
Commit c1c2403

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into work-diagnostics-fix
2 parents cd1b5d9 + d854890 commit c1c2403


219 files changed

+1471
-7668
lines changed


.openpublishing.redirection.json

Lines changed: 310 additions & 0 deletions

articles/active-directory/develop/authentication-scenarios.md

Lines changed: 17 additions & 0 deletions
@@ -74,6 +74,23 @@ Tokens are only valid for a limited amount of time. Usually the STS provides a p
7474

7575
Access tokens are passed to a Web API as the bearer token in the `Authorization` header. An app can provide a refresh token to the STS, and if the user access to the app wasn't revoked, it will get back a new access token and a new refresh token. This is how the scenario of someone leaving the enterprise is handled. When the STS receives the refresh token, it won't issue another valid access token if the user is no longer authorized.
7676

77+
### How each flow emits tokens and codes
78+
79+
Depending on how your client is built, it can use one (or several) of the authentication flows supported by Azure AD. These flows can produce a variety of tokens (id_tokens, refresh tokens, access tokens) as well as authorization codes, and require different tokens to make them work. This chart provides an overview:
80+
81+
|Flow | Requires | id_token | access token | refresh token | authorization code |
82+
|-----|----------|----------|--------------|---------------|--------------------|
83+
|[Authorization code flow](v2-oauth2-auth-code-flow.md) | | x | x | x | x|
84+
|[Implicit flow](v2-oauth2-implicit-grant-flow.md) | | x | x | | |
85+
|[Hybrid OIDC flow](v2-protocols-oidc.md#get-access-tokens)| | x | | | x |
86+
|[Refresh token redemption](v2-oauth2-auth-code-flow.md#refresh-the-access-token) | refresh token | x | x | x| |
87+
|[On-behalf-of flow](v2-oauth2-on-behalf-of-flow.md) | access token| x| x| x| |
88+
|[Client credentials](v2-oauth2-client-creds-grant-flow.md) | | | x (app-only)| | |
89+
90+
Tokens issued via the implicit mode have a length limitation due to being passed back to the browser via the URL (where `response_mode` is `query` or `fragment`). Some browsers have a limit on the size of the URL that can be put in the browser bar and fail when it is too long. Thus, these tokens do not have `groups` or `wids` claims.
91+
92+
Now that you have an overview of the basics, read on to understand the identity app model and API, learn how provisioning works in Azure AD, and get links to detailed information about common scenarios Azure AD supports.
93+
7794
## Application model
7895

7996
Applications can sign in users themselves or delegate sign-in to an identity provider. See [Authentication flows and app scenarios](authentication-flows-app-scenarios.md) to learn about sign-in scenarios supported by Azure AD.
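Review bot: The new paragraph on implicit-mode tokens says they are passed back in the URL "where `response_mode` is `query` or `fragment`", but `query` cannot carry an id_token or access token; implicit-flow tokens come back in the fragment (or via form_post), and `query` is only valid for an authorization code. Suggest dropping `query` from that sentence. The follow-on claim that "these tokens do not have `groups` or `wids` claims" should also say what the app receives instead (the groups overage indicator telling it to look up membership via Graph), so a reader does not conclude that group membership is silently lost, and it is worth a sentence that any token placed in a URL is exposed to browser history and referrer leakage, which is the reason the size limit is the lesser concern. Minor: the table's "Requires" column is empty for the first three rows and the last; a dash or "none" would make it clear those flows need no inbound token rather than that the cell was left unfilled.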

articles/active-directory/devices/hybrid-azuread-join-plan.md

Lines changed: 3 additions & 1 deletion
@@ -100,7 +100,9 @@ If your Windows 10 domain joined devices are [Azure AD registered](overview.md#g
100100
### Additional considerations
101101
- If your environment uses virtual desktop infrastructure (VDI), see [Device identity and desktop virtualization](/azure/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure).
102102

103-
- Hybrid Azure AD join is supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with Hybrid Azure AD join. Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Please contact your hardware OEM for support. Starting from Windows 10 1903 release, TPMs 1.2 are not used for hybrid Azure AD join and devices with those TPMs will be considered as if they don't have a TPM.
103+
- Hybrid Azure AD join is supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with Hybrid Azure AD join. Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Please contact your hardware OEM for support.
104+
105+
- Starting from Windows 10 1903 release, TPMs 1.2 are not used with hybrid Azure AD join and devices with those TPMs will be considered as if they don't have a TPM.
104106

105107
## Review controlled validation of hybrid Azure AD join
106108
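Review bot: Splitting the TPM guidance into two bullets leaves them in tension: the first tells admins with FIPS-compliant TPM 1.2 that they "must disable them before proceeding with Hybrid Azure AD join", while the second says that from Windows 10 1903 TPM 1.2 is not used at all, which makes the first bullet moot on current builds. Suggest scoping the first bullet to Windows 10 builds earlier than 1903, and replacing the ambiguous "you must disable them" (the TPMs themselves, or FIPS mode on them?) with "you must disable FIPS mode on them", since the next sentence about OEM support is about disabling FIPS mode, not the TPM.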

articles/active-directory/fundamentals/license-users-groups.md

Lines changed: 3 additions & 0 deletions
@@ -132,6 +132,9 @@ You can remove a license from a user's Azure AD user page, from the group overvi
132132
1. Select **Remove license**.
133133

134134
![Licensed groups page with Remove license option highlighted](media/license-users-groups/license-products-group-blade-with-remove-option-highlight.png)
135+
136+
> [!NOTE]
137+
> When an on-premises user account synced to Azure AD falls out of scope for the sync or when the sync is removed, the user is soft-deleted in Azure AD. When this occurs, licenses assigned to the user directly or via group-based licensing will be marked as **suspended** rather than **deleted**.
135138
136139
## Next steps
137140
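Review bot: The new note says licenses are marked **suspended** when a synced user falls out of sync scope "or when the sync is removed", but it does not say what a suspended assignment means in practice. An admin reading this on the license-removal page will want to know whether a suspended license still consumes a seat, how long the soft-deleted state lasts, and whether the assignments resume on restore or are released on permanent deletion; suggest adding one sentence covering that. "When the sync is removed" is also ambiguous (disabling directory synchronization for the tenant versus removing the user from the sync scope); consider naming the exact condition that triggers the soft delete.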

articles/active-directory/governance/entitlement-management-organization.md

Lines changed: 42 additions & 40 deletions
@@ -18,28 +18,28 @@ ms.reviewer: mwahl
1818
ms.collection: M365-identity-device-management
1919

2020

21-
#Customer intent: As a administrator, I want to allow users in certain partner organizations to request access packages so that our organization can collaborate on projects.
21+
#Customer intent: As an administrator, I want to allow users in certain partner organizations to request access packages so that our organizations can collaborate on projects.
2222

2323
---
2424

2525
# Add a connected organization in Azure AD entitlement management
2626

27-
Azure AD entitlement management enables you to collaborate with people outside your organization. If you frequently collaborate with users in an external Azure AD directory or domain, you can add them as a connected organization. This article describes how to add a connected organization so that you can allow users outside your organization to request resources in your directory.
27+
With Azure Active Directory (Azure AD) entitlement management, you can collaborate with people outside your organization. If you frequently collaborate with users in an external Azure AD directory or domain, you can add them as a connected organization. This article describes how to add a connected organization so that you can allow users outside your organization to request resources in your directory.
2828

2929
## What is a connected organization?
3030

3131
A connected organization is an external Azure AD directory or domain that you have a relationship with.
3232

3333
For example, suppose you work at Woodgrove Bank and you want to collaborate with two external organizations. These two organizations have different configurations:
3434

35-
- Graphic Design Institute uses Azure AD and their users have a user principal name that ends with `graphicdesigninstitute.com`
36-
- Contoso does not yet use Azure AD. Contoso users have a user principal name that ends with `contoso.com`.
35+
- Graphic Design Institute uses Azure AD, and their users have a user principal name that ends with *graphicdesigninstitute.com*.
36+
- Contoso does not yet use Azure AD. Contoso users have a user principal name that ends with *contoso.com*.
3737

38-
In this case, you can configure two connected organizations. You would create one connected organization for Graphic Design Institute and one for Contoso. If you then add those two connected organizations to a policy, users from each organization with a user principal name matching the policy can request access packages. Users with a user principal name that has a domain of graphicdesigninstitute.com would match the Graphic Design Institute connected organization and be allowed to submit requests, while users with a user principal name that has a domain of contoso.com would match the Contoso connected organization and would also be allowed to request packages. Furthermore, because Graphic Design Institute uses Azure AD, any users with a principal name matching a [verified domain](../fundamentals/add-custom-domain.md#verify-your-custom-domain-name) added to their tenant, such as graphicdesigninstitute.example will also be able to request access packages using the same policy.
38+
In this case, you can configure two connected organizations. You create one connected organization for Graphic Design Institute and one for Contoso. If you then add the two connected organizations to a policy, users from each organization with a user principal name that matches the policy can request access packages. Users with a user principal name that has a domain of *graphicdesigninstitute.com* would match the Graphic Design Institute-connected organization and be allowed to submit requests. Users with a user principal name that has a domain of *contoso.com* would match the Contoso-connected organization and would also be allowed to request packages. And, because Graphic Design Institute uses Azure AD, any users with a principal name that matches a [verified domain](../fundamentals/add-custom-domain.md#verify-your-custom-domain-name) that's added to their tenant, such as *graphicdesigninstitute.example*, would also be able to request access packages by using the same policy.
3939

4040
![Connected organization example](./media/entitlement-management-organization/connected-organization-example.png)
4141

42-
How users from the Azure AD directory or domain will authenticate depends on the authentication type. The authentication types for connected organizations are the following:
42+
How users from the Azure AD directory or domain authenticate depends on the authentication type. The authentication types for connected organizations are:
4343

4444
- Azure AD
4545
- [Direct federation](../b2b/direct-federation.md)
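Review bot: In the rewritten example paragraph, "the Graphic Design Institute-connected organization" and "the Contoso-connected organization" read as if "Institute-connected" and "Contoso-connected" were compound adjectives; suggest "the connected organization for Graphic Design Institute" and "the connected organization for Contoso". The same paragraph carries the security-relevant point of the whole article, that choosing an Azure AD directory (rather than a bare domain) admits any user whose UPN matches any verified domain of that tenant, such as *graphicdesigninstitute.example*; it is buried at the end of the example, and the "What is a connected organization?" definition above it would be a better place to state it plainly.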
@@ -51,85 +51,87 @@ For a demonstration of how to add a connected organization, watch the following
5151
5252
## Add a connected organization
5353

54-
Follow these steps to add an external Azure AD directory or domain as a connected organization.
54+
To add an external Azure AD directory or domain as a connected organization, follow the instructions in this section.
5555

56-
**Prerequisite role:** Global administrator, User administrator, or Guest inviter
56+
**Prerequisite role**: *Global administrator*, *User administrator*, or *Guest inviter*
5757

58-
1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.
58+
1. In the Azure portal, select **Azure Active Directory**, and then select **Identity Governance**.
5959

60-
1. In the left menu, click **Connected organizations** and then click **Add connected organization**.
60+
1. In the left pane, select **Connected organizations**, and then select **Add connected organization**.
6161

62-
![Identity Governance - Connected organizations - Add connected organization](./media/entitlement-management-organization/connected-organization.png)
62+
![The "Add connected organization" button](./media/entitlement-management-organization/connected-organization.png)
6363

64-
1. On the **Basics** tab, enter a display name and description for the organization.
64+
1. Select the **Basics** tab, and then enter a display name and description for the organization.
6565

66-
![Add connected organization - Basics tab](./media/entitlement-management-organization/organization-basics.png)
66+
![The "Add connected organization" Basics pane](./media/entitlement-management-organization/organization-basics.png)
6767

68-
1. On the **Directory + domain** tab, click **Add directory + domain** to open the Select directories + domains pane.
68+
1. Select the **Directory + domain** tab, and then select **Add directory + domain**.
6969

70-
1. Type a domain name to search for the Azure AD directory or domain. You must type the entire domain name.
70+
The **Select directories + domains** pane opens.
7171

72-
1. Verify it is the correct organization by the provided name and authentication type. How users will sign in depends on the authentication type.
72+
1. In the search box, enter a domain name to search for the Azure AD directory or domain. Be sure to enter the entire domain name.
7373

74-
![Add connected organization - Select directories + domains](./media/entitlement-management-organization/organization-select-directories-domains.png)
74+
1. Verify that the organization name and authentication type are correct. How users sign in depends on the authentication type.
7575

76-
1. Click **Add** to add the Azure AD directory or domain. Currently, you can only add one Azure AD directory or domain per connected organization.
76+
![The "Select directories + domains" pane](./media/entitlement-management-organization/organization-select-directories-domains.png)
77+
78+
1. Select **Add** to add the Azure AD directory or domain. Currently, you can add only one Azure AD directory or domain per connected organization.
7779

7880
> [!NOTE]
79-
> All users from the Azure AD directory or domain will be able to request this access package. This includes users in Azure AD from all subdomains associated with the directory, unless those domains are blocked by the Azure B2B allow or deny list. For more information, see [Allow or block invitations to B2B users from specific organizations](../b2b/allow-deny-list.md).
81+
> All users from the Azure AD directory or domain will be able to request this access package. This includes users in Azure AD from all subdomains associated with the directory, unless those domains are blocked by the Azure AD business to business (B2B) allow or deny list. For more information, see [Allow or block invitations to B2B users from specific organizations](../b2b/allow-deny-list.md).
8082
81-
1. Once you have added the Azure AD directory or domain, click **Select**.
83+
1. After you've added the Azure AD directory or domain, select **Select**.
8284

8385
The organization appears in the list.
8486

85-
![Add connected organization - Directories tab](./media/entitlement-management-organization/organization-directory-domain.png)
87+
![The "Directory + domain" pane](./media/entitlement-management-organization/organization-directory-domain.png)
8688

87-
1. On the **Sponsors** tab, add optional sponsors for this connected organization.
89+
1. Select the **Sponsors** tab, and then add optional sponsors for this connected organization.
8890

8991
Sponsors are internal or external users already in your directory that are the point of contact for the relationship with this connected organization. Internal sponsors are member users in your directory. External sponsors are guest users from the connected organization that were previously invited and are already in your directory. Sponsors can be utilized as approvers when users in this connected organization request access to this access package. For information about how to invite a guest user to your directory, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../b2b/add-users-administrator.md).
9092

91-
When you click **Add/Remove**, a pane appears to select the internal or external sponsors. The pane displays an unfiltered list of users and groups in your directory.
93+
When you select **Add/Remove**, a pane opens in which you can choose internal or external sponsors. The pane displays an unfiltered list of users and groups in your directory.
9294

93-
![Access package - Policy - Add connected organization - Sponsors tab](./media/entitlement-management-organization/organization-sponsors.png)
95+
![The Sponsors pane](./media/entitlement-management-organization/organization-sponsors.png)
9496

95-
1. On the **Review + create** tab, review your organization settings and then click **Create**.
97+
1. Select the **Review + create** tab, review your organization settings, and then select **Create**.
9698

97-
![Access package - Policy - Add connected organization - Review + create tab](./media/entitlement-management-organization/organization-review-create.png)
99+
![The "Review + create" pane](./media/entitlement-management-organization/organization-review-create.png)
98100

99101
## Update a connected organization
100102

101-
If the connected organization changes to a different domain, if you have a new name for that organization, or you wish to change the sponsors, you can update the connected organization.
103+
If the connected organization changes to a different domain, the organization's name changes, or you want to change the sponsors, you can update the connected organization by following the instructions in this section.
102104

103-
**Prerequisite role:** Global administrator, User administrator, or Guest inviter
105+
**Prerequisite role**: *Global administrator*, *User administrator*, or *Guest inviter*
104106

105-
1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.
107+
1. In the Azure portal, select **Azure Active Directory**, and then select **Identity Governance**.
106108

107-
1. In the left menu, click **Connected organizations** and then click to open the connected organization.
109+
1. In the left pane, select **Connected organizations**, and then select the connected organization to open it.
108110

109-
1. On the Overview page, click **Edit** to change the organization name or description.
111+
1. In the connected organization's overview pane, select **Edit** to change the organization name or description.
110112

111-
1. On the Directory + domain page, click **Update directory + domain** to change to a different directory or domain.
113+
1. In the **Directory + domain** pane, select **Update directory + domain** to change to a different directory or domain.
112114

113-
1. On the Sponsors page, click **Add internal sponsors** or **Add external sponsors** to add a user as a sponsor. To remove a sponsor, click on the sponsor and on the menu on the right, click **Delete**.
115+
1. In the **Sponsors** pane, select **Add internal sponsors** or **Add external sponsors** to add a user as a sponsor. To remove a sponsor, select the sponsor and, in the right pane, select **Delete**.
114116

115117

116118
## Delete a connected organization
117119

118120
If you no longer have a relationship with an external Azure AD directory or domain, you can delete the connected organization.
119121

120-
**Prerequisite role:** Global administrator, User administrator, or Guest inviter
122+
**Prerequisite role**: *Global administrator*, *User administrator*, or *Guest inviter*
121123

122-
1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.
124+
1. In the Azure portal, select **Azure Active Directory**, and then select **Identity Governance**.
123125

124-
1. In the left menu, click **Connected organizations** and then click to open the connected organization.
126+
1. In the left pane, select **Connected organizations**, and then select the connected organization to open it.
125127

126-
1. On the Overview page, click **Delete** to delete the connected organization.
128+
1. In the connected organization's overview pane, select **Delete** to delete it.
127129

128-
Currently, you can only delete a connected organization if there are no connected users.
130+
Currently, you can delete a connected organization only if there are no connected users.
129131

130-
![Identity Governance - Connected organizations - Delete connected organization](./media/entitlement-management-organization/organization-delete.png)
132+
![The connected organization Delete button](./media/entitlement-management-organization/organization-delete.png)
131133

132134
## Next steps
133135

134136
- [Govern access for external users](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-external-users)
135-
- [For users not in your directory](entitlement-management-access-package-request-policy.md#for-users-not-in-your-directory)
137+
- [Govern access for users not in your directory](entitlement-management-access-package-request-policy.md#for-users-not-in-your-directory)
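Review bot: The note under the **Add** step still says "All users from the Azure AD directory or domain will be able to request this access package", but this procedure creates a connected organization, not an access package, so "this access package" has no referent here; suggest "any access package whose policy includes this connected organization". In the same note, "business to business (B2B)" should be hyphenated as "business-to-business (B2B)". Minor: the three **Prerequisite role** lines now italicize the role names while the rest of the article bolds UI elements; pick one convention for role names and use it in all three places.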
