Commit c2f2ea4

Syncing with main. Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into work-browser-syntax
2 parents d50f383 + f973ffb commit c2f2ea4

188 files changed

+3973
-2199
lines changed

.openpublishing.redirection.json

Lines changed: 7 additions & 1 deletion
@@ -13241,7 +13241,7 @@
1324113241
},
1324213242
{
1324313243
"source_path_from_root": "/articles/logic-apps/logic-apps-monitor-your-logic-apps-oms.md",
13244-
"redirect_url": "/azure/logic-apps/monitor-logic-apps-log-analytics",
13244+
"redirect_url": "/azure/logic-apps/monitor-workflows-collect-diagnostic-data",
1324513245
"redirect_document_id": false
1324613246
},
1324713247
{
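
Review bot: Line 13244 is the only entry retargeted in this hunk, so any other `redirect_url` in `.openpublishing.redirection.json` that still points at `/azure/logic-apps/monitor-logic-apps-log-analytics` becomes a two-hop redirect once the entry added at lines 13342-13346 is live. Search the file for that old target and update the remaining entries in the same commit.
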
@@ -13339,6 +13339,12 @@
1333913339
"redirect_url": "/connectors/custom-connectors/submit-certification",
1334013340
"redirect_document_id": false
1334113341
},
13342+
{
13343+
"source_path_from_root": "/articles/logic-apps/monitor-logic-apps-log-analytics.md",
13344+
"redirect_url": "/azure/logic-apps/monitor-workflows-collect-diagnostic-data",
13345+
"redirect_document_id": true
13346+
},
13347+
1334213348
{
1334313349
"source_path_from_root": "/articles/connectors/connectors-create-api-sharepointonline.md",
1334413350
"redirect_url": "/azure/connectors/connectors-create-api-sharepoint",
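
Review bot: Added line 13347 is an empty line between the new entry's closing `},` and the next `{`, while the neighbouring entries in this hunk follow each other with no blank line; drop it to keep the file uniform. Also confirm that `"redirect_document_id": true` on the new entry is intended next to the `false` on the `logic-apps-monitor-your-logic-apps-oms.md` entry, since both sources now redirect to the same target.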

articles/active-directory/authentication/concept-certificate-based-authentication-smartcard.md

Lines changed: 3 additions & 0 deletions
@@ -54,6 +54,9 @@ Some customers may maintain different and sometimes may have non-routable UPN va
5454
>[!NOTE]
5555
>In all cases, a user supplied username login hint (X509UserNameHint) will be sent if provided. For more information, see [User Name Hint](/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#allow-user-name-hint)
5656
57+
>[!IMPORTANT]
58+
> If a user supplies a username login hint (X509UserNameHint), the value provided **MUST** be in UPN Format.
59+
5760
For more information about the Windows flow, see [Certificate Requirements and Enumeration (Windows)](/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration).
5861

5962
## Supported Windows platforms
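
Review bot: The IMPORTANT note added at lines 57-58 says the X509UserNameHint value MUST be in UPN format but does not say what happens when it is not, and gives no sample of an accepted value. State the failure behaviour and add a short example, write "UPN format" in lower case, and match the blockquote spacing of the NOTE above it (`>In all cases` versus `> If a user`).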

articles/active-directory/authentication/howto-sspr-windows.md

Lines changed: 2 additions & 2 deletions
@@ -78,8 +78,8 @@ Deploying the configuration change to enable SSPR from the login screen using Mi
7878

7979
1. Sign in to the [Azure portal](https://portal.azure.com) and select **Endpoint Manager**.
8080
1. Create a new device configuration profile by going to **Device configuration** > **Profiles**, then select **+ Create Profile**
81-
- For **Platform** choose *Windows 11 and later*
82-
- For **Profile type**, choose *Custom*
81+
- For **Platform** choose *Windows 10 and later*
82+
- For **Profile type**, choose Templates then select the Custom template below
8383
1. Select **Create**, then provide a meaningful name for the profile, such as *Windows 11 sign-in screen SSPR*
8484

8585
Optionally, provide a meaningful description of the profile, then select **Next**.
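
Review bot: Line 81 now selects *Windows 10 and later*, but the unchanged step on line 83 still suggests the profile name *Windows 11 sign-in screen SSPR*, so the two steps disagree about the target platform; update the example name or say why it stays. On line 82 the UI labels lost their emphasis and "below" has no referent inside a numbered step; suggest `For **Profile type**, choose *Templates*, then select the *Custom* template`.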

articles/active-directory/cloud-sync/what-is-cloud-sync.md

Lines changed: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ The following table provides a comparison between Azure AD Connect and Azure AD
5151
| Allow basic customization for attribute flows |||
5252
| Synchronize Exchange online attributes |||
5353
| Synchronize extension attributes 1-15 |||
54-
| Synchronize customer defined AD attributes (directory extensions) || |
54+
| Synchronize customer defined AD attributes (directory extensions) |||
5555
| Support for Password Hash Sync |||
5656
| Support for Pass-Through Authentication |||
5757
| Support for federation |||
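
Review bot: As shown here, the old and new versions of line 54 differ only by a space between the last two cell delimiters, so the change to the "directory extensions" row cannot be verified from this view. If the intent is to change which product is marked as supporting customer defined AD attributes, say so in the commit message and confirm the row now carries the same cell content as the rows around it.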

articles/active-directory/external-identities/authentication-conditional-access.md

Lines changed: 19 additions & 0 deletions
@@ -88,6 +88,25 @@ When configuring a Conditional Access policy, you have granular control over the
8888

8989
Learn more about [Conditional Access user assignments](../conditional-access/concept-conditional-access-users-groups.md).
9090

91+
### Comparing External Identities Conditional Access policies
92+
93+
The following table gives a detailed comparison of the security policy and compliance options in Azure AD External Identities. Security policy and compliance are managed by the host/inviting organization under Conditional Access policies.
94+
95+
|**Policy** |**B2B collaboration users** |**B2B direct connect users**|
96+
| :------------ | :-------------- | :----- |
97+
|**Grant controls—Block access** | Supported | Supported |
98+
|**Grant controls — Require multifactor authentication** | Supported | Supported, requires configuring your [inbound trust settings](cross-tenant-access-settings-b2b-direct-connect.md#to-change-inbound-trust-settings-for-mfa-and-device-state) to accept MFA claims from the external organization |
99+
|**Grant controls — Require compliant device** | Supported, requires configuring your [inbound trust settings](cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims) to accept compliant device claims from the external organization. | Supported, requires configuring your [inbound trust settings](cross-tenant-access-settings-b2b-direct-connect.md#to-change-inbound-trust-settings-for-mfa-and-device-state) to accept compliant device claims from the external organization. |
100+
|**Grant controls — Require Hybrid Azure AD joined device** | Supported, requires configuring your [inbound trust settings](cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims) to accept hybrid Azure AD joined device claims from the external organization | Supported, requires configuring your [inbound trust settings](cross-tenant-access-settings-b2b-direct-connect.md#to-change-inbound-trust-settings-for-mfa-and-device-state) to accept hybrid Azure AD joined device claims from the external organization |
101+
|**Grant controls — Require approved client app** | Not supported | Not supported |
102+
|**Grant controls — Require app protection policy** | Not supported | Not supported |
103+
|**Grant controls — Require password change** | Not supported | Not supported |
104+
|**Grant controls — Terms of Use** | Supported | Not supported |
105+
|**Session controls — Use app enforced restrictions** | Supported | Not supported |
106+
|**Session controls — Use Conditional Access App control** | Supported | Not supported |
107+
|**Session controls — Sign-in frequency** | Supported | Not supported |
108+
|**Session controls — Persistent browser session** | Supported | Not supported |
109+
91110
### MFA for Azure AD external users
92111

93112
In an Azure AD cross-tenant scenario, the resource organization can create Conditional Access policies that require MFA or device compliance for all guest and external users. Generally, a B2B collaboration user accessing a resource is then required to set up their Azure AD MFA with the resource tenant. However, Azure AD now offers the ability to trust MFA claims from other Azure AD tenants. Enabling MFA trust with another tenant streamlines the sign-in process for B2B collaboration users and enables access for B2B direct connect users.
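
Review bot: Row 97 of the new table writes the policy name with no spaces around the dash ("Grant controls" run directly into "Block access"), while rows 98-108 all put a space on each side; make row 97 match. Cell punctuation is also mixed: the "Require compliant device" cells on line 99 end with a period and the equivalent cells on lines 98 and 100 do not. Since the B2B direct connect column depends on inbound trust settings for three of the grant controls, a one-line note under the table saying what the user sees when that trust is not configured would help readers of this section.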

articles/active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md

Lines changed: 6 additions & 3 deletions
@@ -5,7 +5,7 @@ services: active-directory
55
ms.author: cmulligan
66
author: csmulligan
77
manager: celestedg
8-
ms.date: 05/10/2022
8+
ms.date: 02/16/2023
99
ms.topic: quickstart
1010
ms.service: active-directory
1111
ms.subservice: B2B
@@ -18,7 +18,7 @@ ms.collection: M365-identity-device-management
1818

1919
With Azure AD [B2B collaboration](what-is-b2b.md), you can invite anyone to collaborate with your organization using their own work, school, or social account.
2020

21-
In this quickstart, you'll learn how to add a new guest user to your Azure AD directory in the Azure portal. You'll also send an invitation and see what the guest user's invitation redemption process looks like. In addition to this quickstart, you can learn more about adding guest users [in the Azure portal](add-users-administrator.md), via [PowerShell](b2b-quickstart-invite-powershell.md), or [in bulk](tutorial-bulk-invite.md).
21+
In this quickstart, you'll learn how to add a new guest user to your Azure AD directory in the Azure portal. You'll also send an invitation and see what the guest user's invitation redemption process looks like.
2222

2323
If you don’t have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
2424

@@ -93,4 +93,7 @@ When no longer needed, delete the test guest user.
9393

9494
## Next steps
9595

96-
In this quickstart, you created a guest user in the Azure portal and sent an invitation to share apps. Then you viewed the redemption process from the guest user's perspective and verified that the guest user was able to access their My Apps page. To learn more about adding guest users for collaboration, see [Add Azure Active Directory B2B collaboration users in the Azure portal](add-users-administrator.md).
96+
In this quickstart, you created a guest user in the Azure portal and sent an invitation to share apps. Then you viewed the redemption process from the guest user's perspective, and verified that the guest user was able to access their My Apps page.
97+
To learn more about adding guest users for collaboration, see [Add Azure Active Directory B2B collaboration users in the Azure portal](add-users-administrator.md).
98+
To learn more about adding guest users with PowerShell, see [Add and invite guests with PowerShell](b2b-quickstart-invite-powershell.md).
99+
You can also bulk invite guest users [via the portal](tutorial-bulk-invite.md) or [via PowerShell](bulk-invite-powershell.md).
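
Review bot: Added lines 96-99 are four consecutive lines with no blank line or list marker between them, so Markdown will join them into a single run-on paragraph under "Next steps". Turn lines 97-99 into a bulleted list (or separate them with blank lines). The comma added before "and verified" on line 96 is not needed, and the new link target `bulk-invite-powershell.md` should be checked to exist in this folder.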

articles/active-directory/external-identities/external-identities-overview.md

Lines changed: 6 additions & 1 deletion
@@ -85,7 +85,12 @@ The following table gives a detailed comparison of the scenarios you can enable
8585
| **Identity providers supported** | External users can collaborate using work accounts, school accounts, any email address, SAML and WS-Fed based identity providers, and social identity providers like Gmail and Facebook. | External users collaborate using Azure AD work accounts or school accounts. | Consumer users with local application accounts (any email address, user name, or phone number), Azure AD, various supported social identities, and users with corporate and government-issued identities via SAML/WS-Fed-based identity provider federation. |
8686
| **Single sign-on (SSO)** | SSO to all Azure AD-connected apps is supported. For example, you can provide access to Microsoft 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday. | SSO to a Teams shared channel. | SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Microsoft 365 or to other Microsoft SaaS apps isn't supported. |
8787
| **Licensing and billing** | Based on monthly active users (MAU), including B2B collaboration and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for B2B](external-identities-pricing.md). | Based on monthly active users (MAU), including B2B collaboration, B2B direct connect, and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for B2B](external-identities-pricing.md). | Based on monthly active users (MAU), including B2B collaboration and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for Azure AD B2C](../../active-directory-b2c/billing.md). |
88-
| **Security policy and compliance** | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). See also the [Teams documentation](/microsoftteams/security-compliance-overview). | Managed by the organization via Conditional Access and Identity Protection. |
88+
| **Security policy and compliance** | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). See also the [Teams documentation](/microsoftteams/security-compliance-overview). | Managed by the organization via [Conditional Access and Identity Protection](../../active-directory-b2c/conditional-access-identity-protection-overview.md). |
89+
| **Multi-factor Authentication (MFA)** | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, the user is presented with an MFA challenge from the resource organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Azure AD external users. | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, and Conditional Access policies require MFA, the user is blocked from accessing resources. You *must* configure your inbound trust settings to accept MFA claims from the organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Azure AD external users. | [Integrates directly](../../active-directory-b2c/multi-factor-authentication.md) with Azure AD Multi-Factor Authentication. |
90+
| **Microsoft cloud settings** | [Supported.](cross-cloud-settings.md) | [Not supported.](cross-cloud-settings.md) | Not applicable. |
91+
| **Entitlement management** | [Supported.](../governance/entitlement-management-overview.md) | Not supported. | Not applicable. |
92+
| **Line-of-business (LOB) apps** | Supported. | Not supported. Only B2B direct connect-enabled apps can be shared (currently, Teams Connect shared channels). | Works with [RESTful API](../../active-directory-b2c/technical-overview.md#add-your-own-business-logic-and-call-restful-apis). |
93+
| **Conditional Access** | Managed by the host/inviting organization. [Learn more](authentication-conditional-access.md) about Conditional Access policies. | Managed by the host/inviting organization. [Learn more](authentication-conditional-access.md) about Conditional Access policies. | Managed by the organization via [Conditional Access and Identity Protection](../../active-directory-b2c/conditional-access-identity-protection-overview.md). |
8994
| **Branding** | Host/inviting organization's brand is used. | For sign-in screens, the user’s home organization brand is used. In the shared channel, the resource organization's brand is used. | Fully customizable branding per application or organization. |
9095
| **More information** | [Blog post](https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/), [Documentation](what-is-b2b.md) | [Documentation](b2b-direct-connect-overview.md) | [Product page](https://azure.microsoft.com/services/active-directory-b2c/), [Documentation](../../active-directory-b2c/index.yml) |
9196
