Merge pull request #186866 from billmath/cloud3

staging

Author: Court72

articles/active-directory/cloud-sync/how-to-install-pshell.md

@@ -7,7 +7,7 @@ manager: karenhoran
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 11/16/2020
+ms.date: 01/31/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -29,76 +29,78 @@ The Windows server must have TLS 1.2 enabled before you install the Azure AD Con
 
 ## Install the Azure AD Connect provisioning agent by using PowerShell cmdlets 
 
- 1. Sign in to the Azure portal, and then go to **Azure Active Directory**.
- 1. In the menu on the left, select **Azure AD Connect**.
- 1. Select **Manage provisioning** > **Review all agents**.
- 1. Download the Azure AD Connect provisioning agent from the Azure portal.
-
-    ![Screenshot that shows downloading the on-premises agent.](media/how-to-install/install-9.png)</br>
-
- 1. For the purposes of these instructions, the agent was downloaded to the C:\temp folder. 
- 1. Install ProvisioningAgent in quiet mode.
-
-       ```
-       $installerProcess = Start-Process c:\temp\AADConnectProvisioningAgent.Installer.exe /quiet -NoNewWindow -PassThru 
-       $installerProcess.WaitForExit()  
+ 1. Sign in to the server you'll use with enterprise admin permissions.
+ 2. Sign in to the Azure portal, and then go to **Azure Active Directory**.
+ 3. On the menu on the left, select **Azure AD Connect**.
+ 4. Select **Manage cloud sync**.
+     [![Screenshot that shows manage cloud sync](media/how-to-install/new-install-1.png)](media/how-to-install/new-install-1.png#lightbox)</br>
+ 5. At the top, click **Download agent**.
+    [![Screenshot that the download agent](media/how-to-install/new-install-2.png)](media/how-to-install/new-install-2.png#lightbox)</br>
+ 6. On the right, click **Accept terms and download**.
+ 7. For the purposes of these instructions, the agent was downloaded to the C:\temp folder.
+ 8. Install ProvisioningAgent in quiet mode.
        ```
- 1. Import the Provisioning Agent PS module.
+      $installerProcess = Start-Process 'c:\temp\AADConnectProvisioningAgentSetup.exe' /quiet -NoNewWindow -PassThru 
+      $installerProcess.WaitForExit()
 
        ```
+ 9. Import the Provisioning Agent PS module.
+       ```
        Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.PowerShell.dll" 
        ```
- 1. Connect to Azure AD by using global administrator credentials. You can customize this section to fetch a password from a secure store. 
-
+ 10. Connect to Azure AD by using an account with the hybrid identity role. You can customize this section to fetch a password from a secure store. 
        ```
-       $globalAdminPassword = ConvertTo-SecureString -String "Global admin password" -AsPlainText -Force 
+       $hybridAdminPassword = ConvertTo-SecureString -String "Hybrid identity admin password" -AsPlainText -Force 
     
-       $globalAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("GlobalAdmin@contoso.onmicrosoft.com", $globalAdminPassword) 
+       $hybridAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("HybridIDAdmin@contoso.onmicrosoft.com", $hybridAdminPassword) 
        
-       Connect-AADCloudSyncAzureAD -Credential $globalAdminCreds 
+       Connect-AADCloudSyncAzureAD -Credential $hybridAdminCreds 
        ```
- 1. Add the gMSA account, and provide credentials of the domain admin to create the default gMSA account.
- 
+ 11. Add the gMSA account, and provide credentials of the domain admin to create the default gMSA account.
        ```
        $domainAdminPassword = ConvertTo-SecureString -String "Domain admin password" -AsPlainText -Force 
     
        $domainAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("DomainName\DomainAdminAccountName", $domainAdminPassword) 
     
        Add-AADCloudSyncGMSA -Credential $domainAdminCreds 
        ```
- 1. Or use the preceding cmdlet to provide a pre-created gMSA account.
- 
+ 12. Or use the preceding cmdlet to provide a pre-created gMSA account.
        ```
        Add-AADCloudSyncGMSA -CustomGMSAName preCreatedGMSAName$ 
        ```
- 1. Add the domain.
-
+ 13. Add the domain.
        ```
        $contosoDomainAdminPassword = ConvertTo-SecureString -String "Domain admin password" -AsPlainText -Force 
     
        $contosoDomainAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("DomainName\DomainAdminAccountName", $contosoDomainAdminPassword) 
     
        Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $contosoDomainAdminCreds 
        ```
- 1. Or use the preceding cmdlet to configure preferred domain controllers.
-
+ 14. Or use the preceding cmdlet to configure preferred domain controllers.
        ```
        $preferredDCs = @("PreferredDC1", "PreferredDC2", "PreferredDC3") 
     
        Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $contosoDomainAdminCreds -PreferredDomainControllers $preferredDCs 
        ```
- 1. Repeat the previous step to add more domains. Provide the account names and domain names of the respective domains.
- 
- 1. Restart the service.
- 
+ 15. Repeat the previous step to add more domains. Provide the account names and domain names of the respective domains.
+ 16. Restart the service.
        ```
        Restart-Service -Name AADConnectProvisioningAgent  
        ```
- 1. Go to the Azure portal to create the cloud sync configuration.
+ 17. Go to the Azure portal to create the cloud sync configuration.
 
 ## Provisioning agent gMSA PowerShell cmdlets
 Now that you've installed the agent, you can apply more granular permissions to the gMSA. For information and step-by-step instructions on how to configure the permissions, see [Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md).
 
+## Installing against US govt cloud
+By default, the Azure Active Directory (Azure AD) Connect provisioning agent installs against the default Azure cloud environment.  If you are installing the agent for use in the US government cloud do the following:
+
+- In step #8 above, add **ENVIRONMENTNAME=AzureUSGovernment** to the command line like the example below.
+    ```
+    $installerProcess = Start-Process -FilePath "c:\temp\AADConnectProvisioningAgent.Installer.exe" -ArgumentList "/quiet ENVIRONMENTNAME=AzureUSGovernment" -NoNewWindow -PassThru 
+    $installerProcess.WaitForExit()
+   ```
+
 ## Next steps 
 
 - [What is provisioning?](what-is-provisioning.md)

articles/active-directory/cloud-sync/how-to-install.md

@@ -7,7 +7,7 @@ manager: karenhoran
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 12/13/2021
+ms.date: 01/31/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -22,7 +22,7 @@ This article walks you through the installation process for the Azure Active Dir
 >[!NOTE]
 >This article deals with installing the provisioning agent by using the wizard. For information on installing the Azure AD Connect provisioning agent by using a command-line interface (CLI), see [Install the Azure AD Connect provisioning agent by using a CLI and PowerShell](how-to-install-pshell.md).
 
-For additional information and an example, see the following video.
+For more information and an example, see the following video.
 
 > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWK5mR]
 
@@ -38,36 +38,33 @@ To upgrade an existing agent to use the group Managed Service Account created du
 To install the agent:
 
  1. Sign in to the server you'll use with enterprise admin permissions.
- 1. Sign in to the Azure portal, and then go to **Azure Active Directory**.
- 1. On the menu on the left, select **Azure AD Connect**.
- 1. Select **Manage cloud sync** > **Review all agents**.
- 1. Download the Azure AD Connect provisioning agent from the Azure portal.
- 
-    ![Screenshot that shows Download on-premises agent.](media/how-to-install/install-9.png)</br>
- 1. Accept the terms and select **Download**.
- 1. Run the Azure AD Connect provisioning installer AADConnectProvisioningAgentSetup.msi.
- 1. On the **Microsoft Azure AD Connect Provisioning Agent Package** screen, accept the licensing terms and select **Install**.
- 
-    ![Screenshot that shows the Microsoft Azure AD Connect Provisioning Agent Package screen.](media/how-to-install/install-1.png)</br>
- 1. After this operation finishes, the configuration wizard starts. Sign in with your Azure AD global administrator account.
- 1. On the **Configure Service Account** screen, select either **Create gMSA** or **Use custom gMSA**. If you allow the agent to create the account, it will be named provAgentgMSA$. If you specify **Use custom gMSA**, you're prompted to provide this account.
- 1. Enter the domain admin credentials to create the group Managed Service account that will be used to run the agent service. Select **Next**.
-  
-    ![Screenshot that shows the Create gMSA option.](media/how-to-install/install-12.png)</br>
- 1. On the **Connect Active Directory** screen, select **Add Directory**. Then sign in with your Active Directory administrator account. This operation adds your on-premises directory. 
- 1. Optionally, you can manage the preference of domain controllers the agent will use by selecting the **Select domain controller priority** checkbox and ordering the list of domain controllers. Select **OK**.
- 
-    ![Screenshot that shows ordering the domain controllers.](media/how-to-install/install-2a.png)</br>
- 1. Select **Next**.
- 
-    ![Screenshot that shows the Connect Active Directory screen.](media/how-to-install/install-3a.png)</br>
- 1. On the **Agent installation** screen, confirm settings and the account that will be created and select **Confirm**.
- 
-    ![Screenshot that shows the Confirm settings.](media/how-to-install/install-11.png)</br>
- 1. After this operation finishes, you should see **Your agent installation is complete.** Select **Exit**.
- 
-    ![Screenshot that shows the Configuration complete screen.](media/how-to-install/install-4a.png)</br>
- 1. If you still see the initial **Microsoft Azure AD Connect Provisioning Agent Package** screen, select **Close**.
+ 2. Sign in to the Azure portal, and then go to **Azure Active Directory**.
+ 3. On the menu on the left, select **Azure AD Connect**.
+ 4. Select **Manage cloud sync**.
+     [![Screenshot that shows manage cloud sync](media/how-to-install/new-install-1.png)](media/how-to-install/new-install-1.png#lightbox)</br>
+ 5. At the top, click **Download agent**.
+    [![Screenshot that the download agent](media/how-to-install/new-install-2.png)](media/how-to-install/new-install-2.png#lightbox)</br>
+ 7. On the right, click **Accept terms and download**.
+   [![Screenshot that accept and download](media/how-to-install/new-install-3.png)](media/how-to-install/new-install-3.png#lightbox)</br>
+ 9. Once the agent has completed downloading, click **Open file**.  This will start the installation.
+    [![Screenshot that shows open file](media/how-to-install/new-install-4.png)](media/how-to-install/new-install-4.png#lightbox)</br>
+ 10. On the **Microsoft Azure AD Connect Provisioning Agent Package** screen, accept the licensing terms, and select **Install**.
+  [![Screenshot that shows install](media/how-to-install/new-install-5.png)](media/how-to-install/new-install-5.png#lightbox)</br>
+ 11. After this operation finishes, the configuration wizard starts. Click **Next**.
+ [![Screenshot that shows wizard](media/how-to-install/new-install-6.png)](media/how-to-install/new-install-6.png#lightbox)</br>
+ 13. Sign in with your Azure AD global administrator account.
+ 14. On the **Configure Service Account** screen, select either **Create gMSA**, or **Use custom gMSA**. If you allow the agent to create the account, it will be named **provAgentgMSA$**. If you specify **Use custom gMSA**, you're prompted to provide this account.
+ [![Screenshot that shows create service account](media/how-to-install/new-install-7.png)](media/how-to-install/new-install-7.png#lightbox)</br>
+ 15. Enter the domain administrator credentials to create the group Managed Service account that will be used to run the agent service. Select **Next**.
+  ![Screenshot that shows the Create gMSA option.](media/how-to-install/install-12.png)</br>
+ 16. On the **Connect Active Directory** screen, click **Next**.  Your current domain has been added automatically.  If you wish to add additional domains, enter them and select **Add Directory**. Then sign in with an administrator account from that domain.
+ [![Screenshot that shows connecting to AD](media/how-to-install/new-install-8.png)](media/how-to-install/new-install-8.png#lightbox)</br>
+ 17. Optionally, you can manage the preference of domain controllers the agent will use.  To do this, click **Add Directory** and select the **Select domain controller priority** checkbox and then order the list of domain controllers. Select **OK**.  Click **Next**.
+    [![Screenshot that shows adding domain controller priority](media/how-to-install/new-install-10.png)](media/how-to-install/new-install-10.png#lightbox)</br>
+ 18. On the **Agent installation** screen, confirm settings and the account that will be created and select **Confirm**.
+  [![Screenshot that shows install confirmation](media/how-to-install/new-install-11.png)](media/how-to-install/new-install-11.png#lightbox)</br>
+ 20. After this operation finishes, you should see **Your agent installation is complete.** Select **Exit**.
+ 21. If you still see the initial **Microsoft Azure AD Connect Provisioning Agent Package** screen, select **Close**.
 
 ## Verify agent installation
 Agent verification occurs in the Azure portal and on the local server that's running the agent.
@@ -76,33 +73,27 @@ Agent verification occurs in the Azure portal and on the local server that's run
 To verify the agent is being seen by Azure:
 
  1. Sign in to the Azure portal.
- 1. On the left, select **Azure Active Directory** > **Azure AD Connect**. In the center, select **Manage cloud sync**.
-
+ 2. On the left, select **Azure Active Directory** > **Azure AD Connect**. In the center, select **Manage cloud sync**.
     ![Screenshot that shows the Azure portal.](media/how-to-install/install-6.png)</br>
-
- 1. On the **Azure AD Connect cloud sync** screen, select **Review all agents**.
-
+ 3. On the **Azure AD Connect cloud sync** screen, select **Review all agents**.
     ![Screenshot that shows the Review all agents option.](media/how-to-install/install-7.png)</br>
- 
- 1. On the **On-premises provisioning agents** screen, you see the agents you installed. Verify that the agent in question is there and is marked *active*.
-
+ 4.  On the **On-premises provisioning agents** screen, you see the agents you installed. Verify that the agent in question is there and is marked *active*.
     ![Screenshot that shows On-premises provisioning agents screen.](media/how-to-install/verify-1.png)</br>
 
 ### On the local server
 To verify that the agent is running:
 
 1. Sign in to the server with an administrator account.
-1. Open **Services** by going to it or by selecting **Start** > **Run** > **Services.msc**.
-1. Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are there and their status is *Running*.
-
-    ![Screenshot that shows the Services screen.](media/how-to-install/troubleshoot-1.png)
+2. Open **Services** by going to it or by selecting **Start** > **Run** > **Services.msc**.
+3. Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are present.  Also, ensure the status is *Running*.
+ ![Screenshot that shows the Services screen.](media/how-to-install/troubleshoot-1.png)
 
 >[!IMPORTANT]
 >The agent has been installed, but it must be configured and enabled before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
 
 ## Enable password writeback in Azure AD Connect cloud sync 
 
-To use password writeback and enable the SSPR service to detect the cloud sync agent , you need to use the `Set-AADCloudSyncPasswordWritebackConfiguration` cmdlet and tenant’s global administrator credentials: 
+To use password writeback and enable the self-service password reset (SSPR) service to detect the cloud sync agent, you need to use the `Set-AADCloudSyncPasswordWritebackConfiguration` cmdlet and tenant’s global administrator credentials: 
 
   ```   
    Import-Module "C:\\Program Files\\Microsoft Azure AD Connect Provisioning Agent\\Microsoft.CloudSync.Powershell.dll" 
@@ -111,6 +102,12 @@ To use password writeback and enable the SSPR service to detect the cloud sync a
 
 For more information on using password writeback with Azure AD Connect cloud sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
 
+## Installing against US govt cloud
+By default, the Azure Active Directory (Azure AD) Connect provisioning agent installs against the default Azure cloud environment.  If you are installing the agent for use in the US government cloud do the following:
+
+- In step #7 above, instead of click **Open file**, go to start run and navigate to the **AADConnectProvisioningAgentSetup.exe** file.  In the run box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment** and click **Ok**.
+ [![Screenshot showing US govt cloud install](media/how-to-install/new-install-12.png)](media/how-to-install/new-install-12.png#lightbox)</br>
+
 
 ## Next steps