Merge pull request #233861 from MicrosoftDocs/main

Publish to live, Sunday 4 AM PST, 4/9

Author: ttorble

.openpublishing.redirection.active-directory.json

@@ -7234,7 +7234,7 @@
     {
       "source_path_from_root": "/articles/active-directory/active-directory-privileged-identity-management-how-to-add-role-to-user.md",
       "redirect_url": "/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/active-directory/active-directory-privileged-identity-management-how-to-change-default-settings.md",
@@ -7551,6 +7551,11 @@
       "redirect_url": "/azure/active-directory/roles/view-assignments",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/roles/groups-pim-eligible.md",
+      "redirect_url": "/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user",
+      "redirect_document_id": true
+    },
     {
       "source_path_from_root": "/articles/active-directory/users-groups-roles/directory-administrative-units.md",
       "redirect_url": "/azure/active-directory/roles/administrative-units",
@@ -7668,8 +7673,8 @@
     },
     {
       "source_path_from_root": "/articles/active-directory/users-groups-roles/roles-groups-pim-eligible.md",
-      "redirect_url": "/azure/active-directory/roles/groups-pim-eligible",
-      "redirect_document_id": true
+      "redirect_url": "/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user",
+      "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/active-directory/users-groups-roles/roles-groups-remove-assignment.md",

.openpublishing.redirection.json

@@ -1,5 +1,10 @@
 {
     "redirections": [
+        {
+            "source_path": "articles/route-server/routing-preference.md",
+            "redirect_url": "/azure/route-server/overview",
+            "redirect_document_id": false
+        },
         {
             "source_path": "articles/storage/queues/storage-ruby-how-to-use-queue-storage.md",
             "redirect_url": "/previous-versions/azure/storage/queues/storage-ruby-how-to-use-queue-storage",
@@ -22522,7 +22527,11 @@
             "source_path_from_root": "/articles/sentinel/data-connectors/microsoft-defender-threat-intelligence.md",
             "redirect_url": "/azure/sentinel/understand-threat-intelligence",
             "redirect_document_id": false
-        }
-       
+        },
+        {
+            "source_path_from_root": "/articles/principles-for-ai-generated-content.md",
+            "redirect_url": "https://aka.ms/ai-content-principles",
+            "redirect_document_id": false
+        } 
     ]
 }

articles/active-directory-b2c/manage-custom-policies-powershell.md

@@ -7,6 +7,7 @@ manager: CelesteDG
 
 ms.service: active-directory
 ms.workload: identity
+ms.custom: devx-track-azurepowershell
 ms.topic: how-to
 ms.date: 02/14/2020
 ms.author: kengaderdus

articles/active-directory-domain-services/ad-auth-no-join-linux-vm.md

@@ -22,7 +22,7 @@ Currently Linux distribution can work as member of Active Directory domains, whi
 To complete the authentication flow we assume, you already have:
 
 * An Active Directory Domain Services already configured.
-* A Linux VM (for the test we use CentosOS based machine).
+* A Linux VM (**for the test we use CentosOS based machine**).
 * A network infrastructure that allows communication between Active Directory and the Linux VM.
 * A dedicated User Account for read AD objects.
 * The Linux VM need to have these packages installed:
@@ -63,21 +63,21 @@ Review the information that you provided, and if everything is correct, click Fi
 
 On your Linux VM, install the following packages: *sssd sssd-tools sssd-ldap openldap-client*:
 
-```console
-yum install -y sssd sssd-tools sssd-ldap openldap-clients
+```bash
+sudo dnf install -y sssd sssd-tools sssd-ldap openldap-clients
 ```
 
 After the installation check if LDAP search works. In order to check it try an LDAP search following the example below:
 
-```console
-ldapsearch -H ldaps://contoso.com -x \
+```bash
+sudo ldapsearch -H ldaps://contoso.com -x \
         -D CN=ReadOnlyUser,CN=Users,DC=contoso,DC=com -w Read0nlyuserpassword \
         -b CN=Users,DC=contoso,DC=com
 ```
 
 If the LDAP query works fine, you will obtain an output with some information like follow:
 
-```console
+```config
 extended LDIF
 
 LDAPv3
@@ -113,7 +113,7 @@ dSCorePropagationData: 16010101000000.0Z
 > [!NOTE]
 > If your get and error run the following command:
 >
-> ldapsearch -H ldaps://contoso.com -x \
+> sudo ldapsearch -H ldaps://contoso.com -x \
 >       -D CN=ReadOnlyUser,CN=Users,DC=contoso,DC=com -w Read0nlyuserpassword \
 >       -b CN=Users,DC=contoso,DC=com -d 3
 >
@@ -125,13 +125,13 @@ Create */etc/sssd/sssd.conf* with a content like the following. Remember to upda
 
 Command for file creation:
 
-```console
-vi /etc/sssd/sssd.conf
+```bash
+sudo vi /etc/sssd/sssd.conf
 ```
 
 Example sssd.conf:
 
-```bash
+```config
 [sssd]
 config_file_version = 2
 domains = default
@@ -184,14 +184,14 @@ Save the file with *ESC + wq!* command.
 
 Set the permission to sssd.conf to 600 with the following command:
 
-```console
-chmod 600 /etc/sssd/sssd.conf
+```bash
+sudo chmod 600 /etc/sssd/sssd.conf
 ```
 
 After that create an obfuscated password for the Bind DN account. You must insert the Domain password for ReadOnlyUser:
 
-```console
-sss_obfuscate --domain default
+```bash
+sudo sss_obfuscate --domain default
 ```
 
 The password will be placed automatically in the configuration file.
@@ -200,27 +200,27 @@ The password will be placed automatically in the configuration file.
 
 Start the sssd service:
 
-```console
-service sssd start
+```bash
+sudo systemctl start sssd
 ```
 
 Now configure the service with the *authconfig* tool:
 
-```console
-authconfig --enablesssd --enablesssdauth --enablemkhomedir --updateall
+```bash
+sudo authconfig --enablesssd --enablesssdauth --enablemkhomedir --updateall
 ```
 
 At this point restart the service:
 
-```console
-systemctl restart sssd
+```bash
+sudo systemctl restart sssd
 ```
 
 ## Test the configuration
 
 The final step is to check that the flow works properly. To check this, try logging in with one of your AD users in Active Directory. We tried with a user called *ADUser*. If the configuration is correct, you will get the following result:
 
-```console
+```output
 [centosuser@centos8 ~]su - [email protected]
 Last login: Wed Oct 12 15:13:39 UTC 2022 on pts/0
 [ADUser@Centos8 ~]$ exit

articles/active-directory-domain-services/join-windows-vm-template.md

@@ -9,6 +9,7 @@ ms.assetid: 4eabfd8e-5509-4acd-86b5-1318147fddb5
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
+ms.custom: devx-track-arm-template
 ms.topic: how-to
 ms.date: 01/29/2023
 ms.author: justinha

articles/active-directory-domain-services/template-create-instance.md

@@ -8,6 +8,7 @@ manager: amycolannino
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
+ms.custom: devx-track-arm-template
 ms.topic: sample
 ms.date: 01/29/2023
 ms.author: justinha 

articles/active-directory/develop/howto-create-service-principal-portal.md

@@ -10,7 +10,7 @@ ms.subservice: develop
 ms.topic: how-to
 ms.date: 02/01/2023
 ms.author: cwerner
-ms.custom: aaddev, identityplatformtop40, subject-rbac-steps
+ms.custom: aaddev, identityplatformtop40, subject-rbac-steps, devx-track-arm-template
 ---
 
 # Create an Azure Active Directory application and service principal that can access resources
@@ -142,4 +142,4 @@ To configure access policies:
 - Learn how to use [Azure PowerShell](howto-authenticate-service-principal-powershell.md) or [Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli) to create a service principal.
 - To learn about specifying security policies, see [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md).
 - For a list of available actions that can be granted or denied to users, see [Azure Resource Manager Resource Provider operations](../../role-based-access-control/resource-provider-operations.md).
-- For information about working with app registrations by using **Microsoft Graph**, see the [Applications](/graph/api/resources/application) API reference.
+- For information about working with app registrations by using **Microsoft Graph**, see the [Applications](/graph/api/resources/application) API reference.

articles/active-directory/hybrid/migrate-from-federation-to-cloud-authentication.md

@@ -94,7 +94,7 @@ Modern authentication clients (Office 2016 and Office 2013, iOS, and Android app
 
 To plan for rollback, use the [documented current federation settings](#document-current-federation-settings) and check the [federation design and deployment documentation](/windows-server/identity/ad-fs/deployment/windows-server-2012-r2-ad-fs-deployment-guide). 
 
-The rollback process should include converting managed domains to federated domains by using the [Convert-MSOLDomainToFederated](/powershell/module/msonline/convert-msoldomaintofederated) cmdlet. If necessary, configuring extra claims rules.
+The rollback process should include converting managed domains to federated domains by using the [Convert-MSOLDomainToFederated](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration?view=graph-powershell-1.0&preserve-view=true) cmdlet. If necessary, configuring extra claims rules.
 
 ## Migration considerations 
 
@@ -136,7 +136,7 @@ The following table explains the behavior for each option. For more information,
 | rejectMfaByFederatedIdp | Azure AD always performs MFA and rejects MFA that federated identity provider performs. |
 
 >[!NOTE]
-> The **federatedIdpMfaBehavior** setting is an evolved version of the **SupportsMfa** property of the [Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet](/powershell/module/msonline/set-msoldomainfederationsettings). 
+> The **federatedIdpMfaBehavior** setting is an evolved version of the **SupportsMfa** property of the [Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration?view=graph-powershell-1.0&preserve-view=true). 
 
 For domains that have already set the **SupportsMfa** property, these rules determine how **federatedIdpMfaBehavior** and **SupportsMfa** work together:
 
@@ -251,12 +251,13 @@ Sign in to the [Azure portal](https://portal.azure.com/), browse to **Azure Acti
 
 4. On the **User sign-in** page:
 
-    - If you select **Pass-through authentication** option button, check **Enable single sign-on**, and then select **Next**.
+    - If you select **Pass-through authentication** option button, and if SSO is needed for Windows 7 and 8.1 devices, check **Enable single sign-on**, and then select **Next**.
 
-    -  If you select the **Password hash synchronization** option button, make sure to select the **Do not convert user accounts** check box. The option is deprecated. Check **Enable single sign-on**, and then select **Next**.
+    - If you select the **Password hash synchronization** option button, make sure to select the **Do not convert user accounts** check box. The option is deprecated. If SSO is needed for Windows 7 and 8.1 devices, check **Enable single sign-on**, and then select **Next**.
 
       ![Check enable single sign-on on User sign-in page](media/deploy-cloud-user-authentication/user-sign-in.png)
 
+   Learn more: [Enable seamless SSO by using PowerShell](how-to-connect-staged-rollout.md#pre-work-for-seamless-sso). 
 5. On the **Enable single sign-on** page, enter the credentials of a Domain Administrator account, and then select **Next**.
 
     ![Enable single sign-on page](media/deploy-cloud-user-authentication/enable-single-sign-on.png)
@@ -268,6 +269,8 @@ Sign in to the [Azure portal](https://portal.azure.com/), browse to **Azure Acti
 
     The domain administrator credentials aren't stored in Azure AD Connect or Azure AD and get discarded when the process successfully finishes. They are  used to turn ON this feature.
 
+    Learn more: [Seamless SSO technical deep dive.](how-to-connect-sso-how-it-works.md) 
+
 6. On the **Ready to configure** page, make sure that the **Start the synchronization process when configuration completes** check box is selected. Then, select **Configure**.
 
     ![Ready to configure page](media/deploy-cloud-user-authentication/ready-to-configure.png)

articles/active-directory/manage-apps/create-service-principal-cross-tenant.md

@@ -11,10 +11,8 @@ ms.workload: identity
 ms.date: 07/26/2022
 ms.author: jomondi
 ms.reviewer: karavar
-ms.custom: mode-other
+ms.custom: mode-other, devx-track-azurecli
 zone_pivot_groups: enterprise-apps-cli
-
-
 #Customer intent: As an administrator of an Azure AD tenant, I want to create an enterprise application using client ID for a multi-tenant application provided by a service provider or independent software vendor.
 ---
 
@@ -107,4 +105,4 @@ You can use an API client such as [Graph Explorer](https://aka.ms/ge) to work wi
 ## Next steps
 
 - [Add RBAC role to the enterprise application](../../role-based-access-control/role-assignments-portal.md)
-- [Assign users to your application](add-application-portal-assign-users.md)
+- [Assign users to your application](add-application-portal-assign-users.md)

articles/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in.md

@@ -16,6 +16,7 @@ ms.author: barclayn
 ms.collection: M365-identity-device-management 
 ms.tool: azure-cli, azure-powershell
 ms.devlang: azurecli
+ms.custom: devx-track-azurepowershell, devx-track-azurecli
 ---
 
 # How to use managed identities for Azure resources on an Azure VM for sign-in