Commit 52d2fc8

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into yelevin/advanced-scheduling
2 parents 407a0f8 + fa1d0ea commit 52d2fc8

230 files changed, +2093 -1480 lines changed

.openpublishing.redirection.json

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16084,11 +16084,36 @@
1608416084
"redirect_url": "/azure/sentinel/normalization-schema-dns",
1608516085
"redirect_document_id": true
1608616086
},
16087+
{
16088+
"source_path_from_root": "/articles/sentinel/authentication-normalization-schema.md",
16089+
"redirect_url": "/azure/sentinel/normalization-schema-authentication",
16090+
"redirect_document_id": true
16091+
},
16092+
{
16093+
"source_path_from_root": "/articles/sentinel/dhcp-normalization-schema.md",
16094+
"redirect_url": "/azure/sentinel/normalization-schema-dhcp",
16095+
"redirect_document_id": true
16096+
},
16097+
{
16098+
"source_path_from_root": "/articles/sentinel/user-management-normalization-schema.md",
16099+
"redirect_url": "/azure/sentinel/normalization-schema-user-management",
16100+
"redirect_document_id": true
16101+
},
1608716102
{
1608816103
"source_path_from_root": "/articles/sentinel/file-event-normalization-schema.md",
1608916104
"redirect_url": "/azure/sentinel/normalization-schema-file-event",
1609016105
"redirect_document_id": true
1609116106
},
16107+
{
16108+
"source_path_from_root": "/articles/sentinel/registry-event-normalization-schema.md",
16109+
"redirect_url": "/azure/sentinel/normalization-schema-registry-event",
16110+
"redirect_document_id": true
16111+
},
16112+
{
16113+
"source_path_from_root": "/articles/sentinel/process-events-normalization-schema.md",
16114+
"redirect_url": "/azure/sentinel/normalization-schema-process-event",
16115+
"redirect_document_id": true
16116+
},
1609216117
{
1609316118
"source_path_from_root": "/articles/service-bus/index.md",
1609416119
"redirect_url": "/azure/service-bus-messaging/index",

articles/active-directory/authentication/how-to-certificate-based-authentication.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5,10 +5,10 @@ description: Topic that shows how to configure Azure AD certificate-based authen
55
ms.service: active-directory
66
ms.subservice: authentication
77
ms.topic: how-to
8-
ms.date: 01/29/2023
8+
ms.date: 01/30/2023
99

1010
ms.author: justinha
11-
author: vimrang
11+
author: justinha
1212
manager: amycolannino
1313
ms.reviewer: vimrang
1414

@@ -134,7 +134,7 @@ To enable the certificate-based authentication in the Azure portal, complete the
134134
1. Sign in to the [Azure portal](https://portal.azure.com/) as an Authentication Policy Administrator.
135135
1. Select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.
136136
1. Under **Manage**, select **Authentication methods** > **Certificate-based Authentication**.
137-
1. Under **Basics**, select **Yes** to enable CBA.
137+
1. Under **Enable and Target**, click **Enable**.
138138
1. Click **All users**, or click **Add groups** to select specific groups.
139139

140140
:::image type="content" border="true" source="./media/how-to-certificate-based-authentication/enable.png" alt-text="Screenshot of how to enable CBA.":::
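Review bot: Step 137 now tells the reader to click **Enable** under **Enable and Target**, but the screenshot reference at line 140 (`enable.png`, alt text "Screenshot of how to enable CBA.") is unchanged context, so it may still show the old **Basics** / **Yes** control. Check that the image matches the renamed section and update it in the same change if it doesn't.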

articles/active-directory/authentication/howto-authentication-use-email-signin.md

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 01/03/2023
9+
ms.date: 01/30/2023
1010

1111
ms.author: justinha
1212
author: calui
@@ -43,8 +43,8 @@ Here's what you need to know about email as an alternate login ID:
4343
* If the non-UPN email in use becomes stale (no longer belongs to the user), these claims will return the UPN instead.
4444
* The feature supports managed authentication with Password Hash Sync (PHS) or Pass-Through Authentication (PTA).
4545
* There are two options for configuring the feature:
46-
* [Home Realm Discovery (HRD) policy](#enable-user-sign-in-with-an-email-address) - Use this option to enable the feature for the entire tenant. Global administrator privileges required.
47-
* [Staged rollout policy](#enable-staged-rollout-to-test-user-sign-in-with-an-email-address) - Use this option to test the feature with specific Azure AD groups. Global administrator privileges required. When you first add a security group for staged rollout, you're limited to 200 users to avoid a UX time-out. After you've added the group, you can add more users directly to it, as required.
46+
* [Home Realm Discovery (HRD) policy](#enable-user-sign-in-with-an-email-address) - Use this option to enable the feature for the entire tenant. Global Administrator, Application Administrator, or Cloud Application Administrator role is required.
47+
* [Staged rollout policy](#enable-staged-rollout-to-test-user-sign-in-with-an-email-address) - Use this option to test the feature with specific Azure AD groups. Global Administrator privileges required. When you first add a security group for staged rollout, you're limited to 200 users to avoid a UX time-out. After you've added the group, you can add more users directly to it, as required.
4848

4949
## Preview limitations
5050

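Review bot: Line 46 now says the HRD policy option can be enabled with the Global Administrator, Application Administrator, or Cloud Application Administrator role, but the procedure text edited later in this same file (lines 135 and 159) still says *Global Administrator* is needed to enable the feature. Reconcile the two so readers aren't steered to the most privileged role if a narrower one is sufficient, as line 46 states, and say whether the portal path at step 139 also accepts the narrower roles.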
@@ -132,11 +132,11 @@ Email as an alternate login ID applies to [Azure AD B2B collaboration](../extern
132132
133133
Once users with the *ProxyAddresses* attribute applied are synchronized to Azure AD using Azure AD Connect, you need to enable the feature for users to sign in with email as an alternate login ID for your tenant. This feature tells the Azure AD login servers to not only check the sign-in identifier against UPN values, but also against *ProxyAddresses* values for the email address.
134134

135-
During preview, you currently need *global administrator* permissions to enable sign-in with email as an alternate login ID. You can use either Azure portal or PowerShell to set up the feature.
135+
During preview, you currently need *Global Administrator* permissions to enable sign-in with email as an alternate login ID. You can use either Azure portal or PowerShell to set up the feature.
136136

137137
### Azure portal
138138

139-
1. Sign in to the [Azure portal][azure-portal] as a *global administrator*.
139+
1. Sign in to the [Azure portal][azure-portal] as a *Global Administrator*.
140140
1. Search for and select **Azure Active Directory**.
141141
1. From the navigation menu on the left-hand side of the Azure Active Directory window, select **Azure AD Connect > Email as alternate login ID**.
142142

@@ -156,7 +156,7 @@ With the policy applied, it can take up to 1 hour to propagate and for users to
156156
157157
Once users with the *ProxyAddresses* attribute applied are synchronized to Azure AD using Azure AD Connect, you need to enable the feature for users to sign-in with email as an alternate login ID for your tenant. This feature tells the Azure AD login servers to not only check the sign-in identifier against UPN values, but also against *ProxyAddresses* values for the email address.
158158

159-
During preview, you can currently only enable email as an alternate login ID using PowerShell or the Microsoft Graph API. You need *global administrator* privileges to complete the following steps:
159+
During preview, you can currently only enable email as an alternate login ID using PowerShell or the Microsoft Graph API. You need *Global Administrator* privileges to complete the following steps:
160160

161161
1. Open a PowerShell session as an administrator, then install the *Microsoft.Graph* module using the `Install-Module` cmdlet:
162162

@@ -274,7 +274,7 @@ Remove-MgPolicyHomeRealmDiscoveryPolicy -HomeRealmDiscoveryPolicyId "HRD_POLICY_
274274
Staged rollout policy allows tenant administrators to enable features for specific Azure AD groups. It is recommended that tenant administrators use staged rollout to test user sign-in with an email address. When administrators are ready to deploy this feature to their entire tenant, they should use [HRD policy](#enable-user-sign-in-with-an-email-address).
275275

276276

277-
You need *global administrator* permissions to complete the following steps:
277+
You need *Global Administrator* permissions to complete the following steps:
278278

279279
1. Open a PowerShell session as an administrator, then install the *AzureADPreview* module using the [Install-Module][Install-Module] cmdlet:
280280

@@ -284,7 +284,7 @@ You need *global administrator* permissions to complete the following steps:
284284
285285
If prompted, select **Y** to install NuGet or to install from an untrusted repository.
286286
287-
1. Sign in to your Azure AD tenant as a *global administrator* using the [Connect-AzureAD][Connect-AzureAD] cmdlet:
287+
1. Sign in to your Azure AD tenant as a *Global Administrator* using the [Connect-AzureAD][Connect-AzureAD] cmdlet:
288288
289289
```powershell
290290
Connect-AzureAD
@@ -379,7 +379,7 @@ Within a tenant, a cloud-only user's UPN may take on the same value as another u
379379
380380
If prompted, select **Y** to install NuGet or to install from an untrusted repository.
381381
382-
1. Sign in to your Azure AD tenant as a *global administrator* using the [Connect-AzureAD][Connect-AzureAD] cmdlet:
382+
1. Sign in to your Azure AD tenant as a *Global Administrator* using the [Connect-AzureAD][Connect-AzureAD] cmdlet:
383383
384384
```powershell
385385
Connect-AzureAD

articles/active-directory/authentication/tutorial-enable-sspr.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ services: active-directory
55
ms.service: active-directory
66
ms.subservice: authentication
77
ms.topic: tutorial
8-
ms.date: 01/29/2023
8+
ms.date: 01/30/2023
99
ms.author: justinha
1010
author: justinha
1111
ms.reviewer: tilarso
@@ -143,6 +143,10 @@ If you no longer want to use the SSPR functionality you have set up as part of t
143143

144144
This section explains common questions from administrators and end-users who try SSPR:
145145

146+
- Why aren't on-premises password policies displayed during SSPR?
147+
148+
At this time, Azure AD Connect and cloud sync don't support sharing password policy details with the cloud. SSPR only displays the cloud password policy details, and can't show on-premises policies.
149+
146150
- Why do federated users wait up to 2 minutes after they see **Your password has been reset** before they can use passwords that are synchronized from on-premises?
147151

148152
For federated users whose passwords are synchronized, the source of authority for the passwords is on-premises. As a result, SSPR updates only the on-premises passwords. Password hash synchronization back to Azure AD is scheduled for every 2 minutes.
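Review bot: The new answer at 148 says which policy SSPR displays but not which policy the new password is actually checked against. Since the following entry notes that on-premises is the source of authority for synchronized passwords, add a sentence telling users that a password meeting the displayed cloud policy can still be rejected by the on-premises policy, if that is the behavior. Also consider replacing "At this time" with wording that won't go stale.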

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -193,6 +193,12 @@ With inbound settings, you select which external users and groups will be able t
193193

194194
1. Select **Save**.
195195

196+
### Allow users to sync into this tenant
197+
198+
If you select **Inbound access** of the added organization, you'll see the **Cross-tenant sync (Preview)** tab and the **Allow users sync into this tenant** check box. Cross-tenant synchronization is a one-way synchronization service in Azure AD that automates creating, updating, and deleting B2B collaboration users across tenants in an organization. For more information, see [Configure cross-tenant synchronization](../../active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md) and the [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations).
199+
200+
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-sync-tab.png" alt-text="Screenshot that shows the Cross-tenant sync tab with the Allow users sync into this tenant check box." lightbox="media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-sync-tab.png":::
201+
196202
## Modify outbound access settings
197203

198204
With outbound settings, you select which of your users and groups will be able to access the external applications you choose. Whether you're configuring default settings or organization-specific settings, the steps for changing outbound cross-tenant access settings are the same. As described in this section, you'll navigate to either the **Default** tab or an organization on the **Organizational settings** tab, and then make your changes.
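Review bot: The new heading at 196 reads "Allow users to sync into this tenant", while the body and the image alt text at 198-200 name the check box **Allow users sync into this tenant**. Use the exact UI label in all three places, or confirm the label really omits "to". The paragraph also describes the tab without saying what selecting the check box permits; one sentence on its effect for inbound access would help an admin decide whether to enable it.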

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -187,6 +187,9 @@ With inbound settings, you select which external users and groups will be able t
187187

188188
1. Select **Save**.
189189

190+
> [!NOTE]
191+
> When configuring settings for an organization, you'll notice a **Cross-tenant sync (Preview)** tab. This tab doesn't apply to your B2B direct connect configuration. Instead, this feature is used by multi-tenant organizations to enable B2B collaboration across their tenants. For more information, see the [multi-tenant organization documentation](/azure/active-directory/multi-tenant-organizations).
192+
190193
## Modify outbound access settings
191194

192195
With outbound settings, you select which of your users and groups will be able to access the external applications you choose. The detailed steps for modifying outbound cross-tenant access settings are the same whether you're configuring default or organization-specific settings. As described in this section, navigate to the **Default** tab or an organization on the **Organizational settings** tab, and then make your changes.

articles/active-directory/external-identities/external-identities-overview.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,8 @@ The following capabilities make up External Identities:
2929

3030
- **Azure AD B2C** - Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access management.
3131

32+
- **Azure AD multi-tenant organization** - Collaborate with multiple tenants in a single Azure AD organization via cross-tenant synchronization.
33+
3234
Depending on how you want to interact with external organizations and the types of resources you need to share, you can use a combination of these capabilities.
3335

3436
![External Identities overview diagram.](media/external-identities-overview/external-identities-b2b-overview.png)
@@ -87,6 +89,8 @@ The following table gives a detailed comparison of the scenarios you can enable
8789
| **Branding** | Host/inviting organization's brand is used. | For sign-in screens, the user’s home organization brand is used. In the shared channel, the resource organization's brand is used. | Fully customizable branding per application or organization. |
8890
| **More information** | [Blog post](https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/), [Documentation](what-is-b2b.md) | [Documentation](b2b-direct-connect-overview.md) | [Product page](https://azure.microsoft.com/services/active-directory-b2c/), [Documentation](../../active-directory-b2c/index.yml) |
8991

92+
Based on your organization’s requirements you might use cross-tenant synchronization (preview) in multi-tenant organizations. For more information about this new feature, see the [multi-tenant organization documentation](/azure/active-directory/multi-tenant-organizations) and the [feature comparison](../multi-tenant-organizations/overview.md#compare-multi-tenant-capabilities).
93+
9094
## Managing External Identities features
9195

9296
Azure AD B2B collaboration and B2B direct connect are features Azure AD, and they're managed in the Azure portal through the Azure Active Directory service. To control inbound and outbound collaboration, you can use a combination of *cross-tenant access settings* and *external collaboration settings*.
@@ -101,6 +105,8 @@ Cross-tenant access settings let you manage B2B collaboration and B2B direct con
101105

102106
For more information, see [Cross-tenant access in Azure AD External Identities](cross-tenant-access-overview.md).
103107

108+
Azure AD has a new feature for multi-tenant organizations called cross-tenant synchronization (preview), which allows for a seamless collaboration experience across Azure AD tenants. Cross-tenant synchronization settings are configured under the **Organization-specific access settings**. To learn more about multi-tenant organizations and cross-tenant synchronization see the [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations).
109+
104110
### Microsoft cloud settings for B2B collaboration (preview)
105111

106112
Microsoft Azure cloud services are available in separate national clouds, which are physically isolated instances of Azure. Increasingly, organizations are finding the need to collaborate with organizations and users across global cloud and national cloud boundaries. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following Microsoft Azure clouds:
@@ -162,8 +168,13 @@ Organizations can enforce Conditional Access policies for external B2B collabora
162168

163169
If you offer a Software as a Service (SaaS) application to many organizations, you can configure your application to accept sign-ins from any Azure Active Directory (Azure AD) tenant. This configuration is called making your application multi-tenant. Users in any Azure AD tenant will be able to sign in to your application after consenting to use their account with your application. See how to [enable multitenant sign-ins](../develop/howto-convert-app-to-be-multi-tenant.md).
164170

171+
### Multi-tenant organizations
172+
173+
A multi-tenant organization is an organization that has more than one instance of Azure AD. There are various reasons for [multi-tenancy](../../active-directory/multi-tenant-organizations/overview.md#what-is-a-multi-tenant-organization), like using multiple clouds or having multiple geographical boundaries. Multi-tenant organizations use a one-way synchronization service in Azure AD, called [cross-tenant synchronization](../../active-directory/multi-tenant-organizations/overview.md#cross-tenant-synchronization-preview). Cross-tenant synchronization enables seamless collaboration for a multi-tenant organization. It improves user experience and ensures that users can access resources, without receiving an invitation email and having to accept a consent prompt in each tenant. Cross-tenant synchronization is currently in preview.
174+
165175
## Next steps
166176

167177
- [What is Azure AD B2B collaboration?](what-is-b2b.md)
168178
- [What is Azure AD B2B direct connect?](b2b-direct-connect-overview.md)
169179
- [About Azure AD B2C](../../active-directory-b2c/overview.md)
180+
- [About Azure AD multi-tenant organizations](../../active-directory/multi-tenant-organizations/overview.md)
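Review bot: The links added at 173 and 180 use `../../active-directory/multi-tenant-organizations/overview.md`, while line 92 of this same file reaches the same article with `../multi-tenant-organizations/overview.md`. Pick one form so the paths stay consistent within the file; the shorter one matches the file's location under `articles/active-directory/external-identities/`. Line 173 also says users get access without an invitation email or consent prompt, so link to where that behavior is configured.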

articles/active-directory/external-identities/index.yml

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -85,4 +85,19 @@ landingContent:
8585
- text: Add a self-service sign-up user flow
8686
url: self-service-sign-up-user-flow.md
8787
- text: Define custom attributes for user flows
88-
url: user-flow-add-custom-attributes.md
88+
url: user-flow-add-custom-attributes.md
89+
- title: Multi-tenant organizations
90+
linkLists:
91+
- linkListType: overview
92+
links:
93+
- text: What is a multi-tenant organization in Azure AD?
94+
url: ../../active-directory/multi-tenant-organizations/overview.md
95+
- linkListType: concept
96+
links:
97+
- text: Topologies for cross-tenant synchronization
98+
url: ../../active-directory/multi-tenant-organizations/cross-tenant-synchronization-topology.md
99+
- linkListType: how-to-guide
100+
links:
101+
- text: Configure cross-tenant synchronization
102+
url: ../../active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview.md
103+
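Review bot: At 101-102 the link text "Configure cross-tenant synchronization" points to `cross-tenant-synchronization-overview.md`, but `cross-tenant-access-settings-b2b-collaboration.md` in this commit links the same title to `cross-tenant-synchronization-configure.md`. The how-to-guide entry most likely should use the `-configure.md` article. Line 88 is also removed and re-added with identical text, which suggests a whitespace or end-of-file newline change; confirm the file ends with a newline.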