MicrosoftDocs
diff --git a/‎articles/active-directory/conditional-access/how-to-app-protection-policy-windows.md
Lines changed: 33 additions & 8 deletions b/‎articles/active-directory/conditional-access/how-to-app-protection-policy-windows.md
Lines changed: 33 additions & 8 deletions
diff --git a/‎articles/active-directory/conditional-access/howto-policy-approved-app-or-app-protection.md
Lines changed: 3 additions & 0 deletions b/‎articles/active-directory/conditional-access/howto-policy-approved-app-or-app-protection.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎articles/active-directory/develop/tutorial-single-page-app-react-sign-in-users.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/develop/tutorial-single-page-app-react-sign-in-users.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/hybrid/connect/how-to-connect-syncservice-features.md
Lines changed: 13 additions & 13 deletions b/‎articles/active-directory/hybrid/connect/how-to-connect-syncservice-features.md
Lines changed: 13 additions & 13 deletions
diff --git a/‎articles/active-directory/saas-apps/hypervault-provisioning-tutorial.md
Lines changed: 7 additions & 4 deletions b/‎articles/active-directory/saas-apps/hypervault-provisioning-tutorial.md
Lines changed: 7 additions & 4 deletions
diff --git a/‎articles/active-directory/workload-identities/workload-identities-faqs.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/workload-identities/workload-identities-faqs.md
Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 09/05/2023
+ms.date: 10/04/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -17,13 +17,15 @@ ms.collection: M365-identity-device-management
 ---
 # Require an app protection policy on Windows devices (preview)
 
-App protection policies apply mobile application management (MAM) to specific applications on a device. These policies allow for securing data within an application in support of scenarios like bring your own device (BYOD). In the preview, we support applying policy to the Microsoft Edge browser on Windows 11 devices.
+App protection policies apply [mobile application management (MAM)](/mem/intune/apps/app-management#mobile-application-management-mam-basics) to specific applications on a device. These policies allow for securing data within an application in support of scenarios like bring your own device (BYOD). In the preview, we support applying policy to the Microsoft Edge browser on Windows 11 devices.
 
 ![Screenshot of a browser requiring the user to sign in to their Microsoft Edge profile to access an application.](./media/how-to-app-protection-policy-windows/browser-sign-in-with-edge-profile.png)
 
 ## Prerequisites
 
-Customers interested in the public preview need to opt in using the [MAM for Windows Public Preview Sign Up Form](https://aka.ms/MAMforWindowsPublic).
+- [Windows 11 Version 22H2 (OS build 22621)](/windows/release-health/windows11-release-information#windows-11-current-versions) or newer.
+- [Configured app protection policy targeting Windows devices](/mem/intune/apps/app-protection-policy-settings-windows).
+- Currently unsupported in sovereign clouds.
 
 ## User exclusions
 [!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)]
@@ -34,7 +36,13 @@ The following policy is put in to [Report-only mode](howto-conditional-access-in
 
 ### Require app protection policy for Windows devices
 
-The following steps help create a Conditional Access policy requiring an app protection policy when using a Windows device. The app protection policy must also be configured and assigned to your users in Microsoft Intune. For more information about how to create the app protection policy, see the article [Preview: App protection policy settings for Windows](/mem/intune/apps/app-protection-policy-settings-windows). The following policy includes multiple controls allowing devices to either use app protection policies for mobile application management (MAM) or be managed and compliant with mobile device management (MDM) policies.
+The following steps help create a Conditional Access policy requiring an app protection policy when using a Windows device. The app protection policy must also be configured and assigned to your users in Microsoft Intune. For more information about how to create the app protection policy, see the article [App protection policy settings for Windows](/mem/intune/apps/app-protection-policy-settings-windows). The following policy includes multiple controls allowing devices to either use app protection policies for mobile application management (MAM) or be managed and compliant with mobile device management (MDM) policies.
+
+> [!TIP]
+> App protection policies (MAM) support unmanaged devices:
+> 
+> - If a device is already managed through mobile device management (MDM), then Intune MAM enrollment is blocked, and app protection policy settings aren't applied. 
+> - If a device becomes managed after MAM enrollment, app protection policy settings are no longer applied.
 
 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).
 1. Browse to **Protection** > **Conditional Access**.
@@ -44,12 +52,14 @@ The following steps help create a Conditional Access policy requiring an app pro
    1. Under **Include**, select **All users**.
    1. Under **Exclude**, select **Users and groups** and choose at least your organization's emergency access or break-glass accounts.
 1. Under **Target resources** > **Cloud apps** > **Include**, select **Office 365**.
+   > [!WARNING]
+   > Selecting **All apps** prevents users from signing in.
 1. Under **Conditions**:
-   1. **Device platforms**, set **Configure** to **Yes**.
+   1. **Device platforms** set **Configure** to **Yes**.
       1. Under **Include**, **Select device platforms**.
       1. Choose **Windows** only.
       1. Select **Done**.
-   1. **Client apps**, set **Configure** to **Yes**. 
+   1. **Client apps** set **Configure** to **Yes**. 
       1. Select **Browser** only.
 1. Under **Access controls** > **Grant**, select **Grant access**.
    1. Select **Require app protection policy** and **Require device to be marked as compliant**.
@@ -62,6 +72,17 @@ After administrators confirm the settings using [report-only mode](howto-conditi
 > [!TIP]
 > Organizations should also deploy a policy that [blocks access from unsupported or unknown device platforms](howto-policy-unknown-unsupported-device.md) along with this policy.
 
+In organizations with existing Conditional Access policies that target: 
+
+- The **All cloud apps** resource.
+- The **Mobile apps and desktop clients** condition.
+- Use **Require app protection policy** or a **Block access** grant control.
+
+End users are unable to enroll their Windows device in MAM without the following policy changes.
+
+1. Register the **Microsoft Edge Auth** service principal in your tenant using the command `New-MgServicePrincipal -AppId f2d19332-a09d-48c8-a53b-c49ae5502dfc`.
+1. Add an exclusion for **Microsoft Edge Auth** to your existing policy targeting **All cloud apps**.
+
 ## Sign in to Windows devices
 
 When users attempt to sign in to a site that is protected by an app protection policy for the first time, they're prompted: To access your service, app or website, you may need to sign in to Microsoft Edge using `[email protected]` or register your device with `organization` if you're already signed in.
@@ -79,7 +100,7 @@ This process opens a window offering to allow Windows to remember your account a
 
 ![Screenshot showing the stay signed in to all your apps window. Uncheck the allow my organization to manage my device checkbox.](./media/how-to-app-protection-policy-windows/stay-signed-in-to-all-your-apps.png)
 
-After selecting **OK**, you may see a progress window while policy is applied. After a few moments, you should see a window saying "you're all set", app protection policies are applied.
+After selecting **OK**, you may see a progress window while policy is applied. After a few moments, you should see a window saying **You're all set**, app protection policies are applied.
 
 ## Troubleshooting
 
@@ -96,9 +117,13 @@ To resolve these possible scenarios:
 - Wait a few minutes and try again in a new tab.
 - Contact your administrator to check that Microsoft Intune MAM policies are applying to your account correctly.
 
+#### All apps selected
+
+If your policy for Windows devices targets **All apps** your users aren't able to sign in. Your policy should only target **Office 365**.
+
 ### Existing account
 
-If there's a pre-existing, unregistered account, like `[email protected]` in Microsoft Edge, or if a user signs in without registering using the Heads Up Page, then the account isn't properly enrolled in MAM. This configuration blocks the user from being properly enrolled in MAM. This is a known issue. 
+There's a known issue where there's a pre-existing, unregistered account, like `[email protected]` in Microsoft Edge, or if a user signs in without registering using the Heads Up Page, then the account isn't properly enrolled in MAM. This configuration blocks the user from being properly enrolled in MAM.
 
 ## Next steps
 
 
@@ -63,6 +63,9 @@ Organizations can choose to deploy this policy using the steps outlined below or
 
 After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.
 
+> [!TIP]
+> Organizations should also deploy a policy that [blocks access from unsupported or unknown device platforms](howto-policy-unknown-unsupported-device.md) along with this policy.
+
 ### Block Exchange ActiveSync on all devices
 
 This policy will block all Exchange ActiveSync clients using basic authentication from connecting to Exchange Online.
 
@@ -7,7 +7,7 @@ author: OwenRichards1
 ms.service: active-directory
 ms.subservice: develop
 ms.author: owenrichards
-ms.custom: devx-track-extended-java, devx-track-js
+ms.custom: devx-track-js
 ms.topic: tutorial
 ms.date: 09/26/2023
 #Customer intent: As a React developer, I want to know how to use functional components to add sign in and sign out experiences in my React application.
 
@@ -27,16 +27,16 @@ The synchronization feature of Microsoft Entra Connect has two components:
 
 This topic explains how the following features of the **Microsoft Entra Connect Sync service** work and how you can configure them using PowerShell.
 
-These settings are configured by the [Azure AD PowerShell module](/previous-versions/azure/jj151815(v=azure.100)). Download and install it separately from Microsoft Entra Connect. The cmdlets documented in this topic were introduced in the [2016 March release (build 9031.1)](https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx#Version_9031_1). If you do not have the cmdlets documented in this topic or they do not produce the same result, then make sure you run the latest version.
+These settings are configured by the [Azure AD PowerShell module](/previous-versions/azure/jj151815(v=azure.100)). Download and install it separately from Microsoft Entra Connect. The cmdlets documented in this topic were introduced in the [2016 March release (build 9031.1)](https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx#Version_9031_1). If you don't have the cmdlets documented in this topic or they don't produce the same result, then make sure you run the latest version.
 
 To see the configuration in your Microsoft Entra directory, run `Get-MsolDirSyncFeatures`.
 ![Get-MsolDirSyncFeatures result](./media/how-to-connect-syncservice-features/getmsoldirsyncfeatures.png)
 
-To see the configuration in your Microsoft Entra directory using the Graph Powershell, use the following commands:
+To see the configuration in your Microsoft Entra directory using the Graph PowerShell, use the following commands:
 ```powershell
 Connect-MgGraph -Scopes OnPremDirectorySynchronization.Read.All, OnPremDirectorySynchronization.ReadWrite.All
 
-Get-MgDirectoryOnPremisSynchronization | Select-Object -ExpandProperty Features | Format-List
+Get-MgDirectoryOnPremiseSynchronization | Select-Object -ExpandProperty Features | Format-List
 ```
 
 The output looks similar to `Get-MsolDirSyncFeatures`:
@@ -72,20 +72,20 @@ The following settings can be configured by `Set-MsolDirSyncFeature`:
 | [EnableSoftMatchOnUpn](#userprincipalname-soft-match) |Allows objects to join on userPrincipalName in addition to primary SMTP address. |
 | [SynchronizeUpnForManagedUsers](#synchronize-userprincipalname-updates) |Allows the sync engine to update the userPrincipalName attribute for managed/licensed (non-federated) users. |
 
-After you have enabled a feature, it cannot be disabled again.
+After you have enabled a feature, it can't be disabled again.
 
 > [!NOTE]
 > From August 24, 2016 the feature *Duplicate attribute resiliency* is enabled by default for new Microsoft Entra directories. This feature will also be rolled out and enabled on directories created before this date. You will receive an email notification when your directory is about to get this feature enabled.
 > 
 > 
 
-The following settings are configured by Microsoft Entra Connect and cannot be modified by `Set-MsolDirSyncFeature`:
+The following settings are configured by Microsoft Entra Connect and can't be modified by `Set-MsolDirSyncFeature`:
 
 | DirSyncFeature | Comment |
 | --- | --- |
 | DeviceWriteback |[Microsoft Entra Connect: Enabling device writeback](how-to-connect-device-writeback.md) |
 | DirectoryExtensions |[Microsoft Entra Connect Sync: Directory extensions](how-to-connect-sync-feature-directory-extensions.md) |
-| [DuplicateProxyAddressResiliency<br/>DuplicateUPNResiliency](#duplicate-attribute-resiliency) |Allows an attribute to be quarantined when it is a duplicate of another object rather than failing the entire object during export. |
+| [DuplicateProxyAddressResiliency<br/>DuplicateUPNResiliency](#duplicate-attribute-resiliency) |Allows an attribute to be quarantined when its a duplicate of another object rather than failing the entire object during export. |
 | Password Hash Sync |[Implementing password hash synchronization with Microsoft Entra Connect Sync](how-to-connect-password-hash-synchronization.md) |
 |Pass-through Authentication|[User sign-in with Microsoft Entra pass-through authentication](how-to-connect-pta.md)|
 | UnifiedGroupWriteback |Group writeback|
@@ -99,27 +99,27 @@ Instead of failing to provision objects with duplicate UPNs / proxyAddresses, th
 
 When this feature is enabled, soft-match is enabled for UPN in addition to the [primary SMTP address](https://support.microsoft.com/kb/2641663), which is always enabled. Soft-match is used to match existing cloud users in Microsoft Entra ID with on-premises users.
 
-If you need to match on-premises AD accounts with existing accounts created in the cloud and you are not using Exchange Online, then this feature is useful. In this scenario, you generally don’t have a reason to set the SMTP attribute in the cloud.
+If you need to match on-premises AD accounts with existing accounts created in the cloud and you aren't using Exchange Online, then this feature is useful. In this scenario, you generally don’t have a reason to set the SMTP attribute in the cloud.
 
 This feature is on by default for newly created Microsoft Entra directories. You can see if this feature is enabled for you by running:  
 
 ```powershell
 ## Using the MSOnline module
 Get-MsolDirSyncFeatures -Feature EnableSoftMatchOnUpn
 
-## Using the Graph Powershell module
+## Using the Graph PowerShell module
 $Config = Get-MgDirectoryOnPremisSynchronization
 $Config.Features.SoftMatchOnUpnEnabled
 ```
 
-If this feature is not enabled for your Microsoft Entra directory, then you can enable it by running:  
+If this feature isn't enabled for your Microsoft Entra directory, then you can enable it by running:  
 
 ```powershell
 Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $true
 ```
 
 ## BlockSoftMatch
-When this feature is enabled it will block the Soft Match feature. Customers are encouraged to enable this feature and keep it at enabled until Soft Matching is required again for their tenancy. This flag should be enabled again after any soft matching has completed and is no longer needed.
+When this feature is enabled, it blocks the Soft Match feature. Customers are encouraged to enable this feature and keep it at enabled until Soft Matching is required again for their tenancy. This flag should be enabled again after any soft matching has completed and is no longer needed.
 
 Example - to block soft matching in your tenant, run this cmdlet:
 
@@ -132,7 +132,7 @@ PS C:\> Set-MsolDirSyncFeature -Feature BlockSoftMatch -Enable $True
 Historically, updates to the UserPrincipalName attribute using the sync service from on-premises has been blocked, unless both of these conditions were true:
 
 * The user is managed (non-federated).
-* The user has not been assigned a license.
+* The user hasn't been assigned a license.
 
 > [!NOTE]
 > From March 2019, synchronizing UPN changes for federated user accounts is allowed.
@@ -146,12 +146,12 @@ This feature is on by default for newly created Microsoft Entra directories. You
 ## Using the MSOnline module
 Get-MsolDirSyncFeatures -Feature SynchronizeUpnForManagedUsers
 
-## Using the Graph Powershell module
+## Using the Graph PowerShell module
 $config = Get-MgDirectoryOnPremisSynchronization
 $config.Features.SynchronizeUpnForManagedUsersEnabled
 ```
 
-If this feature is not enabled for your Microsoft Entra directory, then you can enable it by running:  
+If this feature isn't enabled for your Microsoft Entra directory, then you can enable it by running:  
 
 ```powershell
 Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $true
 
@@ -42,7 +42,11 @@ The scenario outlined in this tutorial assumes that you already have the followi
 <a name='step-2-configure-hypervault-to-support-provisioning-with-azure-ad'></a>
 
 ## Step 2: Configure Hypervault to support provisioning with Microsoft Entra ID
-Contact Hypervault support to configure Hypervault to support provisioning with Microsoft Entra ID.
+
+1. Sign in into your Hypervault account as a manager.
+1. Navigate to the **Workspace Settings** page.
+1. Under the **Connect to Microsoft Azure** section, click **Enable User Provisioning**.
+1. Copy the Domain and Token values. You will need these values in step 5.
 
 <a name='step-3-add-hypervault-from-the-azure-ad-application-gallery'></a>
 
@@ -58,10 +62,9 @@ The Microsoft Entra provisioning service allows you to scope who is provisioned
 
 * If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.
 
-
 ## Step 5: Configure automatic user provisioning to Hypervault 
 
-This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users in TestApp based on user assignments in Microsoft Entra ID.
+This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users in Hypervault based on user assignments in Microsoft Entra ID.
 
 <a name='to-configure-automatic-user-provisioning-for-hypervault-in-azure-ad'></a>
 
@@ -84,7 +87,7 @@ This section guides you through the steps to configure the Microsoft Entra provi
 
 	![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png)
 
-1. Under the **Admin Credentials** section, input your Hypervault Tenant URL and Secret Token. Click **Test Connection** to ensure Microsoft Entra ID can connect to Hypervault. If the connection fails, ensure your Hypervault account has Admin permissions and try again.
+1. Under the **Admin Credentials** section, input your Hypervault Tenant URL and Secret Token (generated in step 2). Click **Test Connection** to ensure Microsoft Entra ID can connect to Hypervault. If the connection fails, ensure your Hypervault account has Admin permissions and try again.
 
  	![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png)
 
 
@@ -82,7 +82,7 @@ suspicious changes to accounts.
 Enables delegation of reviews to the right people, focused on the most
 important privileged roles.
 
-- [App health recommendations](/azure/active-directory/reports-monitoring/howto-use-recommendations): Provides you with personalized insights with actionable guidance so you can implement best practices, improve the state of your Microsoft Entra tenant, and optimize the configurations for your scenarios.
+- [App health recommendations](/azure/active-directory/reports-monitoring/howto-use-recommendations): Provides recommendations for addressing identity hygiene gaps in your application portfolio so you can improve the security and resilience posture of a tenant. 
 
 ## What do the numbers in each category on the [Workload identities - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade) mean?