MicrosoftDocs
diff --git a/‎.github/workflows/stale.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/stale.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/authentication/howto-authentication-passwordless-phone.md
Lines changed: 1 addition & 10 deletions b/‎articles/active-directory/authentication/howto-authentication-passwordless-phone.md
Lines changed: 1 addition & 10 deletions
diff --git a/‎articles/active-directory/fundamentals/users-default-permissions.md
Lines changed: 4 additions & 4 deletions b/‎articles/active-directory/fundamentals/users-default-permissions.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/active-directory/hybrid/how-to-connect-emergency-ad-fs-certificate-rotation.md
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory/hybrid/how-to-connect-emergency-ad-fs-certificate-rotation.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory/roles/permissions-reference.md
Lines changed: 46 additions & 1 deletion b/‎articles/active-directory/roles/permissions-reference.md
Lines changed: 46 additions & 1 deletion
diff --git a/‎articles/aks/use-wasi-node-pools.md
Lines changed: 2 additions & 2 deletions b/‎articles/aks/use-wasi-node-pools.md
Lines changed: 2 additions & 2 deletions
@@ -20,7 +20,7 @@ jobs:
         exempt-pr-labels: keep-open
         operations-per-run: 1200
         ascending: true
-        start-date: '2020-07-09'
+        start-date: '2021-04-13'
         stale-pr-message: >
           This pull request has been inactive for at least 14 days.
           If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation) for instructions.
 
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 07/02/2021
+ms.date: 10/21/2021
 
 ms.author: justinha
 author: justinha
@@ -34,11 +34,6 @@ People who enabled phone sign-in from the Microsoft Authenticator app see a mess
 To use passwordless phone sign-in with the Microsoft Authenticator app, the following prerequisites must be met:
 
 - Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help the Authenticator app to prevent unauthorized access to accounts and stop fraudulent transactions. The Authenticator app automatically generates codes when set up to do push notifications so a user has a backup sign-in method even if their device doesn't have connectivity. 
-  
-  Azure Multi-Factor Auth Connector must be enabled to allow users to register for push notifications for phone sign-in.
-
-  ![Screenshot of Azure Multi-Factor Auth Connector enabled.](media/howto-authentication-passwordless-phone/connector.png)
-
 - Latest version of Microsoft Authenticator installed on devices running iOS 8.0 or greater, or Android 6.0 or greater.
 - The device on which the Microsoft Authenticator app is installed must be registered within the Azure AD tenant to an individual user. 
 
@@ -49,10 +44,6 @@ To use passwordless phone sign-in with the Microsoft Authenticator app, the foll
 
 To use passwordless authentication in Azure AD, first enable the combined registration experience, then enable users for the passwordless method.
 
-### Enable the combined registration experience
-
-Registration features for passwordless authentication methods rely on the combined registration feature. To let users complete the combined registration themselves, follow the steps to [enable combined security information registration](howto-registration-mfa-sspr-combined.md).
-
 ### Enable passwordless phone sign-in authentication methods
 
 Azure AD lets you choose which authentication methods can be used during the sign-in process. Users then register for the methods they'd like to use. The **Microsoft Authenticator** authentication method policy manages both the traditional push MFA method, as well as the passwordless authentication method. 
 
@@ -26,7 +26,7 @@ The set of default permissions received depends on whether the user is a native
 
 ## Compare member and guest default permissions
 
-**Area** | **Member user permissions** | **Default guest user permissions** | **Restricted guest user permissions (Preview)**
+**Area** | **Member user permissions** | **Default guest user permissions** | **Restricted guest user permissions**
 ------------ | --------- | ---------- | ----------
 Users and contacts | <ul><li>Enumerate list of all users and contacts<li>Read all public properties of users and contacts</li><li>Invite guests<li>Change own password<li>Manage own mobile phone number<li>Manage own photo<li>Invalidate own refresh tokens</li></ul> | <ul><li>Read own properties<li>Read display name, email, sign in name, photo, user principal name, and user type properties of other users and contacts<li>Change own password<li>Search for another user by ObjectId (if allowed)<li>Read manager and direct report information of other users</li></ul> | <ul><li>Read own properties<li>Change own password</li><li>Manage own mobile phone number</li></ul>
 Groups | <ul><li>Create security groups<li>Create Microsoft 365 groups<li>Enumerate list of all groups<li>Read all properties of groups<li>Read non-hidden group memberships<li>Read hidden Microsoft 365 group memberships for joined group<li>Manage properties, ownership, and membership of groups the user owns<li>Add guests to owned groups<li>Manage dynamic membership settings<li>Delete owned groups<li>Restore owned Microsoft 365 groups</li></ul> | <ul><li>Read properties of non-hidden groups, including membership and ownership (even non-joined groups)<li>Read hidden Microsoft 365 group memberships for joined groups<li>Search for groups by Display Name or ObjectId (if allowed)</li></ul> | <ul><li>Read object id for joined groups<li>Read membership and ownership of joined groups in some Microsoft 365 apps (if allowed)</li></ul>
@@ -60,11 +60,11 @@ Ability to read other users | This setting is available in PowerShell only. Sett
 Default permissions for guest users can be restricted in the following ways:
 
 >[!NOTE]
->The guests user access restrictions setting replaced the **Guest users permissions are limited** setting. For guidance on using this feature, see [Restrict guest access permissions (preview) in Azure Active Directory](../enterprise-users/users-restrict-guest-permissions.md).
+>The guests user access restrictions setting replaced the **Guest users permissions are limited** setting. For guidance on using this feature, see [Restrict guest access permissions in Azure Active Directory](../enterprise-users/users-restrict-guest-permissions.md).
 
 Permission | Setting explanation
 ---------- | ------------
-Guests user access restrictions (Preview) | Setting this option to **Guest users have the same access as members** grants all member user permissions to guest users by default.<p>Setting this option to **Guest user access is restricted to properties and memberships of their own directory objects** restricts guest access to only their own user profile by default. Access to other users are no longer allowed even when searching by User Principal Name, ObjectId or Display Name. Access to groups information including groups memberships is also no longer allowed.<p>**Note**: This setting does not prevent access to joined groups in some Microsoft 365 services like Microsoft Teams. See [Microsoft Teams Guest access](/MicrosoftTeams/guest-access) to learn more.<p>Guest users can still be added to administrator roles regardless of this permission settings.
+Guests user access restrictions | Setting this option to **Guest users have the same access as members** grants all member user permissions to guest users by default.<p>Setting this option to **Guest user access is restricted to properties and memberships of their own directory objects** restricts guest access to only their own user profile by default. Access to other users are no longer allowed even when searching by User Principal Name, ObjectId or Display Name. Access to groups information including groups memberships is also no longer allowed.<p>**Note**: This setting does not prevent access to joined groups in some Microsoft 365 services like Microsoft Teams. See [Microsoft Teams Guest access](/MicrosoftTeams/guest-access) to learn more.<p>Guest users can still be added to administrator roles regardless of this permission settings.
 Guests can invite | Setting this option to Yes allows guests to invite other guests. See [Delegate invitations for B2B collaboration](../external-identities/delegate-invitations.md#configure-b2b-external-collaboration-settings) to learn more.
 Members can invite | Setting this option to Yes allows non-admin members of your directory to invite guests. See [Delegate invitations for B2B collaboration](../external-identities/delegate-invitations.md#configure-b2b-external-collaboration-settings) to learn more.
 Admins and users in the guest inviter role can invite | Setting this option to Yes allows admins and users in the "Guest Inviter" role to invite guests. When set to Yes, users in the Guest inviter role will still be able to invite guests, regardless of the Members can invite setting. See [Delegate invitations for B2B collaboration](../external-identities/delegate-invitations.md#assign-the-guest-inviter-role-to-a-user) to learn more.
@@ -145,7 +145,7 @@ Users can perform the following actions on owned groups.
 
 ## Next steps
 
-* To learn more about the guests user access restrictions setting, see [Restrict guest access permissions (preview) in Azure Active Directory](../enterprise-users/users-restrict-guest-permissions.md).
+* To learn more about the guests user access restrictions setting, see [Restrict guest access permissions in Azure Active Directory](../enterprise-users/users-restrict-guest-permissions.md).
 * To learn more about how to assign Azure AD administrator roles, see [Assign a user to administrator roles in Azure Active Directory](active-directory-users-assign-role-azure-portal.md)
 * To learn more about how resource access is controlled in Microsoft Azure, see [Understanding resource access in Azure](../../role-based-access-control/rbac-and-directory-admin-roles.md)
 * For more information on how Azure Active Directory relates to your Azure subscription, see [How Azure subscriptions are associated with Azure Active Directory](active-directory-how-subscriptions-associated-directory.md)
 
@@ -22,7 +22,7 @@ In the event that you need to rotate the AD FS certificates immediately, you can
 > For more information, see [Hardware Security Module](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#hardware-security-module-hsm) under best practices for securing AD FS.
 
 ## Determine your Token Signing Certificate thumbprint
-In order to revoke the old Token Signing Certificate which AD FS is currently using, you need to determine the thumbprint of the token-sigining certificate.  To do this, use the following steps below:
+In order to revoke the old Token Signing Certificate which AD FS is currently using, you need to determine the thumbprint of the token-signing certificate.  To do this, use the following steps below:
 
  1.    Connect to the Microsoft Online Service
 `PS C:\>Connect-MsolService`
@@ -37,7 +37,7 @@ By default, AD FS is configured to generate token signing and token decryption c
 
 You can run the following Windows PowerShell command: `PS C:\>Get-AdfsProperties | FL AutoCert*, Certificate*`.
 
-The AutoCertificateRollover property describes whether AD FS is configured to renew token signing and token decrypting certificates automatically.  If AutoCertificateRollover is set to TRUE, follow the instructions outlined below in [Generating new self-signed certificate if AutoCertificateRollover is set to TRUE].  If AutoCertificateRollover is set to FALSE, follow the instructions outlined below in [Generating new certificates manually if AutoCertificateRollover is set to FALSE]
+The AutoCertificateRollover property describes whether AD FS is configured to renew token signing and token decrypting certificates automatically.  If AutoCertificateRollover is set to TRUE, follow the instructions outlined below in [Generating new self-signed certificate if AutoCertificateRollover is set to TRUE](#generating-new-self-signed-certificate-if-autocertificaterollover-is-set-to-true).  If AutoCertificateRollover is set to FALSE, follow the instructions outlined below in [Generating new certificates manually if AutoCertificateRollover is set to FALSE](#generating-new-certificates-manually-if-autocertificaterollover-is-set-to-false).
 
 
 ## Generating new self-signed certificate if AutoCertificateRollover is set to TRUE
@@ -138,4 +138,4 @@ Now we want to revoke refresh tokens for users who may have them and force them
 
 - [Managing SSL Certificates in AD FS and WAP in Windows Server 2016](/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap#replacing-the-ssl-certificate-for-ad-fs)
 - [Obtain and Configure Token Signing and Token Decryption Certificates for AD FS](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn781426(v=ws.11)#updating-federation-partners)
-- [Renew federation certificates for Microsoft 365 and Azure Active Directory](how-to-connect-fed-o365-certs.md)
+- [Renew federation certificates for Microsoft 365 and Azure Active Directory](how-to-connect-fed-o365-certs.md)
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: roles
 ms.topic: reference
-ms.date: 10/07/2021
+ms.date: 10/15/2021
 ms.author: rolyon
 ms.reviewer: abhijeetsinha
 ms.custom: generated, it-pro, fasttrack-edit
@@ -102,6 +102,7 @@ This article lists the Azure AD built-in roles you can assign to allow managemen
 > | [Teams Devices Administrator](#teams-devices-administrator) | Can perform management related tasks on Teams certified devices. | 3d762c5a-1b6c-493f-843e-55a3b42923d4 |
 > | [Usage Summary Reports Reader](#usage-summary-reports-reader) | Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | 75934031-6c7e-415a-99d7-48dbd49e875e |
 > | [User Administrator](#user-administrator) | Can manage all aspects of users and groups, including resetting passwords for limited admins. | fe930be7-5e62-47db-91af-98c3a49a38b1 |
+> | [Windows 365 Administrator](#windows-365-administrator) | Can provision and manage all aspects of Cloud PCs. | 11451d60-acb2-45eb-a7d6-43d0f0125c13 |
 > | [Windows Update Deployment Administrator](#windows-update-deployment-administrator) | Create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | 32696413-001a-46ae-978c-ce0f6b3620d2 |
 
 ## Application Administrator
@@ -2025,6 +2026,50 @@ Users with this role can create users, and manage all aspects of users with some
 > | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
 > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
 
+## Windows 365 Administrator
+
+Users with this role have global permissions on Windows 365 resources, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups.
+
+This role can create and manage security groups, but does not have administrator rights over Microsoft 365 groups. That means administrators cannot update owners or memberships of Microsoft 365 groups in the organization. However, they can manage the Microsoft 365 group they create, which is a part of their end-user privileges. So, any Microsoft 365 group (not security group) they create is counted against their quota of 250.
+
+Assign the Windows 365 Administrator role to users who need to do the following tasks:
+
+- Manage Windows 365 Cloud PCs in Microsoft Endpoint Manager
+- Enroll and manage devices in Azure AD, including assigning users and policies
+- Create and manage security groups, but not role-assignable groups
+- View basic properties in the Microsoft 365 admin center
+- Read usage reports in the Microsoft 365 admin center
+- Create and manage support tickets in Azure AD and the Microsoft 365 admin center
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | microsoft.directory/devices/create | Create devices (enroll in Azure AD) |
+> | microsoft.directory/devices/delete | Delete devices from Azure AD |
+> | microsoft.directory/devices/disable | Disable devices in Azure AD |
+> | microsoft.directory/devices/enable | Enable devices in Azure AD |
+> | microsoft.directory/devices/basic/update | Update basic properties on devices |
+> | microsoft.directory/devices/extensionAttributeSet1/update | Update the extensionAttribute1 to extensionAttribute5 properties on devices |
+> | microsoft.directory/devices/extensionAttributeSet2/update | Update the extensionAttribute6 to extensionAttribute10 properties on devices |
+> | microsoft.directory/devices/extensionAttributeSet3/update | Update the extensionAttribute11 to extensionAttribute15 properties on devices |
+> | microsoft.directory/devices/registeredOwners/update | Update registered owners of devices |
+> | microsoft.directory/devices/registeredUsers/update | Update registered users of devices |
+> | microsoft.directory/groups.security/create | Create Security groups, excluding role-assignable groups |
+> | microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups |
+> | microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups |
+> | microsoft.directory/groups.security/classification/update | Update the classification property on Security groups, excluding role-assignable groups |
+> | microsoft.directory/groups.security/dynamicMembershipRule/update | Update dynamic membership rule of Security groups, excluding role-assignable groups |
+> | microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups |
+> | microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups |
+> | microsoft.directory/groups.security/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups |
+> | microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies |
+> | microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies |
+> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
+> | microsoft.cloudPC/allEntities/allProperties/allTasks | Manage all aspects of Windows 365 |
+> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
+> | microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
+> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
+
 ## Windows Update Deployment Administrator
 
 Users in this role can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. The deployment service enables users to define  settings for when and how updates are deployed, and specify which updates are offered to groups of devices in their tenant. It also allows users to monitor the update progress.
 
@@ -59,12 +59,12 @@ az extension update --name aks-preview
 
 ### Limitations
 
-* You can't run WebAssebmlies and containers in the same node pool.
+* You can't run WebAssemblies and containers in the same node pool.
 * Only the WebAssembly(WASI) runtime is available, using the Wasmtime provider.
 * The WASM/WASI node pools can't be used for system node pool.
 * The *os-type* for WASM/WASI node pools must be Linux.
 * Krustlet doesn't work with Azure CNI at this time. For more information, see the [CNI Support for Kruslet GitHub issue][krustlet-cni-support].
-* Krustlet doesn't provide networking configuration for WebAssemblies. The WebAssebmly manifest must provide the networking configuration, such as IP address.
+* Krustlet doesn't provide networking configuration for WebAssemblies. The WebAssembly manifest must provide the networking configuration, such as IP address.
 
 ## Add a WASM/WASI node pool to an existing AKS Cluster