Commit 7da0afe

Merge branch 'cosmos-dileepraotv-rbac-cmk' of https://github.com/seesharprun/azure-docs-pr into cosmos-dileepraotv-rbac-cmk
2 parents 994ff94 + d8ef80d commit 7da0afe

39 files changed

+178
-124
lines changed

articles/active-directory-b2c/saml-identity-provider-technical-profile.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ manager: CelesteDG
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: reference
12-
ms.date: 01/11/2022
12+
ms.date: 01/05/2023
1313
ms.author: kengaderdus
1414
ms.subservice: B2C
1515
---
@@ -31,7 +31,7 @@ Each SAML identity provider has different steps to expose and set the service pr
3131
The following example shows a URL address to the SAML metadata of an Azure AD B2C technical profile:
3232

3333
```
34-
https://your-tenant-name.b2clogin.com/your-tenant-name/your-policy/samlp/metadata?idptp=your-technical-profile
34+
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/your-policy/samlp/metadata?idptp=your-technical-profile
3535
```
3636

3737
Replace the following values:
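Review bot: On new line 34 the placeholder `your-tenant-name` now appears twice, once as the `b2clogin.com` subdomain and once as the `your-tenant-name.onmicrosoft.com` path segment, so the "Replace the following values" list that follows should say that the same tenant name goes in both places and that the path segment takes the full `.onmicrosoft.com` domain. That list is outside this hunk; please confirm it was updated to match, otherwise readers may append the suffix twice or not at all.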

articles/active-directory/authentication/how-to-mfa-registration-campaign.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ ms.service: active-directory
77
ms.subservice: authentication
88
ms.custom: ignite-2022
99
ms.topic: conceptual
10-
ms.date: 06/23/2022
10+
ms.date: 01/05/2023
1111

1212
ms.author: justinha
1313
author: mjsantani
@@ -305,6 +305,9 @@ Yes. If they have been scoped for the nudge using the policy.
305305

306306
It's the same as snoozing.
307307

308+
**Why don’t some users see a nudge when there is a conditional access policy for "Register security information"?**
309+
310+
A nudge won't appear if a user is in scope for a conditional access policy that blocks access to the **Register security information** page.
308311

309312
## Next steps
310313
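Review bot: The FAQ entry added at lines 308 to 310 writes the feature name as lowercase "conditional access" and formats the page name two ways, quoted in the question and bold in the answer; capitalize it as Conditional Access and use one format for **Register security information**. The question also uses a typographic apostrophe in "don’t" while the answer uses a straight one in "won't". The answer states only the cause, so consider adding what an admin should check in the policy scope when the nudge is expected to appear.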

articles/active-directory/authentication/troubleshoot-sspr-writeback.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: troubleshooting
9-
ms.date: 02/22/2022
9+
ms.date: 01/05/2023
1010

1111
ms.author: justinha
1212
author: justinha
@@ -157,7 +157,7 @@ The following more specific issues may occur with password writeback. If you hav
157157
| Federated, pass-through authentication, or password-hash-synchronized users who attempt to reset their passwords, see an error after they submit their password. The error indicates that there was a service problem. <br> <br> In addition to this problem, during password reset operations, you might see an error in your event logs from the Azure AD Connect service indicating an "Object could not be found" error. | This error usually indicates that the sync engine is unable to find either the user object in the Azure AD connector space or the linked metaverse (MV) or Azure AD connector space object. <br> <br> To troubleshoot this problem, make sure that the user is indeed synchronized from on-premises to Azure AD via the current instance of Azure AD Connect and inspect the state of the objects in the connector spaces and MV. Confirm that the Active Directory Certificate Services (AD CS) object is connected to the MV object via the "Microsoft.InfromADUserAccountEnabled.xxx" rule.|
158158
| Federated, pass-through authentication, or password-hash-synchronized users who attempt to reset their passwords see an error after they submit their password. The error indicates that there was a service problem. <br> <br> In addition to this problem, during password reset operations, you might see an error in your event logs from the Azure AD Connect service that indicates that there's a "Multiple matches found" error. | This indicates that the sync engine detected that the MV object is connected to more than one AD CS object via "Microsoft.InfromADUserAccountEnabled.xxx". This means that the user has an enabled account in more than one forest. This scenario isn't supported for password writeback. |
159159
| Password operations fail with a configuration error. The application event log contains Azure AD Connect error 6329 with the text "0x8023061f (The operation failed because password synchronization is not enabled on this Management Agent)". | This error occurs if the Azure AD Connect configuration is changed to add a new Active Directory forest (or to remove and readd an existing forest) after the password writeback feature has already been enabled. Password operations for users in these recently added forests fail. To fix the problem, disable and then re-enable the password writeback feature after the forest configuration changes have been completed.
160-
| SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration. Please contact your admin and ask them to investigate. | Problem: Password writeback has been enabled following all of the required steps, but when attempting to change a password you receive "SSPR_0029: Your organization hasn’t properly set up the on-premises configuration for password reset." Checking the event logs on the Azure AD Connect system shows that the management agent credential was denied access.Possible Solution: Use RSOP on the Azure AD Connect system and your domain controllers to see if the policy "Network access: Restrict clients allowed to make remote calls to SAM" found under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options is enabled. Edit the policy to include the MSOL_XXXXXXX management account as an allowed user. |
160+
| SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration. Please contact your admin and ask them to investigate. | Problem: Password writeback has been enabled following all of the required steps, but when attempting to change a password you receive "SSPR_0029: Your organization hasn’t properly set up the on-premises configuration for password reset." Checking the event logs on the Azure AD Connect system shows that the management agent credential was denied access.Possible Solution: Use RSOP on the Azure AD Connect system and your domain controllers to see if the policy "Network access: Restrict clients allowed to make remote calls to SAM" found under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options is enabled. Edit the policy to include the MSOL_XXXXXXX management account as an allowed user. For more information, see [Troubleshoot error SSPR_0029: Your organization hasn't properly set up the on-premises configuration for password reset](/troubleshoot/azure/active-directory/password-writeback-error-code-sspr-0029).|
161161

162162
## Password writeback event log error codes
163163
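Review bot: The changed row at line 160 still runs two sentences together at "denied access.Possible Solution:" with no space or break, while the other rows in this table separate their parts with `<br> <br>`; since the row is being edited anyway, add the break there. The appended link also sits directly against the closing pipe (`sspr-0029).|`), so add a space before `|`. The row quotes two different wordings of the SSPR_0029 message, one in each cell, and a short phrase saying they are the same error would help readers searching on either string.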

articles/active-directory/develop/howto-configure-publisher-domain.md

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2,24 +2,26 @@
22
title: Configure an app's publisher domain
33
description: Learn how to configure an app's publisher domain to let users know where their information is being sent.
44
services: active-directory
5-
author: rwike77
5+
author: OwenRichards1
66
manager: CelesteDG
77

88
ms.service: active-directory
99
ms.subservice: develop
1010
ms.topic: how-to
1111
ms.workload: identity
12-
ms.date: 11/11/2022
13-
ms.author: ryanwi
12+
ms.date: 01/05/2023
13+
ms.author: owenrichards
1414
ms.reviewer: xurobert, brianokoyo
1515
ms.custom: contperf-fy21q4, aaddev
1616
---
1717

1818
# Configure an app's publisher domain
1919

20-
An app’s publisher domain informs users where their information is being sent. The publisher domain also acts as an input or prerequisite for [publisher verification](publisher-verification-overview.md).
20+
An app’s publisher domain informs users where their information is being sent. The publisher domain also acts as an input or prerequisite for [publisher verification](publisher-verification-overview.md). Depending on when the app was registered and the status of the Publisher Verification, it would be displayed directly to the user on the [application's consent prompt](application-consent-experience.md). An application’s publisher domain is displayed to users (depending on the state of Publisher Verification) on the consent UX to let users know where their information is being sent for trustworthiness.
2121

22-
In an app's [consent prompt](application-consent-experience.md), either the publisher domain or the publisher verification status appears. Which information is shown depends on whether the app is a [multitenant app](/azure/architecture/guide/multitenant/overview), when the app was registered, and the app's publisher verification status.
22+
In an app's consent prompt, either the publisher domain or the publisher verification status appears. Which information is shown depends on whether the app is a [multitenant app](/azure/architecture/guide/multitenant/overview), when the app was registered, and the app's publisher verification status.
23+
24+
## Understand multitenant apps
2325

2426
A *multitenant app* is an app that supports user accounts that are outside a single organizational directory. For example, a multitenant app might support all Azure Active Directory (Azure AD) work or school accounts, or it might support both Azure AD work or school accounts and personal Microsoft accounts.
2527
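Review bot: The two sentences appended to line 20 repeat each other and the paragraph at line 22: both say the publisher domain is shown on the consent prompt depending on publisher verification status, and the second restates the opening sentence ("to let users know where their information is being sent"). Keep one of them, name the subject explicitly instead of "it would be displayed", and drop "for trustworthiness". The added text also mixes "Publisher Verification" with the lowercase "publisher verification" used elsewhere in the hunk, and "consent UX" with "consent prompt"; pick one of each.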

articles/active-directory/reports-monitoring/concept-all-sign-ins.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.topic: conceptual
99
ms.workload: identity
1010
ms.subservice: report-monitor
11-
ms.date: 11/04/2022
11+
ms.date: 01/05/2023
1212
ms.author: sarahlipsey
1313
ms.reviewer: besiler
1414
ms.collection: M365-identity-device-management
@@ -41,6 +41,9 @@ To access the sign-ins log for a tenant, you must have one of the following role
4141
- Global Reader
4242
- Reports Reader
4343

44+
>[!NOTE]
45+
>You might need conditional access administrator role to see applied conditional access policies in the sign-ins log.
46+
4447
The sign-in activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you can access the sign-in activity report through the Microsoft Graph API. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade.
4548

4649
**To access the Azure AD sign-ins log preview:**
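Review bot: The note added at lines 44 to 45 is too vague to act on: "You might need" does not say when the role is required, and the role name is lowercase and missing its article, unlike the capitalized roles listed just above (Global Reader, Reports Reader). State the condition under which the role is needed and write it as "the Conditional Access Administrator role". If the rest of the article writes `> [!NOTE]` with a space after `>`, match that here.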

articles/active-directory/saas-apps/opentext-fax-tutorial.md

Lines changed: 22 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: saas-app-tutorial
1010
ms.workload: identity
1111
ms.topic: tutorial
12-
ms.date: 11/21/2022
12+
ms.date: 01/05/2023
1313
ms.author: jeedes
1414

1515
---
@@ -27,15 +27,16 @@ In this tutorial, you'll learn how to integrate OpenText XM Fax and XM SendSecur
2727
To get started, you need the following items:
2828

2929
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
30-
* OpenText XM Fax and XM SendSecure single sign-on (SSO) enabled subscription.
31-
* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
30+
* Azure AD Cloud Application Administrator or Application Administrator role.
3231
For more information, see [Azure built-in roles](../roles/permissions-reference.md).
32+
* OpenText XM Fax and XM SendSecure subscription.
33+
* OpenText XM Fax and XM SendSecure administrator account.
3334

3435
## Scenario description
3536

3637
In this tutorial, you configure and test Azure AD SSO in a test environment.
3738

38-
* OpenText XM Fax and XM SendSecure supports **SP** initiated SSO.
39+
* OpenText XM Fax and XM SendSecure supports **SP-initiated** SSO.
3940

4041
> [!NOTE]
4142
> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
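Review bot: The rewritten subscription bullet at line 32 drops the "single sign-on (SSO) enabled" qualifier that the removed line 30 carried; if SSO still has to be enabled on the OpenText subscription before these steps work, keep that wording. The new role bullet at line 30 is followed by the unchanged "see [Azure built-in roles]" line, whose target is `../roles/permissions-reference.md` under active-directory, so the link text should read "Azure AD built-in roles" while this list is being touched.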
@@ -98,9 +99,9 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
9899

99100
| **Sign-on URL** |
100101
|-------------|
101-
| `https://login.xmedius.com/` |
102-
| `https://login.xmedius.eu/` |
103-
| `https://login.xmedius.ca/` |
102+
| `https://login.xmedius.com/{account}` |
103+
| `https://login.xmedius.eu/{account}` |
104+
| `https://login.xmedius.ca/{account}` |
104105

105106
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
106107
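Review bot: The `{account}` placeholder added to the three sign-on URLs at lines 102 to 104 is not explained in the visible step, and the fail-safe URL note later in this file writes the same idea with a different style, `https://login.[domain]/[account]/no-sso`. Add a sentence saying what value replaces `{account}` and use one placeholder style in both places.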

@@ -112,19 +113,19 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
112113

113114
### Create an Azure AD test user
114115

115-
In this section, you'll create a test user in the Azure portal called B.Simon.
116+
In this section, you'll create a test user in the Azure portal called B.Simon:
116117

117118
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
118119
1. Select **New user** at the top of the screen.
119120
1. In the **User** properties, follow these steps:
120121
1. In the **Name** field, enter `B.Simon`.
121-
1. In the **User name** field, enter the [email protected]. For example, `[email protected]`.
122+
1. In the **User name** field, enter the user name in the following format: [email protected]. For example, `[email protected]`.
122123
1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
123124
1. Click **Create**.
124125

125126
### Assign the Azure AD test user
126127

127-
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to OpenText XM Fax and XM SendSecure.
128+
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to OpenText XM Fax and XM SendSecure:
128129

129130
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
130131
1. In the applications list, select **OpenText XM Fax and XM SendSecure**.
@@ -144,28 +145,33 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
144145

145146
1. Provide the following required information:
146147

147-
a. In the **Sign In URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
148+
a. In the **Issuer (Identity Provider)** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.
149+
150+
b. In the **Sign In URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
148151

149-
b. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **X.509 Signing Certificate** textbox.
152+
c. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **X.509 Signing Certificate** textbox.
150153

151-
c. click **Save**.
154+
d. click **Save**.
152155

153156
> [!NOTE]
154157
> Keep the fail-safe URL (`https://login.[domain]/[account]/no-sso`) provided at the bottom of the SSO configuration section, it will allow you to log in using your XM Cloud account credentials if you lock yourself after SSO activation.
155158
156159
### Create OpenText XM Fax and XM SendSecure test user
157160

158-
In this section, you create a user called Britta Simon at OpenText XM Fax and XM SendSecure. Work with [OpenText XM Fax and XM SendSecure support team](mailto:[email protected]) to add the users in the OpenText XM Fax and XM SendSecure platform. Users must be created and activated before you use single sign-on.
161+
Create a user called Britta Simon at OpenText XM Fax and XM SendSecure. Make sure the email is set to "[email protected]".
162+
163+
> [!NOTE]
164+
> Users must be created and activated before you use single sign-on.
159165
160166
## Test SSO
161167

162-
In this section, you test your Azure AD single sign-on configuration with following options.
168+
In this section, you test your Azure AD single sign-on configuration with the following options.
163169

164170
* Click on **Test this application** in Azure portal. This will redirect to OpenText XM Fax and XM SendSecure Sign-on URL where you can initiate the login flow.
165171

166172
* Go to OpenText XM Fax and XM SendSecure Sign-on URL directly and initiate the login flow from there.
167173

168-
* You can use Microsoft My Apps. When you click the OpenText XM Fax and XM SendSecure tile in the My Apps, this will redirect to OpenText XM Fax and XM SendSecure Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
174+
* You can use Microsoft My Apps. When you click the OpenText XM Fax and XM SendSecure tile in the My Apps portal, this will redirect to OpenText XM Fax and XM SendSecure Sign-on URL. For more information about the My Apps portal, see [Introduction to the My Apps portal](../user-help/my-apps-portal-end-user-access.md).
169175

170176
## Next steps
171177
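Review bot: The new line 161 tells the reader to set the email to a specific address without saying why; if the address has to match the user name of the Azure AD test user created earlier in the tutorial, say so, because that is what the reader needs to know when substituting their own domain. While relettering the steps, capitalize "click" in `d. click **Save**.` at line 154. With the support-team contact removed from line 158, the unchanged fail-safe `no-sso` URL note at line 157 is the only recovery path the section mentions, so consider placing it before the Save step instead of after it.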
