Merge pull request #223968 from MicrosoftDocs/main

1/13 PM Publish

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -4381,6 +4381,21 @@
       "redirect_url": "/azure/active-directory/reports-monitoring/reports-faq",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/tutorial-access-api-with-certificates.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/troubleshoot-graph-api.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/concept-reporting-api.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/customize-branding.md",
       "redirect_url": "/azure/active-directory/fundamentals/customize-branding",

.openpublishing.redirection.json

@@ -1,5 +1,15 @@
 {
     "redirections": [
+        {
+            "source_path": "articles/storage/blobs/storage-quickstart-blobs-php.md",
+            "redirect_url": "/previous-versions/azure/storage/blobs/storage-quickstart-blobs-php",
+            "redirect_document_id": false
+        },
+        {
+            "source_path": "articles/storage/blobs/storage-quickstart-blobs-ruby.md",
+            "redirect_url": "/previous-versions/azure/storage/blobs/storage-quickstart-blobs-ruby",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/backup/backup-afs.md",
             "redirect_url": "/azure/backup/backup-azure-files",

articles/active-directory/fundamentals/active-directory-users-profile-azure-portal.md

@@ -84,7 +84,7 @@ The **Stay signed in?** prompt appears after a user successfully signs in. This
 
 The following diagram shows the user sign-in flow for a managed tenant and federated tenant using the KMSI in prompt. This flow contains smart logic so that the **Stay signed in?** option won't be displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device.
 
-KMSI is only available on the default custom branding. It can't be added to language-specific branding. Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the **Show option to remain signed in** option, your users may see other unexpected prompts during the sign-in process.
+KMSI setting is available in User settings. Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the **Show option to remain signed in** option, your users may see other unexpected prompts during the sign-in process.
 
 ![Diagram showing the user sign-in flow for a managed vs. federated tenant](media/customize-branding/kmsi-workflow.png)
 
@@ -106,7 +106,7 @@ Details about the sign-in error are found in the **Sign-in logs** in Azure AD. S
 * **Sign in error code**: 50140
 * **Failure reason**: This error occurred due to "Keep me signed in" interrupt when the user was signing in.
 
-You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the advanced branding settings. This setting disables the KMSI prompt for all users in your Azure AD directory.
+You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the user settings. This setting disables the KMSI prompt for all users in your Azure AD directory.
 
 You also can use the [persistent browser session controls in Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users (such as the global administrators) without affecting sign-in behavior for everyone else in the directory.
 

articles/active-directory/fundamentals/how-to-customize-branding.md

@@ -20,12 +20,25 @@ ms.collection: M365-identity-device-management
 
 When users authenticate into your corporate intranet or web-based applications, Azure Active Directory (Azure AD) provides the identity and access management (IAM) service. You can add company branding that applies to all these sign-in experiences to create a consistent experience for your users.
 
-The updated experience for adding company branding covered in this article is available as an Azure AD preview feature. To opt in and explore the new experience, go to **Azure AD** > **Preview features** and enable the **Enhanced Company Branding** feature.
+The default sign-in experience is the global look and feel that applies across all sign-ins to your tenant. Before you customize any settings, the default Microsoft branding will appear in your sign-in pages. You can customize this default experience with a custom background image or color, favicon, layout, header, and footer. You can also upload a custom CSS.
 
-For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+The updated experience for adding company branding covered in this article is available as an Azure AD preview feature. To opt in and explore the new experience, go to **Azure AD** > **Preview features** and enable the **Enhanced Company Branding** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
 Instructions for the legacy company branding customization process can be found in the [Customize branding](customize-branding.md) article.
 
+## User experience
+
+You can customize the sign-in pages when users access your organization's tenant-specific apps. For Microsoft and SaaS applications (multi-tenant apps) such as <https://myapps.microsoft.com>, or <https://outlook.com> the customized sign-in page appears only after the user types their **Email**, or **Phone**, and select **Next**. 
+
+Some of the Microsoft applications support the home realm discovery `whr` query string parameter, or a domain variable. With the home realm discovery and domain parameter, the customized sign-in page will appear immediately in the first step. 
+
+In the following examples replace the contoso.com with your own tenant name, or verified domain name:
+
+- For Microsoft Outlook `https://outlook.com/contoso.com` 
+- For SharePoint online `https://contoso.sharepoint.com`
+- For my app portal `https://myapps.microsoft.com/?whr=contoso.com` 
+- Self-service password reset `https://passwordreset.microsoftonline.com/?whr=contoso.com`
+
 ## License requirements
 
 Adding custom branding requires one of the following licenses:
@@ -40,10 +53,6 @@ Azure AD Premium editions are available for customers in China using the worldwi
 
 ## Before you begin
 
-You can customize the sign-in pages when users access your organization's tenant-specific apps, such as `https://outlook.com/woodgrove.com`, or when passing a domain variable, such as `https://passwordreset.microsoftonline.com/?whr=woodgrove.com`.
-
-Custom branding appears after users authenticate for the first time. Users that start the sign-in process at a site like www\.office.com won't see the branding. After the first sign-in, the branding may take at least 15 minutes to appear.
-
 **All branding elements are optional. Default settings will remain, if left unchanged.** For example, if you specify a banner logo but no background image, the sign-in page shows your logo with a default background image from the destination site such as Microsoft 365. Additionally, sign-in page branding doesn't carry over to personal Microsoft accounts. If your users or guests authenticate using a personal Microsoft account, the sign-in page won't reflect the branding of your organization.
 
 **Images have different image and file size requirements.** Take note of the image requirements for each option. You may need to use a photo editor to create the right size images. The preferred image type for all images is PNG, but JPG is accepted. 
@@ -148,4 +157,4 @@ The process for customizing the experience is the same as the [default sign-in e
 
 - [Learn more about default user permissions in Azure AD](../fundamentals/users-default-permissions.md)
 
-- [Manage the 'stay signed in' prompt](active-directory-users-profile-azure-portal.md#learn-about-the-stay-signed-in-prompt)
+- [Manage the 'stay signed in' prompt](active-directory-users-profile-azure-portal.md#learn-about-the-stay-signed-in-prompt)

articles/active-directory/governance/workflows-faqs.md

@@ -23,6 +23,9 @@ In this article you will find questions to commonly asked questions about [Lifec
 
 Yes, custom workflows can be configured for members or guests in your tenant. Workflows can run for all types of external guests, external members, internal guests and internal members.
 
+### Why do I see "Lifecycle Management" instead of "Lifecycle Workflows"?
+For a small portion of our customers, Lifecycle Workflows may still be listed under the former name Lifecycle Management in the audit logs and enterprise applications.
+
 ### Do I need to map employeeHireDate in provisioning apps like WorkDay?
 
 Yes, key user properties like employeeHireDate and employeeType are supported for user provisioning from HR apps like WorkDay. To use these properties in Lifecycle workflows, you will need to map them in the provisioning process to ensure the values are set. The following is an example of the mapping: 

articles/active-directory/hybrid/how-to-connect-modify-group-writeback.md

@@ -28,7 +28,7 @@ This article walks you through the options for modifying the default behaviors o
 
 If the original version of group writeback is already enabled and in use in your environment, all your Microsoft 365 groups have already been written back to Active Directory. Instead of disabling all Microsoft 365 groups, review any use of the previously written-back groups. Disable only those that are no longer needed in on-premises Active Directory. 
 
-### Disable automatic writeback of all Microsoft 365 groups 
+### Disable automatic writeback of new Microsoft 365 groups 
 
 To configure directory settings to disable automatic writeback of newly created Microsoft 365 groups, use one of these methods:
 
@@ -45,13 +45,32 @@ To configure directory settings to disable automatic writeback of newly created
 
 - Microsoft Graph: Use the [directorySetting](/graph/api/resources/directorysetting?view=graph-rest-beta&preserve-view=true) resource type. 
 
-### Disable writeback for each existing Microsoft 365 group 
+### Disable writeback for all existing Microsoft 365 group 
+
+To disable writeback of all Microsoft 365 groups that were created before these modifications, use one of the folowing methods:
 
 - Portal: Use the [Microsoft Entra admin portal](../enterprise-users/groups-write-back-portal.md).
-- PowerShell: Use the [Microsoft Identity Tools PowerShell module](https://www.powershellgallery.com/packages/MSIdentityTools/2.0.16). For example: 
+- PowerShell: Use the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true). For example: 
+  
+  ```PowerShell
+    #Import-module
+    Import-module Microsoft.Graph
+
+    #Connect to MgGraph and select the Beta API Version
+    Connect-MgGraph -Scopes Group.ReadWrite.All
+    Select-MgProfile -Name beta
+
+    #List all Microsoft 365 Groups
+    $Groups = Get-MgGroup -All | Where-Object {$_.GroupTypes -like "*unified*"}
+
+    #Disable Microsoft 365 Groups
+    Foreach ($group in $Groups) 
+    {
+        Update-MgGroup -GroupId $group.id -WritebackConfiguration @{isEnabled=$false}
+    }
+> We recomend using Microsoft Graph PowerShell SDK with [Windows PowerShell 7](/powershell/scripting/whats-new/migrating-from-windows-powershell-51-to-powershell-7?view=powershell-7.3&preserve-view=true)
   
-  `Get-mggroup -filter "groupTypes/any(c:c eq 'Unified')" | Update-MsIdGroupWritebackConfiguration -WriteBackEnabled $false` 
-- Microsoft Graph: Use a [group object](/graph/api/group-update?tabs=http&view=graph-rest-beta&preserve-view=true). 
+- Microsoft Graph Explorer: Use a [group object](/graph/api/group-update?tabs=http&view=graph-rest-beta&preserve-view=true). 
 
 ## Delete groups when they're disabled for writeback or soft deleted