Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: AbbyMSFT

articles/active-directory/app-provisioning/user-provisioning.md

@@ -7,7 +7,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: overview
 ms.workload: identity
-ms.date: 02/09/2023
+ms.date: 02/14/2023
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -20,7 +20,7 @@ In Azure Active Directory (Azure AD), the term *app provisioning* refers to auto
 
 Azure AD application provisioning refers to automatically creating user identities and roles in the applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into SaaS applications like [Dropbox](../../active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../../active-directory/saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../../active-directory/saas-apps/servicenow-provisioning-tutorial.md), and many more.
 
-Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://aka.ms/scimoverview), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](./on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](./on-premises-ldap-connector-configure.md) user store or a [SQL](./tutorial-ecma-sql-connector.md) database, Azure AD can support those as well. 
+Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. Your application must support [SCIM](https://aka.ms/scimoverview). Or, you must build a SCIM gateway to connect to your legacy application. If so, you can use the Azure AD Provisioning agent to [directly connect](./on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](./on-premises-ldap-connector-configure.md) user store or a [SQL](./tutorial-ecma-sql-connector.md) database, Azure AD can support these applications as well. 
 
 App provisioning lets you:
 

articles/active-directory/conditional-access/overview.md

@@ -6,15 +6,15 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: overview
-ms.date: 11/07/2022
+ms.date: 02/13/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: amycolannino
 ms.reviewer: calebb
 
 ms.collection: M365-identity-device-management
-ms.custom: contperf-fy20q4, azuread-video-2020
+ms.custom: zt-include
 ---
 # What is Conditional Access?
 
@@ -97,6 +97,8 @@ When licenses required for Conditional Access expire, policies aren't automatica
 
 [Security defaults](../fundamentals/concept-fundamentals-security-defaults.md) help protect against identity-related attacks and are available for all customers.  
 
+[!INCLUDE [active-directory-zero-trust](../../../includes/active-directory-zero-trust.md)]
+
 ## Next steps
 
 - [Building a Conditional Access policy piece by piece](concept-conditional-access-policies.md)

articles/active-directory/develop/scenario-desktop-acquire-token-wam.md

@@ -129,7 +129,7 @@ Applications cannot remove accounts from Windows!
 - Removes app-only (not OS-wide) accounts.
 
 >[!NOTE]
-> Ony users can remove OS accounts, whereas apps themselves cannot. If an OS account is passed into `RemoveAsync`, and then `GetAccounts` is called with `ListWindowsWorkAndSchoolAccounts` enabled, the same OS accounts will still be returned.
+> Only users can remove OS accounts, whereas apps themselves cannot. If an OS account is passed into `RemoveAsync`, and then `GetAccounts` is called with `ListWindowsWorkAndSchoolAccounts` enabled, the same OS accounts will still be returned.
 
 ## Other considerations
 

articles/active-directory/develop/scenario-web-app-call-api-call-api.md

@@ -150,7 +150,7 @@ public async Task<IActionResult> Profile()
 > [!NOTE]
 > You can use the same principle to call any web API.
 >
-> Most Azure web APIs provide an SDK that simplifies calling the API as is the case for Microsoft Graph. See, for instance, [Create a web application that authorizes access to Blob storage with Azure AD](../../storage/common/storage-auth-aad-app.md?tabs=dotnet&toc=%2fazure%2fstorage%2fblobs%2ftoc.json) for an example of a web app using Microsoft.Identity.Web and using the Azure Storage SDK.
+> Most Azure web APIs provide an SDK that simplifies calling the API as is the case for Microsoft Graph.
 
 # [Java](#tab/java)
 

articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md

@@ -106,7 +106,7 @@ https://login.microsoftonline.com/common/adminconsent?client_id=6731de76-14a6-49
 | `redirect_uri` |  Required   | The redirect URI where you want the response to be sent for your app to handle. It must exactly match one of the redirect URIs that you registered in the portal, except that it must be URL-encoded, and it can have additional path segments. |
 |    `state`     | Recommended | A value that's included in the request that's also returned in the token response. It can be a string of any content that you want. The state is used to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. |
 
-At this point, Azure AD enforces that only a tenant administrator can sign into complete the request. The administrator will be asked to approve all the direct application permissions that you have requested for your app in the app registration portal.
+At this point, Azure AD enforces that only a tenant administrator can sign in to complete the request. The administrator will be asked to approve all the direct application permissions that you have requested for your app in the app registration portal.
 
 ##### Successful response
 

articles/active-directory/external-identities/b2b-tutorial-require-mfa.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: tutorial
-ms.date: 01/07/2022
+ms.date: 02/03/2023
 
 ms.author: cmulligan
 author: csmulligan
@@ -50,7 +50,7 @@ If you don’t have an Azure subscription, create a [free account](https://azure
 
 To complete the scenario in this tutorial, you need:
 
-- **Access to Azure AD Premium edition**, which includes Conditional Access policy capabilities. To enforce MFA, you need to create an Azure AD Conditional Access policy. MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities.
+- **Access to [Azure AD Premium edition](/security/business/identity-access/azure-active-directory-pricing)**, which includes Conditional Access policy capabilities. To enforce MFA, you need to create an Azure AD Conditional Access policy. MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities.
 - **A valid external email account** that you can add to your tenant directory as a guest user and use to sign in. If you don't know how to create a guest account, see [Add a B2B guest user in the Azure portal](add-users-administrator.md).
 
 ## Create a test guest user in Azure AD

articles/active-directory/external-identities/current-limitations.md

@@ -6,14 +6,16 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 01/31/2022
+ms.date: 02/13/2023
 
 ms.author: mimart
 author: msmimart
 manager: celestedg
 ms.reviewer: elisolMS
 
-ms.collection: M365-identity-device-management
+ms.collection: content-health, M365-identity-device-management
+
+# Customer intent: As a tenant administrator, I want to know about the current limitations for Azure AD B2B collaboration. 
 ---
 
 # Limitations of Azure AD B2B collaboration
@@ -23,7 +25,7 @@ Azure Active Directory (Azure AD) B2B collaboration is currently subject to the
 With Azure AD B2B, you can enforce multi-factor authentication at the resource organization (the inviting organization). The reasons for this approach are detailed in [Conditional Access for B2B collaboration users](authentication-conditional-access.md). If a partner already has multi-factor authentication set up and enforced, their users might have to perform the authentication once in their home organization and then again in yours.
 
 ## Instant-on
-In the B2B collaboration flows, we add users to the directory and dynamically update them during invitation redemption, app assignment, and so on. The updates and writes ordinarily happen in one directory instance and must be replicated across all instances. Replication is completed once all instances are updated. Sometimes when the object is written or updated in one instance and the call to retrieve this object is to another instance, replication latencies can occur. If that happens, refresh or retry to help. If you are writing an app using our API, then retries with some back-off is a good, defensive practice to alleviate this issue.
+In the B2B collaboration flows, we add users to the directory and dynamically update them during invitation redemption, app assignment, and so on. The updates and writes ordinarily happen in one directory instance and must be replicated across all instances. Replication is completed once all instances are updated. Sometimes when the object is written or updated in one instance and the call to retrieve this object is to another instance, replication latencies can occur. If that happens, refresh or retry to help. If you're writing an app using our API, then retries with some back-off is a good, defensive practice to alleviate this issue.
 
 ## Azure AD directories
 Azure AD B2B is subject to Azure AD service directory limits. For details about the number of directories a user can create and the number of directories to which a user or guest user can belong, see [Azure AD service limits and restrictions](../enterprise-users/directory-service-limits-restrictions.md).

articles/active-directory/hybrid/TOC.yml

@@ -68,11 +68,11 @@
        href: how-to-connect-fed-compatibility.md
    - name: Single sign-on
      items:
-     - name: What is Single Sign-On?
+     - name: What is single sign-on?
        href: how-to-connect-sso.md
-     - name: How Single Sign-On works
+     - name: How single sign-on works
        href: how-to-connect-sso-how-it-works.md
-     - name: Single Sign-On and user privacy
+     - name: Single sign-on and user privacy
        href: how-to-connect-sso-user-privacy.md
    - name: Azure AD Connect Sync
      items:
@@ -105,19 +105,19 @@
     items:
     - name: Installation Roadmap
       href: how-to-connect-install-roadmap.md
-    - name: Installation Prerequisites
+    - name: Installation prerequisites
       href: how-to-connect-install-prerequisites.md
     - name: Choose the installation type
       href: how-to-connect-install-select-installation.md
-    - name: Install Azure AD Connect with Express settings (Password Hash Synch)
+    - name: Install Azure AD Connect with Express settings (password hash sync)
       href:  how-to-connect-install-express.md
-    - name: Install Azure AD Connect Federation or other Custom settings
+    - name: Install Azure AD Connect federation or other Custom settings
       href:  how-to-connect-install-custom.md
     - name: Import and export configuration settings
       href:  how-to-connect-import-export-config.md
-    - name: Install Azure AD Connect with Pass-through Authentication (PTA)
+    - name: Install Azure AD Connect with pass-through authentication
       href:  how-to-connect-pta-quick-start.md 
-    - name: Install Azure AD Connect Health
+    - name: Install Azure AD Connect Health agents
       href:  how-to-connect-health-agent-install.md
     - name: Automatic upgrade
       href: how-to-connect-install-automatic-upgrade.md
@@ -151,7 +151,7 @@
       href: plan-connect-topologies.md
     - name: Factors influencing the performance of Azure AD Connect
       href: plan-connect-performance-factors.md
-    - name: How will users sign-in
+    - name: How will users sign in
       href: plan-connect-user-signin.md
     - name: Azure AD UserPrincipalName population
       href: plan-connect-userprincipalname.md
@@ -259,10 +259,10 @@
   - name: Manage single sign-on 
     items:
 
-    - name: Get started with Single Sign-On
+    - name: Get started with Seamless single sign-on
       href: how-to-connect-sso-quick-start.md
 
-    - name: Single Sign-On FAQ
+    - name: Single sign-on FAQ
       href: how-to-connect-sso-faq.yml
   - name: Manage Azure AD Connect Health
     items:

articles/active-directory/hybrid/concept-azure-ad-connect-sync-declarative-provisioning.md

@@ -98,7 +98,7 @@ In the attribute flows there is a setting to determine if multi-valued attribute
 
 ![Screenshot that shows the "Add transformations" section with the "Merge Types" drop-down menu open.](./media/concept-azure-ad-connect-sync-declarative-provisioning/mergetype.png)  
 
-There is also **Merge** and **MergeCaseInsensitive**. These options allow you to merge values from different sources. For example, it can be used to merge the member or proxyAddresses attribute from several different forests. When you use this option, all sync rules in scope for an object must use the same merge type. You cannot define **Update** from one Connector and **Merge** from another. If you try, you receive an error.
+There is also **Merge** and **MergeCaseInsensitive**. These options allow you to merge values from different sources. For example, it can be used to merge the proxyAddresses attribute from several different forests. When you use this option, all sync rules in scope for an object must use the same merge type. You cannot define **Update** from one Connector and **Merge** from another. If you try, you receive an error.
 
 The difference between **Merge** and **MergeCaseInsensitive** is how to process duplicate attribute values. The sync engine makes sure duplicate values are not inserted into the target attribute. With **MergeCaseInsensitive**, duplicate values with only a difference in case are not going to be present. For example, you should not see both "SMTP:bob@contoso.com" and "smtp:bob@contoso.com" in the target attribute. **Merge** is only looking at the exact values and multiple values where there only is a difference in case might be present.
 
@@ -122,14 +122,20 @@ In *Out to AD - User Exchange hybrid* the following flow can be found:
 This expression should be read as: if the user mailbox is located in Azure AD, then flow the attribute from Azure AD to AD. If not, do not flow anything back to Active Directory. In this case, it would keep the existing value in AD.
 
 ### ImportedValue
-The function ImportedValue is different than all other functions since the attribute name must be enclosed in quotes rather than square brackets:  
+
+The function ImportedValue is different than all other functions since the attribute name must be enclosed in quotes rather than square brackets:
+
 `ImportedValue("proxyAddresses")`.
 
-Usually during synchronization an attribute uses the expected value, even if it hasn’t been exported yet or an error was received during export (“top of the tower”). An inbound synchronization assumes that an attribute that hasn’t yet reached a connected directory eventually reaches it. In some cases, it is important to only synchronize a value that has been confirmed by the connected directory (“hologram and delta import tower”).
+Inbound synchronization has a concept of assuming that an attribute that hasn’t yet reached a connected directory will eventually reach it at some point so, normally, synchronization gets an attribute value from the respective connector space, even if it hasn’t been yet exported or an error occurred during export. 
+In some cases, however, it is important to only synchronize a value that has been exported and confirmed during import from the connected directory. This function can be found in multiple “In From AD/AAD” out-of-box transformation rules where the attribute should only be synchronized when it has been confirmed that the value was exported successfully.
+
+An example of this function can be found in the out-of-box Synchronization Rule *In from AD – User Common from Exchange*, for ProxyAddresses attribute flow with Hybrid Exchange. E.g., when a user’s ProxyAddresses is added, the ImportedValue function will only return the new value after it has been confirmed from the following import step:
 
-An example of this function can be found in the out-of-box Synchronization Rule *In from AD – User Common from Exchange*. In Hybrid Exchange, the value added by Exchange online should only be synchronized when it has been confirmed that the value was exported successfully:  
 `proxyAddresses` <- `RemoveDuplicates(Trim(ImportedValue("proxyAddresses")))`
 
+This function is required when the target directory might change or discard an exported attribute value silently, and we want the synchronization to only process confirmed attribute values. 
+
 ## Precedence
 When several sync rules try to contribute the same attribute value to the target, the precedence value is used to determine the winner. The rule with highest precedence, lowest numeric value, is going to contribute the attribute in a conflict.
 
@@ -140,11 +146,9 @@ This ordering can be used to define more precise attribute flows for a small sub
 Precedence can be defined between Connectors. That allows Connectors with better data to contribute values first.
 
 ### Multiple objects from the same connector space
-If you have several objects in the same connector space joined to the same metaverse object, precedence must be adjusted. If several objects are in scope of the same sync rule, then the sync engine is not able to determine precedence. It is ambiguous which source object should contribute the value to the metaverse. This configuration is reported as ambiguous even if the attributes in the source have the same value.  
-![Diagram that shows multiple objects joined to the same mv object with a transparent red X overlay. ](./media/concept-azure-ad-connect-sync-declarative-provisioning/multiple1.png)  
+It is not possible to have several objects in the same connector space joined to the same metaverse object. This configuration is reported as ambiguous even if the attributes in the source have the same value.
 
-For this scenario, you need to change the scope of the sync rules so the source objects have different sync rules in scope. That allows you to define different precedence.  
-![Multiple objects joined to the same mv object](./media/concept-azure-ad-connect-sync-declarative-provisioning/multiple2.png)  
+![Diagram that shows multiple objects joined to the same mv object with a transparent red X overlay. ](./media/concept-azure-ad-connect-sync-declarative-provisioning/multiple1.png) 
 
 ## Next steps
 * Read more about the expression language in [Understanding Declarative Provisioning Expressions](concept-azure-ad-connect-sync-declarative-provisioning-expressions.md).

articles/active-directory/hybrid/how-to-connect-group-writeback-v2.md

@@ -136,11 +136,6 @@ These limitations and known issues are specific to group writeback:
 - Nested cloud groups that are members of writeback enabled groups must also be enabled for writeback to remain nested in AD. 
 - Group Writeback setting to manage new security group writeback at scale is not yet available. You will need to configure writeback for each group.  
 
-  If you have a nested group like this, you'll see an export error in Azure AD Connect with the message "A universal group cannot have a local group as a member." The resolution is to remove the member with the **Domain local** scope from the Azure AD group, or update the nested group member scope in Active Directory to **Global** or **Universal**. 
-- Group writeback supports writing back groups to only a single organizational unit (OU). After the feature is enabled, you can't change the OU that you selected. A workaround is to disable group writeback entirely in Azure AD Connect and then select a different OU when you re-enable the feature.  
-- Nested cloud groups that are members of writeback-enabled groups must also be enabled for writeback to remain nested in Active Directory. 
-- A group writeback setting to manage new security group writeback at scale is not yet available. You need to configure writeback for each group.   
-
 ## Next steps 
 
 - [Modify Azure AD Connect group writeback default behavior](how-to-connect-modify-group-writeback.md)