - The POST contains the role type. The PATCH request doesn't contain type. We're working on sending the type in both POST and PATCH requests.
     - AppRoleAssignmentsComplex isn't compatible with setting scope to "Sync All users and groups."
     - The AppRoleAssignmentsComplex only supports the PATCH add function. For multi-role SCIM applications, roles deleted in Azure Active Directory will therefore not be deleted from the application. We're working to support additional PATCH functions and address the limitation. 
 
-  - **Example output** 
+  - **Example output**
 
-   ```json
-   {
+    ```json
+    {
        "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User"
       ],
@@ -290,35 +299,33 @@ The request formats in the PATCH and POST differ. To ensure that POST and PATCH
              "value": "User"
          }
       ]
-   }
-   ```
-
-  
-
+    }
+    ```
 
 ## Provisioning a multi-value attribute
+
 Certain attributes such as phoneNumbers and emails are multi-value attributes where you may need to specify different types of phone numbers or emails. Use the expression for multi-value attributes. It allows you to specify the attribute type and map that to the corresponding Azure AD user attribute for the value. 
 
-* phoneNumbers[type eq "work"].value
-* phoneNumbers[type eq "mobile"].value
-* phoneNumbers[type eq "fax"].value
+* `phoneNumbers[type eq "work"].value`
+* `phoneNumbers[type eq "mobile"]`.value
+* `phoneNumbers[type eq "fax"].value`
 
-   ```json
-   "phoneNumbers": [
-       {
-         "value": "555-555-5555",
-         "type": "work"
-      },
-      {
-         "value": "555-555-5555",
-         "type": "mobile"
-      },
-      {
-         "value": "555-555-5555",
-         "type": "fax"
-      }
-   ]
-   ```
+  ```json
+  "phoneNumbers": [
+     {
+        "value": "555-555-5555",
+        "type": "work"
+     },
+     {
+        "value": "555-555-5555",
+        "type": "mobile"
+     },
+     {
+        "value": "555-555-5555",
+        "type": "fax"
+     }
+  ]
+  ```
 
 ## Restoring the default attributes and attribute-mappings
 

articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md

@@ -127,7 +127,7 @@ https://[SuccessFactorsAPIEndpoint]/odata/v2/PerPerson/$count?$format=json&$filt
 ## How pre-hire processing works
 
 This section explains how the SAP SuccessFactors connector processes pre-hire records (workers with hire date / start date in future). 
-Let's say there is a pre-hire with employeeId "1234" in SuccessFactors Employee Central with start date on 1-June-2023. Let's further assume that this pre-hire record was first created either in Employee Central or in the Onboarding module on 15-May-2023. When the provisioning service first observes this record on 15-May-2023 (either as part of full sync or incremental sync), this record is still in pre-hire state. Due to this, SuccessFactors does not send the provisioning service all attributes (example: userNav/username) associated with the user. Only bare minimum data about the user such as `personIdExternal`, `firstname`, `lastname` and `startDate` is available. To process pre-hires successfully, the following pre-requisites must be met: 
+Let's say there is a pre-hire with employeeId "1234" in SuccessFactors Employee Central with start date on 1-June-2023. Let's further assume that this pre-hire record was first created either in Employee Central or in the Onboarding module on 15-May-2023. When the provisioning service first observes this record on 15-May-2023 (either as part of full sync or incremental sync), this record is still in pre-hire state. Due to this, SuccessFactors does not send the provisioning service all attributes (example: userNav/username) associated with the user. Only bare minimum data about the user such as `companyName`, `personIdExternal`, `firstname`, `lastname` and `startDate` is available. To process pre-hires successfully, the following pre-requisites must be met: 
 
 1) The `personIdExternal` attribute must be set as the primary matching identifier (joining property). If you configure a different attribute (example: userName) as the joining property then the provisioning service will not be able to retrieve the pre-hire information. 
 2) The `startDate` attribute must be available and it's JSONPath must be set to either `$.employmentNav.results[0].startDate` or `$.employmentNav.results[-1:].startDate`.

articles/active-directory/app-proxy/application-proxy-integrate-with-tableau.md

@@ -33,7 +33,7 @@ Application Proxy supports the OAuth 2.0 Grant Flow, which is required for Table
 
 ## Publish your applications in Azure 
 
-To publish Tableau, you need to publish an application in the Azure Portal.
+To publish Tableau, you need to publish an application in the Azure portal.
 
 For:
 
@@ -76,4 +76,3 @@ Your application is now ready to test. Access the external URL you used to publi
 ## Next steps
 
 For more information about Azure AD Application Proxy, see [How to provide secure remote access to on-premises applications](application-proxy.md).
-

articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md

@@ -34,7 +34,7 @@ The following Azure AD password policy requirements apply for all passwords that
 | Characters not allowed | Unicode characters |
 | Password length |Passwords require<br>- A minimum of eight characters<br>- A maximum of 256 characters</li> |
 | Password complexity |Passwords require three out of four of the following categories:<br>- Uppercase characters<br>- Lowercase characters<br>- Numbers <br>- Symbols<br> Note: Password complexity check isn't required for Education tenants. |
-| Password not recently used | When a user changes their password, the new password can't be the same as the current or recently used passwords. |
+| Password not recently used | When a user changes their password, the new password should not be the same as the current password. |
 | Password isn't banned by [Azure AD Password Protection](concept-password-ban-bad.md) | The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization. |
 
 ## Password expiration policies