MicrosoftDocs
diff --git a/‎.openpublishing.publish.config.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.publish.config.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎.openpublishing.redirection.json
Lines changed: 1840 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 1840 additions & 0 deletions
diff --git a/‎articles/active-directory-b2c/configure-tokens.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/configure-tokens.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory-domain-services/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory-domain-services/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/active-directory-domain-services/concepts-migration-benefits.md
Lines changed: 62 additions & 0 deletions b/‎articles/active-directory-domain-services/concepts-migration-benefits.md
Lines changed: 62 additions & 0 deletions
diff --git a/‎articles/active-directory-domain-services/migrate-from-classic-vnet.md
Lines changed: 4 additions & 18 deletions b/‎articles/active-directory-domain-services/migrate-from-classic-vnet.md
Lines changed: 4 additions & 18 deletions
diff --git a/‎articles/active-directory/app-provisioning/plan-cloud-hr-provision.md
Lines changed: 8 additions & 5 deletions b/‎articles/active-directory/app-provisioning/plan-cloud-hr-provision.md
Lines changed: 8 additions & 5 deletions
diff --git a/‎articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md
Lines changed: 11 additions & 0 deletions b/‎articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md
Lines changed: 11 additions & 0 deletions
@@ -163,6 +163,11 @@
       "url": "https://github.com/Azure/azure-functions-templates",
       "branch": "dev"
     },
+    {
+        "path_to_root": "azure-functions-samples-java",
+        "url": "https://github.com/Azure-Samples/azure-functions-samples-java",
+        "branch": "master"
+    },
     {
       "path_to_root": "functions-quickstart-java",
       "url": "https://github.com/Azure-Samples/functions-quickstarts-java",
 
@@ -50,7 +50,7 @@ You can configure the token lifetime on any user flow.
 
 ## Next steps
 
-Learn more about how to [use access tokens](access-tokens.md).
+Learn more about how to [request access tokens](access-tokens.md).
 
 
 
@@ -47,6 +47,8 @@
       href: synchronization.md
     - name: How password hash synchronization works
       href: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md?context=/azure/active-directory-domain-services/context/azure-ad-ds-context
+    - name: Classic deployment migration benefits
+      href: concepts-migration-benefits.md
     - name: What is Azure Active Directory?
       href: ../active-directory/fundamentals/active-directory-whatis.md?context=/azure/active-directory-domain-services/context/azure-ad-ds-context
     - name: Azure Active Directory architecture
 
@@ -0,0 +1,62 @@
+---
+title: Benefits of Classic deployment migration in Azure AD Domain Services | Microsoft Docs
+description: Learn more about the benefits of migrating a Classic deployment of Azure Active Directory Domain Services to the Resource Manager deployment model
+services: active-directory-ds
+author: iainfoulds
+manager: daveba
+
+ms.service: active-directory
+ms.subservice: domain-services
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 05/26/2020
+ms.author: iainfou
+---
+
+# Benefits of migration from the Classic to Resource Manager deployment model in Azure Active Directory Domain Services
+
+Azure Active Directory Domain Services (AD DS) lets you migrate an existing managed domain that uses the Classic deployment model to the Resource Manager deployment model. Azure AD DS managed domains that use the Resource Manager deployment model provide additional features such as fine-grained password policy, audit logs, and account lockout protection.
+
+This article outlines the benefits for migration. To get started, see [Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager][howto-migrate].
+
+> [!NOTE]
+> In 2017, Azure AD Domain Services became available to host in an Azure Resource Manager network. Since then, we have been able to build a more secure service using the Azure Resource Manager's modern capabilities. Because Azure Resource Manager deployments fully replace classic deployments, Azure AD DS classic virtual network deployments will be retired on March 1, 2023.
+>
+> For more information, see the [official deprecation notice](https://azure.microsoft.com/updates/we-are-retiring-azure-ad-domain-services-classic-vnet-support-on-march-1-2023/)
+
+## Migration benefits
+
+The migration process takes an existing Azure AD DS instance that uses the Classic deployment model and moves to use the Resource Manager deployment model. When you migrate an Azure AD DS managed domain from the Classic to Resource Manager deployment model, you avoid the need to rejoin machines to the managed domain or delete the Azure AD DS instance and create one from scratch. VMs continue to be joined to the Azure AD DS managed domain at the end of the migration process.
+
+After migration, Azure AD DS provides many features that are only available for domains using Resource Manager deployment model, such as the following:
+
+* [Fine-grained password policy support][password-policy].
+* Faster synchronization speeds between Azure AD and Azure AD Domain Services.
+* Two new [attributes that synchronize from Azure AD][attributes] - *manager* and *employeeID*.
+* Access to higher-powered domain controllers when you [upgrade the SKU][skus].
+* AD account lockout protection.
+* [Email notifications for alerts on your managed domain][email-alerts].
+* [Use Azure Workbooks and Azure monitor to view audit logs and sign-in activity][workbooks].
+* In supported regions, [Azure Availability Zones][availability-zones].
+* Integrations with other Azure products such as [Azure Files][azure-files], [HD Insights][hd-insights], and [Windows Virtual Desktop][wvd].
+* Support has access to more telemetry and can help troubleshoot more effectively.
+* Encryption at rest using [Azure Managed Disks][managed-disks] for the data on the managed domain controllers.
+
+Azure AD DS managed domains that use a Resource Manager deployment model help you stay up-to-date with the latest new features. New features aren't available for Azure AD DS managed domains that use the Classic deployment model.
+
+## Next steps
+
+To get started, see [Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager][howto-migrate].
+
+<!-- LINKS - INTERNAL -->
+[password-policy]: password-policy.md
+[skus]: change-sku.md
+[email-alerts]: notifications.md
+[workbooks]: use-azure-monitor-workbooks.md
+[azure-files]: ../storage/files/storage-files-identity-auth-active-directory-domain-service-enable.md
+[hd-insights]: ../hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds.md
+[wvd]: ../virtual-desktop/overview.md
+[availability-zones]: ../availability-zones/az-overview.md
+[howto-migrate]: migrate-from-classic-vnet.md
+[attributes]: synchronization.md#attribute-synchronization-and-mapping-to-azure-ad-ds
+[managed-disks]: ../virtual-machines/windows/managed-disks-overview.md
@@ -17,16 +17,16 @@ ms.author: iainfou
 
 Azure Active Directory Domain Services (AD DS) supports a one-time move for customers currently using the Classic virtual network model to the Resource Manager virtual network model. Azure AD DS managed domains that use the Resource Manager deployment model provide additional features such as fine-grained password policy, audit logs, and account lockout protection.
 
-This article outlines the benefits and considerations for migration, then the required steps to successfully migrate an existing Azure AD DS instance.
+This article outlines considerations for migration, then the required steps to successfully migrate an existing Azure AD DS instance. For some of the benefits, see [Benefits of migration from the Classic to Resource Manager deployment model in Azure AD DS][migration-benefits].
 
 > [!NOTE]
 > In 2017, Azure AD Domain Services became available to host in an Azure Resource Manager network. Since then, we have been able to build a more secure service using the Azure Resource Manager's modern capabilities. Because Azure Resource Manager deployments fully replace classic deployments, Azure AD DS classic virtual network deployments will be retired on March 1, 2023.
 >
-> For more information, see the [official deprecation notice](https://azure.microsoft.com/updates/we-are-retiring-azure-ad-domain-services-classic-vnet-support-on-march-1-2023/)
+> For more information, see the [official deprecation notice](https://azure.microsoft.com/updates/we-are-retiring-azure-ad-domain-services-classic-vnet-support-on-march-1-2023/).
 
 ## Overview of the migration process
 
-The migration process takes an existing Azure AD DS instance that runs in a Classic virtual network and moves it to an existing Resource Manager virtual network. The migration is performed using PowerShell, and has two main stages of execution - *preparation* and *migration*.
+The migration process takes an existing Azure AD DS instance that runs in a Classic virtual network and moves it to an existing Resource Manager virtual network. The migration is performed using PowerShell, and has two main stages of execution: *preparation* and *migration*.
 
 ![Overview of the migration process for Azure AD DS](media/migrate-from-classic-vnet/migration-overview.png)
 
@@ -38,21 +38,6 @@ In the *migration* stage, the underlying virtual disks for the domain controller
 
 ![Migration of Azure AD DS](media/migrate-from-classic-vnet/migration-process.png)
 
-## Migration benefits
-
-When you move an Azure AD DS managed domain using this migration process, you avoid the need to rejoin machines to the managed domain or delete the Azure AD DS instance and create one from scratch. VMs continue to be joined to the Azure AD DS managed domain at the end of the migration process.
-
-After migration, Azure AD DS provides many features that are only available for domains using Resource Manager virtual networks, such as:
-
-* Fine-grained password policy support.
-* AD account lockout protection.
-* Email notifications of alerts on the Azure AD DS managed domain.
-* Audit logs using Azure Monitor.
-* Azure Files integration
-* HD Insights integration
-
-Azure AD DS managed domains that use a Resource Manager virtual network help you stay up-to-date with the latest new features. Support for Azure AD DS using Classic virtual networks is to be deprecated in the future.
-
 ## Example scenarios for migration
 
 Some common scenarios for migrating an Azure AD DS managed domain include the following examples.
@@ -364,6 +349,7 @@ With your Azure AD DS managed domain migrated to the Resource Manager deployment
 [troubleshoot-sign-in]: troubleshoot-sign-in.md
 [tshoot-ldaps]: tshoot-ldaps.md
 [get-credential]: /powershell/module/microsoft.powershell.security/get-credential
+[migration-benefits]: concepts-migration-benefits.md
 
 <!-- EXTERNAL LINKS -->
 [powershell-script]: https://www.powershellgallery.com/packages/Migrate-Aadds/
@@ -76,10 +76,11 @@ You also need a valid Azure AD Premium P1 or higher subscription license for eve
 
 ### Prerequisites
 
-- Azure AD global administrator access to configure the Azure AD Connect provisioning agent.
+- Azure AD [hybrid identity administrator](../users-groups-roles/directory-assign-admin-roles.md#hybrid-identity-administrator)  to configure the Azure AD Connect provisioning agent.
+- Azure AD [application administrator](../users-groups-roles/directory-assign-admin-roles.md#application-administrator) role to configure the provisioning app in the Azure portal
 - A test and production instance of the cloud HR app.
 - Administrator permissions in the cloud HR app to create a system integration user and make changes to test employee data for testing purposes.
-- For user provisioning to Active Directory, a server running Windows Server 2012 or greater with .NET 4.7.1+ runtime is required to host the [Azure AD Connect provisioning agent](https://go.microsoft.com/fwlink/?linkid=847801).
+- For user provisioning to Active Directory, a server running Windows Server 2012 or greater with .NET 4.7.1+ runtime is required to host the Azure AD Connect provisioning agent
 - [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) for synchronizing users between Active Directory and Azure AD.
 
 ### Training resources
@@ -243,7 +244,7 @@ By default, the attribute in the cloud HR app that represents the unique employe
 
 You can set multiple matching attributes and assign matching precedence. They're evaluated on matching precedence. As soon as a match is found, no further matching attributes are evaluated.
 
-You can also [customize the default attribute mappings](../app-provisioning/customize-application-attributes.md#understanding-attribute-mapping-types), such as changing or deleting existing attribute mappings. You can also create new attribute mappings according to your business needs. For more information, see the cloud HR app tutorial (such as [Workday](../saas-apps/workday-inbound-tutorial.md#planning-workday-to-active-directory-user-attribute-mapping-and-transformations)) for a list of custom attributes to map.
+You can also [customize the default attribute mappings](../app-provisioning/customize-application-attributes.md#understanding-attribute-mapping-types), such as changing or deleting existing attribute mappings. You can also create new attribute mappings according to your business needs. For more information, see the cloud HR app tutorial (such as [Workday](../saas-apps/workday-inbound-tutorial.md#managing-your-configuration)) for a list of custom attributes to map.
 
 ### Determine user account status
 
@@ -280,7 +281,7 @@ When you initiate the Joiners-Movers-Leavers process, gather the following requi
 | | What effective dates are considered for processing user termination? |
 | | How do employee and contingent worker conversions impact existing Active Directory accounts? |
 
-Depending on your requirements, you can modify the mappings to meet your integration goals. For more information, see the specific cloud HR app tutorial (such as [Workday](../saas-apps/workday-inbound-tutorial.md#planning-workday-to-active-directory-user-attribute-mapping-and-transformations)) for a list of custom attributes to map.
+Depending on your requirements, you can modify the mappings to meet your integration goals. For more information, see the specific cloud HR app tutorial (such as [Workday](../saas-apps/workday-inbound-tutorial.md#part-4-configure-attribute-mappings)) for a list of custom attributes to map.
 
 ### Generate a unique attribute value
 
@@ -360,7 +361,9 @@ The cloud HR user provisioning implementation might fail to work as desired in t
 
 Choose the cloud HR app that aligns to your solution requirements.
 
-**Workday**: To import worker profiles from Workday into Active Directory and Azure AD, see [Tutorial: Configure Workday for automatic user provisioning](../saas-apps/workday-inbound-tutorial.md#planning-your-deployment). Optionally, you can write back the email address and username to Workday.
+**Workday**: To import worker profiles from Workday into Active Directory and Azure AD, see [Tutorial: Configure Workday for automatic user provisioning](../saas-apps/workday-inbound-tutorial.md#planning-your-deployment). Optionally, you can write back the email address, username and phone number to Workday.
+
+**SAP SuccessFactors**: To import worker profiles from SuccessFactors into Active Directory and Azure AD, see [Tutorial: Configure SAP SuccessFactors for automatic user provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md). Optionally, you can write back the email address and username to SuccessFactors.
 
 ## Manage your configuration
 
 
@@ -744,6 +744,17 @@ TLS 1.2 Cipher Suites minimum bar:
 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 
+### IP Ranges
+The Azure AD Provisionong service currently operates under the following IP ranges. 
+
+13.86.239.205; 52.188.178.195; 13.86.61.156; 40.67.254.206; 51.105.237.71; 20.44.38.166; 40.81.88.68; 52.184.94.250;
+20.43.180.59; 20.193.16.105; 20.40.167.232; 13.86.3.57; 52.188.72.113; 13.88.140.233; 52.142.121.156; 51.124.0.213;
+40.81.92.36; 20.44.39.175; 20.189.114.130; 20.44.193.163; 20.193.23.17; 20.40.173.237; 13.86.138.128; 52.142.29.23;
+13.86.2.238; 40.127.246.167; 51.136.72.4; 20.44.39.244; 40.81.92.186; 20.189.114.131; 20.44.193.210; 20.193.2.21; 20.40.174.46;
+13.86.219.18; 40.71.13.10; 20.44.16.38; 13.89.174.16; 13.69.66.182; 13.69.229.118; 104.211.147.176; 40.78.195.176;
+13.67.9.240; 13.75.38.48; 13.70.73.48; 13.77.52.176;
+
+
 
 ## Step 3: Build a SCIM endpoint
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ You can configure the token lifetime on any user flow.`
`50`	`50`
`51`	`51`	`## Next steps`
`52`	`52`
`53`		`-Learn more about how to [use access tokens](access-tokens.md).`
	`53`	`+Learn more about how to [request access tokens](access-tokens.md).`
`54`	`54`
`55`	`55`
`56`	`56`