Merge pull request #193567 from MicrosoftDocs/main

3/31 AM Publish

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -10779,6 +10779,11 @@
       "source_path": "articles/active-directory/manage-apps/get-it-now-azure-marketplace.md",
       "redirect_url": "/azure/active-directory/manage-apps/add-application-portal",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.md",
+      "redirect_url": "/azure/active-directory/manage-apps/tutorial-manage-certificates-for-federated-single-sign-on",
+      "redirect_document_id": false
     }
 
   ]

.openpublishing.redirection.json

@@ -27798,6 +27798,11 @@
       "redirect_url": "/azure/storsimple/storsimple-virtual-array-update-06-release-notes",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/private-5g-core/activate-sims.md",
+      "redirect_url": "/azure/private-5g-core/provision-sims-azure-portal",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/azure-resource-manager/resource-manager-template-lock.md",
       "redirect_url": "/azure/templates/microsoft.authorization/locks",

articles/active-directory/hybrid/tshoot-connect-connectivity.md

@@ -26,7 +26,7 @@ This article explains how connectivity between Azure AD Connect and Azure AD wor
 Azure AD Connect uses the MSAL library for authentication. The installation wizard and the sync engine proper require machine.config to be properly configured since these two are .NET applications.
 
 >[!NOTE]
->Azure AD Connect v1.6.xx.x uses the ADAL library.  The ADAL library is being depricated and support will end in June 2022.  Microsot recommendeds that you upgrade to the latest version of [Azure AD Connect v2](whatis-azure-ad-connect-v2.md).
+>Azure AD Connect v1.6.xx.x uses the ADAL library.  The ADAL library is being depricated and support will end in June 2022.  Microsoft recommends that you upgrade to the latest version of [Azure AD Connect v2](whatis-azure-ad-connect-v2.md).
 
 In this article, we show how Fabrikam connects to Azure AD through its proxy. The proxy server is named fabrikamproxy and is using port 8080.
 

articles/active-directory/manage-apps/toc.yml

@@ -26,6 +26,8 @@
       href: tutorial-manage-access-security.md
     - name: Govern and monitor
       href: tutorial-govern-monitor.md
+    - name: Manage certificates
+      href: tutorial-manage-certificates-for-federated-single-sign-on.md 
   - name: Samples
     items: 
     - name: Overview of App Management samples
@@ -53,8 +55,6 @@
         href: what-is-access-management.md
       - name: Certificate signing options
         href: certificate-signing-options.md
-      - name: Manage certificates
-        href: manage-certificates-for-federated-single-sign-on.md 
       - name: Tenant restrictions
         href: tenant-restrictions.md
       - name: Configure SAML token encryption

articles/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.md renamed to articles/active-directory/manage-apps/tutorial-manage-certificates-for-federated-single-sign-on.md

@@ -1,39 +1,39 @@
 ---
-title: Manage federation certificates
-description: Learn how to customize the expiration date for your federation certificates, and how to renew certificates that will soon expire.
+title: "Tutorial: Manage federation certificates"
+description: In this tutorial, you'll learn how to customize the expiration date for your federation certificates, and how to renew certificates that will soon expire.
 titleSuffix: Azure AD
 services: active-directory
 author: davidmu1
 manager: CelesteDG
 ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
-ms.topic: conceptual
-ms.date: 04/04/2019
+ms.topic: tutorial
+ms.date: 03/31/2022
 ms.author: davidmu
-ms.reviewer: saumadan
+ms.reviewer: jeedes
 ms.collection: M365-identity-device-management
+
+#customer intent: As an admin of an application, I want to learn how to manage federated SAML certificates by customizing expiration dates and renewing certificates.
 ---
 
-# Manage certificates for federated single sign-on
+# Tutorial: Manage certificates for federated single sign-on
 
 In this article, we cover common questions and information related to certificates that Azure Active Directory (Azure AD) creates to establish federated single sign-on (SSO) to your software as a service (SaaS) applications. Add applications from the Azure AD app gallery or by using a non-gallery application template. Configure the application by using the federated SSO option.
 
-This article is relevant only to apps that are configured to use Azure AD SSO through [Security Assertion Markup Language](https://wikipedia.org/wiki/Security_Assertion_Markup_Language) (SAML) federation.
+This tutorial is relevant only to apps that are configured to use Azure AD SSO through [Security Assertion Markup Language](https://wikipedia.org/wiki/Security_Assertion_Markup_Language) (SAML) federation.
 
 ## Auto-generated certificate for gallery and non-gallery applications
 
 When you add a new application from the gallery and configure a SAML-based sign-on (by selecting **Single sign-on** > **SAML** from the application overview page), Azure AD generates a certificate for the application that is valid for three years. To download the active certificate as a security certificate (**.cer**) file, return to that page (**SAML-based sign-on**) and select a download link in the **SAML Signing Certificate** heading. You can choose between the raw (binary) certificate or the Base64 (base 64-encoded text) certificate. For gallery applications, this section might also show a link to download the certificate as federation metadata XML (an **.xml** file), depending on the requirement of the application.
 
-![SAML active signing certificate download options](./media/manage-certificates-for-federated-single-sign-on/active-certificate-download-options.png)
-
 You can also download an active or inactive certificate by selecting the **SAML Signing Certificate** heading's **Edit** icon (a pencil), which displays the **SAML Signing Certificate** page. Select the ellipsis (**...**) next to the certificate you want to download, and then choose which certificate format you want. You have the additional option to download the certificate in privacy-enhanced mail (PEM) format. This format is identical to Base64 but with a **.pem** file name extension, which isn't recognized in Windows as a certificate format.
 
-![SAML signing certificate download options (active and inactive)](./media/manage-certificates-for-federated-single-sign-on/all-certificate-download-options.png)
+:::image type="content" source="media/manage-certificates-for-federated-single-sign-on/all-certificate-download-options.png" alt-text="SAML signing certificate download options (active and inactive).":::
 
 ## Customize the expiration date for your federation certificate and roll it over to a new certificate
 
-By default, Azure configures a certificate to expire after three years when it is created automatically during SAML single sign-on configuration. Because you can't change the date of a certificate after you save it, you have to:
+By default, Azure configures a certificate to expire after three years when it's created automatically during SAML single sign-on configuration. Because you can't change the date of a certificate after you save it, you have to:
 
 1. Create a new certificate with the desired date.
 1. Save the new certificate.
@@ -48,16 +48,18 @@ The following two sections help you perform these steps.
 First, create and save new certificate with a different expiration date:
 
 1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/). The **Azure Active Directory admin center** page appears.
-1. In the left pane, select **Enterprise applications**. A list of the enterprise applications in your account appears.
-1. Select the affected application. An overview page for the application appears.
-1. In the left pane of the application overview page, select **Single sign-on**.
+1. Select **Enterprise applications**.
+1. From the list of applications, select your desired application.
+1. Under the **Manage** section, select **Single sign-on**.
 1. If the **Select a single sign-on method** page appears, select **SAML**.
-1. In the **Set up Single Sign-On with SAML - Preview** page, find the **SAML Signing Certificate** heading and select the **Edit** icon (a pencil). The **SAML Signing Certificate** page appears, which displays the status (**Active** or **Inactive**), expiration date, and thumbprint (a hash string) of each certificate.
+1. In the **Set up Single Sign-On with SAML** page, find the **SAML Signing Certificate** heading and select the **Edit** icon (a pencil). The **SAML Signing Certificate** page appears, which displays the status (**Active** or **Inactive**), expiration date, and thumbprint (a hash string) of each certificate.
 1. Select **New Certificate**. A new row appears below the certificate list, where the expiration date defaults to exactly three years after the current date. (Your changes haven't been saved yet, so you can still modify the expiration date.)
 1. In the new certificate row, hover over the expiration date column and select the **Select Date** icon (a calendar). A calendar control appears, displaying the days of a month of the new row's current expiration date.
 1. Use the calendar control to set a new date. You can set any date between the current date and three years after the current date.
-1. Select **Save**. The new certificate now appears with a status of **Inactive**, the expiration date that you chose, and a thumbprint. **Note**- When you have an existing certificate that is already expired and you generate a new certificate, the new certificate will be considered for signing tokens, even though you have not activated it yet.
-1. Select the **X** to return to the **Set up Single Sign-On with SAML - Preview** page.
+1. Select **Save**. The new certificate now appears with a status of **Inactive**, the expiration date that you chose, and a thumbprint. 
+   > [!NOTE]
+   > When you have an existing certificate that is already expired and you generate a new certificate, the new certificate will be considered for signing tokens, even though you haven't activated it yet.
+1. Select the **X** to return to the **Set up Single Sign-On with SAML** page.
 
 ### Upload and activate a certificate
 
@@ -73,7 +75,7 @@ Next, download the new certificate in the correct format, upload it to the appli
 1. When you want to roll over to the new certificate, go back to the **SAML Signing Certificate** page, and in the newly saved certificate row, select the ellipsis (**...**) and select **Make certificate active**. The status of the new certificate changes to **Active**, and the previously active certificate changes to a status of **Inactive**.
 1. Continue following the application's SAML sign-on configuration instructions that you displayed earlier, so that you can upload the SAML signing certificate in the correct encoding format.
 
-If your application does not have any validation for the certificate's expiration, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Please ensure your application can validate the certificate's expiration date.
+If your application doesn't have any validation for the certificate's expiration, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Ensure your application can validate the certificate's expiration date.
 
 ## Add email notification addresses for certificate expiration
 
@@ -85,9 +87,9 @@ Azure AD will send an email notification 60, 30, and 7 days before the SAML cert
 1. For each email address you want to delete, select the **Delete** icon (a garbage can) next to the email address.
 1. Select **Save**.
 
-You can add up to 5 email addresses to the Notification list (including the email address of the admin who added the application). If you need more people to be notified, use the distribution list emails.
+You can add up to five email addresses to the Notification list (including the email address of the admin who added the application). If you need more people to be notified, use the distribution list emails.
 
-You will receive the notification email from [email protected]. To avoid the email going to your spam location, add this email to your contacts.
+You'll receive the notification email from [email protected]. To avoid the email going to your spam location, add this email to your contacts.
 
 ## Renew a certificate that will soon expire
 
@@ -103,7 +105,7 @@ If a certificate is about to expire, you can renew it using a procedure that res
 1. Before the old certificate expires, follow the instructions in the [Upload and activate a certificate](#upload-and-activate-a-certificate) section earlier. If your application certificate isn't updated after a new certificate is updated in Azure Active Directory, authentication on your app may fail.
 1. Sign in to the application to make sure that the certificate works correctly.
 
-If your application does not validate the certificate expiration configured in Azure Active Directory, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Please ensure your application can validate certificate expiration.
+If your application doesn't validate the certificate expiration configured in Azure Active Directory, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Ensure your application can validate certificate expiration.
 
 ## Related articles
 

articles/active-directory/reports-monitoring/recommendation-migrate-apps-from-adfs-to-azure-ad.md

@@ -0,0 +1,63 @@
+---
+title: Azure Active Directory recommendation - Migrate apps from ADFS to Azure AD in Azure AD | Microsoft Docs
+description: Learn why you should migrate apps from ADFS to Azure AD in Azure AD
+services: active-directory
+documentationcenter: ''
+author: MarkusVi
+manager: karenhoran
+editor: ''
+
+ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e
+ms.service: active-directory
+ms.topic: reference
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.subservice: report-monitor
+ms.date: 03/31/2022
+ms.author: markvi
+ms.reviewer: hafowler
+
+ms.collection: M365-identity-device-management
+---
+
+# Azure AD recommendation: Migrate apps from ADFS to Azure AD 
+
+[Azure AD recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.
+
+
+This article covers the recommendation to migrate apps from ADFS to Azure AD. 
+
+
+## Description
+
+As an admin responsible for managing applications, I want my applications to use Azure AD’s security features and maximize their value. 
+
+
+
+
+## Logic 
+
+If a tenant has apps on AD FS, and any of these apps are deemed 100% migratable, this recommendation shows up. 
+
+## Value 
+
+Using Azure AD gives you granular per-application access controls to secure access to applications. With Azure AD's B2B collaboration, you can increase user productivity. Automated app provisioning automates the user identity lifecycle in cloud SaaS apps such as Dropbox, Salesforce and more. 
+
+## Action plan
+
+1. [Install Azure AD Connect Health](../hybrid/how-to-connect-install-roadmap.md) on your AD FS server. Azure AD Connect Health installation. 
+
+2. [Review the AD FS application activity report](../manage-apps/migrate-adfs-application-activity.md) to get insights about your AD FS applications. 
+
+3. Read the solution guide for [migrating applications to Azure AD](../manage-apps/migrate-adfs-apps-to-azure.md). 
+
+4. Migrate applications to Azure AD. For more information, use [the deployment plan for enabling single sign-on](https://go.microsoft.com/fwlink/?linkid=2110877&clcid=0x409).
+ 
+
+ 
+
+## Next steps
+
+- [What is Azure Active Directory recommendations](overview-recommendations.md)
+
+- [Azure AD reports overview](overview-reports.md)

articles/active-directory/reports-monitoring/recommendation-convert-to-conditional-access-mfa.md renamed to articles/active-directory/reports-monitoring/recommendation-turn-off-per-user-mfa.md

@@ -1,6 +1,6 @@
 ---
-title: Azure Active Directory recommendation - Convert from per-user MFA to conditional access MFA in Azure AD | Microsoft Docs
-description: Learn why you should convert from per-user MFA to conditional access MFA in Azure AD
+title: Azure Active Directory recommendation - Turn off per user MFA in Azure AD | Microsoft Docs
+description: Learn why you should turn off per user MFA in Azure AD
 services: active-directory
 documentationcenter: ''
 author: MarkusVi
@@ -13,19 +13,19 @@ ms.topic: reference
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 03/21/2022
+ms.date: 03/31/2022
 ms.author: markvi
 ms.reviewer: hafowler
 
 ms.collection: M365-identity-device-management
 ---
 
-# Azure AD recommendation: Convert from per-user MFA to conditional access MFA 
+# Azure AD recommendation: Turn off per user MFA 
 
 [Azure AD recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.
 
 
-This article covers the recommendation to convert from per-user MFA to conditional access MFA. 
+This article covers the recommendation to turn off per user MFA. 
 
 
 ## Description

articles/active-directory/reports-monitoring/toc.yml

@@ -140,9 +140,13 @@
       href: workbook-sensitive-operations-report.md
 - name: Recommendations
   items:
+    - name: Convert to conditional access MFA
+      href: recommendation-turn-off-per-user-mfa.md
     - name: Integrate your third party apps
       href: recommendation-integrate-third-party-apps.md
-    - name: Minimize MFA prompts from known devices
-      href: recommendation-mfa-from-known-devices.md
     - name: Migrate to Microsoft authenticator
-      href: recommendation-migrate-to-authenticator.md
+      href: recommendation-migrate-to-authenticator.md
+    - name: Migrate apps from AD FS to Azure AD
+      href: recommendation-migrate-apps-from-adfs-to-azure-ad.md
+    - name: Minimize MFA prompts from known devices
+      href: recommendation-mfa-from-known-devices.md

articles/app-service/app-service-web-tutorial-custom-domain.md

@@ -25,7 +25,7 @@ In this tutorial, you learn how to:
 ## 1. Prepare your environment
 
 * [Create an App Service app](./index.yml), or use an app that you created for another tutorial. The web app's [App Service plan](overview-hosting-plans.md) must be a paid tier and not **Free (F1)**. See [Scale up an app](manage-scale-up.md#scale-up-your-pricing-tier) to update the tier.
-* Make sure you can edit DNS records for your custom domain. To edit DNS records, you need access to the DNS registry for your domain provider, such as GoDaddy. For example, to add DNS entries for `contoso.com` and `www.contoso.com`, you must be able to configure the DNS settings for the `contoso.com` root domain.
+* Make sure you can edit the DNS records for your custom domain. To edit DNS records, you need access to the DNS registry for your domain provider, such as GoDaddy. For example, to add DNS entries for `contoso.com` and `www.contoso.com`, you must be able to configure the DNS settings for the `contoso.com` root domain. Your custom domains must be in a public DNS zone; private DNS zone is only supported on Internal Load Balancer (ILB) App Service Environment (ASE).
 * If you don't have a custom domain yet, you can [purchase an App Service domain](manage-custom-dns-buy-domain.md).
 
 ## 2. Get a domain verification ID