Merge branch 'main' into release-cogsvcs-orchestration

Author: v-alje

articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md

@@ -88,7 +88,7 @@ Based on the attribute-mapping, during full sync Azure AD provisioning service s
 
 For each SuccessFactors user, the provisioning service looks for an account in the target (Azure AD/on-premises Active Directory) using the matching attribute defined in the mapping. For example: if *personIdExternal* maps to *employeeId* and is set as the matching attribute, then the provisioning service uses the *personIdExternal* value to search for the user with *employeeId* filter. If a user match is found, then it updates the target attributes. If no match is found, then it creates a new entry in the target. 
 
-To validate the data returned by your OData API endpoint for a specific `personIdExternal`, update the `SuccessFactorsAPIEndpoint` in the API query below with your API data center server URL and use a tool like [Postman](https://www.postman.com/downloads/) to invoke the query. 
+To validate the data returned by your OData API endpoint for a specific `personIdExternal`, update the `SuccessFactorsAPIEndpoint` in the API query below with your API data center server URL and use a tool like [Postman](https://www.postman.com/downloads/) to invoke the query. If the "in" filter does not work, you can try the "eq" filter. 
 
 ```
 https://[SuccessFactorsAPIEndpoint]/odata/v2/PerPerson?$format=json&
@@ -137,10 +137,11 @@ By using JSONPath transformation, you can customize the behavior of the Azure AD
 This section covers how you can customize the provisioning app for the following HR scenarios: 
 * [Retrieving additional attributes](#retrieving-additional-attributes)
 * [Retrieving custom attributes](#retrieving-custom-attributes)
-* [Handling worker conversion scenario](#handling-worker-conversion-scenario)
-* [Handling rehire scenario](#handling-rehire-scenario)
+* [Handling worker conversion and rehire scenario](#handling-worker-conversion-and-rehire-scenario)
 * [Handling global assignment scenario](#handling-global-assignment-scenario)
 * [Handling concurrent jobs scenario](#handling-concurrent-jobs-scenario)
+* [Retrieving position details](#retrieving-position-details)
+* [Provisioning users in the Onboarding module](#provisioning-users-in-the-onboarding-module)
 
 ### Retrieving additional attributes
 
@@ -192,9 +193,18 @@ Extending this scenario:
 * If you want to map *custom35* attribute from the *User* entity, then use the JSONPath `$.employmentNav.results[0].userNav.custom35`
 * If you want to map *customString35* attribute from the *EmpEmployment* entity, then use the JSONPath `$.employmentNav.results[0].customString35`
 
-### Handling worker conversion scenario
+### Handling worker conversion and rehire scenario
 
-Worker conversion is the process of converting an existing full-time employee to a contractor or a contractor to full-time. In this scenario, Employee Central adds a new *EmpEmployment* entity along with a new *User* entity for the same *Person* entity. The *User* entity nested under the previous *EmpEmployment* entity is set to null. To handle this scenario so that the new employment data shows up when a conversion occurs, you can bulk update the provisioning app schema using the steps listed below:  
+**About worker conversion scenario:** Worker conversion is the process of converting an existing full-time employee to a contractor or a contractor to full-time. In this scenario, Employee Central adds a new *EmpEmployment* entity along with a new *User* entity for the same *Person* entity. The *User* entity nested under the previous *EmpEmployment* entity is set to null. 
+
+**About rehire scenario:** In SuccessFactors, there are two options to process rehires: 
+* Option 1: Create a new person profile in Employee Central
+* Option 2: Reuse existing person profile in Employee Central
+
+If your HR process uses Option 1, then no changes are required to the provisioning schema. 
+If your HR process uses Option 2, then Employee Central adds a new *EmpEmployment* entity along with a new *User* entity for the same *Person* entity. 
+
+To handle both these scenarios so that the new employment data shows up when a conversion or rehire occurs, you can bulk update the provisioning app schema using the steps listed below:  
 
 1. Open the attribute-mapping blade of your SuccessFactors provisioning app. 
 1. Scroll down and click **Show advanced options**.
@@ -207,41 +217,15 @@ Worker conversion is the process of converting an existing full-time employee to
    >![Screenshot shows the Schema editor with Download select to save a copy of the schema.](media/sap-successfactors-integration-reference/download-schema.png#lightbox)
 1. In the schema editor, press Ctrl-H key to open the find-replace control.
 1. In the find text box, copy, and paste the value `$.employmentNav.results[0]`
-1. In the replace text box, copy, and paste the value `$.employmentNav.results[?(@.userNav != null)]`. Note the whitespace surrounding the `!=` operator, which is important for successful processing of the JSONPath expression. 
-   >![find-replace-conversion](media/sap-successfactors-integration-reference/find-replace-conversion-scenario.png#lightbox)
-1. Click on the "replace all" option to update the schema. 
-1. Save the schema. 
-1. The above process updates all JSONPath expressions as follows: 
-   * Old JSONPath: `$.employmentNav.results[0].jobInfoNav.results[0].departmentNav.name_localized`
-   * New JSONPath: `$.employmentNav.results[?(@.userNav != null)].jobInfoNav.results[0].departmentNav.name_localized`
-1. Restart provisioning. 
-
-### Handling rehire scenario
-
-Usually there are two options to process rehires: 
-* Option 1: Create a new person profile in Employee Central
-* Option 2: Reuse existing person profile in Employee Central
-
-If your HR process uses Option 1, then no changes are required to the provisioning schema. 
-If your HR process uses Option 2, then Employee Central adds a new *EmpEmployment* entity along with a new *User* entity for the same *Person* entity. Unlike the conversion scenario, the *User* entity in the previous *EmpEmployment* entity is not set to null. 
-
-To handle this rehire scenario (option 2), so that the latest employment data shows up for rehire profiles, you can bulk update the provisioning app schema using the steps listed below:  
-
-1. Open the attribute-mapping blade of your SuccessFactors provisioning app. 
-1. Scroll down and click **Show advanced options**.
-1. Click on the link **Review your schema here** to open the schema editor.   
-1. Click on the **Download** link to save a copy of the schema before editing.   
-1. In the schema editor, press Ctrl-H key to open the find-replace control.
-1. In the find text box, copy, and paste the value `$.employmentNav.results[0]`
 1. In the replace text box, copy, and paste the value `$.employmentNav.results[-1:]`. This JSONPath expression returns the latest *EmpEmployment* record.   
+   >![find-replace-conversion](media/sap-successfactors-integration-reference/find-replace-conversion-scenario.png#lightbox)
 1. Click on the "replace all" option to update the schema. 
 1. Save the schema. 
 1. The above process updates all JSONPath expressions as follows: 
    * Old JSONPath: `$.employmentNav.results[0].jobInfoNav.results[0].departmentNav.name_localized`
    * New JSONPath: `$.employmentNav.results[-1:].jobInfoNav.results[0].departmentNav.name_localized`
 1. Restart provisioning. 
 
-This schema change also supports the worker conversion scenario. 
 
 ### Handling global assignment scenario
 
@@ -257,7 +241,7 @@ To fetch attributes belonging to the standard assignment and global assignment u
 1. Click on the **Download** link to save a copy of the schema before editing.   
 1. In the schema editor, press Ctrl-H key to open the find-replace control.
 1. In the find text box, copy, and paste the value `$.employmentNav.results[0]`
-1. In the replace text box, copy, and paste the value `$.employmentNav.results[?(@.assignmentClass == 'ST')]`. 
+1. In the replace text box, copy, and paste the value `$.employmentNav.results[?(@.assignmentClass == 'ST')]`. Note the whitespace surrounding the == operator, which is important for successful processing of the JSONPath expression.
 1. Click on the "replace all" option to update the schema. 
 1. Save the schema. 
 1. The above process updates all JSONPath expressions as follows: 
@@ -339,7 +323,7 @@ Usually the *personIdExternal* attribute value in SuccessFactors matches the *us
 1. Ensure that an extensionAttribute *(extensionAttribute1-15)* in Azure AD always stores the *userId* of every worker's active employment record. This can be achieved by mapping SuccessFactors *userId* attribute to an extensionAttribute in Azure AD. 
     > [!div class="mx-imgBorder"]
     > ![Inbound UserID attribute mapping](./media/sap-successfactors-integration-reference/inbound-userid-attribute-mapping.png)
-1. For guidance regarding JSONPath settings, refer to the section [Handling rehire scenario](#handling-rehire-scenario) to ensure the *userId* value of the active employment record flows into Azure AD. 
+1. For guidance regarding JSONPath settings, refer to the section [Handling worker conversion and rehire scenario](#handling-worker-conversion-and-rehire-scenario) to ensure the *userId* value of the active employment record flows into Azure AD. 
 1. Save the mapping. 
 1. Run the provisioning job to ensure that the *userId* values flow into Azure AD. 
     > [!NOTE]

articles/active-directory/app-provisioning/workday-integration-reference.md

@@ -298,6 +298,10 @@ The following *Get_Workers* request queries for effective-dated updates that hap
 
 If any of the above queries returns a future-dated hire, then the following *Get_Workers* request is used to fetch information about a future-dated new hire. The *WID* attribute of the new hire is used to perform the lookup and the effective date is set to the date and time of hire. 
 
+>[!NOTE]
+>Future-dated hires in Workday have the Active field set to "0" and it changes to "1" on the hire date. The connector by design queries for future-hire information effective on the date of hire and that is why it always gets future hire Worker profile with Active field set to "1". This allows you to setup the Azure AD profile for future hires in advance with the all the right information pre-populated. If you'd like to delay the enabling of the Azure AD account for future hires, use the transformation function [DateDiff](functions-for-customizing-application-data.md#datediff). 
+
+
 ```xml
 <!-- Workday incremental sync query to get new hire data effective as on hire date/first day of work -->
 <!-- Replace version with Workday Web Services version present in your connection URL -->
@@ -451,6 +455,10 @@ To get this data, as part of the *Get_Workers* response, use the following XPATH
 
 ## Handling different HR scenarios
 
+This section covers how you can customize the provisioning app for the following HR scenarios: 
+* [Support for worker conversions](#support-for-worker-conversions)
+* [Retrieving international job assignments and secondary job details](#retrieving-international-job-assignments-and-secondary-job-details)
+
 ### Support for worker conversions
 
 When a worker converts from employee to contingent worker or from contingent worker to employee, the Workday connector automatically detects this change and links the AD account to the active worker profile so that all AD attributes are in sync with the active worker profile. No configuration changes are required to enable this functionality. Here is the description of the provisioning behavior when a conversion happens. 

articles/active-directory/enterprise-users/licensing-groups-resolve-problems.md

@@ -22,7 +22,7 @@ ms.collection: M365-identity-device-management
 
 Group-based licensing in Azure Active Directory (Azure AD) introduces the concept of users in a licensing error state. In this article, we explain the reasons why users might end up in this state.
 
-When you assign licenses directly to individual users, without using group-based licensing, the assignment operation might fail. For example, when you execute the PowerShell cmdlet `Set-MsolUserLicense` on a user system, the cmdlet can fail for many reasons that are related to business logic. For example, there might be an insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time. The problem is immediately reported back to you.
+When you assign licenses directly to individual users, without using group-based licensing, the assignment operation might fail for reasons that are related to business logic. For example, there might be an insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time. The problem is immediately reported back to you.
 
 When you're using group-based licensing, the same errors can occur, but they happen in the background while the Azure AD service is assigning licenses. For this reason, the errors can't be communicated to you immediately. Instead, they're recorded on the user object and then reported via the administrative portal. The original intent to license the user is never lost, but it's recorded in an error state for future investigation and resolution.
 

articles/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: msi
 ms.topic: how-to
 ms.workload: identity
-ms.date: 03/04/2022
+ms.date: 03/08/2022
 ms.author: barclayn 
 ms.custom: devx-track-azurecli
 zone_pivot_groups: identity-mi-methods
@@ -81,13 +81,13 @@ In some environments, administrators choose to limit who can manage user-assigne
 1. Sign in to the [Azure portal](https://portal.azure.com).
 1. In the search box, enter **Managed Identities**. Under **Services**, select **Managed Identities**.
 1. A list of the user-assigned managed identities for your subscription is returned. Select the user-assigned managed identity that you want to manage.
-1. Select **Azure role assignments**, and then select **Add role assignment**.
-1. In the **Add role assignment** pane, configure the following values, and then select **Save**:
-   - **Role**: The role to assign.
-   - **Assign access to**: The resource to assign the user-assigned managed identity.
-   - **Select**: The member to assign access.
-   
-   ![Screenshot that shows the user-assigned managed identity IAM.](media/how-manage-user-assigned-managed-identities/assign-role-screenshot-02.png)
+1. Select **Access control (IAM)**.
+1. Choose **Add role assignment**.
+  
+   ![Screenshot that shows the user-assigned managed identity access control screen](media/how-manage-user-assigned-managed-identities/role-assign.png)
+
+1. In the **Add role assignment** pane, choose the role to assign and choose **Next**.
+1. Choose who should have the role assigned.
 
 >[!NOTE]
 >You can find information on assigning roles to managed identities in [Assign a managed identity access to a resource by using the Azure portal](../../role-based-access-control/role-assignments-portal-managed-identity.md)

articles/active-directory/managed-identities-azure-resources/media/how-manage-user-assigned-managed-identities/role-assign.png

@@ -0,0 +1,92 @@
+---
+title: Azure Active Directory SLA performance | Microsoft Docs
+description: Learn about the Azure AD SLA performance
+services: active-directory
+documentationcenter: ''
+author: MarkusVi
+manager: karenhoran
+editor: ''
+
+ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e
+ms.service: active-directory
+ms.topic: reference
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.subservice: report-monitor
+ms.date: 03/15/2022
+ms.author: markvi
+ms.reviewer: besiler
+
+ms.collection: M365-identity-device-management
+---
+
+# Azure Active Directory SLA performance 
+
+As an identity admin, you may need to track Azure AD's service-level agreement (SLA) performance to make sure Azure AD can support your vital apps. This article shows how the Azure AD service has performed according to the [SLA for Azure Active Directory (Azure AD)](https://azure.microsoft.com/support/legal/sla/active-directory/v1_1/). 
+
+You can use this article in discussions with app or business owners to help them understand the performance they can expect from Azure AD. 
+
+
+## Service availability commitment 
+
+Microsoft offers Premium Azure AD customers the opportunity to get a service credit if Azure AD fails to meet the documented SLA. When you request a service credit, Microsoft evaluates the SLA for your specific tenant; however, this global SLA can give you an indication of the general health of Azure AD over time. 
+
+The SLA covers the following scenarios that are vital to businesses:
+
+- **User authentication:** Users are able to login to the Azure Active Directory service.
+
+- **App access:** Azure Active Directory successfully emits the authentication and authorization tokens required for users to log into applications connected to the service.
+
+For full details on SLA coverage and instructions on requesting a service credit, see the [SLA for Azure Active Directory (Azure AD)](https://azure.microsoft.com/support/legal/sla/active-directory/v1_1/).
+
+
+## No planned downtime 
+
+You rely on Azure AD to provide identity and access management for your vital systems. To ensure Azure AD is available when business operations require it, Microsoft does not plan downtime for Azure AD system maintenance. Instead, maintenance is performed as the service runs, without customer impact. 
+
+## Recent worldwide SLA performance 
+
+To help you plan for moving workloads to Azure AD, we publish past SLA performance. These numbers show the level at which Azure AD met the requirements in the [SLA for Azure Active Directory (Azure AD)](https://azure.microsoft.com/support/legal/sla/active-directory/v1_1/), for all tenants. 
+
+For each month, we truncate the SLA attainment at three places after the decimal. Numbers are not rounded up, so actual SLA attainment is higher than indicated. 
+
+
+| Month     | 2021    | 2022    |
+| ---       | ---     | ---     |
+| January   |         | 99.999% |
+| February  | 99.999% | 99.999% |
+| March     | 99.568% |         |
+| April     | 99.999% |         |
+| May       | 99.999% |         |
+| June      | 99.999% |         |
+| July      | 99.999% |         |
+| August    | 99.999% |         |
+| September | 99.999% |         |
+| October   | 99.999% |         |
+| November  | 99.998% |         |
+| December  | 99.978% |         |
+
+
+
+### How is Azure AD SLA measured? 
+
+The Azure AD SLA is measured in a way that reflects customer authentication experience, rather than simply reporting on whether the system is available to outside connections. This means that the calculation is based on whether:
+
+- Users can authenticate 
+- Azure AD successfully issues tokens for target apps after authentication
+  
+The numbers above are a global total of Azure AD authentications across all customers and geographies. 
+  
+
+## Incident history 
+
+All incidents that seriously impact Azure AD performance are documented in the [Azure status history](https://status.azure.com/status/history/). Not all events documented in Azure status history are serious enough to cause Azure AD to go below its SLA. You can view information about the impact of incidents, as well as a root cause analysis of what caused the incident and what steps Microsoft took to prevent future incidents. 
+
+ 
+
+
+## Next steps
+
+* [Azure AD reports overview](overview-reports.md)
+* [Programmatic access to Azure AD reports](concept-reporting-api.md)
+* [Azure Active Directory risk detections](../identity-protection/overview-identity-protection.md)

articles/active-directory/reports-monitoring/reference-azure-ad-sla-performance.md

@@ -104,6 +104,8 @@
 - name: Reference
   expanded: true
   items:
+  - name: Azure Active Directory SLA performance
+    href: reference-azure-ad-sla-performance.md
   - name: Basic info in the sign-in logs
     href: reference-basic-info-sign-in-logs.md
   - name: Azure AD PowerShell cmdlets for reporting