
Commit aaff63c

Merge pull request #236773 from MicrosoftDocs/main
5/03 AM Publish
2 parents 9081d44 + 8962df4 commit aaff63c


139 files changed, +1546 / -517 lines changed


articles/active-directory-b2c/whats-new-docs.md

Lines changed: 8 additions & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
title: "What's new in Azure Active Directory business-to-customer (B2C)"
33
description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)."
4-
ms.date: 03/06/2023
4+
ms.date: 05/03/2023
55
ms.service: active-directory
66
ms.subservice: B2C
77
ms.topic: reference
@@ -15,6 +15,13 @@ manager: CelesteDG
1515

1616
Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md) and [Azure AD B2C developer release notes](custom-policy-developer-notes.md)
1717

18+
## April 2023
19+
20+
### Updated articles
21+
22+
- [Configure Transmit Security with Azure Active Directory B2C for passwordless authentication](partner-bindid.md) - Update partner-bindid.md
23+
- [Tutorial: Enable secure hybrid access for applications with Azure Active Directory B2C and F5 BIG-IP](partner-f5.md) - Update partner-f5.md
24+
1825
## March 2023
1926

2027
### Updated articles
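Review bot: the two April 2023 entries describe the change only as "Update partner-bindid.md" and "Update partner-f5.md", which repeats the file name from the link and tells the reader nothing about what changed; a one-line summary of what was updated in each partner tutorial would make the section useful.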

articles/active-directory/app-provisioning/provision-on-demand.md

Lines changed: 14 additions & 14 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-provisioning
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 01/23/2023
11+
ms.date: 05/03/2023
1212
ms.author: kenwith
1313
ms.reviewer: arvinh
1414
zone_pivot_groups: app-provisioning-cross-tenant-synchronization
@@ -48,7 +48,7 @@ Use on-demand provisioning to provision a user or group in seconds. Among other
4848

4949
5. Select **Provision on demand**.
5050

51-
6. Search for a user by first name, last name, display name, user principal name, or email address. Alternatively, you can search for a group and pick up to 5 users.
51+
6. Search for a user by first name, last name, display name, user principal name, or email address. Alternatively, you can search for a group and pick up to five users.
5252
> [!NOTE]
5353
> For Cloud HR provisioning app (Workday/SuccessFactors to AD/Azure AD), the input value is different.
5454
> For Workday scenario, please provide "WorkerID" or "WID" of the user in Workday.
@@ -61,7 +61,7 @@ Use on-demand provisioning to provision a user or group in seconds. Among other
6161

6262
## Understand the provisioning steps
6363

64-
The on-demand provisioning process attempts to show the steps that the provisioning service takes when provisioning a user. There are typically five steps to provision a user. One or more of those steps, explained in the following sections, will be shown during the on-demand provisioning experience.
64+
The on-demand provisioning process attempts to show the steps that the provisioning service takes when provisioning a user. There are typically five steps to provision a user. One or more of those steps, explained in the following sections, are shown during the on-demand provisioning experience.
6565

6666
### Step 1: Test connection
6767

@@ -116,7 +116,7 @@ The **View details** section shows the scoping conditions that were evaluated. Y
116116

117117
#### Troubleshooting tips
118118

119-
* Make sure that you've defined a valid scoping role. For example, avoid using the [Greater_Than operator](./define-conditional-rules-for-provisioning-user-accounts.md#create-a-scoping-filter) with a non-integer value.
119+
* Make sure that you've defined a valid scoping role. For example, avoid using the [Greater_Than operator](./define-conditional-rules-for-provisioning-user-accounts.md#create-a-scoping-filter) with a noninteger value.
120120
* If the user doesn't have the necessary role, review the [tips for provisioning users assigned to the default access role](./application-provisioning-config-problem-no-users-provisioned.md#provisioning-users-assigned-to-the-default-access-role).
121121

122122
### Step 4: Match user between source and target
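Review bot: "valid scoping role" on the first troubleshooting bullet is left unchanged even though the example (the Greater_Than operator) and the link target (create-a-scoping-filter) concern scoping rules; since this hunk already edits that line for "noninteger", it should probably read "valid scoping rule" or "valid scoping filter".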
@@ -125,11 +125,11 @@ In this step, the service attempts to match the user that was retrieved in the i
125125

126126
#### View details
127127

128-
The **View details** page shows the properties of the users that were matched in the target system. The properties that you see in the context pane vary as follows:
128+
The **View details** page shows the properties of the users that were matched in the target system. The context pane changes as follows:
129129

130-
* If no users are matched in the target system, you won't see any properties.
131-
* If there's one user matched in the target system, you'll see the properties of that matched user from the target system.
132-
* If multiple users are matched, you'll see the properties of both matched users.
130+
* If no users are matched in the target system, no properties are shown.
131+
* If one user matches in the target system, the properties of that user are shown.
132+
* If multiple users match, the properties of both users are shown.
133133
* If multiple matching attributes are part of your attribute mappings, each matching attribute is evaluated sequentially and the matched users for that attribute are shown.
134134

135135
#### Troubleshooting tips
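Review bot: the rewritten third bullet still says "the properties of both users are shown" while its condition is "If multiple users match"; "both" implies exactly two, so "the properties of all matched users are shown" would agree with the condition and with the next bullet, which talks about the matched users per attribute.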
@@ -152,11 +152,11 @@ The **View details** section displays the attributes that were modified in the t
152152
#### Troubleshooting tips
153153

154154
* Failures for exporting changes can vary greatly. Check the [documentation for provisioning logs](../reports-monitoring/concept-provisioning-logs.md#error-codes) for common failures.
155-
* On-demand provisioning says the group or user can't be provisioned because they're not assigned to the application. Note that there's a replicate delay of up to a few minutes between when an object is assigned to an application and that assignment being honored by on-demand provisioning. You may need to wait a few minutes and try again.
155+
* On-demand provisioning says the group or user can't be provisioned because they're not assigned to the application. There's a replication delay of up to a few minutes between when an object is assigned to an application and when that assignment is honored in on-demand provisioning. You may need to wait a few minutes and try again.
156156

157157
## Frequently asked questions
158158

159-
* **Do you need to turn provisioning off to use on-demand provisioning?** For applications that use a long-lived bearer token or a user name and password for authorization, no additional steps are required. Applications that use OAuth for authorization currently require the provisioning job to be stopped before using on-demand provisioning. Applications such as G Suite, Box, Workplace by Facebook, and Slack fall into this category. Work is in progress to support on-demand provisioning for all applications without having to stop provisioning jobs.
159+
* **Do you need to turn provisioning off to use on-demand provisioning?** For applications that use a long-lived bearer token or a user name and password for authorization, no more steps are required. Applications that use OAuth for authorization currently require the provisioning job to be stopped before using on-demand provisioning. Applications such as G Suite, Box, Workplace by Facebook, and Slack fall into this category. Work is in progress to support on-demand provisioning for all applications without having to stop provisioning jobs.
160160

161161
* **How long does on-demand provisioning take?** On-demand provisioning typically takes less than 30 seconds.
162162

@@ -168,12 +168,12 @@ There are currently a few known limitations to on-demand provisioning. Post your
168168
> [!NOTE]
169169
> The following limitations are specific to the on-demand provisioning capability. For information about whether an application supports provisioning groups, deletions, or other capabilities, check the tutorial for that application.
170170
171-
* On-demand provisioning of groups supports updating up to 5 members at a time
171+
* On-demand provisioning of groups supports updating up to five members at a time
172172
::: zone-end
173-
* Restoring a previously soft-deleted user in the target tenant with on-demand provisioning isn't supported. If you try to soft delete a user with on-demand provisioning and then restore the user, it can result in duplicate users.
173+
* Restoring a previously soft-deleted user in the target tenant with on-demand provisioning isn't supported. If you try to soft-delete a user with on-demand provisioning and then restore the user, it can result in duplicate users.
174174
* On-demand provisioning of roles isn't supported.
175-
* On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users won't appear when you search for a user.
176-
* On-demand provisioning does not support nested groups that are not directly assigned to the application.
175+
* On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users don't appear when you search for a user.
176+
* On-demand provisioning doesn't support nested groups that aren't directly assigned to the application.
177177

178178
## Next steps
179179
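Review bot: the hyphen added in "If you try to soft-delete a user" applies the adjective form to a verb; the same sentence already uses "soft-deleted user" correctly as an adjective, so the verb phrase should stay "soft delete a user". The other changes in this hunk (five, don't, aren't) are fine.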

articles/active-directory/app-provisioning/skip-out-of-scope-deletions.md

Lines changed: 13 additions & 13 deletions
@@ -1,14 +1,14 @@
11
---
22
title: Skip deletion of out of scope users in Azure Active Directory Application Provisioning
3-
description: Learn how to override the default behavior of de-provisioning out of scope users in Azure Active Directory.
3+
description: Learn how to override the default behavior of deprovisioning out of scope users in Azure Active Directory.
44
services: active-directory
55
author: kenwith
66
manager:
77
ms.service: active-directory
88
ms.subservice: app-provisioning
99
ms.topic: how-to
1010
ms.workload: identity
11-
ms.date: 01/23/2023
11+
ms.date: 05/03/2023
1212
ms.author: kenwith
1313
ms.reviewer: arvinh
1414
---
@@ -17,15 +17,15 @@ ms.reviewer: arvinh
1717
By default, the Azure AD provisioning engine soft deletes or disables users that go out of scope. However, for certain scenarios like Workday to AD User Inbound Provisioning, this behavior may not be the expected and you may want to override this default behavior.
1818

1919
This article describes how to use the Microsoft Graph API and the Microsoft Graph API explorer to set the flag ***SkipOutOfScopeDeletions*** that controls the processing of accounts that go out of scope.
20-
* If ***SkipOutOfScopeDeletions*** is set to 0 (false), accounts that go out of scope will be disabled in the target.
21-
* If ***SkipOutOfScopeDeletions*** is set to 1 (true), accounts that go out of scope won't be disabled in the target. This flag is set at the *Provisioning App* level and can be configured using the Graph API.
20+
* If ***SkipOutOfScopeDeletions*** is set to 0 (false), accounts that go out of scope are disabled in the target.
21+
* If ***SkipOutOfScopeDeletions*** is set to 1 (true), accounts that go out of scope aren't disabled in the target. This flag is set at the *Provisioning App* level and can be configured using the Graph API.
2222

23-
Because this configuration is widely used with the *Workday to Active Directory user provisioning* app, the following steps include screenshots of the Workday application. However, the configuration can also be used with *all other apps*, such as ServiceNow, Salesforce, and Dropbox and [cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-configure.md). Note that in order to successfully complete this procedure you must have first set up app provisioning for the app. Each app has its own configuration article. For example, to configure the Workday application, see [Tutorial: Configure Workday to Azure AD user provisioning](../saas-apps/workday-inbound-cloud-only-tutorial.md).
23+
Because this configuration is widely used with the *Workday to Active Directory user provisioning* app, the following steps include screenshots of the Workday application. However, the configuration can also be used with *all other apps*, such as ServiceNow, Salesforce, and Dropbox and [cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-configure.md). To successfully complete this procedure, you must have first set up app provisioning for the app. Each app has its own configuration article. For example, to configure the Workday application, see [Tutorial: Configure Workday to Azure AD user provisioning](../saas-apps/workday-inbound-cloud-only-tutorial.md).
2424

2525
## Step 1: Retrieve your Provisioning App Service Principal ID (Object ID)
2626

27-
1. Launch the [Azure portal](https://portal.azure.com), and navigate to the Properties section of your provisioning application. For e.g. if you want to export your *Workday to AD User Provisioning application* mapping navigate to the Properties section of that app.
28-
1. In the Properties section of your provisioning app, copy the GUID value associated with the *Object ID* field. This value is also called the **ServicePrincipalId** of your App and it will be used in Graph Explorer operations.
27+
1. Launch the [Azure portal](https://portal.azure.com), and navigate to the Properties section of your provisioning application. For example, if you want to export your *Workday to AD User Provisioning application* mapping navigate to the Properties section of that app.
28+
1. In the Properties section of your provisioning app, copy the GUID value associated with the *Object ID* field. This value is also called the **ServicePrincipalId** of your app and it's used in Graph Explorer operations.
2929

3030
![Screenshot of Workday App Service Principal ID.](./media/skip-out-of-scope-deletions/wd_export_01.png)
3131

@@ -36,7 +36,7 @@ Because this configuration is widely used with the *Workday to Active Directory
3636

3737
![Screenshot of Microsoft Graph Explorer Sign-in.](./media/skip-out-of-scope-deletions/wd_export_02.png)
3838

39-
1. Upon successful sign-in, you'll see the user account details in the left-hand pane.
39+
1. Upon successful sign-in, the user account details appear in the left-hand pane.
4040

4141
## Step 3: Get existing app credentials and connectivity details
4242

@@ -48,7 +48,7 @@ In the Microsoft Graph Explorer, run the following GET query replacing [serviceP
4848

4949
![Screenshot of GET job query.](./media/skip-out-of-scope-deletions/skip-03.png)
5050

51-
Copy the Response into a text file. It will look like the JSON text shown below, with values highlighted in yellow specific to your deployment. Add the lines highlighted in green to the end and update the Workday connection password highlighted in blue.
51+
Copy the Response into a text file. It looks like the JSON text shown, with values highlighted in yellow specific to your deployment. Add the lines highlighted in green to the end and update the Workday connection password highlighted in blue.
5252

5353
![Screenshot of GET job response.](./media/skip-out-of-scope-deletions/skip-04.png)
5454

@@ -63,9 +63,9 @@ Here's the JSON block to add to the mapping.
6363

6464
## Step 4: Update the secrets endpoint with the SkipOutOfScopeDeletions flag
6565

66-
In the Graph Explorer, run the command below to update the secrets endpoint with the ***SkipOutOfScopeDeletions*** flag.
66+
In the Graph Explorer, run the command to update the secrets endpoint with the ***SkipOutOfScopeDeletions*** flag.
6767

68-
In the URL below replace [servicePrincipalId] with the **ServicePrincipalId** extracted from the [Step 1](#step-1-retrieve-your-provisioning-app-service-principal-id-object-id).
68+
In the URL, replace [servicePrincipalId] with the **ServicePrincipalId** extracted from the [Step 1](#step-1-retrieve-your-provisioning-app-service-principal-id-object-id).
6969

7070
```http
7171
PUT https://graph.microsoft.com/beta/servicePrincipals/[servicePrincipalId]/synchronization/secrets
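Review bot: "run the command to update the secrets endpoint" and "In the URL, replace" lost their referent when "below" was dropped; "run the following command" and "In the following URL, replace" keep the pointer to the http block that follows. Also "extracted from the [Step 1]" should be "extracted in [Step 1]".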
@@ -82,11 +82,11 @@ You should get the output as "Success – Status Code 204". If you receive an er
8282

8383
## Step 5: Verify that out of scope users don’t get disabled
8484

85-
You can test this flag results in expected behavior by updating your scoping rules to skip a specific user. In the example below, we're excluding the employee with ID 21173 (who was earlier in scope) by adding a new scoping rule:
85+
You can test this flag results in expected behavior by updating your scoping rules to skip a specific user. In the example, we're excluding the employee with ID 21173 (who was earlier in scope) by adding a new scoping rule:
8686

8787
![Screenshot that shows the "Add Scoping Filter" section with an example user highlighted.](./media/skip-out-of-scope-deletions/skip-07.png)
8888

89-
In the next provisioning cycle, the Azure AD provisioning service will identify that the user 21173 has gone out of scope and if the SkipOutOfScopeDeletions property is enabled, then the synchronization rule for that user will display a message as shown below:
89+
In the next provisioning cycle, the Azure AD provisioning service identifies that the user 21173 has gone out of scope. If the `SkipOutOfScopeDeletions` property is enabled, then the synchronization rule for that user displays a message as shown:
9090

9191
![Screenshot of scoping example.](./media/skip-out-of-scope-deletions/skip-08.png)
9292
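Review bot: "You can test this flag results in expected behavior" is missing "that" and is unchanged in this hunk: "You can test that this flag produces the expected behavior". In the second edited line, "displays a message as shown:" again dangles after "below" was removed; "displays the following message:" points at the screenshot that follows.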

articles/active-directory/authentication/concept-authentication-phone-options.md

Lines changed: 12 additions & 0 deletions
@@ -16,6 +16,7 @@ ms.collection: M365-identity-device-management
1616

1717
# Customer intent: As an identity administrator, I want to understand how to use phone authentication methods in Azure AD to improve and secure user sign-in events.
1818
---
19+
1920
# Authentication methods in Azure Active Directory - phone options
2021

2122
For direct authentication using text message, you can [Configure and enable users for SMS-based authentication](howto-authentication-sms-signin.md). SMS-based sign-in is great for Frontline workers. With SMS-based sign-in, users don't need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface.
@@ -84,6 +85,12 @@ If you have problems with phone authentication for Azure AD, review the followin
8485
* Have the user attempt to log in using a wi-fi connection by installing the Authenticator app.
8586
* Or, use SMS authentication instead of phone (voice) authentication.
8687

88+
* Phone number is blocked and unable to be used for Voice MFA
89+
90+
- There are a few country codes blocked for voice MFA unless your Azure AD administrator has opted in for those country codes. Have your Azure AD administrator opt-in to receive MFA for those country codes.
91+
92+
- Or, use Microsoft Authenticator instead of voice authentication.
93+
8794
## Next steps
8895

8996
To get started, see the [tutorial for self-service password reset (SSPR)][tutorial-sspr] and [Azure AD Multi-Factor Authentication][tutorial-azure-mfa].
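Review bot: the new troubleshooting entry uses "-" for its sub-bullets under a "*" list, and "opt-in" is used as a verb ("Have your Azure AD administrator opt-in"); as a verb it is "opt in". "unable to be used for Voice MFA" also reads better as "can't be used for voice MFA". More usefully, the entry tells the administrator to opt in to the blocked country codes but neither says nor links to where that setting is configured; a link would make the item actionable.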
@@ -96,6 +103,11 @@ Learn more about configuring authentication methods using the [Microsoft Graph R
96103

97104
<!-- INTERNAL LINKS -->
98105
[tutorial-sspr]: tutorial-enable-sspr.md
106+
99107
[tutorial-azure-mfa]: tutorial-enable-azure-mfa.md
108+
100109
[concept-sspr]: concept-sspr-howitworks.md
110+
101111
[concept-mfa]: concept-mfa-howitworks.md
112+
113+
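Review bot: the blank lines inserted between the link reference definitions and the two added blank lines at end of file look incidental rather than intended; markdown linting usually flags multiple trailing blank lines, so one trailing newline is enough.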

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

Lines changed: 1 addition & 0 deletions
@@ -50,6 +50,7 @@ Combined registration supports the authentication methods and actions in the fol
5050
| FIDO2 security keys*| Yes | No | Yes |
5151

5252
> [!NOTE]
53+
> <b>Microsoft Authenticator</b> if the authentication mode set in policy for Microsoft Authenticator is passwordless, users will need to enable passwordless sign-in from within the Microsoft Authenticator app. Learn more on [user regsitration of passwordless phone sign-in here.](../authentication/howto-authentication-passwordless-phone.md#user-registration). <br />
5354
> <b>Alternate phone</b> can only be registered in *manage mode* on the [Security info](https://mysignins.microsoft.com/security-info) page and requires Voice calls to be enabled in the Authentication methods policy. <br />
5455
> <b>Office phone</b> can only be registered in *Interrupt mode* if the users *Business phone* property has been set. Office phone can be added by users in *Managed mode from the [Security info](https://mysignins.microsoft.com/security-info)* without this requirement. <br />
5556
> <b>App passwords</b> are available only to users who have been enforced for per-user MFA. App passwords aren't available to users who are enabled for Azure AD Multi-Factor Authentication by a Conditional Access policy. <br />
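Review bot: the added Microsoft Authenticator line has a typo ("regsitration" for "registration"), puts the sentence period inside the link text ("...phone sign-in here.]"), and uses "users will need to" where the neighbouring notes and the rest of this PR use present tense ("users need to"). It also runs the bold term straight into the condition ("<b>Microsoft Authenticator</b> if the authentication mode..."); the other lines in this note use the form "<b>Term</b> can only be...", so a colon after the term, or "For <b>Microsoft Authenticator</b>, if...", would match.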
