
Commit 591ffa4

Merge pull request #178918 from MicrosoftDocs/master
11/05 PM Publish
2 parents 1a0fe16 + 57d2ea4 commit 591ffa4

98 files changed

+1574
-323
lines changed

.openpublishing.redirection.active-directory.json

Lines changed: 3 additions & 3 deletions
@@ -957,7 +957,7 @@
957957
},
958958
{
959959
"source_path_from_root": "/articles/active-directory/active-directory-saas-facebook-at-work-provisioning-tutorial.md",
960-
"redirect_url": "/azure/active-directory/active-directory-saas-workplacebyfacebook-provisioning-tutorial",
960+
"redirect_url": "/azure/active-directory/saas-apps/workplace-by-facebook-provisioning-tutorial",
961961
"redirect_document_id": false
962962
},
963963
{
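Review bot: the new `redirect_url` here is the same target the next hunk sets for the `active-directory-saas-workplacebyfacebook-provisioning-tutorial.md` source path, so both legacy paths now land on one saas-apps article; that is fine as long as only one of the two entries carries `redirect_document_id: true` (this one keeps `false`, the other `true`), which these hunks show. Worth confirming that `/azure/active-directory/saas-apps/workplace-by-facebook-provisioning-tutorial` exists after this commit, otherwise both redirects point at a missing page.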
@@ -9887,7 +9887,7 @@
98879887
},
98889888
{
98899889
"source_path_from_root": "/articles/active-directory/active-directory-saas-workplacebyfacebook-provisioning-tutorial.md",
9890-
"redirect_url": "/azure/active-directory/saas-apps/workplacebyfacebook-provisioning-tutorial",
9890+
"redirect_url": "/azure/active-directory/saas-apps/workplace-by-facebook-provisioning-tutorial",
98919891
"redirect_document_id": true
98929892
},
98939893
{
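Review bot: this entry has `redirect_document_id: true`, so the renamed target `/azure/active-directory/saas-apps/workplace-by-facebook-provisioning-tutorial` must be present in this same commit. The only change is the slug moving from `workplacebyfacebook` to the hyphenated `workplace-by-facebook`, so any TOC entry or cross-reference still using the unhyphenated slug should be updated in the same change.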
@@ -10546,4 +10546,4 @@
1054610546
"redirect_document_id": false
1054710547
}
1054810548
]
10549-
}
10549+
}
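Review bot: the only difference in this hunk is the closing `}` being removed and re-added unchanged, which is a trailing-newline or line-ending change rather than a content change; whitespace-only churn at the end of a 10,000-line redirection file adds review noise and is better normalised once (for example with a repo-wide line-ending setting) than flipped in publish merges.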

articles/active-directory/conditional-access/concept-conditional-access-session.md

Lines changed: 4 additions & 4 deletions
@@ -73,10 +73,10 @@ For more information, see the article [Configure authentication session manageme
7373

7474
[Continuous access evaluation](concept-continuous-access-evaluation.md) is auto enabled as part of an organization's Conditional Access policies. For organizations who wish to disable or strictly enforce continuous access evaluation, this configuration is now an option within the session control within Conditional Access. Continuous access evaluation policies can be scoped to all users or specific users and groups. Admins can make the following selections while creating a new policy or while editing an existing Conditional Access policy.
7575

76-
- **Disable** is accomplished when **All cloud apps** are selected, no conditions are selected, and **Disable** is selected under **Session** > **Customize continuous access evaluation** in a Conditional Access policy.
77-
- **Strict enforcement** means that any critical event and policy will be enforced in real time. All CAE-capable services always get CAE tokens, whatever the client or user might ask for or do. There are two scenarios where CAE won't come into play when strict enforcement mode is turned on:
78-
- Non-CAE capable clients shouldn't get a regular token for CAE-capable services.
79-
- Reject when IP seen by resource provider isn't in the allowed range.
76+
- **Disable** only work when **All cloud apps** are selected, no conditions are selected, and **Disable** is selected under **Session** > **Customize continuous access evaluation** in a Conditional Access policy. You can choose to disable all users or specific users and groups.
77+
- **Strict enforcement** can be used to further strengthen the security benefits from CAE. It will make sure that any critical event and policy will be enforced in real time. There are two additional scenarios where CAE will enforce when strict enforcement mode is turned on:
78+
- Non-CAE capable clients will not be allowed to access CAE-capable services.
79+
- Access will be rejected when client's IP address seen by resource provider isn't in the Conditional Access's allowed range.
8080

8181
> [!NOTE]
8282
> You should only enable strict enforcement after you ensure that all the client applications support CAE and you have included all your IP addresses seen by Azure AD and the resource providers, like Exchange online and Azure Resource Mananger, in your location policy under Conditional Access. Otherwise, users in your tenants could be blocked.
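Review bot: the rewritten bullets have grammar slips to fix before publish: `**Disable** only work when` should read `only works when`, `when client's IP address` needs `the client's IP address`, and `You can choose to disable all users or specific users and groups` reads as disabling the users themselves, where `disable CAE for all users or for specific users and groups` says what is meant. The reframing from "two scenarios where CAE won't come into play" to "two additional scenarios where CAE will enforce" is a substantive change: the bullets now describe blocking behaviour (non-CAE clients denied, requests from IP addresses outside the allowed range rejected), which matches the lock-out warning in the note below. Since that note is the text that tells admins how to avoid blocking their own users, the typo `Azure Resource Mananger` in the unchanged context line is worth fixing in the same pass.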

articles/active-directory/devices/hybrid-azuread-join-managed-domains.md

Lines changed: 2 additions & 2 deletions
@@ -73,7 +73,7 @@ Hybrid Azure AD join requires devices to have access to the following Microsoft
7373
- `https://autologon.microsoftazuread-sso.com` (If you use or plan to use seamless SSO)
7474

7575
> [!WARNING]
76-
> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to `https://device.login.microsoftonline.com` and `https://enterpriseregistration.windows.net`is excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access.
76+
> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access.
7777
7878
If your organization requires access to the internet via an outbound proxy, you can use [implementing Web Proxy Auto-Discovery (WPAD)](/previous-versions/tn-archive/cc995261(v=technet.10)) to enable Windows 10 computers for device registration with Azure AD. To address issues configuring and managing WPAD, see [Troubleshooting Automatic Detection](/previous-versions/tn-archive/cc302643(v=technet.10)). In Windows 10 devices prior to 1709 update, WPAD is the only available option to configure a proxy to work with Hybrid Azure AD join.
7979

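Review bot: the new warning line has a subject-verb agreement error, `traffic to these URLs are excluded` should be `is excluded`, and dropping the two explicit hostnames means `these URLs` now refers to the whole list above, which in this hunk includes `https://autologon.microsoftazuread-sso.com` (seamless SSO). If the intent is to exempt every listed endpoint from TLS break-and-inspect, say so explicitly (`all of the URLs listed above`); if only the device registration endpoints were meant, keep them named, because widening an inspection bypass is a policy decision the reader should not have to infer from a pronoun.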
@@ -224,4 +224,4 @@ If you experience issues completing hybrid Azure AD join for domain-joined Windo
224224

225225
Advance to the next article to learn how to manage device identities by using the Azure portal.
226226
> [!div class="nextstepaction"]
227-
> [Manage device identities](device-management-azure-portal.md)
227+
> [Manage device identities](device-management-azure-portal.md)
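Review bot: `> [Manage device identities](device-management-azure-portal.md)` is removed and re-added with identical text, so this hunk is a line-ending or trailing-newline change only; harmless, but it is worth saying so in the commit message so reviewers do not hunt for a content difference.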

articles/active-directory/external-identities/hybrid-cloud-to-on-premises.md

Lines changed: 5 additions & 13 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: B2B
88
ms.topic: how-to
9-
ms.date: 10/30/2020
9+
ms.date: 11/05/2021
1010

1111
ms.author: mimart
1212
author: msmimart
@@ -44,10 +44,10 @@ To provide B2B users access to on-premises applications that are secured with in
4444
> [!NOTE]
4545
> When you configure the Azure AD Application Proxy, ensure that **Delegated Logon Identity** is set to **User principal name** (default) in the single sign-on configuration for integrated Windows authentication (IWA).
4646
47-
For the B2B user scenario, there are two methods available that you can use to create the guest user objects that are required for authorization in the on-premises directory:
47+
For the B2B user scenario, there are two methods you can use to create the guest user objects that are required for authorization in the on-premises directory:
4848

49-
- Microsoft Identity Manager (MIM) and the MIM management agent for Microsoft Graph.
50-
- [A PowerShell script](#create-b2b-guest-user-objects-through-a-script-preview). Using the script is a more lightweight solution that does not require MIM.
49+
- Microsoft Identity Manager (MIM) and the MIM management agent for Microsoft Graph.
50+
- A PowerShell script, which is a more lightweight solution that does not require MIM.
5151

5252
The following diagram provides a high-level overview of how Azure AD Application Proxy and the generation of the B2B user object in the on-premises directory work together to grant B2B users access to your on-premises IWA and KCD apps. The numbered steps are described in detail below the diagram.
5353

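Review bot: the second bullet loses its link to the `#create-b2b-guest-user-objects-through-a-script-preview` section (deleted further down in this file) but still tells readers that a PowerShell script is the lightweight alternative to MIM without saying where it comes from; either point to where the script can be obtained or drop the bullet, otherwise the page advertises an option it no longer documents.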
@@ -72,20 +72,12 @@ You can manage the on-premises B2B user objects through lifecycle management pol
7272

7373
For information about how to use MIM 2016 Service Pack 1 and the MIM management agent for Microsoft Graph to create the guest user objects in the on-premises directory, see [Azure AD business-to-business (B2B) collaboration with Microsoft Identity Manager (MIM) 2016 SP1 with Azure Application Proxy](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario).
7474

75-
### Create B2B guest user objects through a script (Preview)
76-
77-
There’s a PowerShell sample script available that you can use as a starting point to create the guest user objects in your on-premises Active Directory.
78-
79-
You can download the script and the Readme file from [Connectors for Microsoft Identity Manager 2016 and Forefront Identity Manager 2010 R2](https://www.microsoft.com/download/details.aspx?id=51495). In the download package, choose the **Script and Readme to pull Azure AD B2B users on-prem.zip** file.
80-
81-
Before you use the script, make sure that you review the prerequisites and important considerations in the associated Readme file. Also, understand that the script is made available only as a sample. Your development team or a partner must customize and review the script before you run it.
82-
8375
## License considerations
8476

8577
Make sure that you have the correct Client Access Licenses (CALs) for external guest users who access on-premises apps. For more information, see the "External Connectors" section of [Client Access Licenses and Management Licenses](https://www.microsoft.com/licensing/product-licensing/client-access-license.aspx). Consult your Microsoft representative or local reseller regarding your specific licensing needs.
8678

8779
## Next steps
8880

89-
- [Azure Active Directory B2B collaboration for hybrid organizations](hybrid-organizations.md)
81+
- See also [Azure Active Directory B2B collaboration for hybrid organizations](hybrid-organizations.md)
9082

9183
- For an overview of Azure AD Connect, see [Integrate your on-premises directories with Azure Active Directory](../hybrid/whatis-hybrid-identity.md).
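Review bot: deleting the whole "Create B2B guest user objects through a script (Preview)" section also deletes the guidance that the script is a sample only and must be reviewed and customised by a development team or partner before it is run against on-premises Active Directory; if the sample is being withdrawn, a one-line statement to that effect would stop readers going to look for it, and if it still exists the download pointer and that caveat should stay. Separately, the `Next steps` bullet now starts `See also [...]` while the following bullet keeps the `For an overview ..., see [...]` form; pick one style.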

articles/active-directory/external-identities/invite-internal-users.md

Lines changed: 1 addition & 1 deletion
@@ -34,7 +34,7 @@ Sending an invitation to an existing internal account lets you retain that user
3434
- **On-premises synced users**: For user accounts that are synced between on-premises and the cloud, the on-premises directory remains the source of authority after they’re invited to use B2B collaboration. Any changes you make to the on-premises account will sync to the cloud account, including disabling or deleting the account. Therefore, you can’t prevent the user from signing into their on-premises account while retaining their cloud account by simply deleting the on-premises account. Instead, you can set the on-premises account password to a random GUID or other unknown value.
3535

3636
> [!NOTE]
37-
In Azure AD Connect sync, there’s a default rule that writes the [onPremisesUserPrincipalName attribute](../hybrid/reference-connect-sync-attributes-synchronized.md#notes) to the user object. Because the presence of this attribute can prevent a user from signing in using external credentials, we block internal-to-external conversions for user objects with this attribute. If you’re using Azure AD Connect and you want to be able to invite internal users to B2B collaboration, you'll need to [modify the default rule](../hybrid/how-to-connect-sync-change-the-configuration.md) so the onPremisesUserPrincipalName attribute isn’t written to the user object.
37+
> In Azure AD Connect sync, there’s a default rule that writes the [onPremisesUserPrincipalName attribute](../hybrid/reference-connect-sync-attributes-synchronized.md#notes) to the user object. Because the presence of this attribute can prevent a user from signing in using external credentials, we block internal-to-external conversions for user objects with this attribute. If you’re using Azure AD Connect and you want to be able to invite internal users to B2B collaboration, you'll need to [modify the default rule](../hybrid/how-to-connect-sync-change-the-configuration.md) so the onPremisesUserPrincipalName attribute isn’t written to the user object.
3838
## How to invite internal users to B2B collaboration
3939

4040
You can use PowerShell or the invitation API to send a B2B invitation to the internal user. Make sure the email address you want to use for the invitation is set as the external email address on the internal user object.
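Review bot: adding the missing `>` is the right fix; without it the paragraph sat outside the `> [!NOTE]` blockquote, so the callout rendered empty and the text about the onPremisesUserPrincipalName rule appeared as an ordinary paragraph. The context line after it shows the `## How to invite internal users to B2B collaboration` heading immediately following the note with no blank line between them; a blank line there would keep the callout from being visually glued to the next section.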
