Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory-b2c/faq.yml

@@ -9,7 +9,7 @@ metadata:
   ms.service: active-directory
   ms.workload: identity
   ms.topic: conceptual
-  ms.date: 09/16/2021
+  ms.date: 10/26/2021
   ms.author: kengaderdus
   ms.subservice: B2C
 
@@ -206,7 +206,15 @@ sections:
           Can I get Azure AD B2C as part of Enterprise Mobility Suite?
         answer: |
           No, Azure AD B2C is a pay-as-you-go Azure service and is not part of Enterprise Mobility Suite.
+          
+      - question: |
+          What Azure AD B2C features are unavailable in Microsoft Azure Government?
+        answer: |
+          The following AD B2C features are currently unavailable in Microsoft Azure Government:
 
+          * API connectors
+          * Conditional Access
+          
       - question: |
           How do I report issues with Azure AD B2C?
         answer: |

articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md

@@ -57,11 +57,11 @@ The following information is provided to better explain the anchor attributes an
 
 The anchor attribute is a unique attribute of an object type that does not change and represents that object in the ECMA Connector Host in-memory cache.
 
-The distinguished name (DN) is a name that uniquely identifies an object by indicating its current location in the directory hierarchy.  Or in the case of SQL, in the partition. The name is formed by concatenating the anchor attribute a the root of the directory partition. 
+The distinguished name (DN) is a name that uniquely identifies an object by indicating its current location in the directory hierarchy.  Or in the case of SQL, in the partition. The name is formed by concatenating the anchor attribute at the root of the directory partition. 
 
 When we think of traditional DNs in a traditional format, for say, Active Directory or LDAP, we think of something similar to:
 
-  CN=Lola Jacobson,CN=Users,DC=contoso,DC=com
+  `CN=Lola Jacobson,CN=Users,DC=contoso,DC=com`
 
 However, for a data source such as SQL, which is flat, not hierarchical, the DN needs to be either already present in one of the table or created from the information we provide to the ECMA Connector Host.  
 

articles/active-directory/app-provisioning/plan-auto-user-provisioning.md

@@ -94,7 +94,7 @@ In this example, users and or groups are created in an HR database connected to
 
 In this example, user creation occurs in Azure AD and the  Azure AD provisioning service manages automatic user provisioning to the target (SaaS) applications.
 
-![Diagram that shows the user/group creation process from an on-premises H R application through the Azure A D Provisioning Service to the target S a a S applications.](./media/plan-auto-user-provisioning/cloudprovisioning.png)
+![Diagram that shows the user/group creation process from an on-premises H R application through the Azure A D Provisioning Service to the target S A A S applications.](./media/plan-auto-user-provisioning/cloudprovisioning.png)
 
 **Description of workflow:**
 

articles/active-directory/conditional-access/concept-conditional-access-grant.md

@@ -157,7 +157,7 @@ The following client apps have been confirmed to support this setting:
 - Nine Mail - Email & Calendar
 
 > [!NOTE]
-> Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the **Require app protection policy** grant. If you require these apps to work, please use the **Require approved apps** grant exclusively. The use of the or clause between the two grants will not work for these three applications.
+> Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the **Require app protection policy** grant. If you require these apps to work, please use the **Require approved apps** grant exclusively. The use of the `or` clause between the two grants will not work for these three applications.
 
 **Remarks**
 

articles/active-directory/conditional-access/concept-conditional-access-policies.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 03/17/2021
+ms.date: 10/26/2021
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -23,17 +23,19 @@ How does an organization create these policies? What is required? How are they a
 
 ![Conditional Access (Signals + Decisions + Enforcement = Policies)](./media/concept-conditional-access-policies/conditional-access-signal-decision-enforcement.png)
 
-Multiple Conditional Access policies may apply to an individual user at any time. In this case, all policies that apply must be satisfied. For example, if one policy requires multi-factor authentication (MFA) and another requires a compliant device, you must complete MFA, and use a compliant device. All assignments are logically **ANDed**. If you have more than one assignment configured, all assignments must be satisfied to trigger a policy.
+Multiple Conditional Access policies may apply to an individual user at any time. In this case, all policies that apply must be satisfied. For example, if one policy requires multi-factor authentication (MFA) and another requires a compliant device, you must complete MFA, and use a compliant device. All assignments are logically **ANDed**. If you've more than one assignment configured, all assignments must be satisfied to trigger a policy.
+
+If a policy where "Require one of the selected controls" is selected, we prompt in the order defined, as soon as the policy requirements are satisfied, access is granted.
 
 All policies are enforced in two phases:
 
 - Phase 1: Collect session details 
    - Gather session details, like network location and device identity that will be necessary for policy evaluation. 
    - Phase 1 of policy evaluation occurs for enabled policies and policies in [report-only mode](concept-conditional-access-report-only.md).
 - Phase 2: Enforcement 
-   - Use the session details gathered in phase 1 to identify any requirements that have not been met. 
-   - If there is a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked. 
-   - The user will be prompted to complete additional grant control requirements that were not satisfied during phase 1 in the following order, until policy is satisfied:  
+   - Use the session details gathered in phase 1 to identify any requirements that haven't been met. 
+   - If there's a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked. 
+   - The user will be prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until policy is satisfied:  
       - Multi-factor authentication​ 
       - Approved client app/app protection policy​ 
       - Managed device (compliant or hybrid Azure AD join)​ 
@@ -74,9 +76,9 @@ Location data is provided by IP geolocation data. Administrators can choose to d
 
 #### Client apps
 
-By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition is not configured.
+By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition isn't configured.
 
-The behavior of the client apps condition was updated in August 2020. If you have existing Conditional Access policies, they will remain unchanged. However, if you click on an existing policy, the configure toggle has been removed and the client apps the policy applies to are selected.
+The behavior of the client apps condition was updated in August 2020. If you have existing Conditional Access policies, they'll remain unchanged. However, if you select on an existing policy, the configure toggle has been removed and the client apps the policy applies to are selected.
 
 #### Device state
 

articles/active-directory/develop/msal-net-migration-public-client.md

@@ -221,7 +221,7 @@ result = await context.AcquireTokenAsync(resource, clientId,
       // AcquireTokenByIntegratedWindowsAuth form that takes in the username
 
       // Error Code: integrated_windows_auth_not_supported_managed_user
-      // Explanation: This method relies on an a protocol exposed by Active Directory (AD). If a user was created in Azure
+      // Explanation: This method relies on a protocol exposed by Active Directory (AD). If a user was created in Azure
       // Active Directory without AD backing ("managed" user), this method will fail. Users created in AD and backed by
       // AAD ("federated" users) can benefit from this non-interactive method of authentication.
       // Mitigation: Use interactive authentication

articles/active-directory/develop/scenario-desktop-acquire-token-integrated-windows-authentication.md

@@ -124,7 +124,7 @@ static async Task GetATokenForGraph()
       // AcquireTokenByIntegratedWindowsAuth form that takes in the username
 
       // Error Code: integrated_windows_auth_not_supported_managed_user
-      // Explanation: This method relies on an a protocol exposed by Active Directory (AD). If a user was created in Azure
+      // Explanation: This method relies on a protocol exposed by Active Directory (AD). If a user was created in Azure
       // Active Directory without AD backing ("managed" user), this method will fail. Users created in AD and backed by
       // AAD ("federated" users) can benefit from this non-interactive method of authentication.
       // Mitigation: Use interactive authentication

articles/active-directory/devices/azuread-join-sso.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: conceptual
-ms.date: 06/28/2019
+ms.date: 10/26/2021
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -31,7 +31,7 @@ With an Azure AD joined device, your users already have an SSO experience to the
 
 Azure AD joined devices have no knowledge about your on-premises AD environment because they aren't joined to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD Connect.
 
-If you have a hybrid environment, with both Azure AD and on-premises AD, it is likely that you already have Azure AD Connect deployed to synchronize your on-premises identity information to the cloud. As part of the synchronization process, Azure AD Connect synchronizes on-premises user and domain information to Azure AD. When a user signs in to an Azure AD joined device in a hybrid environment:
+If you have a hybrid environment, with both Azure AD and on-premises AD, it is likely that you already have Azure AD Connect or Azure AD Connect cloud sync deployed to synchronize your on-premises identity information to the cloud. As part of the synchronization process, on-premises user and domain information is synchronized to Azure AD. When a user signs in to an Azure AD joined device in a hybrid environment:
 
 1. Azure AD sends the details of the user's on-premises domain back to the device, along with the [Primary Refresh Token](concept-primary-refresh-token.md)
 1. The local security authority (LSA) service enables Kerberos and NTLM authentication on the device.

articles/active-directory/external-identities/one-time-passcode.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 10/21/2021
+ms.date: 10/26/2021
 
 ms.author: mimart
 author: msmimart
@@ -154,7 +154,11 @@ For more information about current limitations, see [Azure US Government clouds]
 
 **Why do I still see “Automatically enable email one-time passcode for guests starting October 2021” selected in my email one-time passcode settings?**
 
-Due to our deployment schedules, we will start rolling out the change to enable email one-time passcode by default globally on November 1, 2021. Until then, you might still see “Automatically enable email one-time passcode for guests starting October 2021” selected in my email one-time passcode settings.
+Due to our deployment schedules, we will start rolling out the change to enable email one-time passcode by default globally on November 1, 2021. Until then, you might still see “Automatically enable email one-time passcode for guests starting October 2021” selected in your email one-time passcode settings.
+
+**What happens to my existing guest users if I enable email one-time passcode?**
+
+Your existing guest users will not be affected if you enable email one-time passcode, as your existing users are already past the point of redemption. Enabling email one-time passcode will only affect future redemption activities where new guest users are redeeming into the tenant.
 
 **What is the user experience for guests during global rollout?**
 
@@ -172,20 +176,20 @@ Before the change is rolled out to your region, guests will see the following be
 
   - If a guest has an existing unmanaged Azure AD account, they'll continue signing in with their unmanaged Azure AD account.
   - If a guest previously redeemed an invitation to your tenant using an unmanaged Azure AD account, and you reset their redemption status and reinvite them, they'll continue signing in with their unmanaged Azure AD account.
-  - If a guest doesn't have an existing unmanaged Azure AD account, they'll redeem using an email one-time passcode link, but they may get a sign-in error if they're not added to the Azure portal in advance.
+  - If a guest doesn't have an existing unmanaged Azure AD account, they'll redeem using an unmanaged Azure AD account, but they may get a sign-in error if they're not added to the Azure portal in advance if redeeming on a direct application link.
 
 After the change is rolled out to your region, guests will see the following behavior.
 
 - With email one-time passcode enabled:
 
-  - If a guest has an existing unmanaged Azure AD account, they'll use email one-time passcode to redeem and sign in going forward.
+  - If a guest has an existing unmanaged Azure AD account, they'll continue signing in with their unmanaged Azure AD account.
   - If a guest previously redeemed an invitation to your tenant using an unmanaged Azure AD account, and you reset their redemption status and reinvite them, they'll use email one-time passcode to redeem and sign in going forward.
   - If a guest doesn't have an unmanaged Azure AD account, they'll use email one-time passcode to redeem and sign in going forward.
 
 - With email one-time passcode disabled:
 
-  - If a guest has an existing unmanaged Azure AD account, they'll use a Microsoft account to redeem. They'll end up with two accounts (the unmanaged Azure AD account and the Microsoft account). To prevent this from happening, we strongly encourage you to enable email one-time passcode.
-  - If a guest previously redeemed an invitation to your tenant using an unmanaged Azure AD account, and you reset their redemption status and reinvite them, they'll use a Microsoft account to redeem. They'll end up with two accounts (the unmanaged Azure AD account and the Microsoft account). To prevent this from happening, we strongly encourage you to enable email one-time passcode.
+  - If a guest has an existing unmanaged Azure AD account, they'll continue signing in with their unmanaged Azure AD account.
+  - If a guest previously redeemed an invitation to your tenant using an unmanaged Azure AD account, and you reset their redemption status and reinvite them, they'll use a Microsoft account to redeem and sign in going forward.
   - If a guest doesn't have an unmanaged Azure AD account, they'll use a Microsoft account to redeem and sign in going forward.
 
 For more information about the different redemption pathways, see [B2B collaboration invitation redemption](redemption-experience.md).

articles/active-directory/governance/TOC.yml

@@ -92,7 +92,7 @@
         href: entitlement-management-access-package-lifecycle-policy.md
       - name: Configure separation of duties
         href: entitlement-management-access-package-incompatible.md
-      - name: View requests
+      - name: View and remove requests
         href: entitlement-management-access-package-requests.md
       - name: Reprocess requests
         href: entitlement-management-reprocess-access-package-requests.md