File: articles/defender-for-iot/organizations/manage-users-on-premises-management-console.md (6 additions, 3 deletions)
@@ -134,9 +134,9 @@ For more information, see [Active Directory support on sensors and on-premises m
134
134
135
135
|Field |Description |
136
136
|---------|---------|
137
-
|**Domain Controller FQDN**| The fully qualified domain name (FQDN), exactly as it appears on your LDAP server. For example, enter `host1.subdomain.domain.com`. |
137
+
|**Domain Controller FQDN**| The fully qualified domain name (FQDN), exactly as it appears on your LDAP server. For example, enter `host1.subdomain.contoso.com`. <br><br> If you encounter an issue with the integration using the FQDN, check your DNS configuration. You can also enter the explicit IP of the LDAP server instead of the FQDN when setting up the integration.|
138
138
|**Domain Controller Port**| The port on which your LDAP is configured. |
139
-
|**Primary Domain**| The domain name, such as `subdomain.domain.com`, and then select the connection type for your LDAP configuration. <br><br>Supported connection types include: **LDAPS/NTLMv3** (recommended), **LDAP/NTLMv3**, or **LDAP/SASL-MD5**|
139
+
|**Primary Domain**| The domain name, such as `subdomain.contoso.com`, and then select the connection type for your LDAP configuration. <br><br>Supported connection types include: **LDAPS/NTLMv3** (recommended), **LDAP/NTLMv3**, or **LDAP/SASL-MD5**|
140
140
|**Active Directory Groups**| Select **+ Add** to add an Active Directory group to each permission level listed, as needed. <br><br>When you enter a group name, make sure that you enter the group name as it's defined in your Active Directory configuration on the LDAP server. Then, make sure to use these groups when creating new sensor users from Active Directory.<br><br> Supported permission levels include **Read-only**, **Security Analyst**, **Admin**, and **Trusted Domains**.<br><br> Add groups as **Trusted endpoints** in a separate row from the other Active Directory groups. To add a trusted domain, add the domain name and the connection type of a trusted domain. You can configure trusted endpoints only for users who were defined under users.|
141
141
142
142
Select **+ Add Server** to add another server and enter its values as needed, and **Save** when you're done.
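Review bot: the new FQDN row recommends entering the LDAP server's explicit IP when the FQDN-based integration fails, but the same table recommends **LDAPS/NTLMv3**, and an LDAPS server certificate is normally issued for the FQDN, not the IP, so connecting by IP can fail hostname verification or lead readers to weaken certificate checks. Suggest presenting the IP as a troubleshooting step and adding a sentence such as "When using LDAPS, the name you enter must match the subject or SAN of the LDAP server's certificate" so the fallback does not silently downgrade the recommended setting. The change from `domain.com` to `contoso.com` is good; `contoso.com` is the reserved example domain and avoids pointing readers at a real registrable name.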
@@ -149,13 +149,16 @@ For more information, see [Active Directory support on sensors and on-premises m
149
149
> - LDAP and LDAPS can't be configured for the same domain. However, you can configure each in different domains and then use them at the same time.
150
150
>
151
151
152
+
For example:
153
+
154
+
:::image type="content" source="media/manage-users-on-premises-management-console/active-directory-config-example.png" alt-text="Screenshot of Active Directory integration configuration on the on-premises management console.":::
155
+
152
156
1. Create access group rules for on-premises management console users.
153
157
154
158
If you configure Active Directory groups for on-premises management console users, you must also create an access group rule for each Active Directory group. Active Directory credentials won't work for on-premises management console users without a corresponding access group rule.
155
159
156
160
For more information, see [Define global access permission for on-premises users](#define-global-access-permission-for-on-premises-users).
157
161
158
-
159
162
## Define global access permission for on-premises users
160
163
161
164
Large organizations often have a complex user permissions model based on global organizational structures. To manage your on-premises Defender for IoT users, we recommend that you use a global business topology that's based on business units, regions, and sites, and then define user access permissions around those entities.
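Review bot: the example added before step "Create access group rules" is a screenshot only, so readers relying on the alt text get "Screenshot of Active Directory integration configuration" without learning what the example values are. Suggest either a one-line caption naming what the screenshot shows (for instance, which connection type is selected and that the FQDN follows the `host1.subdomain.contoso.com` pattern from the table) or an alt text that carries that detail, and confirm the captured screenshot uses the `contoso.com` example domain rather than a real one.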
File: articles/defender-for-iot/organizations/manage-users-sensor.md (6 additions, 2 deletions)
@@ -51,6 +51,7 @@ Your new user is added and is listed on the sensor **Users** page.
51
51
To edit a user, select the **Edit** :::image type="icon" source="media/manage-users-on-premises-management-console/icon-edit.png" border="false"::: icon for the user you want to edit, and change any values as needed.
52
52
53
53
To delete a user, select the **Delete** button for the user you want to delete.
54
+
54
55
## Integrate OT sensor users with Active Directory
55
56
56
57
Configure an integration between your sensor and Active Directory to:
@@ -74,9 +75,9 @@ For more information, see [Active Directory support on sensors and on-premises m
74
75
75
76
|Name |Description |
76
77
|---------|---------|
77
-
|**Domain Controller FQDN**| The fully qualified domain name (FQDN), exactly as it appears on your LDAP server. For example, enter `host1.subdomain.domain.com`. |
78
+
|**Domain Controller FQDN**| The fully qualified domain name (FQDN), exactly as it appears on your LDAP server. For example, enter `host1.subdomain.contoso.com`. <br><br> If you encounter an issue with the integration using the FQDN, check your DNS configuration. You can also enter the explicit IP of the LDAP server instead of the FQDN when setting up the integration. |
78
79
|**Domain Controller Port**| The port where your LDAP is configured. |
79
-
|**Primary Domain**| The domain name, such as `subdomain.domain.com`, and then select the connection type for your LDAP configuration. <br><br>Supported connection types include: **LDAPS/NTLMv3** (recommended), **LDAP/NTLMv3**, or **LDAP/SASL-MD5**|
80
+
|**Primary Domain**| The domain name, such as `subdomain.contoso.com`, and then select the connection type for your LDAP configuration. <br><br>Supported connection types include: **LDAPS/NTLMv3** (recommended), **LDAP/NTLMv3**, or **LDAP/SASL-MD5**|
80
81
|**Active Directory Groups**| Select **+ Add** to add an Active Directory group to each permission level listed, as needed. <br><br> When you enter a group name, make sure that you enter the group name exactly as it's defined in your Active Directory configuration on the LDAP server. You'll use these group names when [adding new sensor users](#add-new-ot-sensor-users) with Active Directory.<br><br> Supported permission levels include **Read-only**, **Security Analyst**, **Admin**, and **Trusted Domains**. |
81
82
82
83
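Review bot: this hunk duplicates the table rows from manage-users-on-premises-management-console.md with small drifts already visible in the diff (the sensor row says "The port where your LDAP is configured" versus "The port on which" in the other article, and the FQDN row here ends with a trailing space before the closing `|`). Since both tables describe the same LDAP settings, consider sourcing the rows from a shared include so the wording and any future caveats stay identical; the same point about the IP fallback applies here, because the row still recommends **LDAPS/NTLMv3** while suggesting an IP address that will not match a certificate issued for the FQDN.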
@@ -92,6 +93,9 @@ For more information, see [Active Directory support on sensors and on-premises m
92
93
93
94
1. When you've added all your Active Directory servers, select **Save**.
94
95
96
+
For example:
97
+
98
+
:::image type="content" source="media/manage-users-sensor/active-directory-integration-example.png" alt-text="Screenshot of the active directory integration configuration on the sensor.":::
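Review bot: the alt text on the new image uses lowercase "active directory" while the surrounding text and the other article's alt text use "Active Directory"; suggest "Screenshot of the Active Directory integration configuration on the sensor." for consistency. As with the on-premises management console example, a short caption stating what values the example shows would help readers who cannot view the image.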