Merge pull request #106847 from martincoetzer/patch-2

Update active-directory-compare-azure-ad-to-ad.md

Author: PRMerger6

articles/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad.md

@@ -27,7 +27,7 @@ Most IT administrators are familiar with Active Directory Domain Services concep
 |Provisioning: users | Organizations create internal users manually or use an in-house or automated provisioning system, such as the Microsoft Identity Manager, to integrate with an HR system.|Existing AD organizations use [Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis) to sync identities to the cloud.</br> Azure AD adds support to automatically create users from [cloud HR systems](https://docs.microsoft.com/azure/active-directory/saas-apps/workday-tutorial). </br>Azure AD can provision identities in [SCIM enabled](https://docs.microsoft.com/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups) SaaS apps to automatically provide apps with the necessary details to allow access for users. |
 |Provisioning: external identities| Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users)| Azure AD provides a special class of identity to support external identities. [Azure AD B2B](https://docs.microsoft.com/azure/active-directory/b2b/) will manage the link to the external user identity to make sure they are valid. |
 | Entitlement management and groups| Administrators make users members of groups. App and resource owners then give groups access to apps or resources.| [Groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users to a group. </br> Administrators can use [Entitlement management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview) in Azure AD to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria. |
-| Admin management|Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls.| Azure AD provides [built-in roles](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal) with its role-based access control (RBAC) system, as well as, the ability to [create custom roles](https://docs.microsoft.com/azure/active-directory/users-groups-roles/roles-custom-overview) to delegate privileged access to the identity system and the apps and resources it controls. </br>Managing  roles can be enhanced with [Privileged Identity Management (PIM)](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure) to provide just-in-time, time-restricted, or workflow-based access to privileged roles. |
+| Admin management|Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls.| Azure AD provides [built-in roles](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal) with its role-based access control (RBAC) system, with limited support for [creating custom roles](https://docs.microsoft.com/azure/active-directory/users-groups-roles/roles-custom-overview) to delegate privileged access to the identity system, the apps, and resources it controls.</br>Managing  roles can be enhanced with [Privileged Identity Management (PIM)](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure) to provide just-in-time, time-restricted, or workflow-based access to privileged roles. |
 | Credential management| Credentials in Active Directory is based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.|Azure AD uses intelligent [password protection](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad) for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. </br>Azure AD significantly boosts security [through Multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks) and [passwordless](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless) technologies, like FIDO2. </br>Azure AD reduces support costs by providing users a [self-service password reset](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-howitworks) system. |
 | **Apps**|||
 | Infrastructure apps|Active Directory forms the basis for many infrastructure on-premises components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access|In a new cloud world, Azure AD, is the new control plane for accessing apps versus relying on networking controls. When users authenticate[, Conditional access (CA)](https://docs.microsoft.com/azure/active-directory/conditional-access/overview), will control which users, will have access to which apps under required conditions.|