Merge pull request #218385 from MicrosoftDocs/main

Publish to live, Tuesday 4 AM PST, 11/15

Author: ttorble

articles/active-directory/cloud-infrastructure-entitlement-management/overview.md

@@ -55,7 +55,7 @@ Customers can right-size permissions based on usage, grant new permissions on-de
 
 ### Monitor
 
-Customers can detect anomalous activities with machine language-powered (ML-powered) alerts and generate detailed forensic reports.
+Customers can detect anomalous activities with machine learning-powered (ML-powered) alerts and generate detailed forensic reports.
 
 - ML-powered anomaly detections.
 - Context-rich forensic reports around identities, actions, and resources to support rapid investigation and remediation.

articles/active-directory/cloud-infrastructure-entitlement-management/product-permission-analytics.md

@@ -61,8 +61,6 @@ This article describes how you can create and view permission analytics triggers
 
     - The **Status** column displays if the authorization system is online or offline
     - The **Controller** column displays if the controller is enabled or disabled.
-
-1. On the **Configuration** tab, to update the **Time Interval**, select **90 Days**, **60 Days**, or **30 Days** from the **Time range** dropdown.
 1. Select **Save**.
 
 ## View permission analytics alert triggers

articles/active-directory/cloud-infrastructure-entitlement-management/product-statistical-anomalies.md

@@ -70,7 +70,7 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac
      - The **Controller** column displays if the controller is enabled or disabled.
 
 
-1. On the **Configuration** tab, to update the **Time Interval**, from the **Time Range** dropdown, select **90 Days**, **60 Days**, or **30 Days**, and then select **Save**.
+1. Select **Save**.
 
 ## View statistical anomaly triggers
 

articles/active-directory/hybrid/whatis-phs.md

@@ -13,7 +13,7 @@ ms.collection: M365-identity-device-management
 ---
 
 # What is password hash synchronization with Azure AD?
-Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.
+Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.
 
 Password hash synchronization is an extension to the directory synchronization feature implemented by Azure AD Connect sync. You can use this feature to sign in to Azure AD services like Microsoft 365. You sign in to the service by using the same password you use to sign in to your on-premises Active Directory instance.
 

articles/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md

@@ -12,7 +12,7 @@ ms.subservice: msi
 ms.devlang:
 ms.topic: conceptual
 ms.custom: mvc
-ms.date: 10/30/2022
+ms.date: 11/15/2022
 ms.author: barclayn
 ms.collection: M365-identity-device-management
 ---
@@ -33,7 +33,7 @@ Your code can use a managed identity to request access tokens for services that
 
 The following diagram shows how managed service identities work with Azure virtual machines (VMs):
 
-[![Managed service identities and Azure VMs](media/how-managed-identities-work-vm/data-flow.png)](media/how-managed-identities-work-vm/data-flow.png#lightbox)
+[![Diagram that shows how managed service identities are associated with Azure virtual machines, get an access token, and invoked a protected Azure AD resource.](media/how-managed-identities-work-vm/data-flow.png)](media/how-managed-identities-work-vm/data-flow.png#lightbox)
 
 The following table shows the differences between the system-assigned and user-assigned managed identities:
 
@@ -52,12 +52,18 @@ The following table shows the differences between the system-assigned and user-a
 
 3. Azure Resource Manager updates the VM identity using the Azure Instance Metadata Service identity endpoint (for [Windows](/azure/virtual-machines/windows/instance-metadata-service) and [Linux](/azure/virtual-machines/linux/instance-metadata-service)), providing the endpoint with the service principal client ID and certificate.
 
-4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use Azure role-based access control (Azure RBAC) to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
+4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use Azure Role-Based Access Control (Azure RBAC) to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
 
 5. Your code that's running on the VM can request a token from the Azure Instance Metadata service endpoint, accessible only from within the VM: `http://169.254.169.254/metadata/identity/oauth2/token`
     - The resource parameter specifies the service to which the token is sent. To authenticate to Azure Resource Manager, use `resource=https://management.azure.com/`.
     - API version parameter specifies the IMDS version, use api-version=2018-02-01 or greater.
 
+    The following example demonstrates how to to use CURL to make a request to the local Managed Identity endpoint to get an access token for Azure Instance Metadata service.
+
+    ```bash
+    curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F' -H Metadata:true
+    ```
+
 6. A call is made to Azure AD to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Azure AD returns a JSON Web Token (JWT) access token.
 
 7. Your code sends the access token on a call to a service that supports Azure AD authentication.
@@ -77,9 +83,18 @@ The following table shows the differences between the system-assigned and user-a
 
 5. Your code that's running on the VM can request a token from the Azure Instance Metadata Service identity endpoint, accessible only from within the VM: `http://169.254.169.254/metadata/identity/oauth2/token`
     - The resource parameter specifies the service to which the token is sent. To authenticate to Azure Resource Manager, use `resource=https://management.azure.com/`.
-    - The client ID parameter specifies the identity for which the token is requested. This value is required for disambiguation when more than one user-assigned identity is on a single VM.
+    - The `client_id` parameter specifies the identity for which the token is requested. This value is required for disambiguation when more than one user-assigned identity is on a single VM. You can find the **Client ID** in the Managed Identity **Overview**:
+
+        [![Screenshot that shows how to copy the managed identity client ID.](./media/how-managed-identities-work-vm/managed-identity-client-id.png)](./media/how-managed-identities-work-vm/managed-identity-client-id.png#lightbox)
+
     - The API version parameter specifies the Azure Instance Metadata Service version. Use `api-version=2018-02-01` or higher.
 
+        The following example demonstrates how to to use CURL to make a request to the local Managed Identity endpoint to get an access token for Azure Instance Metadata service.
+    
+        ```bash
+        curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F&client_id=12345678-0000-0000-0000-000000000000' -H Metadata:true
+        ```
+
 6. A call is made to Azure AD to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Azure AD returns a JSON Web Token (JWT) access token.
 7. Your code sends the access token on a call to a service that supports Azure AD authentication.
 

articles/active-directory/managed-identities-azure-resources/media/how-managed-identities-work-vm/managed-identity-client-id.png

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.topic: how-to
 ms.subservice: roles
 ms.workload: identity
-ms.date: 07/15/2022
+ms.date: 11/15/2022
 ms.author: rolyon
 ms.reviewer: anandy
 ms.custom: oldportal;it-pro;
@@ -46,6 +46,7 @@ The following Azure AD roles can be assigned with administrative unit scope. Add
 | [Helpdesk Administrator](permissions-reference.md#helpdesk-administrator) | Can reset passwords for non-administrators in the assigned administrative unit only. |
 | [License Administrator](permissions-reference.md#license-administrator) | Can assign, remove, and update license assignments within the administrative unit only. |
 | [Password Administrator](permissions-reference.md#password-administrator) | Can reset passwords for non-administrators within the assigned administrative unit only. |
+| [Printer Administrator](permissions-reference.md#printer-administrator) | Can manage printers and printer connectors. For more information, see [Delegate administration of printers in Universal Print](/universal-print/portal/delegated-admin#scoped-admin-vs-tenant-printer-admin). |
 | [SharePoint Administrator](permissions-reference.md#sharepoint-administrator) | Can manage Microsoft 365 groups in the assigned administrative unit only. For SharePoint sites associated with Microsoft 365 groups in an administrative unit, can also update site properties (site name, URL, and external sharing policy) using the Microsoft 365 admin center. Cannot use the SharePoint admin center or SharePoint APIs to manage sites. |
 | [Teams Administrator](permissions-reference.md#teams-administrator) | Can manage Microsoft 365 groups in the assigned administrative unit only.  Can manage team members in the Microsoft 365 admin center for teams associated with groups in the assigned administrative unit only.  Cannot use the Teams admin center. |
 | [Teams Devices Administrator](permissions-reference.md#teams-devices-administrator) | Can perform management related tasks on Teams certified devices. |