Merge branch 'MicrosoftDocs:main' into master

Author: noakup

articles/active-directory-b2c/identity-provider-microsoft-account.md

@@ -40,7 +40,7 @@ To enable sign-in for users with a Microsoft account in Azure Active Directory B
 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**.
 1. Select **New registration**.
 1. Enter a **Name** for your application. For example, *MSAapp1*.
-1. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.
+1. Under **Supported account types**, select **personal Microsoft accounts (e.g. Skype, Xbox)**.
 
    For more information on the different account type selections, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
 1. Under **Redirect URI (optional)**, select **Web** and enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your Azure AD B2C tenant, and `your-domain-name` with your custom domain.

articles/active-directory-b2c/manage-users-portal.md

@@ -73,6 +73,17 @@ To reset a user's password:
 
 For details about restoring a user within the first 30 days after deletion, or for permanently deleting a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/active-directory-users-restore.md).
 
+
+## Export consumer users
+
+1. In your Azure AD B2C directory, search for **Azure Active Directory**. 
+2. Select **Users**, and then select **Bulk Operations** and **Download Users**.
+3. Select **Start**, and then select **File is ready! Click here to download**.
+ 
+
+When downloading users via Bulk Operations option, the CSV file will bring users with their UPN attribute with the format *objectID@B2CDomain*. This is by design since that's the way the UPN information is stored in the B2C tenant.
+
+
 ## Next steps
 
 For automated user management scenarios, for example migrating users from another identity provider to your Azure AD B2C directory, see [Azure AD B2C: User migration](user-migration.md).

articles/active-directory/app-provisioning/on-premises-custom-connector.md

@@ -0,0 +1,53 @@
+---
+title: Azure AD provisioning to applications using custom connectors
+description: This document describes how to configure Azure AD to provision users with external systems that offer REST and SOAP APIs.
+services: active-directory
+author: billmath
+manager: amycolannino
+ms.service: active-directory
+ms.subservice: app-provisioning
+ms.topic: how-to
+ms.workload: identity
+ms.date: 05/19/2023
+ms.author: billmath
+ms.reviewer: arvinh
+---
+
+
+# Provisioning with the custom connectors
+
+Azure AD supports preintegrated connectors for applications that support the following protocols and standards:  
+
+> [!div class="checklist"]
+> - [SCIM 2.0](on-premises-scim-provisioning.md)
+> - [SQL](tutorial-ecma-sql-connector.md)
+> - [LDAP](on-premises-ldap-connector-configure.md)
+> - [REST](on-premises-ldap-connector-configure.md)
+> - [SOAP](on-premises-ldap-connector-configure.md)
+
+For connectivity to applications that don't support the aforementioned protocols and standards, customers and [partners](https://social.technet.microsoft.com/wiki/contents/articles/1589.fim-2010-mim-2016-management-agents-from-partners.aspx) have built custom [ECMA 2.0](https://learn.microsoft.com/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)) connectors for Microsoft Identity Manager (MIM) 2016. You can now use those ECMA 2.0 connectors with the lightweight Azure AD provisioning agent, without needing MIM sync deployed.  
+
+## Limitations 
+
+Custom connectors built for MIM rely on the [ECMA framework](https://learn.microsoft.com/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)). The following table includes capabilities of the ECMA framework that are either partially supported or not supported by the Azure AD provisioning agent. For a list of known limitations for the Azure AD provisioning service and on-premises application provisioning, see [here](https://learn.microsoft.com/azure/active-directory/app-provisioning/known-issues?pivots=app-provisioning#on-premises-application-provisioning).  
+
+
+| **Capability / feature**   | **Support**   | **Comments**   | 
+| --- | --- | --- | 
+| Object type  | Partially supported  | Supports one object type  | 
+| Partitions  | Partially supported  | Supports one partition  | 
+| Hierarchies  | Not supported  |   | 
+| Full export   | Not supported  |   | 
+| DeleteAddAsReplace  | Not supported  |   | 
+| ExportPasswordInFirstPass  | Not supported  |   | 
+| Normalizations  | Not supported  |   | 
+| Concurrent operations  | Not supported  |   |
+ 
+
+## Next steps
+
+- [App provisioning](user-provisioning.md)
+- [ECMA Connector Host generic SQL connector](tutorial-ecma-sql-connector.md)
+- [ECMA Connector Host LDAP connector](on-premises-ldap-connector-configure.md)
+
+

articles/active-directory/app-provisioning/on-premises-ldap-connector-prepare-directory.md

@@ -80,7 +80,7 @@ Now that we have configured the certificate and granted the network service acco
     - Place a check in the SSL box
    [![Screenshot that shows the Ldp tool connection configuration.](../../../includes/media/active-directory-app-provisioning-ldap/ldp-2.png)](../../../includes/media/active-directory-app-provisioning-ldap/ldp-2.png#lightbox)</br>
  5.  You should see a response similar to the screenshot below.
-   [![Screenshot taht shows the Ldp tool connection configuration success.](../../../includes/media/active-directory-app-provisioning-ldap/ldp-3.png)](../../../includes/media/active-directory-app-provisioning-ldap/ldp-3.png#lightbox)</br>
+   [![Screenshot that shows the Ldp tool connection configuration success.](../../../includes/media/active-directory-app-provisioning-ldap/ldp-3.png)](../../../includes/media/active-directory-app-provisioning-ldap/ldp-3.png#lightbox)</br>
  6.  At the top, under **Connection** select **Bind**.
  7. Leave the defaults and click **OK**.
    [![Screenshot that shows the Ldp tool bind operation.](../../../includes/media/active-directory-app-provisioning-ldap/ldp-4.png)](../../../includes/media/active-directory-app-provisioning-ldap/ldp-4.png#lightbox)</br>
@@ -137,7 +137,7 @@ New-SelfSignedCertificate -DnsName $DNSName -CertStoreLocation $CertLocation
 #Create directory
 New-Item -Path $logpath -Name $dirname -ItemType $dirtype
 
-#Export the certifcate from the local machine personal store
+#Export the certificate from the local machine personal store
 Get-ChildItem -Path cert:\LocalMachine\my | Export-Certificate -FilePath c:\test\allcerts.sst -Type SST
 
 #Import the certificate in to the trusted root

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

@@ -57,7 +57,7 @@ Once the agent is installed, no further configuration is necessary on-premises,
  6.  In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png) 
  7.  Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues. 
  >[!NOTE]
-> If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the aplication contains the entire URL provided above. 
+> If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above. 
 
  8.  Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
  9.  Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.

articles/active-directory/app-provisioning/toc.yml

@@ -33,6 +33,8 @@ items:
         href: on-premises-powershell-connector.md
       - name: Provisioning with the web services connector
         href: on-premises-web-services-connector.md
+      - name: Provisioning with custom connectors
+        href: on-premises-custom-connector.md
     - name: Customize attribute mappings
       href: customize-application-attributes.md
   - name: Concepts

articles/active-directory/app-proxy/application-proxy-deployment-plan.md

@@ -292,7 +292,7 @@ These logs provide detailed information about logins to applications configured
 
 #### Application Proxy Connector monitoring
 
-The connectors and the service take care of all the high availability tasks. You can monitor the status of your connectors from the Application Proxy page in the Azure portal. For more information about connector maintainence see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#maintenance).
+The connectors and the service take care of all the high availability tasks. You can monitor the status of your connectors from the Application Proxy page in the Azure portal. For more information about connector maintenance see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#maintenance).
 
 ![Example: Azure AD Application Proxy connectors](./media/application-proxy-connectors/app-proxy-connectors.png)
 

articles/active-directory/authentication/concept-authentication-web-browser-cookies.md

@@ -30,7 +30,7 @@ Persistent session tokens are stored as persistent cookies on the web browser's
 | ESTSAUTHLIGHT | Common  | Contains Session GUID Information. Lite session state cookie used exclusively by client-side JavaScript in order to facilitate OIDC sign-out. Security feature. |
 | SignInStateCookie | Common | Contains list of services accessed to facilitate sign-out. No user information. Security feature. |
 | CCState | Common | Contains session information state to be used between Azure AD and the [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md). |
-| buid | Common | Tracks browser related information. Used for service telemetry and protection mechanisms. |
+| build | Common | Tracks browser related information. Used for service telemetry and protection mechanisms. |
 | fpc | Common | Tracks browser related information. Used for tracking requests and throttling. |
 | esctx | Common | Session context cookie information. For CSRF protection. Binds a request to a specific browser instance so the request can't be replayed outside the browser. No user information. |
 | ch | Common | ProofOfPossessionCookie. Stores the Proof of Possession cookie hash to the user agent. |

articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-with-federation.md

@@ -166,7 +166,7 @@ For step-by-step directions on this process, see [Configure the AD FS servers](/
 
 Once you've configured the servers, you can add Azure AD MFA as an additional authentication method. 
 
-![Screen shot showing the Edit authentication methods screen with Azure AD MFA and Azure Mutli-factor authentication Server selected](./media/how-to-migrate-mfa-server-to-mfa-user-authentication/edit-authentication-methods.png)
+![Screen shot showing the Edit authentication methods screen with Azure AD MFA and Azure Multi-factor authentication Server selected](./media/how-to-migrate-mfa-server-to-mfa-user-authentication/edit-authentication-methods.png)
 
 ## Prepare Azure AD and implement migration
 

articles/active-directory/authentication/howto-authentication-use-email-signin.md

@@ -112,7 +112,7 @@ To support this hybrid authentication approach, you synchronize your on-premises
 
 In both configuration options, the user submits their username and password to Azure AD, which validates the credentials and issues a ticket. When users sign in to Azure AD, it removes the need for your organization to host and manage an AD FS infrastructure.
 
-One of the user attributes that's automatically synchronized by Azure AD Connect is *ProxyAddresses*. If users have an email address defined in the on-premesis AD DS environment as part of the *ProxyAddresses* attribute, it's automatically synchronized to Azure AD. This email address can then be used directly in the Azure AD sign-in process as an alternate login ID.
+One of the user attributes that's automatically synchronized by Azure AD Connect is *ProxyAddresses*. If users have an email address defined in the on-premises AD DS environment as part of the *ProxyAddresses* attribute, it's automatically synchronized to Azure AD. This email address can then be used directly in the Azure AD sign-in process as an alternate login ID.
 
 > [!IMPORTANT]
 > Only emails in verified domains for the tenant are synchronized to Azure AD. Each Azure AD tenant has one or more verified domains, for which you have proven ownership, and are uniquely bound to your tenant.