Merge pull request #203833 from MicrosoftDocs/main

7/05 PM Publish

Author: huypub

.openpublishing.publish.config.json

@@ -931,6 +931,12 @@
       "url": "https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples",
       "branch": "v3",
       "branch_mapping": {}
+    },
+    {
+      "path_to_root": "azure-cosmos-mongodb-dotnet",
+      "url": "https://github.com/Azure-Samples/cosmos-db-mongodb-api-dotnet-samples",
+      "branch": "quickstart-test",
+      "branch_mapping": {}
     }
   ],
   "branch_target_mapping": {

.openpublishing.redirection.defender-for-iot.json

@@ -1,5 +1,10 @@
 {
     "redirections": [
+        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/plan-network-monitoring.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/best-practices/plan-network-monitoring",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-identify-required-appliances.md",
             "redirect_url": "/azure/defender-for-iot/organizations/ot-appliance-sizing",

articles/active-directory-domain-services/concepts-forest-trust.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 06/07/2021
+ms.date: 07/05/2022
 ms.author: justinha
 ---
 
@@ -280,11 +280,8 @@ Administrators can use *Active Directory Domains and Trusts*, *Netdom* and *Nlte
 
 ## Next steps
 
-To learn more about forest trusts, see [How do forest trusts work in Azure AD DS?][concepts-trust]
-
 To get started with creating a managed domain with a forest trust, see [Create and configure an Azure AD DS managed domain][tutorial-create-advanced]. You can then [Create an outbound forest trust to an on-premises domain][create-forest-trust].
 
 <!-- LINKS - INTERNAL -->
-[concepts-trust]: concepts-forest-trust.md
 [tutorial-create-advanced]: tutorial-create-instance-advanced.md
 [create-forest-trust]: tutorial-create-forest-trust.md

articles/active-directory/app-provisioning/media/provision-on-demand/on-demand-provision-user.png

@@ -7,7 +7,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/17/2021
+ms.date: 07/05/2022
 ms.author: billmath
 ms.reviewer: arvinh
 ---
@@ -27,7 +27,6 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
 To provision users to SCIM-enabled apps:
 
  1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM endpoint is hosted on.
- 1. Copy the agent onto the virtual machine or server that your SCIM endpoint is hosted on.
  1. Open the provisioning agent installer, agree to the terms of service, and select **Install**.
  1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable.
  1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.

articles/active-directory/app-provisioning/media/provision-on-demand/success-on-demand-provision.png

@@ -1,5 +1,5 @@
 ---
-title: Provision a user on demand by using Azure Active Directory
+title: Provision a user or group on demand using the Azure Active Directory provisioning service
 description: Learn how to provision users on demand in Azure Active Directory.
 services: active-directory
 author: kenwith
@@ -8,13 +8,13 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
 ms.topic: how-to
-ms.date: 03/09/2022
+ms.date: 06/30/2022
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
 
 # On-demand provisioning in Azure Active Directory
-Use on-demand provisioning to provision a user into an application in seconds. Among other things, you can use this capability to:
+Use on-demand provisioning to provision a user or group in seconds. Among other things, you can use this capability to:
 
 * Troubleshoot configuration issues quickly.
 * Validate expressions that you've defined.
@@ -27,15 +27,16 @@ Use on-demand provisioning to provision a user into an application in seconds. A
 1. Select your application, and then go to the provisioning configuration page.
 1. Configure provisioning by providing your admin credentials.
 1. Select **Provision on demand**.
-1. Search for a user by first name, last name, display name, user principal name, or email address.
+1. Search for a user by first name, last name, display name, user principal name, or email address. Alternatively, you can search for a group and pick up to 5 users. 
    > [!NOTE]
    > For Cloud HR provisioning app (Workday/SuccessFactors to AD/Azure AD), the input value is different. 
    > For Workday scenario, please provide "WorkerID" or "WID" of the user in Workday. 
    > For SuccessFactors scenario, please provide "personIdExternal" of the user in SuccessFactors. 
  
 1. Select **Provision** at the bottom of the page.
 
-:::image type="content" source="media/provision-on-demand/on-demand-provision-user.jpg" alt-text="Screenshot that shows the Azure portal UI for provisioning a user on demand.":::
+:::image type="content" source="media/provision-on-demand/on-demand-provision-user.png" alt-text="Screenshot that shows the Azure portal UI for provisioning a user on demand." lightbox="media/provision-on-demand/on-demand-provision-user.png":::
+
 
 ## Understand the provisioning steps
 
@@ -121,7 +122,7 @@ Finally, the provisioning service takes an action, such as creating, updating, d
 
 Here's an example of what you might see after the successful on-demand provisioning of a user:
 
-:::image type="content" source="media/provision-on-demand/success-on-demand-provision.jpg" alt-text="Screenshot that shows the successful on-demand provisioning of a user.":::
+:::image type="content" source="media/provision-on-demand/success-on-demand-provision.png" alt-text="Screenshot that shows the successful on-demand provisioning of a user." lightbox="media/provision-on-demand/success-on-demand-provision.png":::
 
 #### View details
 
@@ -130,6 +131,7 @@ The **View details** section displays the attributes that were modified in the t
 #### Troubleshooting tips
 
 * Failures for exporting changes can vary greatly. Check the [documentation for provisioning logs](../reports-monitoring/concept-provisioning-logs.md#error-codes) for common failures.
+* On-demand provisioning says the group or user can't be provisioned because they're not assigned to the application. Note that there is a replicate delay of up to a few minutes between when an object is assigned to an application and that assignment being honored by on-demand provisioning. You may need to wait a few minutes and try again.  
 
 ## Frequently asked questions
 
@@ -145,9 +147,9 @@ There are currently a few known limitations to on-demand provisioning. Post your
 > The following limitations are specific to the on-demand provisioning capability. For information about whether an application supports provisioning groups, deletions, or other capabilities, check the tutorial for that application.
 
 * Amazon Web Services (AWS) application does not support on-demand provisioning. 
-* On-demand provisioning of groups and roles isn't supported.
+* On-demand provisioning of groups supports updating up to 5 members at a time
+* On-demand provisioning of roles isn't supported.
 * On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users won't appear when you search for a user.
-* Provisioning multiple roles on a user isn't supported by on-demand provisioning. 
 
 ## Next steps
 

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: conceptual
-ms.date: 02/15/2022
+ms.date: 07/05/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -63,7 +63,7 @@ Before configuring device identities in Azure AD for your VDI environment, famil
 
 <sup>2</sup> **Windows down-level** devices represent Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. For support information on Windows 7, see [Support for Windows 7 is ending](https://www.microsoft.com/microsoft-365/windows/end-of-windows-7-support). For support information on Windows Server 2008 R2, see [Prepare for Windows Server 2008 end of support](https://www.microsoft.com/cloud-platform/windows-server-2008).
 
-<sup>3</sup> A **Federated** identity infrastructure environment represents an environment with an identity provider such as AD FS or other third-party IDP.
+<sup>3</sup> A **Federated** identity infrastructure environment represents an environment with an identity provider such as AD FS or other third-party IDP. In a federated identity infrastructure environment, computers follow the [managed device registration flow](device-registration-how-it-works.md#hybrid-azure-ad-joined-in-managed-environments) based on the [AD Service Connection Point (SCP) settings](hybrid-azuread-join-manual.md#configure-a-service-connection-point).
 
 <sup>4</sup> A **Managed** identity infrastructure environment represents an environment with Azure AD as the identity provider deployed with either [password hash sync (PHS)](../hybrid/whatis-phs.md) or [pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md) with [seamless single sign-on](../hybrid/how-to-connect-sso.md).
 

articles/active-directory/app-provisioning/provision-on-demand.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: tutorial
-ms.date: 02/15/2022
+ms.date: 07/05/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -66,6 +66,8 @@ After these configurations are complete, follow the guidance to [verify registra
 
 Your devices use a service connection point (SCP) object during the registration to discover Azure AD tenant information. In your on-premises Active Directory instance, the SCP object for the hybrid Azure AD joined devices must exist in the configuration naming context partition of the computer's forest. There's only one configuration naming context per forest. In a multi-forest Active Directory configuration, the service connection point must exist in all forests that contain domain-joined computers.
 
+The SCP object contains two keywords values – `azureADid:<TenantID>` and `azureADName:<verified domain>`. The `<verified domain>` value in the `azureADName` keyword dictates the type of the device registration flow (federated or managed) the device will follow after reading the SCP value from your on-premises Active Directory instance. More about the managed and federated flows can be found in the article [How Azure AD device registration works](device-registration-how-it-works.md).    
+
 You can use the [**Get-ADRootDSE**](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617246(v=technet.10)) cmdlet to retrieve the configuration naming context of your forest.  
 
 For a forest with the Active Directory domain name *fabrikam.com*, the configuration naming context is:

articles/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure.md

@@ -7,21 +7,25 @@ manager: karenhoran
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 09/04/2019
+ms.date: 06/30/2022
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 # What is the Azure AD Connect Admin Agent? 
+
+>[!NOTE]
+>The Azure AD Connect Admin Agent is no longer part of the Azure AD Connect installation and cannot be used with Azure AD Connect versions 2.1.12.0 and newer.
+
 The Azure AD Connect Administration Agent is a new component of Azure Active Directory Connect that can be installed on an Azure Active Directory Connect server. It is used to collect specific data from your Active Directory environment that helps a Microsoft support engineer to troubleshoot issues when you open a support case. 
 
 >[!NOTE]
 >The admin agent is not installed and enabled by default.  You must install the agent in order to collect data to assist with support cases.
 
-When installed, the Azure AD Connect Administration Agent waits for specific requests for data from Azure Active Directory, gets the requested data from the sync environment and sends it to Azure Active Directory, where it is presented to the Microsoft support engineer. 
+The Azure AD Connect Administration Agent waits for specific requests for data from Azure Active Directory.  The agent then takes the requested data from the sync environment and sends it to Azure AD, where it is presented to the Microsoft support engineer. 
 
-The information that the Azure AD Connect Administration Agent retrieves from your environment is not stored in any way - it is only displayed to the Microsoft support engineer to assist them in investigating and troubleshooting the Azure Active Directory Connect related support case that you opened 
+The information that the Azure AD Connect Administration Agent retrieves from your environment is not stored.  The information is only displayed to the Microsoft support engineer to assist them in investigating and troubleshooting the Azure Active Directory Connect related support case. 
 The Azure AD Connect Administration Agent is not installed on the Azure AD Connect Server by default. 
 
 ## Install the Azure AD Connect Administration Agent on the Azure AD Connect server 
@@ -32,25 +36,30 @@ Prerequisites:
 
 ![admin agent](media/whatis-aadc-admin-agent/adminagent0.png)
 
-The Azure AD Connect Administration Agent binaries are placed in the AAD Connect server. To install the agent, do the following:
+The Azure AD Connect Administration Agent binaries are placed in the Azure AD Connect server. To install the agent, use the following steps:
 
-1.    Open powershell in admin mode
+1.    Open PowerShell in admin mode
 2.    Navigate to the directory where the application is located cd "C:\Program Files\Microsoft Azure Active Directory Connect\Tools"
 3.    Run ConfigureAdminAgent.ps1
 
-When prompted, please enter your Azure AD global admin credentials. This should be the same credentials entered during Azure AD Connect installation.
+When prompted, please enter your Azure AD global admin credentials. These credentials should be the same credentials entered during Azure AD Connect installation.
 
 After the agent is installed, you'll see the following two new programs in the "Add/Remove Programs" list in the Control Panel of your server: 
 
 ![Screenshot that shows the Add/Remove Programs list that includes the new programs you added.](media/whatis-aadc-admin-agent/adminagent1.png)
 
 ## What data in my Sync service is shown to the Microsoft service engineer? 
-When you open a support case  the Microsoft Support Engineer can see, for a given user, the relevant data in Active Directory, the Active Directory connector space in the Azure Active Directory Connect server, the Azure Active Directory connector space in the Azure Active Directory Connect server and the Metaverse in the Azure Active Directory Connect server. 
+When you open a support case, the Microsoft Support Engineer can see, for a given user:
+
+   - the relevant data in Active Directory
+   - the Active Directory connector space in the Azure Active Directory Connect server 
+   - the Azure Active Directory connector space in the Azure Active Directory Connect server
+   - the Metaverse in the Azure Active Directory Connect server. 
 
 The Microsoft Support Engineer cannot change any data in your system and cannot see any passwords. 
 
 ## What if I don't want the Microsoft support engineer to access my data? 
-Once the agent is installed, If you do not want the Microsoft service engineer to access your data for a support call, you can disable the functionality by modifying the service config file as described below: 
+Once the agent is installed, if you do not want the Microsoft service engineer to access your data for a support call, you can disable the functionality by modifying the service config file as described below: 
 
 1. Open **C:\Program Files\Microsoft Azure AD Connect Administration Agent\AzureADConnectAdministrationAgentService.exe.config** in notepad.
 2. Disable **UserDataEnabled** setting as shown below. If **UserDataEnabled** setting exists and is set to true, then set it to false. If the setting does not exist, then add the setting as shown below.    
@@ -68,4 +77,4 @@ Once the agent is installed, If you do not want the Microsoft service engineer t
 ![Screenshot that shows where to restart the Azure AD Administrator Agent service.](media/whatis-aadc-admin-agent/adminagent2.png)
 
 ## Next steps
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md)