Commit 6649afc

Merge branch 'main' into release-ga-ddos-ip
2 parents b4fd204 + 9d02b46 commit 6649afc

250 files changed

+3259
-1837
lines changed

.openpublishing.publish.config.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -996,7 +996,7 @@
996996
"articles/iot-develop/.openpublishing.redirection.iot-develop.json",
997997
"articles/iot-dps/.openpublishing.redirection.iot-dps.json",
998998
"articles/iot-edge/.openpublishing.redirection.iot-edge.json",
999-
"articles/iot-fundamentals/.openpublishing.redirection.iot-fundamentals.json",
999+
"articles/iot/.openpublishing.redirection.iot.json",
10001000
"articles/iot-hub/.openpublishing.redirection.iot-hub.json",
10011001
"articles/load-testing/.openpublishing.redirection.azure-load-testing.json",
10021002
"articles/logic-apps/.openpublishing.redirection.logic-apps.json",
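Review bot: The replacement entry `articles/iot/.openpublishing.redirection.iot.json` is left in the slot of the old `iot-fundamentals` entry, between `iot-edge` and `iot-hub`; if this list is kept sorted, it belongs before `iot-develop`. Also confirm the merge contains the renamed redirection file, since the build config now points at a path whose creation this page does not show.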

.openpublishing.redirection.azure-monitor.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -45,6 +45,11 @@
4545
"redirect_url": "/azure/azure-monitor/app/app-insights-overview",
4646
"redirect_document_id": false
4747
},
48+
{
49+
"source_path_from_root": "/articles/azure-monitor/app/console.md",
50+
"redirect_url": "/previous-versions/azure/azure-monitor/app/console",
51+
"redirect_document_id": false
52+
},
4853
{
4954
"source_path_from_root": "/articles/azure-monitor/app/resource-manager-web-app.md",
5055
"redirect_url": "/previous-versions/azure/azure-monitor/app/resource-manager-web-app",

.openpublishing.redirection.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12510,12 +12510,12 @@
1251012510
},
1251112511
{
1251212512
"source_path_from_root": "/articles/security/fundamentals/iot-overview.md",
12513-
"redirect_url": "/azure/iot-fundamentals/iot-security-architecture",
12513+
"redirect_url": "/azure/iot/iot-security-architecture",
1251412514
"redirect_document_id": false
1251512515
},
1251612516
{
1251712517
"source_path_from_root": "/articles/security/fundamentals/iot-best-practices.md",
12518-
"redirect_url": "/azure/iot-fundamentals/iot-security-best-practices",
12518+
"redirect_url": "/azure/iot/iot-security-best-practices",
1251912519
"redirect_document_id": false
1252012520
},
1252112521
{
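Review bot: Both `redirect_url` values now point into `/azure/iot/`, but nothing visible here covers readers who still arrive at the old `/azure/iot-fundamentals/iot-security-architecture` and `/azure/iot-fundamentals/iot-security-best-practices` URLs. Check that the new `articles/iot/.openpublishing.redirection.iot.json` carries redirects for those paths so existing links to the IoT security guidance do not break.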

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
2525
- A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server, with connectivity to the target application, and with outbound connectivity to login.microsoftonline.com, other Microsoft Online Services and Azure domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy.
2626

2727
## Deploying Azure AD provisioning agent
28-
The Azure AD Provisioning agent can be deployed on the same server hosting a SCIM enabled application, or a seperate server, providing it has line of sight to the application's SCIM endpoint. A single agent also supports provision to multiple applications hosted locally on the same server or seperate hosts, again as long as each SCIM endpoint is reachable by the agent.
28+
The Azure AD Provisioning agent can be deployed on the same server hosting a SCIM enabled application, or a separate server, providing it has line of sight to the application's SCIM endpoint. A single agent also supports provision to multiple applications hosted locally on the same server or separate hosts, again as long as each SCIM endpoint is reachable by the agent.
2929

3030
1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM application endpoint is hosted on.
3131
2. Run the provisioning agent installer, agree to the terms of service, and select **Install**.
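Review bot: While this sentence is being touched for the spelling fix, the added line still reads "supports provision to multiple applications" and "SCIM enabled application"; suggest "supports provisioning to multiple applications" and "SCIM-enabled". "Line of sight" could also be stated as network connectivity to the SCIM endpoint, matching the connectivity wording in the prerequisites line above it.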

articles/active-directory/app-provisioning/provision-on-demand.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -173,6 +173,7 @@ There are currently a few known limitations to on-demand provisioning. Post your
173173
* Restoring a previously soft-deleted user in the target tenant with on-demand provisioning isn't supported. If you try to soft delete a user with on-demand provisioning and then restore the user, it can result in duplicate users.
174174
* On-demand provisioning of roles isn't supported.
175175
* On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users won't appear when you search for a user.
176+
* On-demand provisioning does not support nested groups that are not directly assigned to the application.
176177

177178
## Next steps
178179
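Review bot: The added bullet uses "does not" and "are not" while every neighbouring bullet in this list uses contractions ("isn't", "doesn't", "won't"); suggest "doesn't support nested groups that aren't directly assigned to the application" for consistency. It would also help to say what happens to members of such nested groups (skipped, or an error), as the other limitations describe the outcome.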

articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,12 +6,12 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 01/29/2023
9+
ms.date: 03/23/2023
1010

1111
ms.author: justinha
1212
author: justinha
1313
manager: amycolannino
14-
ms.reviewer: jsimmons
14+
ms.reviewer: mimanans
1515

1616
ms.collection: M365-identity-device-management
1717
---
@@ -95,6 +95,7 @@ The following core requirements apply:
9595

9696
> [!NOTE]
9797
> Some endpoints, such as the CRL endpoint, are not addressed in this article. For a list of all supported endpoints, see [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online).
98+
>In addition, other endpoints are required for Azure portal authentication. For more information, see [Azure portal URLs for proxy bypass](/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud#azure-portal-urls-for-proxy-bypass).
9899
99100
### Azure AD Password Protection DC agent
100101
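Review bot: The added line starts with `>In addition` without the space after `>` that the two note lines above it use, and it follows the previous sentence with no blank `>` line, so it will render as a continuation of the same paragraph. Suggest `> In addition, ...` preceded by a bare `>` line. The link also hard-codes `?tabs=public-cloud`, which pins readers in other clouds to the public-cloud list; consider dropping the query string.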

@@ -248,6 +249,8 @@ To install the Azure AD Password Protection proxy service, complete the followin
248249

249250
Registration of the Azure AD Password Protection proxy service is necessary only once in the lifetime of the service. After that, the Azure AD Password Protection proxy service will automatically perform any other necessary maintenance.
250251

252+
1. To make sure that the changes have taken effect, run `Test-AzureADPasswordProtectionDCAgentHealth -TestAll`. For help resolving errors, see [Troubleshoot: On-premises Azure AD Password Protection](howto-password-ban-bad-on-premises-troubleshoot.md).
253+
251254
1. Now register the on-premises Active Directory forest with the necessary credentials to communicate with Azure by using the `Register-AzureADPasswordProtectionForest` PowerShell cmdlet.
252255

253256
> [!NOTE]
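Review bot: The added verification step in the proxy registration procedure runs `Test-AzureADPasswordProtectionDCAgentHealth -TestAll`, which is the DC agent health check, not a check of the proxy service that was just registered. The step sits before the forest is registered, so `Test-AzureADPasswordProtectionProxyHealth -TestAll` looks like the intended cmdlet; if the DC agent cmdlet is intended, say on which machine it should be run.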
@@ -301,6 +304,8 @@ To install the Azure AD Password Protection proxy service, complete the followin
301304
302305
For `Register-AzureADPasswordProtectionForest` to succeed, at least one DC running Windows Server 2012 or later must be available in the Azure AD Password Protection proxy server's domain. The Azure AD Password Protection DC agent software doesn't have to be installed on any domain controllers prior to this step.
303306

307+
1. To make sure that the changes have taken effect, run `Test-AzureADPasswordProtectionDCAgentHealth -TestAll`. For help resolving errors, see [Troubleshoot: On-premises Azure AD Password Protection](howto-password-ban-bad-on-premises-troubleshoot.md).
308+
304309
### Configure the proxy service to communicate through an HTTP proxy
305310

306311
If your environment requires the use of a specific HTTP proxy to communicate with Azure, use the following steps to configure the Azure AD Password Protection service.
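Review bot: The added step's `Test-AzureADPasswordProtectionDCAgentHealth -TestAll` contradicts the context line directly above it, which says the DC agent software doesn't have to be installed on any domain controllers before this point, so a reader following the steps in order may have no DC agent to test. Either name a proxy-side check here or move this verification to after the DC agent installation. The identical sentence is also added after the proxy registration step; consider whether both copies are needed.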

articles/active-directory/develop/troubleshoot-required-resource-access-limits.md

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ ms.reviewer: phsignor, jawoods
1414

1515
# Troubleshooting the configured permissions limits
1616

17-
The `RequiredResourceAccess` collection (RRA) on an application object contains all the configured API permissions that an app requires for its default consent request. This collection has various limits depending on which types of identities the app supports, For more information on the limits for supported account types, see [Validation differences by supported account types](supported-accounts-validation.md).
17+
The `RequiredResourceAccess` collection (RRA) on an application object contains all the configured API permissions that an app requires for its default consent request. This collection has various limits depending on which types of identities the app supports. For more information on the limits for supported account types, see [Validation differences by supported account types](supported-accounts-validation.md).
1818

1919
The limits on maximum permissions were updated in May 2022, so some apps may have more permissions in their RRA than are now allowed. In addition, apps that change their supported account types after configuring permissions may exceed the limits of the new setting. When apps exceed the configured permissions limit, no new permissions may be added until the number of permissions in the `RequiredResourceAccess` collection is brought back under the limits.
2020

@@ -35,7 +35,6 @@ If you still need the application or are unsure, the following steps will help y
3535
1. **Remove duplicate permissions.** In some cases, the same permission is listed multiple times. Review the required permissions and remove permissions that are listed two or more times. See the related PowerShell script on the [additional resources](#additional-resources) section of this article.
3636
2. **Remove unused permissions.** Review the permissions required by the application and compare them to what the application or service does. Remove permissions that are configured in the app registration, but which the application or service doesn’t require. For more information on how to review permissions, see [Review application permissions](../manage-apps/manage-application-permissions.md)
3737
3. **Remove redundant permissions.** In many APIs, including Microsoft Graph, some permissions aren't necessary when other more privileged permissions are included. For example, the Microsoft Graph permission User.Read.All (read all users) isn't needed when an application also has User.ReadWrite.All (read, create and update all users). To learn more about Microsoft Graph permissions, see [Microsoft Graph permissions reference](/graph/permissions-reference).
38-
4. **Use multiple app registrations.** If a single app or service requires more than 400 permissions in the required permissions list, the app will need to be configured to use two (or more) different app registrations, each one with 400 or fewer permissions configured on the app registration.
3938

4039
## Frequently asked questions (FAQ)
4140
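Review bot: Deleting step 4 ("Use multiple app registrations") removes the only option in this list for an app that still exceeds the limit after steps 1 to 3, and the hunk gives no replacement. If the guidance is being withdrawn on purpose, say what such apps should do instead and check that the FAQ below does not still refer to splitting registrations. Step 2 in the context is also missing its closing period.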

@@ -147,4 +146,4 @@ process {
147146

148147
- Learn about API permissions and the Microsoft identity platform: [Overview of permissions and consent in the Microsoft identity platform](permissions-consent-overview.md)
149148
- Understand the permissions available for Microsoft Graph: [Microsoft Graph permissions reference](/graph/permissions-reference)
150-
- Review the limitations to application configurations: [Validation differences by supported account types](supported-accounts-validation.md)
149+
- Review the limitations to application configurations: [Validation differences by supported account types](supported-accounts-validation.md)

articles/active-directory/manage-apps/add-application-portal-assign-users.md

Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -8,50 +8,51 @@ ms.service: active-directory
88
ms.subservice: app-mgmt
99
ms.topic: quickstart
1010
ms.workload: identity
11-
ms.date: 03/24/2022
11+
ms.date: 03/23/2023
1212
ms.author: jomondi
1313
ms.reviewer: alamaral
14-
ms.custom: mode-other
14+
ms.custom: mode-other, enterprise-apps
1515
#Customer intent: As an administrator of an Azure AD tenant, I want to assign a user to an enterprise application.
1616
---
1717

1818
# Quickstart: Create and assign a user account
1919

2020
In this quickstart, you use the Azure portal to create a user account in your Azure Active Directory (Azure AD) tenant. After you create the account, you can assign it to the enterprise application that you added to your tenant.
2121

22-
It is recommended that you use a non-production environment to test the steps in this quickstart.
22+
It's recommended that you use a nonproduction environment to test the steps in this quickstart.
2323

2424
## Prerequisites
2525

2626
To create a user account and assign it to an enterprise application, you need:
2727

2828
- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
29-
- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
29+
- One of the following roles: Global Administrator, or owner of the service principal.
3030
- Completion of the steps in [Quickstart: Add an enterprise application](add-application-portal.md).
3131

3232
## Create a user account
3333

3434
To create a user account in your Azure AD tenant:
3535

3636
1. Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
37-
1. Browse to **Azure Active Directory** > **Users**.
37+
1. Browse to **Azure Active Directory** and select **Users**.
3838
1. Select **New user** at the top of the pane.
3939

4040
:::image type="content" source="media/add-application-portal-assign-users/new-user.png" alt-text="Add a new user account to your Azure AD tenant.":::
4141

4242
1. In the **User name** field, enter the username of the user account. For example, `[email protected]`. Be sure to change `contoso.com` to the name of your tenant domain.
4343
1. In the **Name** field, enter the name of the user of the account. For example, `contosouser1`.
44-
1. Leave **Auto-generate password** selected, and then select **Show password**. Write down the value that's displayed in the Password box.
44+
1. Enter the details required for the user under the **Groups and roles**, **Settings**, and **Job info** sections.
4545
1. Select **Create**.
4646

4747
## Assign a user account to an enterprise application
4848

4949
To assign a user account to an enterprise application:
5050

51-
1. In the [Azure portal](https://portal.azure.com), browse to **Azure Active Directory** > **Enterprise applications**, and then search for and select the application to which you want to assign the user account. For example, the application that you created in the previous quickstart named **Azure AD SAML Toolkit 1**.
51+
1. In the [Azure portal](https://portal.azure.com), browse to **Azure Active Directory** and select **Enterprise applications**.
52+
1. Search for and select the application to which you want to assign the user account. For example, the application that you created in the previous quickstart named **Azure AD SAML Toolkit 1**.
5253
1. In the left pane, select **Users and groups**, and then select **Add user/group**.
5354

54-
:::image type="content" source="media/add-application-portal-assign-users/assign-user.png" alt-text="Assign user account to zn application in your Azure AD tenant.":::
55+
:::image type="content" source="media/add-application-portal-assign-users/assign-user.png" alt-text="Assign user account to an application in your Azure AD tenant.":::
5556

5657
1. On the **Add Assignment** pane, select **None Selected** under **Users and groups**.
5758
1. Search for and select the user that you want to assign to the application. For example, `[email protected]`.
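Review bot: The prerequisites line now lists only "Global Administrator, or owner of the service principal", dropping Cloud Application Administrator and Application Administrator, which steers readers toward the most privileged role for a task the previous text allowed with narrower ones. If those roles can still perform these steps, keep them listed; if not, explain why. Separately, the step that replaces "Leave **Auto-generate password** selected" no longer tells the reader how the new account's password is set or retrieved, and "Global Administrator, or owner" does not need the comma now that only two items remain.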
@@ -60,7 +61,7 @@ To assign a user account to an enterprise application:
6061

6162
## Clean up resources
6263

63-
If you are planning to complete the next quickstart, keep the application that you created. Otherwise, you can consider deleting it to clean up your tenant.
64+
If you're planning to complete the next quickstart, keep the application that you created. Otherwise, you can consider deleting it to clean up your tenant.
6465

6566
## Next steps
6667
