Commit dc64392

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into vnet-old-review-1
2 parents bff9ffd + 332b45d commit dc64392

30 files changed: +758 -236 lines changed

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,7 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
2525
- A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server, with connectivity to the target application, and with outbound connectivity to login.microsoftonline.com, other Microsoft Online Services and Azure domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy.
2626

2727
## Deploying Azure AD provisioning agent
28-
The Azure AD Provisioning agent can be deployed on the same server hosting a SCIM enabled application, or a seperate server, providing it has line of sight to the application's SCIM endpoint. A single agent also supports provision to multiple applications hosted locally on the same server or seperate hosts, again as long as each SCIM endpoint is reachable by the agent.
28+
The Azure AD Provisioning agent can be deployed on the same server hosting a SCIM enabled application, or a separate server, providing it has line of sight to the application's SCIM endpoint. A single agent also supports provision to multiple applications hosted locally on the same server or separate hosts, again as long as each SCIM endpoint is reachable by the agent.
2929

3030
1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM application endpoint is hosted on.
3131
2. Run the provisioning agent installer, agree to the terms of service, and select **Install**.
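Review bot: The rewritten paragraph under "Deploying Azure AD provisioning agent" fixes "seperate" but leaves other problems on the same line: "SCIM enabled application" should be hyphenated as "SCIM-enabled application", and "supports provision to multiple applications" should read "supports provisioning to multiple applications". "Provisioning agent" is also capitalised in the body but lower-case in the heading directly above. Since the line is already being touched, fix these in the same change.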

articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md

Lines changed: 7 additions & 2 deletions
@@ -6,12 +6,12 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 01/29/2023
9+
ms.date: 03/23/2023
1010

1111
ms.author: justinha
1212
author: justinha
1313
manager: amycolannino
14-
ms.reviewer: jsimmons
14+
ms.reviewer: mimanans
1515

1616
ms.collection: M365-identity-device-management
1717
---
@@ -95,6 +95,7 @@ The following core requirements apply:
9595

9696
> [!NOTE]
9797
> Some endpoints, such as the CRL endpoint, are not addressed in this article. For a list of all supported endpoints, see [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online).
98+
>In addition, other endpoints are required for Azure portal authentication. For more information, see [Azure portal URLs for proxy bypass](/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud#azure-portal-urls-for-proxy-bypass).
9899
99100
### Azure AD Password Protection DC agent
100101

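Review bot: The added line in the `[!NOTE]` block starts with `>In addition` with no space after `>`, unlike the `> ` lines above it, and it is not separated from the previous sentence by a `>` blank line, so it renders as a run-on of the same paragraph. Write it as `> In addition, ...` and decide whether it should be its own paragraph inside the note. The link also carries `?tabs=public-cloud` ahead of the anchor; confirm that the tab parameter is wanted in a cross-article link.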
@@ -248,6 +249,8 @@ To install the Azure AD Password Protection proxy service, complete the followin
248249

249250
Registration of the Azure AD Password Protection proxy service is necessary only once in the lifetime of the service. After that, the Azure AD Password Protection proxy service will automatically perform any other necessary maintenance.
250251

252+
1. To make sure that the changes have taken effect, run `Test-AzureADPasswordProtectionDCAgentHealth -TestAll`. For help resolving errors, see [Troubleshoot: On-premises Azure AD Password Protection](howto-password-ban-bad-on-premises-troubleshoot.md).
253+
251254
1. Now register the on-premises Active Directory forest with the necessary credentials to communicate with Azure by using the `Register-AzureADPasswordProtectionForest` PowerShell cmdlet.
252255

253256
> [!NOTE]
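Review bot: The inserted verification step calls `Test-AzureADPasswordProtectionDCAgentHealth -TestAll`, a DC agent check, inside the proxy service installation procedure and ahead of the forest registration step. The only change made so far at this point is the proxy registration, so either say which changes are being verified and on which machine the cmdlet is run, or use a proxy-side health check here instead. The next step still opens with "Now register", which read as a continuation of the registration paragraph and now follows a verification step; reword it.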
@@ -301,6 +304,8 @@ To install the Azure AD Password Protection proxy service, complete the followin
301304
302305
For `Register-AzureADPasswordProtectionForest` to succeed, at least one DC running Windows Server 2012 or later must be available in the Azure AD Password Protection proxy server's domain. The Azure AD Password Protection DC agent software doesn't have to be installed on any domain controllers prior to this step.
303306

307+
1. To make sure that the changes have taken effect, run `Test-AzureADPasswordProtectionDCAgentHealth -TestAll`. For help resolving errors, see [Troubleshoot: On-premises Azure AD Password Protection](howto-password-ban-bad-on-premises-troubleshoot.md).
308+
304309
### Configure the proxy service to communicate through an HTTP proxy
305310

306311
If your environment requires the use of a specific HTTP proxy to communicate with Azure, use the following steps to configure the Azure AD Password Protection service.
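Review bot: The context line directly above the added step says the DC agent software doesn't have to be installed on any domain controllers prior to this step, yet the step tells the reader to run `Test-AzureADPasswordProtectionDCAgentHealth -TestAll`. A reader following the procedure in order may have no DC agent to test. State the prerequisite (for example, that the check is run after the DC agent is installed) or move the check to the DC agent section. The sentence is also a verbatim copy of the step added after proxy registration, so "the changes" does not identify what is being verified in either place.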

articles/active-directory/manage-apps/add-application-portal-assign-users.md

Lines changed: 10 additions & 9 deletions
@@ -8,50 +8,51 @@ ms.service: active-directory
88
ms.subservice: app-mgmt
99
ms.topic: quickstart
1010
ms.workload: identity
11-
ms.date: 03/24/2022
11+
ms.date: 03/23/2023
1212
ms.author: jomondi
1313
ms.reviewer: alamaral
14-
ms.custom: mode-other
14+
ms.custom: mode-other, enterprise-apps
1515
#Customer intent: As an administrator of an Azure AD tenant, I want to assign a user to an enterprise application.
1616
---
1717

1818
# Quickstart: Create and assign a user account
1919

2020
In this quickstart, you use the Azure portal to create a user account in your Azure Active Directory (Azure AD) tenant. After you create the account, you can assign it to the enterprise application that you added to your tenant.
2121

22-
It is recommended that you use a non-production environment to test the steps in this quickstart.
22+
It's recommended that you use a nonproduction environment to test the steps in this quickstart.
2323

2424
## Prerequisites
2525

2626
To create a user account and assign it to an enterprise application, you need:
2727

2828
- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
29-
- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
29+
- One of the following roles: Global Administrator, or owner of the service principal.
3030
- Completion of the steps in [Quickstart: Add an enterprise application](add-application-portal.md).
3131

3232
## Create a user account
3333

3434
To create a user account in your Azure AD tenant:
3535

3636
1. Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
37-
1. Browse to **Azure Active Directory** > **Users**.
37+
1. Browse to **Azure Active Directory** and select **Users**.
3838
1. Select **New user** at the top of the pane.
3939

4040
:::image type="content" source="media/add-application-portal-assign-users/new-user.png" alt-text="Add a new user account to your Azure AD tenant.":::
4141

4242
1. In the **User name** field, enter the username of the user account. For example, `[email protected]`. Be sure to change `contoso.com` to the name of your tenant domain.
4343
1. In the **Name** field, enter the name of the user of the account. For example, `contosouser1`.
44-
1. Leave **Auto-generate password** selected, and then select **Show password**. Write down the value that's displayed in the Password box.
44+
1. Enter the details required for the user under the **Groups and roles**, **Settings**, and **Job info** sections.
4545
1. Select **Create**.
4646

4747
## Assign a user account to an enterprise application
4848

4949
To assign a user account to an enterprise application:
5050

51-
1. In the [Azure portal](https://portal.azure.com), browse to **Azure Active Directory** > **Enterprise applications**, and then search for and select the application to which you want to assign the user account. For example, the application that you created in the previous quickstart named **Azure AD SAML Toolkit 1**.
51+
1. In the [Azure portal](https://portal.azure.com), browse to **Azure Active Directory** and select **Enterprise applications**.
52+
1. Search for and select the application to which you want to assign the user account. For example, the application that you created in the previous quickstart named **Azure AD SAML Toolkit 1**.
5253
1. In the left pane, select **Users and groups**, and then select **Add user/group**.
5354

54-
:::image type="content" source="media/add-application-portal-assign-users/assign-user.png" alt-text="Assign user account to zn application in your Azure AD tenant.":::
55+
:::image type="content" source="media/add-application-portal-assign-users/assign-user.png" alt-text="Assign user account to an application in your Azure AD tenant.":::
5556

5657
1. On the **Add Assignment** pane, select **None Selected** under **Users and groups**.
5758
1. Search for and select the user that you want to assign to the application. For example, `[email protected]`.
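Review bot: Replacing the "Leave **Auto-generate password** selected ... Write down the value" step with "Enter the details required for the user under the **Groups and roles**, **Settings**, and **Job info** sections" leaves the "Create a user account" procedure with no mention of how the new account's initial password is set or retrieved, and it does not say which details are required. Add a step that covers the password, or state where it is handled. Separately, the prerequisites now read "Global Administrator, or owner of the service principal": the comma before "or" is wrong with two items, and dropping Cloud Application Administrator and Application Administrator leaves Global Administrator as the only directory role listed for a user-assignment task. Confirm that is intended, since it steers readers toward the most privileged role.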
@@ -60,7 +61,7 @@ To assign a user account to an enterprise application:
6061

6162
## Clean up resources
6263

63-
If you are planning to complete the next quickstart, keep the application that you created. Otherwise, you can consider deleting it to clean up your tenant.
64+
If you're planning to complete the next quickstart, keep the application that you created. Otherwise, you can consider deleting it to clean up your tenant.
6465

6566
## Next steps
6667

articles/active-directory/manage-apps/add-application-portal.md

Lines changed: 7 additions & 7 deletions
@@ -8,32 +8,32 @@ ms.service: active-directory
88
ms.subservice: app-mgmt
99
ms.topic: quickstart
1010
ms.workload: identity
11-
ms.date: 03/24/2022
11+
ms.date: 03/22/2023
1212
ms.author: jomondi
1313
ms.reviewer: ergreenl
14-
ms.custom: mode-other
14+
ms.custom: mode-other, enterprise-apps
1515
#Customer intent: As an administrator of an Azure AD tenant, I want to add an enterprise application.
1616
---
1717

1818
# Quickstart: Add an enterprise application
1919

20-
In this quickstart, you use the Azure portal to add an enterprise application to your Azure Active Directory (Azure AD) tenant. Azure AD has a gallery that contains thousands of enterprise applications that have been pre-integrated. Many of the applications your organization uses are probably already in the gallery. This quickstart uses the application named **Azure AD SAML Toolkit** as an example, but the concepts apply for most [enterprise applications in the gallery](../saas-apps/tutorial-list.md).
20+
In this quickstart, you use the Azure portal to add an enterprise application to your Azure Active Directory (Azure AD) tenant. Azure AD has a gallery that contains thousands of enterprise applications that have been preintegrated. Many of the applications your organization uses are probably already in the gallery. This quickstart uses the application named **Azure AD SAML Toolkit** as an example, but the concepts apply for most [enterprise applications in the gallery](../saas-apps/tutorial-list.md).
2121

22-
It is recommended that you use a non-production environment to test the steps in this quickstart.
22+
It's recommended that you use a nonproduction environment to test the steps in this quickstart.
2323

2424
## Prerequisites
2525

2626
To add an enterprise application to your Azure AD tenant, you need:
2727

2828
- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
29-
- One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator.
29+
- One of the following roles: Global Administrator, or Application Administrator.
3030

3131
## Add an enterprise application
3232

3333
To add an enterprise application to your tenant:
3434

3535
1. Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
36-
1. Browse to **Azure Active Directory** > **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
36+
1. Browse to **Azure Active Directory** and select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
3737
1. In the **Enterprise applications** pane, select **New application**.
3838
1. The **Browse Azure AD Gallery** pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Applications listed in the **Featured applications** section have icons indicating whether they support federated single sign-on (SSO) and provisioning. Search for and select the application. In this quickstart, **Azure AD SAML Toolkit** is being used.
3939

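Review bot: The prerequisites line now reads "Global Administrator, or Application Administrator", which is inconsistent with the other two quickstarts changed in this commit: the assign-users and view-applications articles drop Application Administrator too and keep "owner of the service principal". Decide on one role list for the quickstart series and apply it to all three files, and remove the comma before "or" in a two-item list. The change from "pre-integrated" to "preintegrated" and "non-production" to "nonproduction" is fine if it follows the style guide, but apply it throughout the article, not only on the lines touched here.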
@@ -46,7 +46,7 @@ If you choose to install an application that uses OpenID Connect based SSO, inst
4646

4747
## Clean up resources
4848

49-
If you are planning to complete the next quickstart, keep the enterprise application that you created. Otherwise, you can consider deleting it to clean up your tenant. For more information, see [Delete an application](delete-application-portal.md).
49+
If you're planning to complete the next quickstart, keep the enterprise application that you created. Otherwise, you can consider deleting it to clean up your tenant. For more information, see [Delete an application](delete-application-portal.md).
5050

5151
## Next steps
5252


articles/active-directory/manage-apps/view-applications-portal.md

Lines changed: 9 additions & 9 deletions
@@ -8,33 +8,33 @@ ms.service: active-directory
88
ms.subservice: app-mgmt
99
ms.workload: identity
1010
ms.topic: quickstart
11-
ms.date: 03/24/2022
11+
ms.date: 03/23/2023
1212
ms.author: jomondi
1313
ms.reviewer: alamaral
14-
ms.custom: mode-other
14+
ms.custom: mode-other, enterprise-apps
1515
#Customer intent: As an administrator of an Azure AD tenant, I want to search for and view the enterprise applications in the tenant.
1616
---
1717

1818
# Quickstart: View enterprise applications
1919

2020
In this quickstart, you learn how to use the Azure portal to search for and view the enterprise applications that are already configured in your Azure Active Directory (Azure AD) tenant.
2121

22-
It is recommended that you use a non-production environment to test the steps in this quickstart.
22+
It's recommended that you use a nonproduction environment to test the steps in this quickstart.
2323

2424
## Prerequisites
2525

2626
To view applications that have been registered in your Azure AD tenant, you need:
2727

2828
- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
29-
- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
29+
- One of the following roles: Global Administrator, or owner of the service principal.
3030
- Completion of the steps in [Quickstart: Add an enterprise application](add-application-portal.md).
3131

3232
## View a list of applications
3333

3434
To view the enterprise applications registered in your tenant:
3535

3636
1. Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
37-
1. Browse to **Azure Active Directory** > **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
37+
1. Browse to **Azure Active Directory** and select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
3838

3939
:::image type="content" source="media/view-applications-portal/view-enterprise-applications.png" alt-text="View the registered applications in your Azure AD tenant.":::
4040

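Review bot: In the prerequisites for viewing applications, the role list is cut to "Global Administrator, or owner of the service principal". Viewing the application list is a read-only task, and the removed line allowed Cloud Application Administrator and Application Administrator; after this change the only directory role a reader can pick is Global Administrator. If the narrower roles still work, keep at least one of them so the quickstart does not push readers to sign in with the highest-privilege role. The comma before "or" should also go.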
@@ -52,17 +52,17 @@ To search for a particular application:
5252

5353
Select options according to what you're looking for:
5454

55-
1. You can view the applications by **Application Type**, **Application Status**, and **Application visibility**. These three options are the default filters.
55+
1. The default filters are **Application Type** and **Application ID starts with**, and **Application visibility**.
5656
1. Under **Application Type**, choose one of these options:
5757
- **Enterprise Applications** shows non-Microsoft applications.
5858
- **Microsoft Applications** shows Microsoft applications.
5959
- **Managed Identities** shows applications that are used to authenticate to services that support Azure AD authentication.
6060
- **All Applications** shows both non-Microsoft and Microsoft applications.
61-
1. Under **Application Status**, choose **Any**, **Disabled**, or **Enabled**. The **Any** option includes both disabled and enabled applications.
61+
1. Under **Application ID starts with**, enter the first few digits of the application ID if you know the application ID.
6262
1. Under **Application Visibility**, choose **Any**, or **Hidden**. The **Hidden** option shows applications that are in the tenant, but aren't visible to users.
6363
1. After choosing the options you want, select **Apply**.
64-
1. Select **Add filters** to add more options for filtering the search results. The other options are:
65-
- **Application ID**
64+
1. Select **Add filters** to add more options for filtering the search results. The other options include:
65+
- **Application Visibility**
6666
- **Created on**
6767
- **Assignment required**
6868
- **Is App Proxy**
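Review bot: The new first step lists **Application visibility** as a default filter, but the updated **Add filters** list now also offers **Application Visibility** as one of "the other options", so the same filter appears as both default and additional. Check the portal and keep it in one list only. The first step also needs a grammar pass ("**Application Type** and **Application ID starts with**, and **Application visibility**" has two "and"s) and uses "visibility" in lower case where later steps use "Visibility". In the **Application ID starts with** step, "if you know the application ID" repeats the term; "enter the first few digits of the application ID, if known" is enough.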

articles/active-directory/workload-identities/TOC.yml

Lines changed: 6 additions & 0 deletions
@@ -47,6 +47,12 @@
4747
href: ../reports-monitoring/recommendation-remove-unused-credential-from-apps.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
4848
- name: Renew expiring application credentials
4949
href: ../reports-monitoring/recommendation-renew-expiring-application-credential.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
50+
- name: Enforce app management restrictions
51+
items:
52+
- name: All apps and service principals in a tenant
53+
href: /graph/api/resources/tenantappmanagementpolicy?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
54+
- name: Specific apps and service principals
55+
href: /graph/api/resources/appmanagementpolicy?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
5056
- name: Reference
5157
items:
5258
- name: Federated identity credentials considerations and limitations
