Merge pull request #212320 from MicrosoftDocs/main

Publish to live, Friday 3PM PST 9/23

Author: huypub

.github/workflows/stale.yml

@@ -23,11 +23,11 @@ jobs:
         # start-date: '2021-03-19'
         stale-pr-message: >
           This pull request has been inactive for at least 14 days.
-          If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation?branch=main) for instructions.
+          If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.learn.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation?branch=main) for instructions.
                     
-          [Get Help](https://review.docs.microsoft.com/help/contribute/help-options?branch=main)  
+          [Get Help](https://review.learn.microsoft.com/help/contribute/help-options?branch=main)  
           
           [Docs Support Teams Channel](https://teams.microsoft.com/l/channel/19%3a7ecffca1166a4a3986fed528cf0870ee%40thread.skype/General?groupId=de9ddba4-2574-4830-87ed-41668c07a1ca&tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47)  
           
-          [Resolve Merge Conflict](https://review.docs.microsoft.com/help/contribute/resolve-merge-conflicts?branch=main)  
+          [Resolve Merge Conflict](https://review.learn.microsoft.com/help/contribute/resolve-merge-conflicts?branch=main)  
         

.openpublishing.redirection.active-directory.json

@@ -4178,12 +4178,12 @@
     },
     {
       "source_path_from_root": "/articles/active-directory/active-directory-troubleshooting-support-howto.md",
-      "redirect_url": "/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto",
+      "redirect_url": "/azure/active-directory/fundamentals/how-to-get-support",
       "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/active-directory/b2b/get-support.md",
-      "redirect_url": "/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto",
+      "redirect_url": "/azure/active-directory/fundamentals/how-to-get-support",
       "redirect_document_id": false
     },
     {
@@ -10885,7 +10885,16 @@
       "source_path_from_root": "/articles/active-directory/cloud-infrastructure-entitlement-management/product-integrations.md",
       "redirect_url": "/azure/active-directory/cloud-infrastructure-entitlement-management",
       "redirect_document_id": false
+    },
+{
+      "source_path_from_root": "/articles/active-directory/fundamentals/active-directory-troubleshooting-support-howto.md",
+      "redirect_url": "/azure/active-directory/fundamentals/how-to-get-support",
+      "redirect_document_id": false
+    },
+{
+      "source_path_from_root": "/articles/active-directory/fundamentals/support-help-options.md",
+      "redirect_url": "/azure/active-directory/fundamentals/how-to-get-support",
+      "redirect_document_id": false
     }
-
   ]
 }

.openpublishing.redirection.json

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 06/20/2022
+ms.date: 09/21/2022
 ms.author: justinha
 
 ---
@@ -108,14 +108,21 @@ The following sections cover network security groups and Inbound and Outbound po
 
 ### Inbound connectivity
 
-The following network security group Inbound rules are required for the managed domain to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet your managed domain is deployed into.
+The following network security group Inbound rules are required for the managed domain to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet for your managed domain.
 
 | Inbound port number | Protocol | Source                             | Destination | Action | Required | Purpose |
 |:-----------:|:--------:|:----------------------------------:|:-----------:|:------:|:--------:|:--------|
 | 5986        | TCP      | AzureActiveDirectoryDomainServices | Any         | Allow  | Yes      | Management of your domain. |
 | 3389        | TCP      | CorpNetSaw                         | Any         | Allow  | Optional      | Debugging for support. |
 
-An Azure standard load balancer is created that requires these rules to be place. This network security group secures Azure AD DS and is required for the managed domain to work correctly. Don't delete this network security group. The load balancer won't work correctly without it.
+Azure AD DS also relies on the Default Security rules AllowVnetInBound and AllowAzureLoadBalancerInBound.
+
+:::image type="content" border="true" source="./media/network-considerations/nsg.png" alt-text="Screenshot of network security group rules.":::
+
+The AllowVnetInBound rule allows all traffic within the VNet which allows the DCs to properly communicate and replicate as well as allow domain join and other domain services to domain members. For more information about required ports for Windows, see [Service overview and network port requirements for Windows](/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements).
+
+
+The AllowAzureLoadBalancerInBound rule is also required so that the service can properly communicate over the loadbalancer to manage the DCs. This network security group secures Azure AD DS and is required for the managed domain to work correctly. Don't delete this network security group. The load balancer won't work correctly without it. 
 
 If needed, you can [create the required network security group and rules using Azure PowerShell](powershell-create-instance.md#create-a-network-security-group).
 

articles/active-directory-domain-services/media/network-considerations/nsg.png

@@ -216,7 +216,7 @@ Extending this scenario:
 
 ### Mapping employment status to account status
 
-By default, the Azure AD SuccessFactors connector uses the `activeEmploymentsCount` field of the `PersonEmpTerminationInfo` object to set account status. There is a known SAP SuccessFactors issue documented in [knowledge base article 3047486](https://userapps.support.sap.com/sap/support/knowledge/en/3047486) that at times this may disable the account of a terminated worker one day prior to the termination on the last day of work. 
+By default, the Azure AD SuccessFactors connector uses the `activeEmploymentsCount` field of the `PersonEmpTerminationInfo` object to set account status. There is a known SAP SuccessFactors issue documented in [knowledge base article 3047486](https://launchpad.support.sap.com/#/notes/3047486) that at times this may disable the account of a terminated worker one day prior to the termination on the last day of work. 
 
 If you are running into this issue or prefer mapping employment status to  account status, you can update the mapping to expand the `emplStatus` field and use the employment status code present in the field `emplStatus.externalCode`. Based on [SAP support note 2505526](https://launchpad.support.sap.com/#/notes/2505526), here is a list of employment status codes that you can retrieve in the provisioning app. 
 * A = Active 

articles/active-directory-domain-services/network-considerations.md

@@ -230,10 +230,11 @@ Use the **Activity triggers** dashboard to view information and set alerts and t
 -   **Group entitlements and Usage reports:** Provides guidance on cleaning up directly assigned permissions
 -   **Access Key Entitlements and Usage reports**: Identifies high risk service principals with old secrets that haven’t been rotated every 90 days (best practice) or decommissioned due to lack of use (as recommended by the Cloud Security Alliance).
 
-## Next Steps
-For more information about Permissions Management, see:                     
-                     
-**Microsoft Docs**: [Visit Docs](../cloud-infrastructure-entitlement-management/index.yml).
+## Next steps
+
+For more information about Permissions Management, see:
+
+**Microsoft Learn**: [Permissions management](../cloud-infrastructure-entitlement-management/index.yml).
 
 **Datasheet:** <https://aka.ms/PermissionsManagementDataSheet>
 

articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md

@@ -195,7 +195,7 @@ The following are known limitations:
 
 ### Scoping filter
 When using OU scoping filter
-- You can only sync up to 59 separate OUs for a given configuration. 
+- You can only sync up to 59 separate OUs or Security Groups for a given configuration. 
 - Nested OUs are supported (that is, you **can** sync an OU that has 130 nested OUs, but you **cannot** sync 60 separate OUs in the same configuration). 
 
 ### Password Hash Sync

articles/active-directory/cloud-infrastructure-entitlement-management/permissions-management-trial-playbook.md

@@ -139,13 +139,15 @@ The following client apps are confirmed to support this setting:
 - Microsoft Cortana
 - Microsoft Edge
 - Microsoft Excel
+- Microsoft Launcher
 - Microsoft Lists
 - Microsoft Office
 - Microsoft OneDrive
 - Microsoft OneNote
 - Microsoft Outlook
 - Microsoft Planner
 - Microsoft Power BI
+- Microsoft PowerApps
 - Microsoft PowerPoint
 - Microsoft SharePoint
 - Microsoft Teams
@@ -156,6 +158,7 @@ The following client apps are confirmed to support this setting:
 - MultiLine for Intune
 - Nine Mail - Email and Calendar
 - Notate for Intune
+- Yammer (iOS and iPadOS)
 
 This list is not all encompassing, if your app is not in this list please check with the application vendor to confirm support.