Merge pull request #188228 from MicrosoftDocs/main

2/10 AM Publish

Author: huypub

articles/active-directory/authentication/howto-mfa-adfs.md

@@ -43,7 +43,9 @@ To secure your cloud resource, set up a claims rule so that Active Directory Fed
 6. Give your rule a name. 
 7. Select **Authentication Methods References** as the Incoming claim type.
 8. Select **Pass through all claim values**.
+
     ![Screenshot shows Add Transform Claim Rule Wizard where you select Pass through all claim values.](./media/howto-mfa-adfs/configurewizard.png)
+
 9. Click **Finish**. Close the AD FS Management console.
 
 ## Trusted IPs for federated users
@@ -59,25 +61,34 @@ The first thing we need to do is to configure the AD FS claims. Create two claim
 1. Open AD FS Management.
 2. On the left, select **Relying Party Trusts**.
 3. Right-click on **Microsoft Office 365 Identity Platform** and select **Edit Claim Rules…**
+
    ![ADFS Console - Edit Claim Rules](./media/howto-mfa-adfs/trustedip1.png)
+
 4. On Issuance Transform Rules, click **Add Rule.**
+
    ![Adding a Claim Rule](./media/howto-mfa-adfs/trustedip2.png)
+
 5. On the Add Transform Claim Rule Wizard, select **Pass Through or Filter an Incoming Claim** from the drop-down and click **Next**.
+
    ![Screenshot shows Add Transform Claim Rule Wizard where you select Pass Through or Filter an Incoming Claim.](./media/howto-mfa-adfs/trustedip3.png)
+
 6. In the box next to Claim rule name, give your rule a name. For example: InsideCorpNet.
 7. From the drop-down, next to Incoming claim type, select **Inside Corporate Network**.
+
    ![Adding Inside Corporate Network claim](./media/howto-mfa-adfs/trustedip4.png)
+
 8. Click **Finish**.
 9. On Issuance Transform Rules, click **Add Rule**.
 10. On the Add Transform Claim Rule Wizard, select **Send Claims Using a Custom Rule** from the drop-down and click **Next**.
 11. In the box under Claim rule name: enter *Keep Users Signed In*.
 12. In the Custom rule box, enter:
 
-```ad-fs-claim-rule
+    ```ad-fs-claim-rule
         c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
-            => issue(claim = c);
+            => issue(claim = c); 
+    ```
+
     ![Create custom claim to keep users signed in](./media/howto-mfa-adfs/trustedip5.png)
-```
 
 13. Click **Finish**.
 14. Click **Apply**.
@@ -97,4 +108,4 @@ Now that the claims are in place, we can configure trusted IPs.
 4. On the Service Settings page, under **trusted IPs**, select **Skip multi-factor-authentication for requests from federated users on my intranet**.  
 5. Click **save**.
 
-That's it! At this point, federated Microsoft 365 users should only have to use MFA when a claim originates from outside the corporate intranet.
+That's it! At this point, federated Microsoft 365 users should only have to use MFA when a claim originates from outside the corporate intranet.

articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md

@@ -78,7 +78,7 @@ The Office 365 suite makes it possible to target these services all at once. We
 
 Targeting this group of applications helps to avoid issues that may arise because of inconsistent policies and dependencies. For example: The Exchange Online app is tied to traditional Exchange Online data like mail, calendar, and contact information. Related metadata may be exposed through different resources like search. To ensure that all metadata is protected by as intended, administrators should assign policies to the Office 365 app.
 
-Administrators can exclude specific apps from policy if they wish, including the Office 365 suite and excluding the specific apps in policy.
+Administrators can exclude the entire Office 365 suite or specific Office 365 client apps from the Conditional Access policy.
 
 The following key applications are included in the Office 365 client app:
 

articles/active-directory/hybrid/how-to-connect-pta-faq.yml

@@ -25,7 +25,7 @@ sections:
   - name: Ignored
     questions:
       - question: |
-          Which of the methods to sign in to Azure AD, Pass-through Authentication, password hash synchronization, and Active Directory Federation Services (AD FS), should I choose?
+          Which of the methods to sign in to Azure AD, Pass-through Authentication, password hash synchronization, and Active Directory Federation Services (AD FS) should I choose?
         answer: |
           Review [this guide](./choose-ad-authn.md) for a comparison of the various Azure AD sign-in methods and how to choose the right sign-in method for your organization.
           
@@ -180,20 +180,34 @@ sections:
           If you uninstall a Pass-through Authentication Agent from a server, it causes the server to stop accepting sign-in requests. To avoid breaking the user sign-in capability on your tenant, ensure that you have another Authentication Agent running before you uninstall a Pass-through Authentication Agent.
 
       - question: |
-          I have an older tenant that was originally setup using AD FS.  We recently migrated to PTA but now are not seeing our UPN changes synchronizing to Azure AD.  Why are our UPN changes not being synchronized?
+          I have an older tenant that was originally setup using AD FS. We recently migrated to PTA, but now are not seeing our UPN changes synchronizing to Azure AD. Why are our UPN changes not being synchronized?
         answer: |
-          A: Under the following circumstances your on-premises UPN changes may not synchronize if:
+          Under the following circumstances your on-premises UPN changes might not synchronize if:
           
-          - Your Azure AD tenant was created prior to June 15th 2015
-          - You initially were federated with your Azure AD tenant using AD FS for authentication
-          - You switched to having managed users using PTA as authentication
+          - Your Azure AD tenant was created prior to June 15, 2015.
+          - You initially were federated with your Azure AD tenant using AD FS for authentication.
+          - You switched to having managed users using PTA as authentication.
           
-          This is because the default behavior of tenants created prior to June 15th 2015 was to block UPN changes.  If you need to un-block UPN changes you need to run the following PowerShell cmdlt:  
+          This is because the default behavior of tenants created prior to June 15, 2015 was to block UPN changes. If you need to un-block UPN changes you need to run the following PowerShell cmdlet:  
           
           `Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $True`
           
-          Tenants created after June 15th 2015 have the default behavior of synchronizing UPN changes.   
+          Tenants created after June 15, 2015 have the default behavior of synchronizing UPN changes.   
           
+      - question: |
+          How do I capture the PTA Agent ID from Azure AD sign-in logs and the PTA server to validate which PTA server was used for a sign-in event?
+        answer: |
+          To validate which local server or authentication agent was used for a specific sign-in event:
+
+          1. In the Azure portal, go to the sign-in event.
+          2. Select **Authentication Details**. In the **Authentication Method Detail** column, Agent ID details are shown in the format "Pass-through Authentication; PTA AgentId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX".
+          3. To get Agent ID details for the agent that's installed on your local server, log in to your local server and run following cmdlet: 
+          
+              `Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Authentication Agent' | Select *Instance*`
+          
+              The GUID value that's returned is the Agent ID of the authentication agent that's installed on that specific server. If you have multiple agents in your environment, you can run this cmdlet on each agent server and capture the Agent ID details.
+          4. Correlate the Agent ID that you get from the local server and from the Azure AD sign-in logs to validate which agent or server acknowledged the sign-request.
+            
 additionalContent: |
 
   ## Next steps

articles/active-directory/saas-apps/facebook-work-accounts-provisioning-tutorial.md

@@ -40,7 +40,7 @@ The scenario outlined in this tutorial assumes that you already have the followi
 ## Step 1. Plan your provisioning deployment
 1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
 1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-1. Determine what data to [map between Azure AD and Vonage](../app-provisioning/customize-application-attributes.md).
+1. Determine what data to [map between Azure AD and Facebook Work Accounts](../app-provisioning/customize-application-attributes.md).
 
 
 ## Step 2. Add Facebook Work Accounts from the Azure AD application gallery

articles/active-directory/standards/configure-azure-active-directory-for-fedramp-high-impact.md

@@ -42,7 +42,7 @@ The following is a list of FedRAMP resources:
 
 * [FedRAMP Security Assessment Framework](https://www.fedramp.gov/assets/resources/documents/FedRAMP_Security_Assessment_Framework.pdf)
 
-* [Agency Guide for FedRAMP Authorizations](https://www.fedramp.gov/assets/resources/documents/Agency_Guide_for_Reuse_of_FedRAMP_Authorizations.pdf)
+* [Agency Guide for FedRAMP Authorizations](https://www.fedramp.gov/assets/resources/documents/Agency_Authorization_Playbook.pdf)
 
 * [Managing compliance in the cloud at Microsoft](https://www.microsoft.com/trustcenter/common-controls-hub)
 

articles/analysis-services/analysis-services-refresh-azure-automation.md

@@ -62,7 +62,7 @@ The Service Principal you create must have server administrator permissions on t
 4. Browse for the [Refresh-Model.ps1](#sample-powershell-runbook) file, provide a **Name** and **Description**, and then click **Create**.
 
     > [!NOTE]
-    > Use script from [Sample Powershell Runbook](#sample-powershell-runbook) section at the bottom of this document to create a file called Refresh-Model.ps1 and save to local machine to import into Runbook.
+    > Use script from [Sample PowerShell Runbook](#sample-powershell-runbook) section at the bottom of this document to create a file called Refresh-Model.ps1 and save to local machine to import into Runbook.
 
     ![Import Runbook](./media/analysis-services-refresh-azure-automation/9.png)
 

articles/api-management/api-management-faq.yml

@@ -103,7 +103,7 @@ sections:
         answer: |
           Yes. This can be done through PowerShell or by directly submitting to the API. This will disable certificate chain validation and will allow you to use self-signed or privately-signed certificates when communicating from API Management to the back end services.
           
-          ### Powershell method
+          ### PowerShell method
           Use the [`New-AzApiManagementBackend`](/powershell/module/az.apimanagement/new-azapimanagementbackend) (for new back end) or [`Set-AzApiManagementBackend`](/powershell/module/az.apimanagement/set-azapimanagementbackend) (for existing back end) PowerShell cmdlets and set the `-SkipCertificateChainValidation` parameter to `True`.
           
           ```powershell

articles/api-management/automation-manage-api-management.md

@@ -29,7 +29,7 @@ Reduce operational overhead and free up IT and DevOps staff to focus on work tha
 ## How can Azure Automation help manage Azure API Management?
 API Management can be managed in Azure Automation by using the [Windows PowerShell cmdlets for Azure API Management API](/powershell/module/az.apimanagement). Within Azure Automation, you can write PowerShell workflow scripts to perform many of your API Management tasks using the cmdlets. You can also pair these cmdlets in Azure Automation with the cmdlets for other Azure services, to automate complex tasks across Azure services and 3rd party systems.
 
-Here are some examples of using API Management with Powershell:
+Here are some examples of using API Management with PowerShell:
 
 * [Azure PowerShell samples for API Management](./powershell-samples.md)
 

articles/app-service/app-service-hybrid-connections.md

@@ -5,7 +5,7 @@ author: madsd
 
 ms.assetid: 66774bde-13f5-45d0-9a70-4e9536a4f619
 ms.topic: article
-ms.date: 05/05/2021
+ms.date: 2/10/2022
 ms.author: madsd
 ms.custom: seodec18, fasttrack-edit
 ---
@@ -140,7 +140,7 @@ To support the Hybrid Connections it's configured with, HCM requires:
 
 - TCP access to Azure over port 443.
 - TCP access to the Hybrid Connection endpoint.
-- The ability to do DNS look-ups on the endpoint host and the Service Bus namespace.
+- The ability to do DNS look-ups on the endpoint host and the Service Bus namespace. In other words, the hostname in the Azure relay connection should be resolvable from the machine hosting the HCM.
 
 > [!NOTE]
 > Azure Relay relies on Web Sockets for connectivity. This capability is only available on Windows Server 2012 or later. Because of that, HCM is not supported on anything earlier than Windows Server 2012.

articles/app-service/environment/migrate.md

@@ -3,7 +3,7 @@ title: Migrate to App Service Environment v3 by using the migration feature
 description: Overview of the migration feature for migration to App Service Environment v3
 author: seligj95
 ms.topic: article
-ms.date: 2/2/2022
+ms.date: 2/10/2022
 ms.author: jordanselig
 ms.custom: references_regions
 ---
@@ -21,7 +21,6 @@ At this time, App Service Environment migrations to v3 using the migration featu
 
 - West Central US
 - Canada Central
-- Canada East
 - UK South
 - Germany West Central
 - East Asia