Commit 845042c

Merge pull request #225578 from MicrosoftDocs/main
1/30 AM Publish
2 parents c3b812f + d75edd6 commit 845042c

125 files changed

+838
-740
lines changed


articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -193,6 +193,12 @@ With inbound settings, you select which external users and groups will be able t
193193

194194
1. Select **Save**.
195195

196+
### Allow users to sync into this tenant
197+
198+
If you select **Inbound access** of the added organization, you'll see the **Cross-tenant sync (Preview)** tab and the **Allow users sync into this tenant** check box. Cross-tenant synchronization is a one-way synchronization service in Azure AD that automates creating, updating, and deleting B2B collaboration users across tenants in an organization. For more information, see [Configure cross-tenant synchronization](../../active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md) and the [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations).
199+
200+
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-sync-tab.png" alt-text="Screenshot that shows the Cross-tenant sync tab with the Allow users sync into this tenant check box." lightbox="media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-sync-tab.png":::
201+
196202
## Modify outbound access settings
197203

198204
With outbound settings, you select which of your users and groups will be able to access the external applications you choose. Whether you're configuring default settings or organization-specific settings, the steps for changing outbound cross-tenant access settings are the same. As described in this section, you'll navigate to either the **Default** tab or an organization on the **Organizational settings** tab, and then make your changes.
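Review bot: the heading, body text and alt-text in this hunk name the check box three different ways ("Allow users to sync into this tenant" in the heading, "Allow users sync into this tenant" in the paragraph and in the alt-text); use the exact portal label in all three. Since this setting sits under Inbound access and the paragraph says the service automates creating, updating and deleting B2B collaboration users, spell out for the reader that selecting it delegates user provisioning into this tenant to the selected partner organization, so the trust decision is explicit before the screenshot.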

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md

Lines changed: 3 additions & 0 deletions
@@ -187,6 +187,9 @@ With inbound settings, you select which external users and groups will be able t
187187

188188
1. Select **Save**.
189189

190+
> [!NOTE]
191+
> When configuring settings for an organization, you'll notice a **Cross-tenant sync (Preview)** tab. This tab doesn't apply to your B2B direct connect configuration. Instead, this feature is used by multi-tenant organizations to enable B2B collaboration across their tenants. For more information, see the [multi-tenant organization documentation](/azure/active-directory/multi-tenant-organizations).
192+
190193
## Modify outbound access settings
191194

192195
With outbound settings, you select which of your users and groups will be able to access the external applications you choose. The detailed steps for modifying outbound cross-tenant access settings are the same whether you're configuring default or organization-specific settings. As described in this section, navigate to the **Default** tab or an organization on the **Organizational settings** tab, and then make your changes.
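Review bot: the link text "multi-tenant organization documentation" is lowercase and singular here while the B2B collaboration article in this same commit uses "Multi-tenant organizations documentation"; align the two. The note itself is useful: it tells B2B direct connect readers that the new tab is not part of their configuration, which avoids accidental changes on the wrong feature.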

articles/active-directory/external-identities/external-identities-overview.md

Lines changed: 11 additions & 0 deletions
@@ -29,6 +29,8 @@ The following capabilities make up External Identities:
2929

3030
- **Azure AD B2C** - Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access management.
3131

32+
- **Azure AD multi-tenant organization** - Collaborate with multiple tenants in a single Azure AD organization via cross-tenant synchronization.
33+
3234
Depending on how you want to interact with external organizations and the types of resources you need to share, you can use a combination of these capabilities.
3335

3436
![External Identities overview diagram.](media/external-identities-overview/external-identities-b2b-overview.png)
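Review bot: this bullet omits the "(preview)" qualifier that every other mention of cross-tenant synchronization in this commit carries; add it so the capability list does not overstate availability. "Collaborate with multiple tenants in a single Azure AD organization via cross-tenant synchronization" could also be tightened to match the other bullets, which say what the capability does and then which feature provides it.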
@@ -87,6 +89,8 @@ The following table gives a detailed comparison of the scenarios you can enable
8789
| **Branding** | Host/inviting organization's brand is used. | For sign-in screens, the user’s home organization brand is used. In the shared channel, the resource organization's brand is used. | Fully customizable branding per application or organization. |
8890
| **More information** | [Blog post](https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/), [Documentation](what-is-b2b.md) | [Documentation](b2b-direct-connect-overview.md) | [Product page](https://azure.microsoft.com/services/active-directory-b2c/), [Documentation](../../active-directory-b2c/index.yml) |
8991

92+
Based on your organization’s requirements you might use cross-tenant synchronization (preview) in multi-tenant organizations. For more information about this new feature, see the [multi-tenant organization documentation](/azure/active-directory/multi-tenant-organizations) and the [feature comparison](../multi-tenant-organizations/overview.md#compare-multi-tenant-capabilities).
93+
9094
## Managing External Identities features
9195

9296
Azure AD B2B collaboration and B2B direct connect are features Azure AD, and they're managed in the Azure portal through the Azure Active Directory service. To control inbound and outbound collaboration, you can use a combination of *cross-tenant access settings* and *external collaboration settings*.
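Review bot: the added sentence needs a comma after "requirements", and "this new feature" will read stale once the preview ends; "this feature" is enough. While touching this region, the unchanged context line "are features Azure AD" is missing "of" ("are features of Azure AD").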
@@ -101,6 +105,8 @@ Cross-tenant access settings let you manage B2B collaboration and B2B direct con
101105

102106
For more information, see [Cross-tenant access in Azure AD External Identities](cross-tenant-access-overview.md).
103107

108+
Azure AD has a new feature for multi-tenant organizations called cross-tenant synchronization (preview), which allows for a seamless collaboration experience across Azure AD tenants. Cross-tenant synchronization settings are configured under the **Organization-specific access settings**. To learn more about multi-tenant organizations and cross-tenant synchronization see the [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations).
109+
104110
### Microsoft cloud settings for B2B collaboration (preview)
105111

106112
Microsoft Azure cloud services are available in separate national clouds, which are physically isolated instances of Azure. Increasingly, organizations are finding the need to collaborate with organizations and users across global cloud and national cloud boundaries. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following Microsoft Azure clouds:
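Review bot: a comma is missing before "see" in the last sentence, and "allows for a seamless collaboration experience" is marketing copy rather than a statement of what the feature does; say what the B2B collaboration article in this commit says, that sync is enabled per partner organization under Inbound access and provisions B2B collaboration users automatically. Also, the bold "**Organization-specific access settings**" does not match the tab name used elsewhere in these articles ("Organizational settings").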
@@ -162,8 +168,13 @@ Organizations can enforce Conditional Access policies for external B2B collabora
162168

163169
If you offer a Software as a Service (SaaS) application to many organizations, you can configure your application to accept sign-ins from any Azure Active Directory (Azure AD) tenant. This configuration is called making your application multi-tenant. Users in any Azure AD tenant will be able to sign in to your application after consenting to use their account with your application. See how to [enable multitenant sign-ins](../develop/howto-convert-app-to-be-multi-tenant.md).
164170

171+
### Multi-tenant organizations
172+
173+
A multi-tenant organization is an organization that has more than one instance of Azure AD. There are various reasons for [multi-tenancy](../../active-directory/multi-tenant-organizations/overview.md#what-is-a-multi-tenant-organization), like using multiple clouds or having multiple geographical boundaries. Multi-tenant organizations use a one-way synchronization service in Azure AD, called [cross-tenant synchronization](../../active-directory/multi-tenant-organizations/overview.md#cross-tenant-synchronization-preview). Cross-tenant synchronization enables seamless collaboration for a multi-tenant organization. It improves user experience and ensures that users can access resources, without receiving an invitation email and having to accept a consent prompt in each tenant. Cross-tenant synchronization is currently in preview.
174+
165175
## Next steps
166176

167177
- [What is Azure AD B2B collaboration?](what-is-b2b.md)
168178
- [What is Azure AD B2B direct connect?](b2b-direct-connect-overview.md)
169179
- [About Azure AD B2C](../../active-directory-b2c/overview.md)
180+
- [About Azure AD multi-tenant organizations](../../active-directory/multi-tenant-organizations/overview.md)
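Review bot: the sentence "ensures that users can access resources, without receiving an invitation email and having to accept a consent prompt in each tenant" describes removing the user-side consent step without saying who authorizes access instead; add that administrators of the tenants involved establish this trust through cross-tenant access settings, which this article covers earlier. Drop the comma after "resources", and the closing sentence "Cross-tenant synchronization is currently in preview" repeats the "(preview)" anchor in the link two sentences above it.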

articles/active-directory/external-identities/index.yml

Lines changed: 16 additions & 1 deletion
@@ -85,4 +85,19 @@ landingContent:
8585
- text: Add a self-service sign-up user flow
8686
url: self-service-sign-up-user-flow.md
8787
- text: Define custom attributes for user flows
88-
url: user-flow-add-custom-attributes.md
88+
url: user-flow-add-custom-attributes.md
89+
- title: Multi-tenant organizations
90+
linkLists:
91+
- linkListType: overview
92+
links:
93+
- text: What is a multi-tenant organization in Azure AD?
94+
url: ../../active-directory/multi-tenant-organizations/overview.md
95+
- linkListType: concept
96+
links:
97+
- text: Topologies for cross-tenant synchronization
98+
url: ../../active-directory/multi-tenant-organizations/cross-tenant-synchronization-topology.md
99+
- linkListType: how-to-guide
100+
links:
101+
- text: Configure cross-tenant synchronization
102+
url: ../../active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview.md
103+
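Review bot: the how-to-guide link titled "Configure cross-tenant synchronization" points at cross-tenant-synchronization-overview.md, while the B2B collaboration article in this same commit links the same title to cross-tenant-synchronization-configure.md; one of the two is wrong, most likely this one. The YAML indentation cannot be verified in this rendering, so please confirm the new "- title:" block nests at the same level as the preceding landingContent entries.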

articles/active-directory/external-identities/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -70,6 +70,8 @@
7070
href: authentication-conditional-access.md
7171
- name: Azure AD B2C (link to documentation)
7272
href: ../../active-directory-b2c/overview.md
73+
- name: Multi-tenant organizations documentation (link to documentation)
74+
href: ../../active-directory/multi-tenant-organizations/overview.md
7375
- name: How-to guides
7476
expanded: false
7577
items:
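Review bot: "Multi-tenant organizations documentation (link to documentation)" says "documentation" twice; the sibling entry reads "Azure AD B2C (link to documentation)", so "Multi-tenant organizations (link to documentation)" fits the existing pattern.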

articles/active-directory/governance/on-demand-workflow.md

Lines changed: 6 additions & 4 deletions
@@ -8,22 +8,23 @@ ms.service: active-directory
88
ms.subservice: compliance
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 01/26/2023
11+
ms.date: 01/30/2023
1212
ms.custom: template-how-to
1313
---
1414

1515

1616
# Run a workflow on-demand (Preview)
1717

18-
While most workflows by default are scheduled to run every 3 hours, workflows created using Lifecycle Workflows can also run on-demand so that they can be applied to specific users whenever you see fit. A workflow can be run on demand for any user and doesn't take into account whether or not a user meets the workflow's execution conditions. Workflows created in the Azure portal are disabled by default. Running a workflow on-demand allows you to run workflows that can't be run on schedule currently such as leaver workflows. It also allows you to test workflows before their scheduled run. You can test the workflow on a smaller group of users before enabling it for a broader audience.
18+
Scheduled workflows by default run every 3 hours, but can also run on-demand so that they can be applied to specific users whenever you see fit. A workflow can be run on demand for any user, and doesn't take into account whether or not a user meets the workflow's execution conditions. Running a workflow on-demand allows you to test workflows before their scheduled run. This testing, on a set of users up to 10 at a time, allows you to see how a workflow will run before it processes a larger set of users. Testing your workflow before their scheduled runs helps you proactively solve potential lifecycle issues more quickly.
1919

20-
>[!NOTE]
21-
>Be aware that you currently cannot run a workflow on-demand if it is set to disabled, which is the default state of newly created workflows using the Azure portal. You need to set the workflow to enabled to use the on-demand feature.
2220

2321
## Run a workflow on-demand in the Azure portal
2422

2523
Use the following steps to run a workflow on-demand.
2624

25+
>[!NOTE]
26+
>To be run on demand, the workflow must be enabled.
27+
2728
1. Sign in to the [Azure portal](https://portal.azure.com).
2829

2930
1. Select **Azure Active Directory** and then select **Identity Governance**.
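Review bot: the rewrite drops the one fact readers most need, that workflows created in the Azure portal are disabled by default, so the new note "To be run on demand, the workflow must be enabled" no longer tells them why a freshly created workflow refuses to run; keep the default-state sentence in the note. The old paragraph's point that on-demand is the only way to run workflows that cannot yet be scheduled (such as leaver workflows) was also removed; if that is still true, restore it. Grammar: "Testing your workflow before their scheduled runs" should be "its scheduled runs". The 10-user limit stated here matches the restrictions table added to understanding-lifecycle-workflows.md in this commit, which is good.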
@@ -50,6 +51,7 @@ Use the following steps to run a workflow on-demand.
5051

5152
:::image type="content" source="media/on-demand-workflow/on-demand-run.png" alt-text="Screenshot of a workflow being run on-demand.":::
5253

54+
5355
## Run a workflow on-demand using Microsoft Graph
5456

5557
To run a workflow on-demand using API via Microsoft Graph, see: [workflow: activate (run a workflow on-demand)](/graph/api/identitygovernance-workflow-activate).
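Review bot: this hunk only inserts an extra blank line before the "## Run a workflow on-demand using Microsoft Graph" heading, leaving two consecutive blank lines; drop it, since it is whitespace-only noise in the diff.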

articles/active-directory/governance/understanding-lifecycle-workflows.md

Lines changed: 23 additions & 6 deletions
@@ -23,14 +23,31 @@ The following document provides an overview of a workflow created using Lifecycl
2323

2424
[!INCLUDE [Azure AD Premium P2 license](../../../includes/lifecycle-workflows-license.md)]
2525

26-
## Permissions
26+
## Permissions and Roles
2727

28-
The following permissions are required for Lifecycle Workflows:
28+
For a full list of supported delegate and application permissions required to use Lifecycle Workflows, see: [Lifecycle workflows permissions](/graph/permissions-reference#lifecycle-workflows-permissions).
2929

30-
|Parameter |Display String |Description |Admin Consent Required |
31-
|---------|---------|---------|---------|
32-
|LifecycleWorkflows.Read.All | Read all lifecycle workflows and tasks.| Allows the app to list and read all workflows and tasks related to lifecycle workflows on behalf of the signed-in user.| Yes
33-
|LifecycleWorkflows.ReadWrite.All | Read and write all lifecycle workflows and tasks.| Allows the app to create, update, list, read and delete all workflows and tasks related to lifecycle workflows on behalf of the signed-in user.| Yes
30+
For delegated scenarios, the admin needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):
31+
32+
- Global administrator
33+
- Global reader
34+
- Lifecycle workflows administrator
35+
36+
## Restrictions
37+
38+
39+
|Column1 |Limit |
40+
|---------|---------|
41+
|Number of Workflows | 50 per tenant |
42+
|Number of Tasks | 25 per workflow |
43+
|Number of Custom Task Extensions | 100 per tenant |
44+
|offsetInDays range of triggerAndScopeBasedConditions executionConditions | 60 days |
45+
|Workflow schedule interval in hours | 1-24 hours |
46+
|Number of users per on-demand selection | 10 |
47+
|durationBeforeTimeout range of custom task extensions | 5 minutes-3 hours |
48+
49+
> [!NOTE]
50+
> If creating, or updating, a workflow via API the offsetInDays range will be between -60-60 days. The negative value will signal happening before the timeBasedAttribute, while the positive value will signal happening afterwards.
3451
3552
## Parts of a workflow
3653
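Review bot: the restrictions table ships with the placeholder header "Column1"; name the column ("Resource" or "Limit type"). In the note, "-60-60 days" is hard to parse; write "-60 to 60 days". For the roles list, say which operations each role can perform: Global reader is read-only, so it cannot create or run workflows, and from a least-privilege standpoint readers should be steered to Lifecycle workflows administrator rather than Global administrator for day-to-day management. Replacing the permissions table with the permissions-reference link is fine, but the heading "Permissions and Roles" should be sentence case like the article's other headings ("Permissions and roles").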

articles/active-directory/reports-monitoring/reports-faq.yml

Lines changed: 2 additions & 2 deletions
@@ -9,7 +9,7 @@ metadata:
99
ms.workload: identity
1010
ms.topic: faq
1111
ms.subservice: report-monitor
12-
ms.date: 10/04/2022
12+
ms.date: 01/30/2023
1313
ms.author: sarahlipsey
1414
ms.reviewer: besiler
1515
ms.collection: M365-identity-device-management
@@ -71,7 +71,7 @@ sections:
7171
- question: |
7272
How many records I can download from the Azure portal?
7373
answer: |
74-
You can download up to 250,000 records from the Azure portal. The records are sorted by *most recent* and by default. You can use [Azure AD Reporting APIs](concept-reporting-api.md) to fetch up to a million records at any given point.
74+
You can download up to 250,000 records from the Azure portal. To download data sets larger than 250,000 records, use the [reporting API](/graph/api/resources/azure-ad-auditlog-overview?view=graph-rest-1.0) to download the data.
7575
7676
- question: |
7777
How long does Azure AD store activity logs?
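Review bot: the new answer drops the API ceiling ("up to a million records") that the old one stated, so readers now know the portal limit but not what the API gives them; restore the figure if it is still accurate. The link carries a "?view=graph-rest-1.0" query string that the other Graph links in this commit do not; drop it unless the target needs it. The unchanged question text "How many records I can download" should read "How many records can I download".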
