Merge pull request #204589 from MicrosoftDocs/main

7/13 AM Publish

Author: huypub

articles/active-directory/cloud-sync/media/plan-cloud-provisioning-topologies/attributes-multiple-sources.png

@@ -20,18 +20,18 @@ This article describes various on-premises and Azure Active Directory (Azure AD)
 > [!IMPORTANT]
 > Microsoft doesn't support modifying or operating Azure AD Connect cloud sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Azure AD Connect cloud sync. As a result, Microsoft can't provide technical support for such deployments.
 
-For more information see the following video.
+For more information, see the following video.
 
 > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWJ8l5]
 
 ## Things to remember about all scenarios and topologies
-The following is a list of information to keep in mind when selecting a solution.
+The information below should be kept in mind, when selecting a solution.
 
 - Users and groups must be uniquely identified across all forests
-- Matching across forests does not occur with cloud sync
+- Matching across forests doesn't occur with cloud sync
 - A user or group must be represented only once across all forests
 - The source anchor for objects is chosen automatically.  It uses ms-DS-ConsistencyGuid if present, otherwise ObjectGUID is used.
-- You cannot change the attribute that is used for source anchor.
+- You can't change the attribute that is used for source anchor.
 
 ## Single forest, single Azure AD tenant
 ![Diagram that shows the topology for a single forest and a single tenant.](media/tutorial-single-forest/diagram-2.png)
@@ -42,7 +42,7 @@ The simplest topology is a single on-premises forest, with one or multiple domai
 ## Multi-forest, single Azure AD tenant
 ![Topology for a multi-forest and a single tenant](media/plan-cloud-provisioning-topologies/multi-forest-2.png)
 
-A common topology is a multiple AD forests, with one or multiple domains, and a single Azure AD tenant.  
+Multiple AD forests is a common topology, with one or multiple domains, and a single Azure AD tenant.  
 
 ## Existing forest with Azure AD Connect, new forest with cloud Provisioning
 ![Diagram that shows the topology for an existing forest and a new forest.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
@@ -55,7 +55,29 @@ The piloting scenario involves the existence of both Azure AD Connect and Azure
 
 For an example of this scenario see [Tutorial: Pilot Azure AD Connect cloud sync in an existing synced AD forest](tutorial-pilot-aadc-aadccp.md)
 
+## Merging objects from disconnected sources 
+### (Public Preview)
+![Diagram for merging objects from disconnected sources](media/plan-cloud-provisioning-topologies/attributes-multiple-sources.png)
+In this scenario, the attributes of a user are contributed to by two disconnected Active Directory forests. 
 
+An example would be:
+
+ - one forest (1) contains most of the attributes
+ - a second forest (2) contains a few attributes
+
+ Since the second forest doesn't have network connectivity to the Azure AD Connect server, the object can't be merged through Azure AD Connect. Cloud Sync in the second forest allows the attribute value to be retrieved from the second forest. The value can then be merged with the object in Azure AD that is synced by Azure AD Connect. 
+
+This configuration is advanced and there are a few caveats to this topology: 
+
+ 1. You must use `msdsConsistencyGuid` as the source anchor in the Cloud Sync configuration.
+ 2. The `msdsConsistencyGuid` of the user object in the second forest must match that of the corresponding object in Azure AD.
+ 3. You must populate the `UserPrincipalName` attribute and the `Alias` attribute in the second forest and it must match the ones that are synced from the first forest. 
+ 4. You must remove all attributes from the attribute mapping in the Cloud Sync configuration that don't have a value or may have a different value in the second forest – you can't have overlapping attribute mappings between the first forest and the second one. 
+ 5. If there's no matching object in the first forest, for an object that is synced from the second forest, then Cloud Sync will still create the object in Azure AD. The object will only have the attributes that are defined in the mapping configuration of Cloud Sync for the second forest. 
+ 6. If you delete the object from the second forest, it will be temporarily soft deleted in Azure AD. It will be restored automatically after the next Azure AD Connect sync cycle.  
+ 7. If you delete the object from the first forest, it will be soft deleted from Azure AD.  The object won't be restored unless a change is made to the object in the second forest. After 30 days the object will be hard deleted from Azure AD and if a change is made to the object in the second forest it will be created as a new object in Azure AD. 
+
+ 
 
 ## Next steps 
 

articles/active-directory/cloud-sync/plan-cloud-sync-topologies.md

@@ -102,15 +102,15 @@ services.Configure<MsalDistributedTokenCacheAdapterOptions>(options =>
     options.DisableL1Cache = false;
 
     // Or limit the memory (by default, this is 500 MB)
-    options.L1CacheOptions.SizeLimit = 1024 * 1024 * 1024, // 1 GB
+    options.L1CacheOptions.SizeLimit = 1024 * 1024 * 1024; // 1 GB
 
     // You can choose if you encrypt or not encrypt the cache
     options.Encrypt = false;
 
     // And you can set eviction policies for the distributed
     // cache.
     options.SlidingExpiration = TimeSpan.FromHours(1);
-  }
+  });
 
 // Then, choose your implementation of distributed cache
 // -----------------------------------------------------
@@ -708,4 +708,4 @@ The following samples illustrate token cache serialization.
 | ------ | -------- | ----------- |
 |[active-directory-dotnet-desktop-msgraph-v2](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | Desktop (WPF) | Windows Desktop .NET (WPF) application that calls the Microsoft Graph API. ![Diagram that shows a topology with a desktop app client flowing to Azure Active Directory by acquiring a token interactively and to Microsoft Graph.](media/msal-net-token-cache-serialization/topology.png)|
 |[active-directory-dotnet-v1-to-v2](https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2) | Desktop (console) | Set of Visual Studio solutions that illustrate the migration of Azure AD v1.0 applications (using ADAL.NET) to Microsoft identity platform applications (using MSAL.NET). In particular, see [Token cache migration](https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2/blob/master/TokenCacheMigration/README.md) and [Confidential client token cache](https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2/tree/master/ConfidentialClientTokenCache). |
-[ms-identity-aspnet-webapp-openidconnect](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) | ASP.NET (net472) | Example of token cache serialization in an ASP.NET MVC application (using MSAL.NET). In particular, see [MsalAppBuilder](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/master/WebApp/Utils/MsalAppBuilder.cs).
+[ms-identity-aspnet-webapp-openidconnect](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) | ASP.NET (net472) | Example of token cache serialization in an ASP.NET MVC application (using MSAL.NET). In particular, see [MsalAppBuilder](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/master/WebApp/Utils/MsalAppBuilder.cs).

articles/active-directory/develop/msal-net-token-cache-serialization.md

@@ -47,13 +47,6 @@ After each organization has completed these steps, Azure AD B2B collaboration be
 
 In your Microsoft cloud settings, enable the Microsoft Azure cloud you want to collaborate with.
 
-> [!NOTE]
-> The admin experience is currently still deploying to national clouds. To access the admin experience in Microsoft Azure Government or Microsoft Azure China, you can use these links: 
->
->Microsoft Azure Government - https://aka.ms/cloudsettingsusgov
->
->Microsoft Azure China - https://aka.ms/cloudsettingschina
-
 1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
 1. Select **External Identities**, and then select **Cross-tenant access settings**.
 1. Select **Microsoft cloud settings (Preview)**.

articles/active-directory/external-identities/cross-cloud-settings.md

@@ -77,13 +77,6 @@ To set up B2B collaboration, both organizations configure their Microsoft cloud
 
 For configuration steps, see [Configure Microsoft cloud settings for B2B collaboration (Preview)](cross-cloud-settings.md).
 
-> [!NOTE]
-> The admin experience is currently still deploying to national clouds. To access the admin experience in Microsoft Azure Government or Microsoft Azure China, you can use these links: 
->
->Microsoft Azure Government - https://aka.ms/cloudsettingsusgov
->
->Microsoft Azure China - https://aka.ms/cloudsettingschina
-
 ### Default settings in cross-cloud scenarios
 
 To collaborate with a partner tenant in a different Microsoft Azure cloud, both organizations need to mutually enable B2B collaboration with each other. The first step is to enable the partner's cloud in your cross-tenant settings. When you first enable another cloud, B2B collaboration is blocked for all tenants in that cloud. You need to add the tenant you want to collaborate with to your Organizational settings, and at that point your default settings go into effect for that tenant only. You can allow the default settings to remain in effect, or you can modify the organizational settings for the tenant.

articles/active-directory/external-identities/cross-tenant-access-overview.md

@@ -231,6 +231,9 @@ With outbound settings, you select which of your users and groups will be able t
    - Select the user or group in the search results.
    - When you're done selecting the users and groups you want to add, choose **Select**.
 
+   > [!NOTE]
+   > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-sms-signin). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](https://docs.microsoft.com/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.
+
 1. Select the **External applications** tab.
 
 1. Under **Access status**, select one of the following:

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

@@ -228,6 +228,9 @@ With outbound settings, you select which of your users and groups will be able t
    - In the **Select** pane, type the user name or the group name in the search box.
    - When you're done selecting users and groups, choose **Select**.
 
+   > [!NOTE]
+   > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-sms-signin). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](https://docs.microsoft.com/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.
+
 1. Select **Save**.
 1. Select the **External applications** tab.
 1. Under **Access status**, select one of the following:

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md

@@ -19,9 +19,9 @@ A common redirection scenario for many web applications is to support automatic
 A redirect type sets the response status code for the clients to understand the purpose of the redirect. The following types of redirection are supported:
 
 - 301 (Moved permanently): Indicates that the target resource has been assigned a new permanent URI. Any future references to this resource will use one of the enclosed URIs. Use 301 status code for HTTP to HTTPS redirection.
+- 303 (Permanent redirect): Indicates that the target resource has been assigned a new permanent URI. Any future references to this resource should use one of the enclosed URIs.
 - 302 (Found): Indicates that the target resource is temporarily under a different URI. Since the redirection can change on occasion, the client should continue to use the effective request URI for future requests.
 - 307 (Temporary redirect): Indicates that the target resource is temporarily under a different URI. The user agent MUST NOT change the request method if it does an automatic redirection to that URI. Since the redirection can change over time, the client ought to continue using the original effective request URI for future requests.
-- 308 (Permanent redirect): Indicates that the target resource has been assigned a new permanent URI. Any future references to this resource should use one of the enclosed URIs.
 
 ## Redirection capabilities
 

articles/application-gateway/redirect-overview.md

@@ -16,6 +16,8 @@
     href: az-region.md
   - name: Migration Guidance
     items:
+    - name: API Management
+      href: migrate-api-mgt.md
     - name: App Service Environment
       href: migrate-app-service-environment.md
     - name: App Service
@@ -26,6 +28,8 @@
       href: migrate-vm.md
     - name: Storage accounts
       href: migrate-storage.md
+    - name: Virtual Machines and Virtual Machine Scale Sets
+      href: migrate-vm.md
   - name: Terminology
     href: glossary.md
 - name: High Availability

articles/availability-zones/TOC.yml

@@ -93,7 +93,7 @@ In the Product Catalog, always-available services are listed as "non-regional" s
 | **Products**   | **Resiliency**   |
 | --- | --- |
 | [Azure Active Directory Domain Services](../active-directory-domain-services/overview.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
-| [Azure API Management](../api-management/zone-redundancy.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
+| [Azure API Management](migrate-api-mgt.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | [Azure App Configuration](../azure-app-configuration/faq.yml#how-does-app-configuration-ensure-high-data-availability) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | [Azure App Service](migrate-app-service.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | [Azure App Service: App Service Environment](migrate-app-service-environment.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) ![An icon that signifies this service is zonal](media/icon-zonal.svg) |