Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory/hybrid/TOC.yml

@@ -31,7 +31,7 @@
      - name: What is Azure AD Connect and Connect Health?
        href: whatis-azure-ad-connect.md
      - name: Choose the right authentication
-       href: https://docs.microsoft.com/azure/security/fundamentals/choose-ad-authn
+       href: ./choose-ad-authn.md
      - name: Identity synchronization and duplicate attribute resiliency
        href: how-to-connect-syncservice-duplicate-attribute-resiliency.md
    - name: Password hash synchronization
@@ -343,7 +343,7 @@
   - name: Azure AD Pass-through Authentication agent version history
     href: reference-connect-pta-version-history.md
   - name: Connector version history
-    href: reference-connect-sync-connector-version-history.md
+    href: /microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history
   - name: Accounts and permissions
     href: reference-connect-accounts-permissions.md
   - name: Azure AD Connect FAQ
@@ -379,4 +379,4 @@
   - name: Understanding Azure AD Connect 1.4.xx.x device disappearance
     href: reference-connect-device-disappearance.md
   - name: Azure AD Connect version history archive
-    href:  reference-connect-version-history-archive.md
+    href:  reference-connect-version-history-archive.md

articles/active-directory/hybrid/choose-ad-authn.md

@@ -54,32 +54,32 @@ Azure AD improves the management for an organization's on-premises Active Direct
 
 * **Secure remote access and Conditional Access for on-premises applications**
 
-For many organizations, the first step in managing access from the cloud for on-premises AD-integrated web and remote desktop-based applications is to deploy the [application proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy) in front of those applications to provide secure remote access.
+For many organizations, the first step in managing access from the cloud for on-premises AD-integrated web and remote desktop-based applications is to deploy the [application proxy](../manage-apps/application-proxy.md) in front of those applications to provide secure remote access.
 
-After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy  provides remote access and single sign-on to Remote Desktop, SharePoint, as well as apps such as Tableau and Qlik, and line of business (LOB) applications. Furthermore, Conditional Access policies can include displaying the [terms of use](https://docs.microsoft.com/azure/active-directory/governance/active-directory-tou) and [ensuring the user has agreed to them](https://docs.microsoft.com/azure/active-directory/conditional-access/require-tou) before being able to access an application.
+After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy  provides remote access and single sign-on to Remote Desktop, SharePoint, as well as apps such as Tableau and Qlik, and line of business (LOB) applications. Furthermore, Conditional Access policies can include displaying the [terms of use](../conditional-access/terms-of-use.md) and [ensuring the user has agreed to them](../conditional-access/require-tou.md) before being able to access an application.
 
 ![App Proxy architecture](media/cloud-governed-management-for-on-premises/image2.png)
 
 * **Automatic lifecycle management for Active Directory accounts**
 
 Identity governance helps organizations achieve a balance between *productivity* --- how quickly can a person have access to the resources they need, such as when they join the organization? --- and *security* --- how should their access change over time, such as when that person's employment status changes? Identity lifecycle management is the foundation for identity governance, and effective governance at scale requires modernizing the identity lifecycle management infrastructure for applications.
 
-For many organizations, identity lifecycle for employees is tied to the representation of that user in a human capital management (HCM) system. For organizations using Workday as their HCM system, Azure AD can ensure user accounts in AD are [automatically provisioned and deprovisioned for workers in Workday](https://docs.microsoft.com/azure/active-directory/saas-apps/workday-inbound-tutorial). Doing so leads to improved user productivity through automation of birthright accounts and manages risk by ensuring application access is automatically updated when a user changes roles or leaves the organization. The Workday-driven user provisioning [deployment plan](https://aka.ms/WorkdayDeploymentPlan) is a step-by-step guide that walks organizations through the best practices implementation of Workday to Active Directory User Provisioning solution in a five-step process.
+For many organizations, identity lifecycle for employees is tied to the representation of that user in a human capital management (HCM) system. For organizations using Workday as their HCM system, Azure AD can ensure user accounts in AD are [automatically provisioned and deprovisioned for workers in Workday](../saas-apps/workday-inbound-tutorial.md). Doing so leads to improved user productivity through automation of birthright accounts and manages risk by ensuring application access is automatically updated when a user changes roles or leaves the organization. The Workday-driven user provisioning [deployment plan](https://aka.ms/WorkdayDeploymentPlan) is a step-by-step guide that walks organizations through the best practices implementation of Workday to Active Directory User Provisioning solution in a five-step process.
 
 Azure AD Premium also includes Microsoft Identity Manager, which can import records from other on-premises HCM systems, including SAP, Oracle eBusiness, and Oracle PeopleSoft.
 
-Business-to-business collaboration increasingly requires granting access to people outside your organization. [Azure AD B2B](https://docs.microsoft.com/azure/active-directory/b2b/) collaboration enables organizations to securely share their applications and services with guest users and external partners while maintaining control over their own corporate data.
+Business-to-business collaboration increasingly requires granting access to people outside your organization. [Azure AD B2B](/azure/active-directory/b2b/) collaboration enables organizations to securely share their applications and services with guest users and external partners while maintaining control over their own corporate data.
 
-Azure AD can [automatically create accounts in AD for guest users](https://docs.microsoft.com/azure/active-directory/b2b/hybrid-cloud-to-on-premises) as needed, enabling business guests to access on-premises AD-integrated applications without needing another password. Organizations can set up [multi-factor authentication (MFA) policies for guest user](https://docs.microsoft.com/azure/active-directory/b2b/conditional-access)s so MFA checks are done during application proxy authentication. Also, any [access reviews](https://docs.microsoft.com/azure/active-directory/governance/manage-guest-access-with-access-reviews) that are done on cloud B2B users apply to on-premises users. For example, if the cloud user is deleted through lifecycle management policies, the on-premises user is also deleted.
+Azure AD can [automatically create accounts in AD for guest users](../external-identities/hybrid-cloud-to-on-premises.md) as needed, enabling business guests to access on-premises AD-integrated applications without needing another password. Organizations can set up [multi-factor authentication (MFA) policies for guest user](../external-identities/conditional-access.md)s so MFA checks are done during application proxy authentication. Also, any [access reviews](../governance/manage-guest-access-with-access-reviews.md) that are done on cloud B2B users apply to on-premises users. For example, if the cloud user is deleted through lifecycle management policies, the on-premises user is also deleted.
 
 **Credential management for Active Directory accounts**
-Azure AD's self-service password reset allows users who have forgotten their passwords to be reauthenticated and reset their passwords, with the changed passwords [written to on-premises Active Directory](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-writeback). The password reset process can also use the on-premises Active Directory password policies: When a user resets their password, it's checked to ensure it meets the on-premises Active Directory policy before committing it to that directory. The self-service password reset [deployment plan](https://aka.ms/deploymentplans/sspr) outlines best practices to roll out self-service password reset to users via web and Windows-integrated experiences.
+Azure AD's self-service password reset allows users who have forgotten their passwords to be reauthenticated and reset their passwords, with the changed passwords [written to on-premises Active Directory](../authentication/concept-sspr-writeback.md). The password reset process can also use the on-premises Active Directory password policies: When a user resets their password, it's checked to ensure it meets the on-premises Active Directory policy before committing it to that directory. The self-service password reset [deployment plan](https://aka.ms/deploymentplans/sspr) outlines best practices to roll out self-service password reset to users via web and Windows-integrated experiences.
 
 ![Azure AD SSPR architecture](media/cloud-governed-management-for-on-premises/image3.png)
 
-Finally, for organizations that permit users to change their passwords in AD, AD can be configured to use the same password policy as the organization is using in Azure AD through the [Azure AD password protection feature](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad-on-premises), currently in public preview.
+Finally, for organizations that permit users to change their passwords in AD, AD can be configured to use the same password policy as the organization is using in Azure AD through the [Azure AD password protection feature](../authentication/concept-password-ban-bad-on-premises.md), currently in public preview.
 
-When an organization is ready to move an AD-integrated application to the cloud by moving the operating system hosting the application to Azure, [Azure AD Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/active-directory-ds-overview) provides AD-compatible domain services (such as domain join, group policy, LDAP, and Kerberos/NTLM authentication). Azure AD Domain Services integrates with the organization's existing Azure AD tenant, making it possible for users to sign in using their corporate credentials. Additionally, existing groups and user accounts can be used to secure access to resources, ensuring a smoother 'lift-and-shift' of on-premises resources to Azure infrastructure services.
+When an organization is ready to move an AD-integrated application to the cloud by moving the operating system hosting the application to Azure, [Azure AD Domain Services](../../active-directory-domain-services/overview.md) provides AD-compatible domain services (such as domain join, group policy, LDAP, and Kerberos/NTLM authentication). Azure AD Domain Services integrates with the organization's existing Azure AD tenant, making it possible for users to sign in using their corporate credentials. Additionally, existing groups and user accounts can be used to secure access to resources, ensuring a smoother 'lift-and-shift' of on-premises resources to Azure infrastructure services.
 
 ![Azure AD Domain Services](media/cloud-governed-management-for-on-premises/image4.png)
 
@@ -103,7 +103,7 @@ Organizations need a process to manage access that is scalable. Users continue t
 
 Typically, IT delegates access approval decisions to business decision makers. Furthermore, IT can involve the users themselves. For example, users that access confidential customer data in a company's marketing application in Europe need to know the company's policies. Guest users also may be unaware of the handling requirements for data in an organization to which they've been invited.
 
-Organizations can automate the access lifecycle process through technologies such as [dynamic groups](https://docs.microsoft.com/azure/active-directory/users-groups-roles/groups-dynamic-membership), coupled with user provisioning to [SaaS applications](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list), or [applications integrated using the System for Cross-Domain Identity Management (SCIM](https://docs.microsoft.com/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups)) standard. Organizations also can control which [guest users have access to on-premises applications](https://docs.microsoft.com/azure/active-directory/b2b/hybrid-cloud-to-on-premises). These access rights can then be regularly reviewed using recurring [Azure AD access reviews](https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview).
+Organizations can automate the access lifecycle process through technologies such as [dynamic groups](../users-groups-roles/groups-dynamic-membership.md), coupled with user provisioning to [SaaS applications](../saas-apps/tutorial-list.md), or [applications integrated using the System for Cross-Domain Identity Management (SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md)) standard. Organizations also can control which [guest users have access to on-premises applications](../external-identities/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Azure AD access reviews](../governance/access-reviews-overview.md).
 
 ## Future directions
 
@@ -113,4 +113,4 @@ In hybrid environments, Microsoft's strategy is to enable deployments where the
 
 ## Next steps
 
-For more information on how to get started on this journey, see the Azure AD deployment plans, located at <https://aka.ms/deploymentplans> . They provide end-to-end guidance about how to deploy Azure Active Directory (Azure AD) capabilities. Each plan explains the business value, planning considerations, design, and operational procedures needed to successfully roll out common Azure AD capabilities. Microsoft continually updates the deployment plans with best practices learned from customer deployments and other feedback when we add new capabilities to managing from the cloud with Azure AD.
+For more information on how to get started on this journey, see the Azure AD deployment plans, located at <https://aka.ms/deploymentplans> . They provide end-to-end guidance about how to deploy Azure Active Directory (Azure AD) capabilities. Each plan explains the business value, planning considerations, design, and operational procedures needed to successfully roll out common Azure AD capabilities. Microsoft continually updates the deployment plans with best practices learned from customer deployments and other feedback when we add new capabilities to managing from the cloud with Azure AD.

articles/active-directory/hybrid/cloud-governed-management-for-on-premises.md

@@ -23,7 +23,7 @@ Azure AD Connect sync builds on declarative provisioning first introduced in For
 
 An essential part of declarative provisioning is the expression language used in attribute flows. The language used is a subset of Microsoft® Visual Basic® for Applications (VBA). This language is used in Microsoft Office and users with experience of VBScript will also recognize it. The Declarative Provisioning Expression Language is only using functions and is not a structured language. There are no methods or statements. Functions are instead nested to express program flow.
 
-For more details, see [Welcome to the Visual Basic for Applications language reference for Office 2013](https://msdn.microsoft.com/library/gg264383.aspx).
+For more details, see [Welcome to the Visual Basic for Applications language reference for Office 2013](/office/vba/api/overview/language-reference).
 
 The attributes are strongly typed. A function only accepts attributes of the correct type. It is also case-sensitive. Both function names and attribute names must have proper casing or an error is thrown.
 
@@ -94,5 +94,4 @@ For example:
 
 **Reference topics**
 
-* [Azure AD Connect sync: Functions Reference](reference-connect-sync-functions-reference.md)
-
+* [Azure AD Connect sync: Functions Reference](reference-connect-sync-functions-reference.md)

articles/active-directory/hybrid/concept-azure-ad-connect-sync-declarative-provisioning-expressions.md

@@ -35,9 +35,9 @@ Important points to be aware of when synchronizing groups from Active Directory
 
 * Azure AD Connect excludes built-in security groups from directory synchronization.
 
-* Azure AD Connect does not support synchronizing [Primary Group memberships](https://technet.microsoft.com/library/cc771489(v=ws.11).aspx) to Azure AD.
+* Azure AD Connect does not support synchronizing [Primary Group memberships](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771489(v=ws.11)) to Azure AD.
 
-* Azure AD Connect does not support synchronizing [Dynamic Distribution Group memberships](https://technet.microsoft.com/library/bb123722(v=exchg.160).aspx) to Azure AD.
+* Azure AD Connect does not support synchronizing [Dynamic Distribution Group memberships](/Exchange/recipients/dynamic-distribution-groups/dynamic-distribution-groups?view=exchserver-2019) to Azure AD.
 
 * To synchronize an Active Directory group to Azure AD as a mail-enabled group:
 
@@ -71,5 +71,4 @@ When an object has been exported to Azure AD then it is not allowed to change th
 
 ## Additional Resources
 * [Azure AD Connect Sync: Customizing Synchronization options](how-to-connect-sync-whatis.md)
-* [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md)
-
+* [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md)