
Commit 9a3a7da

Merge pull request #203550 from MicrosoftDocs/main
6/30 PM Publish
2 parents 9dd49f0 + 5ab88f9 commit 9a3a7da

261 files changed, +8399 -4413 lines


articles/active-directory-b2c/whats-new-docs.md

Lines changed: 21 additions & 0 deletions
@@ -15,6 +15,27 @@ manager: CelesteDG
1515

1616
Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md) and [Azure AD B2C developer release notes](custom-policy-developer-notes.md)
1717

18+
## June 2022
19+
20+
### New articles
21+
22+
- [Configure authentication in an Azure Static Web App by using Azure AD B2C](configure-authentication-in-azure-static-app.md)
23+
- [Configure authentication in an Azure Web App configuration file by using Azure AD B2C](configure-authentication-in-azure-web-app-file-based.md)
24+
- [Configure authentication in an Azure Web App by using Azure AD B2C](configure-authentication-in-azure-web-app.md)
25+
- [Enable authentication options in an Azure Static Web App by using Azure AD B2C](enable-authentication-azure-static-app-options.md)
26+
- [Enable authentication in your own Python web application using Azure Active Directory B2C](enable-authentication-python-web-app.md)
27+
- [Set up OAuth 2.0 client credentials flow in Azure Active Directory B2C](client-credentials-grant-flow.md)
28+
- [Configure WhoIAM Rampart with Azure Active Directory B2C](partner-whoiam-rampart.md)
29+
30+
### Updated articles
31+
32+
- [Configure authentication in a sample Python web app by using Azure AD B2C](configure-authentication-sample-python-web-app.md)
33+
- [Single-page application sign-in using the OAuth 2.0 implicit flow in Azure Active Directory B2C](implicit-flow-single-page-application.md)
34+
- [Set up OAuth 2.0 client credentials flow in Azure Active Directory B2C](client-credentials-grant-flow.md)
35+
- [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](tutorial-create-user-flows.md)
36+
- [Configure TheAccessHub Admin Tool by using Azure Active Directory B2C](partner-n8identity.md)
37+
- [Monitor Azure AD B2C with Azure Monitor](azure-monitor.md)
38+
1839

1940
## May 2022
2041
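Review bot: [Set up OAuth 2.0 client credentials flow in Azure Active Directory B2C](client-credentials-grant-flow.md) is listed under both `### New articles` (line 27+) and `### Updated articles` (line 34+). An article that is new this month cannot also count as an existing article with a significant update in the same listing, so drop one of the two entries; the New articles entry is the one to keep.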

articles/active-directory/app-provisioning/application-provisioning-quarantine-status.md

Lines changed: 14 additions & 0 deletions
@@ -69,6 +69,20 @@ A job can go into quarantine regardless of failure counts for issues such as adm
6969
- A job with 20,000 failures and 100,000 success wouldn't go into quarantine because it does not exceed the 40% failure threshold or the 40,000 failure max.
7070
- There's an absolute threshold of 60,000 failures that accounts for both reference and non-reference failures. For example, 40,000 users failed to be provisioned and 21,000 manager updates failed. The total is 61,000 failures and exceeds the 60,000 limit.
7171

72+
**Retry duration**
73+
74+
The logic documented here may be different for certain connectors to ensure best customer experience, but we generally have the below retry cycles after a failure:
75+
76+
After the first failure, the first retry happens within the next 2 hours (usually in the next sync cycle).
77+
- The second retry happens 6 hours after the first failure.
78+
- The third retry happens 12 hours after the first failure.
79+
- The fourth retry happens 24 hours after the first failure.
80+
- The fifth retry happens 48 hours after the first failure.
81+
- The sixth retry happens 96 hours after the first failure
82+
- The seventh retry happens 168 hours after the first failure.
83+
84+
After the 7th failure, entry is flagged and no further retries are run.
85+
7286

7387
## How do I get my application out of quarantine?
7488
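Review bot: the retry schedule at lines 76+ to 84+ is ambiguous about when retries stop. It lists an initial failure followed by seven retries, then says "After the 7th failure, entry is flagged", which can be read either as the seventh failure overall (i.e. after the sixth retry) or as the failure of the seventh retry; suggest "If the seventh retry also fails, the entry is flagged and no further retries are run." Formatting: line 76+ is the first step of the schedule but is not a bullet while lines 77+ to 82+ are; line 81+ is missing its trailing period; and **Retry duration** at line 72+ is bold text where the surrounding file uses `##` headings (see the "How do I get my application out of quarantine?" context line), so a heading would match the file's own conventions.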

articles/active-directory/authentication/howto-password-smart-lockout.md

Lines changed: 9 additions & 5 deletions
@@ -6,12 +6,12 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 06/14/2022
9+
ms.date: 07/20/2020
1010

1111
ms.author: justinha
1212
author: justinha
1313
manager: karenhoran
14-
ms.reviewer: sajiang
14+
ms.reviewer: rogoya
1515

1616
ms.collection: M365-identity-device-management
1717
---
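Review bot: line 9+ moves `ms.date` backwards from 06/14/2022 to 07/20/2020 while this same publish commit changes the article body in the later hunks of this file, so the date metadata will understate how current the content is. This looks like an accidental revert from a stale branch rather than an intended edit; `ms.date` should be set to the actual revision date. The reviewer change from sajiang to rogoya on line 14+ may come from the same stale base and is worth a second look.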
@@ -34,8 +34,8 @@ Smart lockout is always on, for all Azure AD customers, with these default setti
3434

3535
Using smart lockout doesn't guarantee that a genuine user is never locked out. When smart lockout locks a user account, we try our best to not lock out the genuine user. The lockout service attempts to ensure that bad actors can't gain access to a genuine user account. The following considerations apply:
3636

37+
* Each Azure AD data center tracks lockout independently. A user has (*threshold_limit * datacenter_count*) number of attempts, if the user hits each data center.
3738
* Smart Lockout uses familiar location vs unfamiliar location to differentiate between a bad actor and the genuine user. Unfamiliar and familiar locations both have separate lockout counters.
38-
* Due to the geo-distributed nature of the Azure AD authentication service, there may be slight variance in the total number of failed sign-in attempts before a user gets locked out. For example, if the lockout threshold is set to 10, up to 12 total failed sign-in attempts may occur before the account is locked out.
3939

4040
Smart lockout can be integrated with hybrid deployments that use password hash sync or pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers. By setting smart lockout policies in Azure AD appropriately, attacks can be filtered out before they reach on-premises AD DS.
4141

@@ -87,12 +87,16 @@ When the smart lockout threshold is triggered, you will get the following messag
8787

8888
*Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.*
8989

90+
When you test smart lockout, your sign-in requests might be handled by different datacenters due to the geo-distributed and load-balanced nature of the Azure AD authentication service. In that scenario, because each Azure AD datacenter tracks lockout independently, it might take more than your defined lockout threshold number of attempts to cause a lockout. A user has a maximum of (*threshold_limit * datacenter_count*) number of bad attempts before being completely locked out.
91+
9092
Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior won't cause the account to lock out.
9193

94+
9295
## Default protections
9396
In addition to Smart lockout, Azure AD also protects against attacks by analyzing signals including IP traffic and identifying anomalous behavior. Azure AD will block these malicious sign-ins by default and return [AADSTS50053 - IdsLocked error code](../develop/reference-aadsts-error-codes.md), regardless of the password validity.
9497

9598
## Next steps
9699

97-
- To customize the experience further, you can [configure custom banned passwords for Azure AD password protection](tutorial-configure-custom-password-protection.md).
98-
- To help users reset or change their password from a web browser, you can [configure Azure AD self-service password reset](tutorial-enable-sspr.md).
100+
To customize the experience further, you can [configure custom banned passwords for Azure AD password protection](tutorial-configure-custom-password-protection.md).
101+
102+
To help users reset or change their password from a web browser, you can [configure Azure AD self-service password reset](tutorial-enable-sspr.md).
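Review bot: lines 97- and 98- were a two-item bullet list and lines 100+ and 102+ turn them into plain paragraphs with no stated reason; the change carries no new information, so restore the `- ` prefixes unless the list form was the problem. Line 90+ repeats the `(*threshold_limit * datacenter_count*)` markup from the earlier hunk, with the same emphasis-asterisk rendering issue, and restates the per-data-center counting already given in the considerations list; a short cross-reference to that bullet would be clearer than a second copy of the same fact.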

articles/active-directory/devices/faq.yml

Lines changed: 1 addition & 1 deletion
@@ -270,7 +270,7 @@ sections:
270270
- For iOS and Android, you can use the Microsoft Authenticator application **Settings** > **Device Registration** and select **Unregister device**.
271271
- For macOS, you can use the Microsoft Intune Company Portal application to unenroll the device from management and remove any registration.
272272
273-
For Windows 10/11 devices, this process can be automated with the [Workplace Join (WPJ) removal tool](https://download.microsoft.com/download/8/e/f/8ef13ae0-6aa8-48a2-8697-5b1711134730/WPJCleanUp.zip)
273+
For Windows 10 version 2004 and older, this process can be automated with the [Workplace Join (WPJ) removal tool](https://download.microsoft.com/download/8/e/f/8ef13ae0-6aa8-48a2-8697-5b1711134730/WPJCleanUp.zip)
274274
275275
> [!NOTE]
276276
> This tool removes all SSO accounts on the device. After this operation, all applications will lose SSO state, and the device will be unenrolled from management tools (MDM) and unregistered from the cloud. The next time an application tries to sign in, users will be asked to add the account again.
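Review bot: line 273+ narrows the WPJ removal tool from "Windows 10/11 devices" to "Windows 10 version 2004 and older" but adds no instruction for Windows 10 versions after 2004 or for Windows 11, so readers on current builds now have an answer for iOS, Android and macOS and none for the platform they most likely run; add a line stating what to use on those versions. The NOTE that follows (lines 275-276) still describes the tool's side effects as if it applied to all Windows devices and may need the same scoping.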

articles/active-directory/enterprise-users/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -128,6 +128,8 @@
128128
href: ../fundamentals/active-directory-groups-settings-azure-portal.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
129129
- name: Manage group owners
130130
href: ../fundamentals/active-directory-accessmanagement-managing-group-owners.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
131+
- name: Manage group writeback
132+
href: groups-write-back-portal.md
131133
- name: Manage groups in groups
132134
href: ../fundamentals/active-directory-groups-membership-azure-portal.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
133135
- name: Add group access to SaaS apps
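Review bot: lines 131+ and 132+ add "Manage group writeback" pointing at groups-write-back-portal.md, a file introduced elsewhere in this commit whose title is marked "(preview)"; since the feature is in preview, the TOC name should say so, otherwise readers discover the preview status only after opening the page. Also confirm the indentation of the two new lines matches "- name: Manage group owners" and its href at lines 129-130, because the rendered diff does not make YAML nesting visible and a one-space difference silently moves the entry to a different level.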
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
---
2+
title: Group writeback portal operations (preview) in Azure Active Directory
3+
description: The access points for group writeback to on-premises Active Directory in the Azure Active Directory admin center.
4+
keywords:
5+
author: curtand
6+
manager: karenhoran
7+
ms.author: curtand
8+
ms.reviewer: jordan.dahl
9+
ms.date: 06/18/2022
10+
ms.topic: how-to
11+
ms.service: active-directory
12+
ms.subservice: enterprise-users
13+
ms.workload: identity
14+
services: active-directory
15+
ms.custom: "it-pro"
16+
17+
#Customer intent: As a new Azure AD identity administrator, user management is at the core of my work so I need to understand the user management tools such as groups, administrator roles, and licenses to manage users.
18+
ms.collection: M365-identity-device-management
19+
---
20+
21+
# Group writeback in the Azure Active Directory admin center (preview)
22+
23+
Group writeback is a valuable tool for administrators of Azure Active Directory (Azure AD) tenants being synced with on-premises Active Directory groups. Microsoft is now previewing new capabilities for group writeback. In this preview, you can specify in the Azure AD admin center which groups you want to write back and what you’d like each group to write back as. You can write Microsoft 365 groups back to on-premises Active Directory as Distribution, Mail-enabled Security, or Security groups, and write Security groups back as Security groups. Groups are written back with a scope of universal​.
24+
25+
>[!NOTE]
26+
> If you were previously writing Microsoft 365 groups back to on-premises Active Directory as universal distribution groups, they will appear in the Azure portal as not enabled for writeback in both the **Groups** page and in the properties page for a group. This is to ensure backward compatibility with the legacy version of group writeback and to avoid breaking setups that customers currently have.
27+
28+
## Show writeback columns
29+
30+
From the **All groups** overview page, you can add the group writeback columns **Target writeback type** and **Writeback enabled** to the view. The **Target writeback type** and **Writeback enabled** columns are available for the view whether or not you have writeback enabled in Azure AD Connect.
31+
32+
​:::image type="content" source="./media/groups-write-back-portal/all-groups-columns.png" alt-text="Screenshot of selecting columns for writeback in the All groups list." lightbox="media/groups-write-back-portal/all-groups-columns.png":::
33+
34+
## Writeback column settings
35+
36+
The **Writeback enabled** column allows you to turn off the writeback capability for individual groups. The **Target writeback type** column allows you to specify to which group type you want this cloud group written back in your on-premises Active Directory. For an Azure AD Microsoft 365 group, you can write it back as a security group, a distribution group, or a mail-enabled security group. For an Azure AD security group, you can write it back only as a security group.
37+
38+
:::image type="content" source="./media/groups-write-back-portal/all-groups-view.png" alt-text="Screenshot of writeback settings columns that are visible in the All groups page." lightbox="media/groups-write-back-portal/all-groups-view.png":::
39+
40+
## Writeback settings in group properties
41+
42+
You can also configure writeback settings for a group on the property page for the group. There's a **Group writeback state** setting allows you to turn off writeback for the group or to specify the writeback group type. When **No writeback** is selected, the group isn't being written back at all. If you select one of the other writeback types as an option (for example, Security), then you have:
43+
44+
- Enabled the group for writeback
45+
- Targeted the writeback type as a security group
46+
47+
:::image type="content" source="./media/groups-write-back-portal/groups-properties-view.png" alt-text="Screenshot of changing writeback settings in the group properties." lightbox="media/groups-write-back-portal/groups-properties-view.png":::
48+
49+
## Next steps
50+
51+
Check out the groups REST API documentation for the [preview writeback property on the settings template](../hybrid/how-to-connect-group-writeback.md).
52+
53+
For more about group writeback operations, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback.md)
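Review bot: line 32+ begins with a zero-width space (U+200B) immediately before `:::image`, and line 23+ has one between "universal" and the final period; the first will stop the image directive from being recognized, since it no longer starts the line, so both characters should be deleted. Line 51+ says "Check out the groups REST API documentation" but links to ../hybrid/how-to-connect-group-writeback.md, the same Azure AD Connect article that line 53+ links to; either point it at the Graph API reference or drop the sentence. Smaller items: line 42+ reads "There's a **Group writeback state** setting allows you to" (missing "that"), line 53+ has no trailing period, line 4+ leaves `keywords:` empty, and the customer-intent comment at line 17+ is the generic users/roles/licenses template rather than a statement about group writeback.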
