Merge pull request #89299 from billmath/fixes1

updating

Author: tfosmark

articles/active-directory/hybrid/how-to-connect-sso-faq.md

@@ -22,19 +22,19 @@ ms.collection: M365-identity-device-management
 
 In this article, we address frequently asked questions about Azure Active Directory Seamless Single Sign-On (Seamless SSO). Keep checking back for new content.
 
-## What sign-in methods do Seamless SSO work with?
+**Q: What sign-in methods do Seamless SSO work with**
 
 Seamless SSO can be combined with either the [Password Hash Synchronization](how-to-connect-password-hash-synchronization.md) or [Pass-through Authentication](how-to-connect-pta.md) sign-in methods. However this feature cannot be used with Active Directory Federation Services (ADFS).
 
-## Is Seamless SSO a free feature?
+**Q: Is Seamless SSO a free feature?**
 
 Seamless SSO is a free feature and you don't need any paid editions of Azure AD to use it.
 
-## Is Seamless SSO available in the [Microsoft Azure Germany cloud](https://www.microsoft.de/cloud-deutschland) and the [Microsoft Azure Government cloud](https://azure.microsoft.com/features/gov/)?
+**Q: Is Seamless SSO available in the [Microsoft Azure Germany cloud](https://www.microsoft.de/cloud-deutschland) and the [Microsoft Azure Government cloud](https://azure.microsoft.com/features/gov/)?**
 
 No. Seamless SSO is only available in the worldwide instance of Azure AD.
 
-## What applications take advantage of `domain_hint` or `login_hint` parameter capability of Seamless SSO?
+**Q: What applications take advantage of `domain_hint` or `login_hint` parameter capability of Seamless SSO?**
 
 Listed below is a non-exhaustive list of applications that can send these parameters to Azure AD, and therefore provides users a silent sign-on experience using Seamless SSO (i.e., no need for your users to input their usernames or passwords):
 
@@ -55,21 +55,21 @@ In the above tables, replace "contoso.com" with your domain name to get to the r
 
 If you want other applications using our silent sign-on experience, let us know in the feedback section.
 
-## Does Seamless SSO support `Alternate ID` as the username, instead of `userPrincipalName`?
+**Q: Does Seamless SSO support `Alternate ID` as the username, instead of `userPrincipalName`?**
 
 Yes. Seamless SSO supports `Alternate ID` as the username when configured in Azure AD Connect as shown [here](how-to-connect-install-custom.md). Not all Office 365 applications support `Alternate ID`. Refer to the specific application's documentation for the support statement.
 
-## What is the difference between the single sign-on experience provided by [Azure AD Join](../active-directory-azureadjoin-overview.md) and Seamless SSO?
+**Q: What is the difference between the single sign-on experience provided by [Azure AD Join](../active-directory-azureadjoin-overview.md) and Seamless SSO?**
 
 [Azure AD Join](../active-directory-azureadjoin-overview.md) provides SSO to users if their devices are registered with Azure AD. These devices don't necessarily have to be domain-joined. SSO is provided using *primary refresh tokens* or *PRTs*, and not Kerberos. The user experience is most optimal on Windows 10 devices. SSO happens automatically on the Microsoft Edge browser. It also works on Chrome with the use of a browser extension.
 
 You can use both Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.
 
-## I want to register non-Windows 10 devices with Azure AD, without using AD FS. Can I use Seamless SSO instead?
+**Q: I want to register non-Windows 10 devices with Azure AD, without using AD FS. Can I use Seamless SSO instead?**
 
 Yes, this scenario needs version 2.1 or later of the [workplace-join client](https://www.microsoft.com/download/details.aspx?id=53554).
 
-## How can I roll over the Kerberos decryption key of the `AZUREADSSOACC` computer account?
+**Q: How can I roll over the Kerberos decryption key of the `AZUREADSSOACC` computer account?**
 
 It is important to frequently roll over the Kerberos decryption key of the `AZUREADSSOACC` computer account (which represents Azure AD) created in your on-premises AD forest.
 
@@ -78,66 +78,66 @@ It is important to frequently roll over the Kerberos decryption key of the `AZUR
 
 Follow these steps on the on-premises server where you are running Azure AD Connect:
 
-### Step 1. Get list of AD forests where Seamless SSO has been enabled
+    **Step 1. Get list of AD forests where Seamless SSO has been enabled**
 
-1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
-2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
-3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
-4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
-5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
+    1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
+    2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
+    3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
+    4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
+    5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
 
-### Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on
+    **Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on**
 
-1. Call `$creds = Get-Credential`. When prompted, enter the Domain Administrator credentials for the intended AD forest.
+    1. Call `$creds = Get-Credential`. When prompted, enter the Domain Administrator credentials for the intended AD forest.
 
-   > [!NOTE]
-   > We use the Domain Administrator's username, provided in the User Principal Names (UPN) ([email protected]) format or the domain qualified sam-account name (contoso\johndoe or contoso.com\johndoe) format, to find the intended AD forest. If you use domain qualified sam-account name, we use the domain portion of the username to [locate the Domain Controller of the Domain Administrator using DNS](https://social.technet.microsoft.com/wiki/contents/articles/24457.how-domain-controllers-are-located-in-windows.aspx). If you use UPN instead, we [translate it to a domain qualified sam-account name](https://docs.microsoft.com/windows/desktop/api/ntdsapi/nf-ntdsapi-dscracknamesa) before locating the appropriate Domain Controller.
+    > [!NOTE]
+    > We use the Domain Administrator's username, provided in the User Principal Names (UPN) ([email protected]) format or the domain qualified sam-account name (contoso\johndoe or contoso.com\johndoe) format, to find the intended AD forest. If you use domain qualified sam-account name, we use the domain portion of the username to [locate the Domain Controller of the Domain Administrator using DNS](https://social.technet.microsoft.com/wiki/contents/articles/24457.how-domain-controllers-are-located-in-windows.aspx). If you use UPN instead, we [translate it to a domain qualified sam-account name](https://docs.microsoft.com/windows/desktop/api/ntdsapi/nf-ntdsapi-dscracknamesa) before locating the appropriate Domain Controller.
 
-2. Call `Update-AzureADSSOForest -OnPremCredentials $creds`. This command updates the Kerberos decryption key for the `AZUREADSSOACC` computer account in this specific AD forest and updates it in Azure AD.
-3. Repeat the preceding steps for each AD forest that you’ve set up the feature on.
+    2. Call `Update-AzureADSSOForest -OnPremCredentials $creds`. This command updates the Kerberos decryption key for the `AZUREADSSOACC` computer account in this specific AD forest and updates it in Azure AD.
+    3. Repeat the preceding steps for each AD forest that you’ve set up the feature on.
 
->[!IMPORTANT]
->Ensure that you _don't_ run the `Update-AzureADSSOForest` command more than once. Otherwise, the feature stops working until the time your users' Kerberos tickets expire and are reissued by your on-premises Active Directory.
+    >[!IMPORTANT]
+    >Ensure that you _don't_ run the `Update-AzureADSSOForest` command more than once. Otherwise, the feature stops working until the time your users' Kerberos tickets expire and are reissued by your on-premises Active Directory.
 
-## How can I disable Seamless SSO?
+**Q: How can I disable Seamless SSO?**
 
-### Step 1. Disable the feature on your tenant
+    **Step 1. Disable the feature on your tenant**
 
-#### Option A: Disable using Azure AD Connect
+        **Option A: Disable using Azure AD Connect**
 
-1. Run Azure AD Connect, choose **Change user sign-in page** and click **Next**.
-2. Uncheck the **Enable single sign on** option. Continue through the wizard.
+        1. Run Azure AD Connect, choose **Change user sign-in page** and click **Next**.
+        2. Uncheck the **Enable single sign on** option. Continue through the wizard.
 
-After completing the wizard, Seamless SSO will be disabled on your tenant. However, you will see a message on screen that reads as follows:
+        After completing the wizard, Seamless SSO will be disabled on your tenant. However, you will see a message on screen that reads as follows:
 
-"Single sign-on is now disabled, but there are additional manual steps to perform in order to complete clean-up. Learn more"
+        "Single sign-on is now disabled, but there are additional manual steps to perform in order to complete clean-up. Learn more"
 
-To complete the clean-up process, follow steps 2 and 3 on the on-premises server where you are running Azure AD Connect.
+        To complete the clean-up process, follow steps 2 and 3 on the on-premises server where you are running Azure AD Connect.
 
-#### Option B: Disable using PowerShell
+        **Option B: Disable using PowerShell**
 
-Run the following steps on the on-premises server where you are running Azure AD Connect:
+        Run the following steps on the on-premises server where you are running Azure AD Connect:
 
-1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
-2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
-3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
-4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
-5. Call `Enable-AzureADSSO -Enable $false`.
+        1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
+        2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
+        3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
+        4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
+        5. Call `Enable-AzureADSSO -Enable $false`.
 
->[!IMPORTANT]
->Disabling Seamless SSO using PowerShell will not change the state in Azure AD Connect. Seamless SSO will show as enabled in the **Change user sign-in** page.
+        >[!IMPORTANT]
+        >Disabling Seamless SSO using PowerShell will not change the state in Azure AD Connect. Seamless SSO will show as enabled in the **Change user sign-in** page.
 
-### Step 2. Get list of AD forests where Seamless SSO has been enabled
+    **Step 2. Get list of AD forests where Seamless SSO has been enabled**
 
-Follow tasks 1 through 4 below if you have disabled Seamless SSO using Azure AD Connect. If you have disabled Seamless SSO using PowerShell instead, jump ahead to task 5 below.
+    Follow tasks 1 through 4 below if you have disabled Seamless SSO using Azure AD Connect. If you have disabled Seamless SSO using PowerShell instead, jump ahead to task 5 below.
 
-1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
-2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
-3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
-4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
-5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
+    1. First, download, and install [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview).
+    2. Navigate to the `%programfiles%\Microsoft Azure Active Directory Connect` folder.
+    3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
+    4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator credentials.
+    5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
 
-### Step 3. Manually delete the `AZUREADSSOACCT` computer account from each AD forest that you see listed.
+    **Step 3. Manually delete the `AZUREADSSOACCT` computer account from each AD forest that you see listed.**
 
 ## Next steps
 

articles/active-directory/hybrid/how-to-connect-sso-how-it-works.md

@@ -39,7 +39,7 @@ Seamless SSO is enabled using Azure AD Connect as shown [here](how-to-connect-ss
 - The computer account's Kerberos decryption key is shared securely with Azure AD. If there are multiple AD forests, each computer account will have its own unique Kerberos decryption key.
 
 >[!IMPORTANT]
-> The `AZUREADSSOACC` computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled, and that no other account in Active Directory has delegation permissions on the `AZUREADSSOACC` computer account.. Store the computer account in an Organization Unit (OU) where they are safe from accidental deletions and where only Domain Admins have access. The Kerberos decryption key on the computer account should also be treated as sensitive. We highly recommend that you [roll over the Kerberos decryption key](how-to-connect-sso-faq.md#how-can-i-roll-over-the-kerberos-decryption-key-of-the-azureadssoacc-computer-account) of the `AZUREADSSOACC` computer account at least every 30 days.
+> The `AZUREADSSOACC` computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled, and that no other account in Active Directory has delegation permissions on the `AZUREADSSOACC` computer account.. Store the computer account in an Organization Unit (OU) where they are safe from accidental deletions and where only Domain Admins have access. The Kerberos decryption key on the computer account should also be treated as sensitive. We highly recommend that you [roll over the Kerberos decryption key](how-to-connect-sso-faq.md) of the `AZUREADSSOACC` computer account at least every 30 days.
 
 Once the set-up is complete, Seamless SSO works the same way as any other sign-in that uses Integrated Windows Authentication (IWA).
 
@@ -52,7 +52,7 @@ The sign-in flow on a web browser is as follows:
 3. The user types in their user name into the Azure AD sign-in page.
 
    >[!NOTE]
-   >For [certain applications](./how-to-connect-sso-faq.md#what-applications-take-advantage-of-domain_hint-or-login_hint-parameter-capability-of-seamless-sso), steps 2 & 3 are skipped.
+   >For [certain applications](./how-to-connect-sso-faq.md), steps 2 & 3 are skipped.
 
 4. Using JavaScript in the background, Azure AD challenges the browser, via a 401 Unauthorized response, to provide a Kerberos ticket.
 5. The browser, in turn, requests a ticket from Active Directory for the `AZUREADSSOACC` computer account (which represents Azure AD).

articles/active-directory/hybrid/how-to-connect-sso-quick-start.md

@@ -216,7 +216,7 @@ In Step 2, Azure AD Connect creates computer accounts (representing Azure AD) in
 >[!IMPORTANT]
 >The Kerberos decryption key on a computer account, if leaked, can be used to generate Kerberos tickets for any user in its AD forest. Malicious actors can then impersonate Azure AD sign-ins for compromised users. We highly recommend that you periodically roll over these Kerberos decryption keys - at least once every 30 days.
 
-For instructions on how to roll over keys, see [Azure Active Directory Seamless Single Sign-On: Frequently asked questions](how-to-connect-sso-faq.md#how-can-i-roll-over-the-kerberos-decryption-key-of-the-azureadssoacc-computer-account). We are working on a capability to introduce automated roll over of keys.
+For instructions on how to roll over keys, see [Azure Active Directory Seamless Single Sign-On: Frequently asked questions](how-to-connect-sso-faq.md). We are working on a capability to introduce automated roll over of keys.
 
 >[!IMPORTANT]
 >You don't need to do this step _immediately_ after you have enabled the feature. Roll over the Kerberos decryption keys at least once every 30 days.