MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md
Lines changed: 4 additions & 1 deletion b/‎articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md
Lines changed: 4 additions & 1 deletion
diff --git a/‎articles/active-directory/authentication/howto-mfa-userstates.md
Lines changed: 7 additions & 4 deletions b/‎articles/active-directory/authentication/howto-mfa-userstates.md
Lines changed: 7 additions & 4 deletions
diff --git a/‎articles/active-directory/cloud-provisioning/TOC.yml
Lines changed: 79 additions & 0 deletions b/‎articles/active-directory/cloud-provisioning/TOC.yml
Lines changed: 79 additions & 0 deletions
diff --git a/‎articles/active-directory/cloud-provisioning/bread/toc.yml
Lines changed: 24 additions & 0 deletions b/‎articles/active-directory/cloud-provisioning/bread/toc.yml
Lines changed: 24 additions & 0 deletions
@@ -33,14 +33,17 @@ This topic:
 
 To configure certificate-based authentication, the following statements must be true:
 
-- Certificate-based authentication (CBA) is only supported for Federated environments for browser applications or native clients using modern authentication (ADAL). The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for  federated and managed accounts.
+- Certificate-based authentication (CBA) is only supported for Federated environments for browser applications, native clients using modern authentication (ADAL), or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for  federated and managed accounts.
 - The root certificate authority and any intermediate certificate authorities must be configured in Azure Active Directory.
 - Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an internet-facing URL.
 - You must have at least one certificate authority configured in Azure Active Directory. You can find related steps in the [Configure the certificate authorities](#step-2-configure-the-certificate-authorities) section.
 - For Exchange ActiveSync clients, the client certificate must have the user’s routable email address in Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.
 - Your client device must have access to at least one certificate authority that issues client certificates.
 - A client certificate for client authentication must have been issued to your client.
 
+>[!IMPORTANT]
+>The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds.  If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates. 
+
 ## Step 1: Select your device platform
 
 As a first step, for the device platform you care about, you need to review the following:
 
@@ -38,11 +38,14 @@ Enabled by Azure AD Identity Protection - This method uses the Azure AD Identity
 
 User accounts in Azure Multi-Factor Authentication have the following three distinct states:
 
+> [!IMPORTANT]
+> Enabling Azure MFA through a Conditional Access policy will not change the state of the user. Do not be alarmed users appear disabled. Conditional Access does not change the state. **Organizations should not enable or enforce users if they are utilizing Conditional Access policies.**
+
 | Status | Description | Non-browser apps affected | Browser apps affected | Modern authentication affected |
-|:---:|:---:|:---:|:--:|:--:|
-| Disabled |The default state for a new user not enrolled in Azure MFA. |No |No |No |
-| Enabled |The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in. |No.  They continue to work until the registration process is completed. | Yes. After the session expires, Azure MFA registration is required.| Yes. After the access token expires, Azure MFA registration is required. |
-| Enforced |The user has been enrolled and has completed the registration process for Azure MFA. |Yes. Apps require app passwords. |Yes. Azure MFA is required at login. | Yes. Azure MFA is required at login. |
+|:---:| --- |:---:|:--:|:--:|
+| Disabled | The default state for a new user not enrolled in Azure MFA. | No | No | No |
+| Enabled | The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in. | No.  They continue to work until the registration process is completed. | Yes. After the session expires, Azure MFA registration is required.| Yes. After the access token expires, Azure MFA registration is required. |
+| Enforced | The user has been enrolled and has completed the registration process for Azure MFA. | Yes. Apps require app passwords. | Yes. Azure MFA is required at login. | Yes. Azure MFA is required at login. |
 
 A user's state reflects whether an admin has enrolled them in Azure MFA, and whether they completed the registration process.
 
 
@@ -0,0 +1,79 @@
+- name: Cloud provisioning
+  href: index.yml
+- name: Overview
+  items:
+  - name: What is identity provisioning?
+    href: what-is-provisioning.md
+  - name: What is Azure AD Connect cloud provisioning?
+    href: what-is-cloud-provisioning.md
+    maintainContext: true
+- name: Tutorials
+  expanded: true
+  items:
+  - name: Integrate a single AD forest  with a single Azure AD tenant
+    href: tutorial-single-forest.md
+  - name: Integrate an existing forest and a new forest with a single Azure AD tenant
+    href: tutorial-existing-forest.md
+  - name: Pilot cloud provisioning for an existing synced AD forest 
+    href: tutorial-pilot-aadc-aadccp.md
+
+
+
+
+
+- name: Concepts
+  items:
+  - name: What is password hash sync?
+    href: /azure/active-directory/hybrid/whatis-phs?context=azure/active-directory/cloud-provisioning/context/cloud-provisioning-context
+  - name: Understanding the Azure AD schema, attributes, and expressions
+    href: concept-attributes.md
+  - name: Writing Expressions for Attribute Mappings in Azure Active Directory
+    href: reference-expressions.md
+    
+  
+
+- name: How-to guides
+  items:
+  - name: Installation and upgrade
+    items:
+    - name: Installation Prerequisites
+      href: how-to-prerequisites.md
+    - name: Install the Azure AD Connect cloud provisioning agent
+      href: how-to-install.md
+    - name: Cloud provisioning configuration
+      href: how-to-configure.md
+  - name: Plan and design
+    items:
+    - name: Topologies and scenarios for Azure AD Connect cloud provisioning
+      href: plan-cloud-provisioning-topologies.md
+    
+     
+  - name: Manage 
+    items:
+    - name: Agent automatic upgrade
+      href: how-to-automatic-upgrade.md
+  - name: Develop
+    items:
+    - name: Transformations
+      href: how-to-transformation.md
+    - name: Azure AD synchronization API 
+      href: https://docs.microsoft.com/graph/api/resources/synchronization-overview
+  
+  - name: Troubleshoot
+    items:
+    - name: Troubleshoot cloud provisioning
+      href: how-to-troubleshoot.md
+    - name: Duplicate attributes
+      href: https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync
+    
+- name: Reference
+  items:
+  - name: Azure AD Connect cloud provisioning agent version history
+    href: /azure/active-directory/manage-apps/provisioning-agent-release-version-history?context=azure/active-directory/cloud-provisioning/context/cp-context
+  - name: Azure AD Connect cloud provisioning FAQ
+    href: reference-cloud-provisioning-faq.md
+  - name: Attributes that are synchronized
+    href: /azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized?context=azure/active-directory/cloud-provisioning/context/cp-context
+  - name: Basic Active Directory and Azure AD environment
+    href: tutorial-basic-ad-azure.md
+  
@@ -0,0 +1,24 @@
+- name: Azure
+  tocHref: /azure/
+  topicHref: /azure/index
+  items:
+  - name: Active Directory
+    tocHref: /azure/active-directory/manage-apps/
+    topicHref: /azure/active-directory/index
+    items:
+    - name: Cloud provisioning
+      tocHref: /azure/active-directory/manage-apps/
+      topicHref: /azure/active-directory/cloud-provisioning/index
+  
+- name: Azure
+  tocHref: /azure/
+  topicHref: /azure/index
+  items:  
+  - name: Active Directory
+    tocHref: /azure/active-directory/hybrid/
+    topicHref: /azure/active-directory/index
+    items:
+    - name: Cloud provisioning
+      tocHref: /azure/active-directory/hybrid/
+      topicHref: /azure/active-directory/cloud-provisioning/index
+