Merge pull request #180194 from MicrosoftDocs/master

Merge Master to Live, 4 AM

Author: PMEds28

articles/active-directory/authentication/how-to-authentication-find-coverage-gaps.md

@@ -47,16 +47,14 @@ Based on gaps you found, require administrators to use multi-factor authenticati
 
 - Run the [MFA enablement wizard](https://aka.ms/MFASetupGuide) to choose your MFA policy.
 
-- If you assign custom or built-in admin roles in [Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure), require multi-factor authentication upon role activation.
+- If you assign custom or built-in admin roles in [Privileged Identity Management](../privileged-identity-management/pim-configure.md), require multi-factor authentication upon role activation.
 
 ## Use Passwordless and phishing resistant authentication methods for your administrators
 
 After your admins are enforced for multi-factor authentication and have been using it for a while, it is time to raise the bar on strong authentication and use Passwordless and phishing resistant authentication method: 
 
 - [Phone Sign-in (with Microsoft Authenticator)](concept-authentication-authenticator-app.md)
 - [FIDO2](concept-authentication-passwordless.md#fido2-security-keys)
-- [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview)
-
-You can read more about these authentication methods and their security considerations in [Azure AD authentication methods](concept-authentication-methods.md).
-
+- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview)
 
+You can read more about these authentication methods and their security considerations in [Azure AD authentication methods](concept-authentication-methods.md).

articles/active-directory/develop/active-directory-enterprise-app-role-management.md

@@ -11,7 +11,7 @@ ms.subservice: develop
 ms.custom: aaddev 
 ms.workload: identity
 ms.topic: how-to
-ms.date: 02/15/2021
+ms.date: 11/11/2021
 ms.author: jeedes
 ---
 
@@ -90,6 +90,9 @@ Use this feature if your application expects custom roles in the SAML response r
 
         If you're using the custom app (not the Azure Marketplace app), you see two default roles: user and msiam_access. For the Marketplace app, msiam_access is the only default role. You don't need to make any changes in the default roles.
 
+        > [!NOTE]
+        > When you are creating multiple roles, please don't modify the default role content just add the new msiam_access block of code for the new role.
+
     1. Generate new roles for your application.
 
         The following JSON is an example of the **appRoles** object. Create a similar object to add the roles that you want for your application.

articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md

@@ -34,7 +34,7 @@ This article assumes that you have [configured hybrid Azure AD-joined devices](h
 
 
 > [!NOTE] 
-> To troubleshoot the common device registration issues, use [Device Registration Troubleshooter Tool](https://aka.ms/DSRegTool).
+> To troubleshoot the common device registration issues, use [Device Registration Troubleshooter Tool](/samples/azure-samples/dsregtool/dsregtool/).
 
 
 ## Troubleshoot join failures
@@ -520,4 +520,4 @@ Use Event Viewer to look for the log entries that are logged by the Azure AD Clo
 ## Next steps
 
 - [Troubleshoot devices by using the `dsregcmd` command](troubleshoot-device-dsregcmd.md).
-- Go to the [Microsoft Error Lookup Tool](/windows/win32/debug/system-error-code-lookup-tool).
+- Go to the [Microsoft Error Lookup Tool](/windows/win32/debug/system-error-code-lookup-tool).

articles/active-directory/external-identities/faq.yml

@@ -188,7 +188,7 @@ sections:
       - question: |
           Can B2B collaboration users sign in with their non-UPN email address?
         answer: |
-          Yes. For more information about email as an alternate login ID for B2B collaboration, see [B2B guest user sign-in with an email address](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-use-email-signin#b2b-guest-user-sign-in-with-an-email-address).
+          Yes. For more information about email as an alternate login ID for B2B collaboration, see [B2B guest user sign-in with an email address](../authentication/howto-authentication-use-email-signin.md#b2b-guest-user-sign-in-with-an-email-address).
 
 additionalContent: |
 

articles/active-directory/fundamentals/whats-new.md

@@ -63,7 +63,7 @@ Previously, we announced that starting October 31, 2021, Microsoft Azure Active
 **Service category:** Conditional Access  
 **Product capability:** End User Experiences
 
-If there's no trust relation between a home and resource tenant, a guest user would have previously been asked to re-register their device, which would break the previous registration. However, the user would end up in a registration loop because only home tenant device registration is supported. In this specific scenario, instead of this loop, we have created a new conditional access blocking page. The page tells the end user that they can't get access to conditional access protected resources as a guest user. [Learn more](https://docs.microsoft.com/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal#prerequisites).
+If there's no trust relation between a home and resource tenant, a guest user would have previously been asked to re-register their device, which would break the previous registration. However, the user would end up in a registration loop because only home tenant device registration is supported. In this specific scenario, instead of this loop, we have created a new conditional access blocking page. The page tells the end user that they can't get access to conditional access protected resources as a guest user. [Learn more](../external-identities/b2b-quickstart-add-guest-users-portal.md#prerequisites).
 
 ---
 
@@ -111,7 +111,7 @@ Flagged sign-ins is a feature that will increase the signal to noise ratio for u
 **Service category:** Device Registration and Management  
 **Product capability:** Device Lifecycle Management
 
-The new Device Overview feature provides actionable insights about devices in your tenant. [Learn more](https://docs.microsoft.com/azure/active-directory/devices/device-management-azure-portal).
+The new Device Overview feature provides actionable insights about devices in your tenant. [Learn more](../devices/device-management-azure-portal.md).
 
 ---
 
@@ -170,7 +170,7 @@ We now support native single sign-on (SSO) support and device-based Conditional
 **Service category:** My Apps  
 **Product capability:** End User Experiences
 
-Apps that have been recently assigned to the user show up with a "new" indicator. When the app is launched or the page is refreshed, this indicator disappears. [Learn more](https://docs.microsoft.com/azure/active-directory/user-help/my-apps-portal-end-user-access).
+Apps that have been recently assigned to the user show up with a "new" indicator. When the app is launched or the page is refreshed, this indicator disappears. [Learn more](/azure/active-directory/user-help/my-apps-portal-end-user-access).
 
 ---
 
@@ -180,7 +180,7 @@ Apps that have been recently assigned to the user show up with a "new" indicator
 **Service category:** B2C - Consumer Identity Management  
 **Product capability:** B2B/B2C
 
-Azure AD B2C customers can now enable custom domains so their end-users are redirected to a custom URL domain for authentication. This is done via integration with Azure Front Door's custom domains capability. [Learn more](https://docs.microsoft.com/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow).
+Azure AD B2C customers can now enable custom domains so their end-users are redirected to a custom URL domain for authentication. This is done via integration with Azure Front Door's custom domains capability. [Learn more](../../active-directory-b2c/custom-domain.md?pivots=b2c-user-flow).
 
 ---
 
@@ -191,7 +191,7 @@ Azure AD B2C customers can now enable custom domains so their end-users are redi
 **Product capability:** Access Control
 
 
-Users in this role can create and manage the enterprise site list required for Internet Explorer mode on Microsoft Edge. This role grants permissions to create, edit, and publish the site list and additionally allows access to manage support tickets. [Learn more](https://docs.microsoft.com/deployedge/edge-ie-mode-cloud-site-list-mgmt)
+Users in this role can create and manage the enterprise site list required for Internet Explorer mode on Microsoft Edge. This role grants permissions to create, edit, and publish the site list and additionally allows access to manage support tickets. [Learn more](/deployedge/edge-ie-mode-cloud-site-list-mgmt)
 
 ---
 
@@ -1268,5 +1268,4 @@ A previous version of the PIM API under `/privilegedaccess` will continue to fun
 
 A new role, Identity Governance Administrator, has recently been introduced. This role will be the replacement for the User Administrator role in managing catalogs and access packages in Azure AD entitlement management. If you have assigned administrators to the User Administrator role or have them activate this role to manage access packages in Azure AD entitlement management, switch to the Identity Governance Administrator role instead. The User Administrator role will no longer be providing administrative rights to catalogs or access packages. [Learn more](../governance/identity-governance-overview.md#appendix---least-privileged-roles-for-managing-in-identity-governance-features).
 
----
-
+---

articles/active-directory/governance/entitlement-management-logic-apps-integration.md

@@ -23,7 +23,7 @@ ms.collection: M365-identity-device-management
 # Trigger custom Logic Apps with Azure AD entitlement management
 
 
-[Azure Logic Apps](https://docs.microsoft.com/azure/logic-apps/logic-apps-overview) can be used to automate custom workflows and connect apps and services in one place. Users can integrate Logic Apps with entitlement management to broaden their governance workflows beyond the core entitlement management use cases.
+[Azure Logic Apps](../../logic-apps/logic-apps-overview.md) can be used to automate custom workflows and connect apps and services in one place. Users can integrate Logic Apps with entitlement management to broaden their governance workflows beyond the core entitlement management use cases.
 
 These Logic Apps can then be triggered to run in accordance with entitlement management use cases such as when an access package is granted or requested. For example, an admin could create and link a custom Logic App to entitlement management so that when a user requests an access package, a Logic App is triggered that ensures the user is also assigned certain characteristics in a 3rd party SAAS app (like Salesforce) or is sent a custom email.
 
@@ -96,7 +96,7 @@ These triggers to Logic Apps are controlled in a new tab within access package p
 
 1. Here, you can view all custom extensions (Logic Apps) that you have added to this Catalog. To edit a Logic App workflow, or to create a workflow for a newly-added Logic App, select the Logic App custom extension under **Endpoint**. This will open Logic App Designer and allow you to create your workflow.  
 
- For more information on creating Logic App workflows, see [Create automated workflows with Azure Logic Apps in the Azure portal](https://docs.microsoft.com/azure/logic-apps/quickstart-create-first-logic-app-workflow).
+ For more information on creating Logic App workflows, see [Create automated workflows with Azure Logic Apps in the Azure portal](../../logic-apps/quickstart-create-first-logic-app-workflow.md).
 
 ## Add custom extension to access package policy 
 

articles/active-directory/identity-protection/concept-identity-protection-risks.md

@@ -37,7 +37,7 @@ Real-time detections may not show up in reporting for five to 10 minutes. Offlin
 
 ### User-linked detections
 
-Risky activity can be detected for a user that isn't linked to a specific malicious sign-in but to the user itself. These risk detections are calculated offline using Microsoft's internal and external threat intelligence sources, like security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.
+Risky activity can be detected for a user that isn't linked to a specific malicious sign-in but to the user itself. 
 
 These risks are calculated offline using Microsoft's internal and external threat intelligence sources including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.
 

articles/active-directory/manage-apps/f5-big-ip-header-advanced.md

@@ -26,7 +26,7 @@ Integrating BIG-IP published applications with Azure AD provides many benefits,
 
 - Manage identities and access from a single control plane - The [Azure portal](https://azure.microsoft.com/features/azure-portal)
 
-To learn about all of the benefits, see the article on [F5 BIG-IP and Azure AD integration](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-aad-integration) and [what is application access and single sign-on with Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
+To learn about all of the benefits, see the article on [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).
 
 ## Scenario description
 
@@ -67,7 +67,7 @@ Prior BIG-IP experience isn't necessary, but you'll need:
 - An Azure AD free subscription or above
 
 - An existing BIG-IP or [deploy a BIG-IP Virtual Edition (VE) in
-    Azure](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-bigip-deployment-guide)
+    Azure](./f5-bigip-deployment-guide.md)
 
 - Any of the following F5 BIG-IP license SKUs
 
@@ -81,15 +81,15 @@ Prior BIG-IP experience isn't necessary, but you'll need:
   - 90-day BIG-IP full feature [trial
     license](https://www.f5.com/trial/big-ip-trial.php).
 
-- User identities [synchronized](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis)
+- User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md)
 from an on-premises directory to Azure AD
 
-- An account with Azure AD application admin [permissions](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator)
+- An account with Azure AD application admin [permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator)
 
-- [SSL certificate](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-bigip-deployment-guide#ssl-profile)
+- [SSL certificate](./f5-bigip-deployment-guide.md#ssl-profile)
 for publishing services over HTTPS or use default certificates while testing
 
-- An existing header-based application or [setup a simple IIS header app](https://docs.microsoft.com/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing
+- An existing header-based application or [setup a simple IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing
 
 ## Deployment modes
 
@@ -105,7 +105,7 @@ should be replaced with those for your actual environment.
 ## Adding F5 BIG-IP from the Azure AD gallery
 
 Setting up a SAML federation trust between BIG-IP APM and Azure AD is one of the first step in implementing secure hybrid access. It establishes the integration required for BIG-IP to hand off pre-authentication and [conditional
-access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) to Azure AD, before granting access to the published service.
+access](../conditional-access/overview.md) to Azure AD, before granting access to the published service.
 
 1. Sign-in to the Azure AD portal using an account with application administrative rights.
 
@@ -164,7 +164,7 @@ access](https://docs.microsoft.com/azure/active-directory/conditional-access/ove
 
    ![Screenshot shows user attributes and claims configuration](./media/f5-big-ip-header-advanced/user-attributes-claims.png)
 
-   Feel free to add any other specific claims your BIG-IP published application might expect as headers. Any claims defined in addition to the default set will only be issued if they exist in Azure AD. In the same way, Directory [roles or group](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-fed-group-claims)
+   Feel free to add any other specific claims your BIG-IP published application might expect as headers. Any claims defined in addition to the default set will only be issued if they exist in Azure AD. In the same way, Directory [roles or group](../hybrid/how-to-connect-fed-group-claims.md)
    memberships also need defining against a user object in Azure AD before they can be issued as a claim.
 
 9. In the **SAML Signing Certificate** section, select the
@@ -173,7 +173,7 @@ access](https://docs.microsoft.com/azure/active-directory/conditional-access/ove
    ![Screenshot shows saml signing certificate](./media/f5-big-ip-header-advanced/saml-signing-certificate.png)
 
 SAML signing certificates created by Azure AD have a lifespan of three years and should be managed using the published
-[guidance](https://docs.microsoft.com/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on).
+[guidance](./manage-certificates-for-federated-single-sign-on.md).
 
 ### Azure AD authorization
 
@@ -431,7 +431,7 @@ For more information refer to these articles:
 
 - [The end of passwords, go password-less](https://www.microsoft.com/security/business/identity/passwordless)
 
-- [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+- [What is Conditional Access?](../conditional-access/overview.md)
 
 - [Microsoft Zero Trust framework to enable remote
-  work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)
+  work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

articles/active-directory/reports-monitoring/overview-flagged-sign-ins.md

@@ -87,7 +87,7 @@ Flagged Sign-ins query for specific user by UPN (e.g.: [email protected]):
 Flagged Sign-ins query for specific user and date greater than:
 `https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=flaggedforReview eq true and createdDateTime ge 2021-10-01 and userPrincipalname eq '[email protected]'`
 
-For more information on using the sign-ins Graph API, see [signIn resource type](https://docs.microsoft.com/graph/api/resources/signin?view=graph-rest-1.0&preserve-view=true).
+For more information on using the sign-ins Graph API, see [signIn resource type](/graph/api/resources/signin?preserve-view=true&view=graph-rest-1.0).
 
 
 
@@ -117,4 +117,4 @@ While the names are similar, **flagged sign-ins** and **risky sign-ins** are dif
 ## Next steps
 
 - [Sign-in logs in Azure Active Directory](concept-sign-ins.md)
-- [Sign in diagnostics for Azure AD scenarios](concept-sign-in-diagnostics-scenarios.md)
+- [Sign in diagnostics for Azure AD scenarios](concept-sign-in-diagnostics-scenarios.md)