Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Learn Build Service GitHub App

articles/active-directory/cloud-infrastructure-entitlement-management/how-to-add-remove-user-to-group.md

@@ -21,7 +21,7 @@ This article describes how you can add or remove a new user for a group in Permi
 
 ## Add a user
 
-1. Navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home). 
+1. Navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).
 1. From the Azure Active Directory tile, select **Go to Azure Active Directory**. 
 1. From the navigation pane, select the **Groups** drop-down menu, then **All groups**.
 1. Select the group name for the group you want to add the user to.

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md

@@ -17,7 +17,7 @@ ms.author: jfields
 This article describes how to onboard a Microsoft Azure subscription or subscriptions on Permissions Management. Onboarding a subscription creates a new authorization system to represent the Azure subscription in Permissions Management.
 
 > [!NOTE]
-> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
+> A *global administrator* or *root user* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
 
 ## Explanation
 

articles/active-directory/enterprise-users/licensing-service-plan-reference.md

@@ -1,7 +1,7 @@
 ---
 title: What's deprecated in Azure Active Directory?
 description: Learn about features being deprecated in Azure Active Directory
-author: jricketts
+author: janicericketts
 manager: martinco
 ms.service: active-directory
 ms.subservice: fundamentals

articles/active-directory/fundamentals/whats-deprecated-azure-ad.md

@@ -20,6 +20,8 @@ ms.collection: M365-identity-device-management
 
 You may have received a notification email that says that your [Azure AD Connect version is deprecated](whatis-azure-ad-connect-v2.md) and no longer supported.  Or, you may have read a portal recommendation about upgrading your Azure AD Connect version. What is next?
 
+[!INCLUDE [Choose cloud sync](../../../includes/choose-cloud-sync.md)]
+
 Using a deprecated and unsupported version of Azure AD Connect isn't recommended and not supported. Deprecated and unsupported versions of Azure AD Connect may **unexpectedly stop working**.  In these instances, you may need to install the latest version of Azure AD Connect as your only remedy to restore your sync process. 
 
 We regularly update Azure AD Connect with [newer versions](reference-connect-version-history.md). The new versions have bug fixes, performance improvements, new functionality, and security fixes, so it's important to stay up to date.

articles/active-directory/hybrid/deprecated-azure-ad-connect.md

@@ -19,6 +19,9 @@ ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 # Azure AD Connect: Upgrade from a previous version to the latest
+
+[!INCLUDE [Choose cloud sync](../../../includes/choose-cloud-sync.md)]
+
 This topic describes the different methods that you can use to upgrade your Azure Active Directory (Azure AD) Connect installation to the latest release. Microsoft recommends using the steps in the [Swing migration](#swing-migration) section when you make a substantial configuration change or upgrade from older 1.x versions.
 
 >[!NOTE]

articles/active-directory/hybrid/how-to-upgrade-previous-version.md

@@ -17,6 +17,8 @@ ms.collection: M365-identity-device-management, has-adal-ref
 
 Azure AD Connect was released several years ago.  Since this time, several of the components that Azure AD Connect uses have been scheduled for deprecation and updated to newer versions.  Attempting to update all of these components individually would take time and planning. 
 
+[!INCLUDE [Choose cloud sync](../../../includes/choose-cloud-sync.md)]
+
 To address this, we've bundled as many of these newer components into a new, single release, so you only have to update once. This release is Azure AD Connect V2.  This release is a new version of the same software used to accomplish your hybrid identity goals, built using the latest foundational components. 
 
  >[!NOTE]

articles/active-directory/hybrid/whatis-azure-ad-connect-v2.md

@@ -17,6 +17,8 @@ ms.collection: M365-identity-device-management
 
 Azure AD Connect is an on-premises Microsoft application that's designed to meet and accomplish your hybrid identity goals. If you're evaluating how to best meet your goals, you should also consider the cloud-managed solution [Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md).
 
+[!INCLUDE [Choose cloud sync](../../../includes/choose-cloud-sync.md)]
+
 > [!div class="nextstepaction"]
 > [Install Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594)
 > 

articles/active-directory/hybrid/whatis-azure-ad-connect.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 01/12/2023
+ms.date: 02/03/2023
 ms.author: sarahlipsey
 ms.reviewer: besiler
 ms.collection: M365-identity-device-management
@@ -51,17 +51,17 @@ Depending on where you want to route the audit log data, you also need one of th
     - For storage pricing information, see the [Azure Storage pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=storage). 
 * An **[Azure Event Hubs namespace](../../event-hubs/event-hubs-create.md)** to integrate with third-party solutions.
 
-Once you have your endpoint established, go to **Azure AD** and then **Diagnostic settings.** From here you can choose what logs to send to the endpoint of your choice. For more information, see the **Create diagnostic settings** section of the [Diagnostic settings in Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md#create-diagnostic-settings) article.
+Once you have your endpoint established, go to **Azure AD** and then **Diagnostic settings.** From here, you can choose what logs to send to the endpoint of your choice. For more information, see the **Create diagnostic settings** section of the [Diagnostic settings in Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md#create-diagnostic-settings) article.
 
 ## Cost considerations
 
-If you already have an Azure AD license, you need an Azure subscription to set up the storage account and Event Hubs. The Azure subscription comes at no cost, but you have to pay to utilize Azure resources, including the storage account that you use for archival and the Event Hubs that you use for streaming. The amount of data and, thus, the cost incurred, can vary significantly depending on the tenant size. 
+If you already have an Azure AD license, you need an Azure subscription to set up the storage account and Event Hubs. The Azure subscription comes at no cost, but you have to pay to utilize Azure resources. These resources could include the storage account that you use for archival and the Event Hubs that you use for streaming. The amount of data and, thus, the cost incurred, can vary significantly depending on the tenant size. 
 
 Azure Monitor provides the option to exclude whole events, fields, or parts of fields when ingesting logs from Azure AD. Learn more about this cost saving feature in [Data collection transformation in Azure Monitor](../../azure-monitor/essentials/data-collection-transformations.md).
 
 ### Storage size for activity logs
 
-Every audit log event uses about 2 KB of data storage. Sign in event logs are about 4 KB of data storage. For a tenant with 100,000 users, which would incur about 1.5 million events per day, you would need about 3 GB of data storage per day. Because writes occur in approximately five-minute batches, you can anticipate approximately 9,000 write operations per month. 
+Every audit log event uses about 2 KB of data storage. Sign-in event logs are about 4 KB of data storage. For a tenant with 100,000 users, which would incur about 1.5 million events per day, you would need about 3 GB of data storage per day. Because writes occur in approximately five-minute batches, you can anticipate around 9,000 write operations per month. 
 
 The following table contains a cost estimate of, depending on the size of the tenant, a general-purpose v2 storage account in West US for at least one year of retention. To create a more accurate estimate for the data volume that you anticipate for your application, use the [Azure storage pricing calculator](https://azure.microsoft.com/pricing/details/storage/blobs/).
 
@@ -80,9 +80,9 @@ If you want to know for how long the activity data is stored in a Premium tenant
 
 Events are batched into approximately five-minute intervals and sent as a single message that contains all the events within that timeframe. A message in the Event Hubs has a maximum size of 256 KB. If the total size of all the messages within the timeframe exceeds that volume, multiple messages are sent. 
 
-For example, about 18 events per second ordinarily occur for a large tenant of more than 100,000 users, a rate that equates to 5,400 events every five minutes. Because audit logs are about 2 KB per event, this equates to 10.8 MB of data. Therefore, 43 messages are sent to the event hub in that five-minute interval. 
+For example, about 18 events per second ordinarily occur for a large tenant of more than 100,000 users, a rate that equates to 5,400 events every five minutes. Audit logs are about 2 KB per event, which equates to 10.8 MB of data. Therefore, 43 messages are sent to the event hub in that five-minute interval. 
 
-The following table contains estimated costs per month for a basic event hub in West US, depending on the volume of event data which can vary from tenant to tenant as per many factors like user sign-in behavior etc. To calculate an accurate estimate of the data volume that you anticipate for your application, use the [Event Hubs pricing calculator](https://azure.microsoft.com/pricing/details/event-hubs/).
+The following table contains estimated costs per month for a basic event hub in West US. The volume of event data can vary from tenant to tenant, based on factors like user sign-in behavior. To calculate an accurate estimate of the data volume that you anticipate for your application, use the [Event Hubs pricing calculator](https://azure.microsoft.com/pricing/details/event-hubs/).
 
 | Log category | Number of users | Events per second | Events per five-minute interval | Volume per interval | Messages per interval | Messages per month | Cost per month (est.) |
 |--------------|-----------------|-------------------------|----------------------------------------|---------------------|---------------------------------|------------------------------|----------------------------|
@@ -111,18 +111,6 @@ This section answers frequently asked questions and discusses known issues with
 
 ---
 
-**Q: How soon after an action will the corresponding logs show up in my event hub?**
-
-**A**: The logs should show up in your event hub within two to five minutes after the action is performed. For more information about Event Hubs, see [What is Azure Event Hubs?](../../event-hubs/event-hubs-about.md).
-
----
-
-**Q: How soon after an action will the corresponding logs show up in my storage account?**
-
-**A**: For Azure storage accounts, the latency is anywhere from 5 to 15 minutes after the action is performed.
-
----
-
 **Q: What happens if an Administrator changes the retention period of a diagnostic setting?**
 
 **A**: The new retention policy will be applied to logs collected after the change. Logs collected before the policy change will be unaffected.
@@ -141,11 +129,11 @@ This section answers frequently asked questions and discusses known issues with
 
 ---
 
-**Q: How do I integrate Azure AD activity logs with my SIEM system?**
+**Q: How do I integrate Azure AD activity logs with my SIEM tools?**
 
-**A**: You can do this in two ways:
+**A**: You can do integrate with your SIEM tools in two ways:
 
-- Use Azure Monitor with Event Hubs to stream logs to your SIEM system. First, [stream the logs to an event hub](tutorial-azure-monitor-stream-logs-to-event-hub.md) and then [set up your SIEM tool](tutorial-azure-monitor-stream-logs-to-event-hub.md#access-data-from-your-event-hub) with the configured event hub. 
+- Use Azure Monitor with Event Hubs to stream logs to your SIEM tool. First, [stream the logs to an event hub](tutorial-azure-monitor-stream-logs-to-event-hub.md) and then [set up your SIEM tool](tutorial-azure-monitor-stream-logs-to-event-hub.md#access-data-from-your-event-hub) with the configured event hub. 
 
 - Use the [Reporting Graph API](concept-reporting-api.md) to access the data, and push it into the SIEM system using your own scripts.
 

articles/active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.topic: how-to
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 10/31/2022
+ms.date: 02/03/2023
 ms.author: sarahlipsey
 ms.reviewer: besiler 
 
@@ -32,41 +32,30 @@ As an Azure AD administrator, you can use the sign-in logs to:
 
 Some scenarios require you to get an understanding of how your Conditional Access policies were applied to a sign-in event. Common examples include:
 
-- *Helpdesk administrators* who need to look at applied Conditional Access policies to understand if a policy is the root cause of a ticket that a user opened. 
+- Helpdesk administrators who need to look at applied Conditional Access policies to understand if a policy is the root cause of a ticket that a user opened. 
 
-- *Tenant administrators* who need to verify that Conditional Access policies have the intended effect on the users of a tenant.
+- Tenant administrators who need to verify that Conditional Access policies have the intended effect on the users of a tenant.
 
 You can access the sign-in logs by using the Azure portal, Microsoft Graph, and PowerShell.  
 
 ## Required administrator roles 
 
-To see applied Conditional Access policies in the sign-in logs, administrators must have permissions to view both the logs and the policies.
+To see applied Conditional Access policies in the sign-in logs, administrators must have permissions to view *both* the logs and the policies. The least privileged built-in role that grants *both* permissions is *Security Reader*. As a best practice, your Global Administrator should add the Security Reader role to the related administrator accounts. 
 
-The least privileged built-in role that grants both permissions is *Security Reader*. As a best practice, your global administrator should add the Security Reader role to the related administrator accounts. 
-
-The following built-in roles grant permissions to read Conditional Access policies:
+The following built-in roles grant permissions to *read Conditional Access policies*:
 
 - Global Administrator 
-
 - Global Reader 
-
 - Security Administrator 
-
 - Security Reader 
-
 - Conditional Access Administrator 
 
-
-The following built-in roles grant permission to view sign-in logs: 
+The following built-in roles grant permission to *view sign-in logs*: 
 
 - Global Administrator 
-
 - Security Administrator 
-
 - Security Reader 
-
 - Global Reader 
-
 - Reports Reader 
 
 ## Permissions for client apps 
@@ -76,9 +65,7 @@ If you use a client app to pull sign-in logs from Microsoft Graph, your app need
 Any of the following permissions is sufficient for a client app to access applied certificate authority (CA) policies in sign-in logs through Microsoft Graph: 
 
 - `Policy.Read.ConditionalAccess` 
-
 - `Policy.ReadWrite.ConditionalAccess` 
-
 - `Policy.Read.All` 
 
 ## Permissions for PowerShell 
@@ -89,37 +76,28 @@ Like any other client app, the Microsoft Graph PowerShell module needs client pe
 - `AuditLog.Read.All` 
 - `Directory.Read.All` 
 
-These permissions are the least privileged permissions with the necessary access. 
-
-To consent to the necessary permissions, use: 
-
-`Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All`
-
-To view the sign-in logs, use: 
+The following permissions are the least privileged permissions with the necessary access:
 
-`Get-MgAuditLogSignIn`
+- To consent to the necessary permissions: `Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All`
+- To view the sign-in logs: `Get-MgAuditLogSignIn`
 
 For more information about this cmdlet, see [Get-MgAuditLogSignIn](/powershell/module/microsoft.graph.reports/get-mgauditlogsignin).
 
 The Azure AD Graph PowerShell module doesn't support viewing applied Conditional Access policies. Only the Microsoft Graph PowerShell module returns applied Conditional Access policies.  
 
-## Confirming access 
-
-On the **Conditional Access** tab, you see a list of Conditional Access policies applied to that sign-in event. 
-
-To confirm that you have admin access to view applied Conditional Access policies in the sign-in logs: 
-
-1. Go to the Azure portal. 
-
-2. In the upper-right corner, select your directory, and then select **Azure Active Directory** on the left pane. 
+## View Conditional Access policies in Azure AD sign-in logs
 
-3. In the **Monitoring** section, select **Sign-in logs**. 
+The activity details of sign-in logs contain several tabs. The **Conditional Access** tab lists the Conditional Access policies applied to that sign-in event. 
 
-4. Select an item in the sign-in table to open the **Activity Details: Sign-ins context** pane.  
+1. Sign in to the [Azure portal](https://portal.azure.com) using the Security Reader role.
+1. In the **Monitoring** section, select **Sign-in logs**. 
+1. Select  a sign-in item from the table to open the **Activity Details: Sign-ins context** pane.  
+1. Select the **Conditional Access** tab.
 
-5. Select the **Conditional Access** tab on the context pane. If your screen is small, you might need to select the ellipsis (**...**) to see all tabs on the context pane.  
+If you don't see the Conditional Access policies, confirm you're using a role that provides access to both the sign-in logs and the Conditional Access policies.
 
 ## Next steps
 
-* [Sign-in error code reference](./concept-sign-ins.md)
-* [Sign-in report overview](concept-sign-ins.md)
+* [Troubleshoot sign-in problems](../conditional-access/troubleshoot-conditional-access.md#azure-ad-sign-in-events)
+* [Review the Conditional Access sign-in logs FAQs](reports-faq.yml#conditional-access)
+* [Learn about the sign-in logs](concept-sign-ins.md)