MicrosoftDocs
diff --git a/‎articles/active-directory/app-provisioning/how-provisioning-works.md
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory/app-provisioning/how-provisioning-works.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd.md
Lines changed: 5 additions & 3 deletions b/‎articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd.md
Lines changed: 5 additions & 3 deletions
diff --git a/‎articles/active-directory/enterprise-users/licensing-service-plan-reference.md
Lines changed: 4 additions & 2 deletions b/‎articles/active-directory/enterprise-users/licensing-service-plan-reference.md
Lines changed: 4 additions & 2 deletions
diff --git a/‎articles/active-directory/fundamentals/service-accounts-govern-on-premises.md
Lines changed: 17 additions & 12 deletions b/‎articles/active-directory/fundamentals/service-accounts-govern-on-premises.md
Lines changed: 17 additions & 12 deletions
diff --git a/‎articles/active-directory/fundamentals/service-accounts-managed-identities.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/fundamentals/service-accounts-managed-identities.md
Lines changed: 1 addition & 1 deletion
@@ -8,14 +8,14 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 10/20/2022
+ms.date: 02/10/2023
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
 
 # How Application Provisioning works in Azure Active Directory
 
-Automatic provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Before you start a deployment, you can review this article to learn how Azure AD provision works and get configuration recommendations. 
+Automatic provisioning refers to creating user identities and roles in the cloud applications that users need to access. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Before you start a deployment, you can review this article to learn how Azure AD provisioning works and get configuration recommendations. 
 
 The **Azure AD Provisioning Service** provisions users to SaaS apps and other systems by connecting to a System for Cross-Domain Identity Management (SCIM) 2.0 user management API endpoint provided by the application vendor. This SCIM endpoint allows Azure AD to programmatically create, update, and remove users. For selected applications, the provisioning service can also create, update, and remove additional identity-related objects, such as groups and roles. The channel used for provisioning between Azure AD and the application is encrypted using HTTPS TLS 1.2 encryption.
 
@@ -136,7 +136,7 @@ After the initial cycle, all other cycles will:
 The provisioning service continues running back-to-back incremental cycles indefinitely, at intervals defined in the [tutorial specific to each application](../saas-apps/tutorial-list.md). Incremental cycles continue until one of the following events occurs:
 
 - The service is manually stopped using the Azure portal, or using the appropriate Microsoft Graph API command.
-- A new initial cycle is triggered using the **Restart provisioning** option in the Azure portal, or using the appropriate Microsoft Graph API command. This action clears any stored watermark and causes all source objects to be evaluated again. This will not break the links between source and target objects. To break the links use [Restart synchronizationJob](https://learn.microsoft.com/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http) with the following request: 
+- A new initial cycle is triggered using the **Restart provisioning** option in the Azure portal, or using the appropriate Microsoft Graph API command. This action clears any stored watermark and causes all source objects to be evaluated again. This will not break the links between source and target objects. To break the links use [Restart synchronizationJob](/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http&preserve-view=true) with the following request: 
 
 <!-- {
   "blockType": "request",
 
@@ -8,15 +8,17 @@ ms.service: active-directory
 ms.subservice: app-proxy
 ms.workload: identity
 ms.topic: how-to
-ms.date: 11/17/2022
+ms.date: 02/10/2023
 ms.author: kenwith
 ms.reviewer: ashishj
 ms.custom: contperf-fy21q2
 ---
 
 # Kerberos Constrained Delegation for single sign-on (SSO) to your apps with Application Proxy
 
-You can provide single sign-on for on-premises applications published through Application Proxy that are secured with integrated Windows authentication. These applications require a Kerberos ticket for access. Application Proxy uses Kerberos Constrained Delegation (KCD) to support these applications. 
+You can provide single sign-on for on-premises applications published through Application Proxy that are secured with integrated Windows authentication. These applications require a Kerberos ticket for access. Application Proxy uses Kerberos Constrained Delegation (KCD) to support these applications.
+
+To learn more about Single Sign-On (SSO), see [What is Single Sign-On?](../manage-apps/what-is-single-sign-on.md).
 
 You can enable single sign-on to your applications using integrated Windows authentication (IWA) by giving Application Proxy connectors permission in Active Directory to impersonate users. The connectors use this permission to send and receive tokens on their behalf.
 
@@ -147,4 +149,4 @@ But, in some cases, the request is successfully sent to the backend application
 ## Next steps
 
 * [How to configure an Application Proxy application to use Kerberos Constrained Delegation](application-proxy-back-end-kerberos-constrained-delegation-how-to.md)
-* [Troubleshoot issues you're having with Application Proxy](application-proxy-troubleshoot.md)
+* [Troubleshoot issues you're having with Application Proxy](application-proxy-troubleshoot.md)
@@ -13,7 +13,7 @@ ms.service: active-directory
 ms.subservice: enterprise-users
 ms.topic: reference
 ms.workload: identity
-ms.date: 02/03/2023
+ms.date: 02/10/2023
 ms.author: nicholak
 ms.reviewer: Nicholak-MS
 ms.custom: "it-pro;seo-update-azuread-jan"
@@ -32,7 +32,7 @@ When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
 - **Service plans included (friendly names)**: A list of service plans (friendly names) in the product that correspond to the string ID and GUID
 
 >[!NOTE]
->This information last updated on February 3rd, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).
+>This information last updated on February 10th, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).
 ><br/>
 
 | Product name | String ID | GUID | Service plans included | Service plans included (friendly names) |
@@ -46,6 +46,7 @@ When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
 | Azure Active Directory Premium P1 for faculty | AAD_PREMIUM_FACULTY | 30fc3c36-5a95-4956-ba57-c09c2a600bb9 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps Discovery (932ad362-64a8-4783-9106-97849a1a30b9) |
 | Azure Active Directory Premium P2	| AAD_PREMIUM_P2	| 84a661c4-e949-4bd2-a560-ed7766fcaf2b	| AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0) | AZURE ACTIVE DIRECTORY PREMIUM P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>AZURE ACTIVE DIRECTORY PREMIUM P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>CLOUD APP SECURITY DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>EXCHANGE FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>MICROSOFT AZURE MULTI-FACTOR AUTHENTICATION (8a256a2b-b617-496d-b51b-e76466e88db0) |
 | Azure Information Protection Plan 1	| RIGHTSMANAGEMENT	| c52ea49f-fe5d-4e95-93ba-1de91d380f89	| RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3) | AZURE INFORMATION PROTECTION PREMIUM P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90) |
+| Azure Information Protection Premium P1 for Government | RIGHTSMANAGEMENT_CE_GOV | 78362de1-6942-4bb8-83a1-a32aa67e6e2c | EXCHANGE_S_FOUNDATION_GOV (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>RMS_S_PREMIUM_GOV (1b66aedf-8ca1-4f73-af76-ec76c6180f98)<br/>RMS_S_ENTERPRISE_GOV (6a76346d-5d6e-4051-9fe3-ed3f312b5597) | Exchange Foundation for Government (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>Azure Information Protection Premium P1 for GCC (1b66aedf-8ca1-4f73-af76-ec76c6180f98)<br/>Azure Rights Management (6a76346d-5d6e-4051-9fe3-ed3f312b5597) |
 | Business Apps (free) |	SMB_APPS | 90d8b3f8-712e-4f7b-aa1e-62e7ae6cbe96 | DYN365BC_MS_INVOICING (39b5c996-467e-4e60-bd62-46066f572726)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2) | Microsoft Invoicing (39b5c996-467e-4e60-bd62-46066f572726)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2) |
 | Common Data Service Database Capacity |	CDS_DB_CAPACITY |	e612d426-6bc3-4181-9658-91aa906b0ac0 |	CDS_DB_CAPACITY (360bcc37-0c11-4264-8eed-9fa7a3297c9b)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) |	Common Data Service for Apps Database Capacity (360bcc37-0c11-4264-8eed-9fa7a3297c9b)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |
 | Common Data Service Database Capacity for Government | CDS_DB_CAPACITY_GOV |	eddf428b-da0e-4115-accf-b29eb0b83965 | CDS_DB_CAPACITY_GOV (1ddffef6-4f69-455e-89c7-d5d72105f915)<br/>EXCHANGE_S_FOUNDATION_GOV (922ba911-5694-4e99-a794-73aed9bfeec8) | Common Data Service for Apps Database Capacity for Government (1ddffef6-4f69-455e-89c7-d5d72105f915)<br/>Exchange Foundation for Government (922ba911-5694-4e99-a794-73aed9bfeec8)|
@@ -116,6 +117,7 @@ When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
 | Exchange Online (Plan 1) for Students | EXCHANGESTANDARD_STUDENT | ad2fe44a-915d-4e2b-ade1-6766d50a9d9c | EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>RMS_S_BASIC (31cf2cfc-6b0d-4adc-a336-88b724ed8122) |	Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>To-Do (Plan 1) (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>Microsoft Azure Rights Management Service (31cf2cfc-6b0d-4adc-a336-88b724ed8122) |
 | Exchange Online (Plan 1) for Alumni with Yammer | EXCHANGESTANDARD_ALUMNI | aa0f9eb7-eff2-4943-8424-226fb137fcad |	EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a) | Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a) |
 | Exchange Online (PLAN 2)	| EXCHANGEENTERPRISE	| 19ec0d23-8335-4cbd-94ac-6050e30712fa	| EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0) | EXCHANGE ONLINE (PLAN 2) (efb87545-963c-4e0d-99df-69c6916d9eb0) |
+| Exchange Online (Plan 2) for GCC | EXCHANGEENTERPRISE_GOV | 7be8dc28-4da4-4e6d-b9b9-c60f2806df8a | EXCHANGE_S_ENTERPRISE_GOV (8c3069c0-ccdb-44be-ab77-986203a67df2)<br/> INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117) | Exchange Online (Plan 2) for Government (8c3069c0-ccdb-44be-ab77-986203a67df2)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117) |
 | Exchange Online Archiving for Exchange Online	| EXCHANGEARCHIVE_ADDON	| ee02fd1b-340e-4a4b-b355-4a514e4c8943	| EXCHANGE_S_ARCHIVE_ADDON (176a09a6-7ec5-4039-ac02-b2791c6ba793) | EXCHANGE ONLINE ARCHIVING FOR EXCHANGE ONLINE (176a09a6-7ec5-4039-ac02-b2791c6ba793) |
 | Exchange Online Archiving for Exchange Server	| EXCHANGEARCHIVE	| 90b5e015-709a-4b8b-b08e-3200f994494c	| EXCHANGE_S_ARCHIVE (da040e0a-b393-4bea-bb76-928b3fa1cf5a) | EXCHANGE ONLINE ARCHIVING FOR EXCHANGE SERVER (da040e0a-b393-4bea-bb76-928b3fa1cf5a) |
 | Exchange Online Essentials (ExO P1 Based)	| EXCHANGEESSENTIALS	| 7fc0182e-d107-4556-8329-7caaa511197b	| EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c) | EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)|
 
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 02/07/2023
+ms.date: 02/10/2023
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
@@ -45,17 +45,17 @@ When you create service accounts, consider the information in the following tabl
 | Ownership| Ensure there's an account owner who requests and assumes responsibility |
 | Scope| Define the scope, and anticipate usage duration|
 | Purpose| Create service accounts for one purpose |
-| Permissions | Apply the principle of least permission:<li>Don't assign permissions to built-in groups, such as administrators<li>Remove local machine permissions, where feasible<li>Tailor access, and use AD delegation for directory access<li>Use granular access permissions<li>Set account expiration and location restrictions on user-based service accounts |
-| Monitor and audit use| <li>Monitor sign-in data, and ensure it matches the intended usage <li>Set alerts for anomalous usage |
+| Permissions | Apply the principle of least permission:</br> - Don't assign permissions to built-in groups, such as administrators</br> - Remove local machine permissions, where feasible</br> - Tailor access, and use AD delegation for directory access</br> - Use granular access permissions</br> - Set account expiration and location restrictions on user-based service accounts |
+| Monitor and audit use| - Monitor sign-in data, and ensure it matches the intended usage</br> - Set alerts for anomalous usage |
 
 ### User account restrictions
 
 For user accounts used as service accounts, apply the following settings:
 
-* Account expiration - set the service account to automatically expire, after its review period, unless the account can continue
-* LogonWorkstations - restrict service account sign-in permissions
+* **Account expiration** - set the service account to automatically expire, after its review period, unless the account can continue
+* **LogonWorkstations** - restrict service account sign-in permissions
   * If it runs locally and accesses resources on the machine, restrict it from signing in elsewhere
-* Can't change password - set the parameter to **true** to prevent the service account from changing its own password
+* **Can't change password** - set the parameter to **true** to prevent the service account from changing its own password
 
 ## Lifecycle management process
 
@@ -135,10 +135,14 @@ Consider the following restrictions, although some might not be relevant to your
 * For user accounts used as service accounts, define a realistic end date 
   * Use the **Account Expires** flag to set the date
   * Learn more: [Set-ADAccountExpiration](/powershell/module/activedirectory/set-adaccountexpiration)
-* Sign in to the [LogonWorkstation](/powershell/module/activedirectory/set-aduser)
-* [Password policy](../../active-directory-domain-services/password-policy.md) requirements
-* Create accounts in an [organizational unit location](/windows-server/identity/ad-ds/plan/delegating-administration-of-account-ous-and-resource-ous) that ensures only some users will manage it
-* Set up and collect auditing that detects [service account changes](/windows/security/threat-protection/auditing/audit-directory-service-changes), and [service account usage](https://www.manageengine.com/products/active-directory-audit/how-to/audit-kerberos-authentication-events.html)
+* See, [Set-ADUser (Active Directory)](/powershell/module/activedirectory/set-aduser)
+* Password policy requirements
+  * See, [Password and account lockout policies on Azure AD Domain Services managed domains](../../active-directory-domain-services/password-policy.md)
+* Create accounts in an organizational unit location that ensures only some users will manage it
+  *  See, [Delegating Administration of Account OUs and Resource OUs](/windows-server/identity/ad-ds/plan/delegating-administration-of-account-ous-and-resource-ous)  
+* Set up and collect auditing that detects service account changes:
+  * See, [Audit Directory Service Changes](/windows/security/threat-protection/auditing/audit-directory-service-changes), and
+  * Go to manageengine.com for [How to audit Kerberos authentication events in AD](https://www.manageengine.com/products/active-directory-audit/how-to/audit-kerberos-authentication-events.html)
 * Grant account access more securely before it goes into production
 
 ### Service account reviews
@@ -167,8 +171,9 @@ To deprovision:
 5. Create a business policy that determines the amount of time that accounts are disabled.
 6. Delete the service account.
 
-  * MSAs - see, [Uninstall the account](/powershell/module/activedirectory/uninstall-adserviceaccount?view=winserver2012-ps&preserve-view=true). Use PowerShell, or delete it manually from the managed service account container.
-  * Computer or user accounts - manually delete the account from Active Directory
+  * **MSAs** - see, [Uninstall-ADServiceAccount](/powershell/module/activedirectory/uninstall-adserviceaccount?view=winserver2012-ps&preserve-view=true)
+    * Use PowerShell, or delete it manually from the managed service account container
+  * **Computer or user accounts** - manually delete the account from Active Directory
 
 ## Next steps
 
 
@@ -47,7 +47,7 @@ Azure control plane operations are managed by Azure Resource Manager and use Azu
 
 Learn more:
 * [What is Azure Resource Manager?](../../azure-resource-manager/management/overview.md)
-* [What is Azure RBAC?](../../role-based-access-control/overview.md)
+* [What is Azure role-based Azure RBAC?](../../role-based-access-control/overview.md)
 * [Azure control plane and data plane](../../azure-resource-manager/management/control-plane-and-data-plane.md)
 * [Azure services that can use managed identities to access other services](../managed-identities-azure-resources/managed-identities-status.md)