Merge branch 'main' into release-arcscvmm-pup2

Author: v-alje

.openpublishing.redirection.json

@@ -24515,6 +24515,14 @@
             "source_path_from_root": "/articles/aks/command-invoke.md",
             "redirect_url": "/azure/aks/access-private-cluster",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/orbital/space-partner-program-overview.md",
+            "redirect_url": "/azure/orbital/overview",
+            "redirect_document_id": false
         }
+
+
+        
     ]
 }

articles/active-directory/app-provisioning/provision-on-demand.md

@@ -173,6 +173,7 @@ There are currently a few known limitations to on-demand provisioning. Post your
 * On-demand provisioning of roles isn't supported.
 * On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users don't appear when you search for a user.
 * On-demand provisioning doesn't support nested groups that aren't directly assigned to the application.
+* The on-demand provisioning request API can only accept a single group with up to 5 members at a time.
 
 ## Next steps
 

articles/active-directory/authentication/TOC.yml

@@ -9,7 +9,7 @@
   items:
   - name: Enable self-service password reset
     href: tutorial-enable-sspr.md
-  - name: Enable Azure AD Multi-Factor Authentication
+  - name: Enable Microsoft Entra multifactor authentication
     href: tutorial-enable-azure-mfa.md
   - name: Enable cloud sync password writeback
     href: tutorial-enable-cloud-sync-sspr-writeback.md
@@ -54,7 +54,7 @@
       href: concept-sspr-policy.md
     - name: Licenses
       href: concept-sspr-licensing.md
-  - name: Multifactor Authentication
+  - name: Multifactor authentication
     items:
     - name: How MFA works
       href: concept-mfa-howitworks.md
@@ -130,13 +130,13 @@
         href: /windows/security/identity-protection/hello-for-business/hello-identity-verification
       - name: Certificate-based authentication
         items:
-        - name: Azure AD CBA
+        - name: Microsoft Entra CBA
           items:
           - name: Overview
             href: concept-certificate-based-authentication.md
-          - name: How Azure AD CBA works
+          - name: How Microsoft Entra CBA works
             href: concept-certificate-based-authentication-technical-deep-dive.md
-          - name: Configure Azure AD CBA
+          - name: Configure Microsoft Entra CBA
             href: how-to-certificate-based-authentication.md
           - name: Windows smart card logon
             href: concept-certificate-based-authentication-smartcard.md
@@ -150,7 +150,7 @@
             href: concept-certificate-based-authentication-migration.md
           - name: FAQ
             href: certificate-based-authentication-faq.yml
-        - name: Federated CBA with Azure AD
+        - name: Federated CBA with Microsoft Entra ID
           items:
           - name: Configure CBA with federation
             href: certificate-based-authentication-federation-get-started.md
@@ -180,7 +180,7 @@
       href: howto-sspr-authenticationdata.md
     - name: SSPR for Windows clients
       href: howto-sspr-windows.md
-  - name: Azure AD Multi-Factor Authentication
+  - name: Microsoft Entra multifactor authentication
     items:
     - name: Deployment guide
       href: howto-mfa-getstarted.md
@@ -212,7 +212,7 @@
         href: howto-mfa-nps-extension.md
       - name: Advanced configuration for NPS extension
         href: howto-mfa-nps-extension-advanced.md
-      - name: Azure VPN and Azure AD MFA
+      - name: Azure VPN and Microsoft Entra multifactor authentication
         href: ../../vpn-gateway/vpn-gateway-radius-mfa-nsp.md
       - name: Remote Desktop Gateway
         href: howto-mfa-nps-extension-rdg.md
@@ -238,7 +238,7 @@
       href: howto-password-ban-bad-on-premises-faq.yml
     - name: Agent version history
       href: howto-password-ban-bad-on-premises-agent-versions.md
-  - name: Azure AD smart lockout
+  - name: Microsoft Entra smart lockout
     href: howto-password-smart-lockout.md
   - name: Reporting
     items:
@@ -252,7 +252,7 @@
       href: howto-mfa-reporting-datacollection.md
   - name: MFA Server
     items:
-    - name: Migrate MFA Server to Azure AD MFA
+    - name: Migrate MFA Server to Microsoft Entra multifactor authentication
       items:
       - name: Overview
         href: how-to-migrate-mfa-server-to-azure-mfa.md

articles/active-directory/authentication/certificate-based-authentication-faq.yml

@@ -1,7 +1,7 @@
 ### YamlMime:FAQ
 metadata:
-  title: Azure AD certificate-based authentication (CBA) FAQ
-  description: Frequently asked questions and answers related to Azure AD certificate-based authentication (CBA). 
+  title: Microsoft Entra certificate-based authentication (CBA) FAQ
+  description: Frequently asked questions and answers related to Microsoft Entra certificate-based authentication (CBA). 
 
   services: multi-factor-authentication
   ms.service: active-directory
@@ -14,17 +14,17 @@ metadata:
   manager: amycolannino
   ms.reviewer: vimrang
   ms.collection: M365-identity-device-management
-title: Frequently asked questions about Azure AD certificate-based authentication (CBA)
+title: Frequently asked questions about Microsoft Entra certificate-based authentication (CBA)
 summary: |
-  This article addresses frequently asked questions about how Azure AD certificate-based authentication (CBA) works. 
+  This article addresses frequently asked questions about how Microsoft Entra certificate-based authentication (CBA) works. 
   Keep checking back for updated content.
 
 
 sections:
   - name: General
     questions:
       - question: |
-          Why don't I see an option to sign in to Azure Active Directory by using certificates after I enter my username?
+          Why don't I see an option to sign in to Microsoft Entra ID by using certificates after I enter my username?
         answer: |
           An administrator needs to enable CBA for the tenant to make the sign-in with certificate option available for users. For more information, see [Step 3: Configure authentication binding policy](how-to-certificate-based-authentication.md#step-3-configure-authentication-binding-policy).
 
@@ -35,22 +35,22 @@ sections:
           To get more diagnostic information, check the **Sign-ins report**.
 
       - question: |
-          How can an administrator enable Azure AD CBA?
+          How can an administrator enable Microsoft Entra CBA?
         answer: |        
           1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
           2. Browse to **Protection** > **Authentication methods** > **Policies**.
           3. Select policy: **Certificate-based Authentication**.
           4. On the **Enable and Target** tab, select the **Enable** toggle to enable certificate-based authentication.
 
       - question: |
-          Is Azure AD CBA a free feature?
+          Is Microsoft Entra CBA a free feature?
         answer: |
           Certificate-based authentication is a free feature. 
           Every edition of Azure AD includes Azure AD CBA.
           For more information about features in each Azure AD edition, see [Azure AD pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
 
       - question: |
-          Does Azure AD CBA support Alternate ID as the username instead of userPrincipalName?
+          Does Microsoft Entra CBA support Alternate ID as the username instead of userPrincipalName?
         answer: |
           No, sign-in using a non-UPN value, such as an alternate email, isn't supported now.
           

articles/active-directory/authentication/certificate-based-authentication-federation-android.md

@@ -16,9 +16,9 @@ ms.reviewer: annaba
 
 ms.collection: M365-identity-device-management
 ---
-# Azure Active Directory certificate-based authentication with federation on Android
+# Microsoft Entra certificate-based authentication with federation on Android
 
-Android devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory using a client certificate on their device when connecting to:
+Android devices can use certificate-based authentication (CBA) to authenticate to Microsoft Entra ID using a client certificate on their device when connecting to:
 
 * Office mobile applications such as Microsoft Outlook and Microsoft Word
 * Exchange ActiveSync (EAS) clients
@@ -47,14 +47,14 @@ The device OS version must be Android 5.0 (Lollipop) and above.
 
 A federation server must be configured.
 
-For Azure Active Directory to revoke a client certificate, the AD FS token must have the following claims:
+For Microsoft Entra ID to revoke a client certificate, the AD FS token must have the following claims:
 
 * `http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>`
   (The serial number of the client certificate)
 * `http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>`
   (The string for the issuer of the client certificate)
 
-Azure Active Directory adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
+Microsoft Entra ID adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
 
 As a best practice, you should update your organization's AD FS error pages with the following information:
 
@@ -63,7 +63,7 @@ As a best practice, you should update your organization's AD FS error pages with
 
 For more information, see [Customizing the AD FS Sign-in Pages](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn280950(v=ws.11)).
 
-Office apps with modern authentication enabled send '*prompt=login*' to Azure AD in their request. By default, Azure AD translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.
+Office apps with modern authentication enabled send '*prompt=login*' to Microsoft Entra ID in their request. By default, Microsoft Entra ID translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Microsoft Entra behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.
 You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) cmdlet to perform this task:
 
 ```powershell

articles/active-directory/authentication/certificate-based-authentication-federation-get-started.md

@@ -16,17 +16,17 @@ ms.reviewer: annaba
 
 ms.collection: M365-identity-device-management
 ---
-# Get started with certificate-based authentication in Azure Active Directory with federation
+# Get started with certificate-based authentication in Microsoft Entra ID with federation
 
-Certificate-based authentication (CBA) with federation enables you to be authenticated by Azure Active Directory with a client certificate on a Windows, Android, or iOS device when connecting your Exchange online account to:
+Certificate-based authentication (CBA) with federation enables you to be authenticated by Microsoft Entra ID with a client certificate on a Windows, Android, or iOS device when connecting your Exchange online account to:
 
 - Microsoft mobile applications such as Microsoft Outlook and Microsoft Word
 - Exchange ActiveSync (EAS) clients
 
 Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.
 
 >[!NOTE]
->As an alternative, organizations can deploy Azure AD CBA without needing federation. For more information, see [Overview of Azure AD certificate-based authentication against Azure Active Directory](concept-certificate-based-authentication.md).
+>As an alternative, organizations can deploy Microsoft Entra CBA without needing federation. For more information, see [Overview of Microsoft Entra certificate-based authentication against Microsoft Entra ID](concept-certificate-based-authentication.md).
 
 This topic:
 
@@ -37,16 +37,16 @@ This topic:
 
 To configure CBA with federation, the following statements must be true:
 
-- CBA with federation is only supported for Federated environments for browser applications, native clients using modern authentication, or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts. To configure Azure AD CBA without needing federation, see [How to configure Azure AD certificate-based authentication](how-to-certificate-based-authentication.md).
-- The root certificate authority and any intermediate certificate authorities must be configured in Azure Active Directory.
+- CBA with federation is only supported for Federated environments for browser applications, native clients using modern authentication, or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts. To configure Microsoft Entra CBA without needing federation, see [How to configure Microsoft Entra certificate-based authentication](how-to-certificate-based-authentication.md).
+- The root certificate authority and any intermediate certificate authorities must be configured in Microsoft Entra ID.
 - Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an internet-facing URL.
-- You must have at least one certificate authority configured in Azure Active Directory. You can find related steps in the [Configure the certificate authorities](#step-2-configure-the-certificate-authorities) section.
-- For Exchange ActiveSync clients, the client certificate must have the user's routable email address in Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.
+- You must have at least one certificate authority configured in Microsoft Entra ID. You can find related steps in the [Configure the certificate authorities](#step-2-configure-the-certificate-authorities) section.
+- For Exchange ActiveSync clients, the client certificate must have the user's routable email address in Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. Microsoft Entra ID maps the RFC822 value to the Proxy Address attribute in the directory.
 - Your client device must have access to at least one certificate authority that issues client certificates.
 - A client certificate for client authentication must have been issued to your client.
 
 >[!IMPORTANT]
->The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds.  If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates.
+>The maximum size of a CRL for Microsoft Entra ID to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds.  If Microsoft Entra ID can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates.
 
 ## Step 1: Select your device platform
 

articles/active-directory/authentication/certificate-based-authentication-federation-ios.md

@@ -1,6 +1,6 @@
 ---
 title: Certificate-based authentication with federation on iOS
-description: Learn about the supported scenarios and the requirements for configuring certificate-based authentication for Azure Active Directory in solutions with iOS devices
+description: Learn about the supported scenarios and the requirements for configuring certificate-based authentication for Microsoft Entra ID in solutions with iOS devices
 
 services: active-directory
 ms.service: active-directory
@@ -15,9 +15,9 @@ manager: amycolannino
 
 ms.collection: M365-identity-device-management
 ---
-# Azure Active Directory certificate-based authentication with federation on iOS
+# Microsoft Entra certificate-based authentication with federation on iOS
 
-To improve security, iOS devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory (Azure AD) using a client certificate on their device when connecting to the following applications or services:
+To improve security, iOS devices can use certificate-based authentication (CBA) to authenticate to Microsoft Entra ID using a client certificate on their device when connecting to the following applications or services:
 
 * Office mobile applications such as Microsoft Outlook and Microsoft Word
 * Exchange ActiveSync (EAS) clients
@@ -56,7 +56,7 @@ The following Active Directory Federation Services (AD FS) requirements and cons
 
 ## Configure AD FS
 
-For Azure AD to revoke a client certificate, the AD FS token must have the following claims. Azure AD adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation:
+For Microsoft Entra ID to revoke a client certificate, the AD FS token must have the following claims. Microsoft Entra ID adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation:
 
 * `http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>` - add the serial number of your client certificate
 * `http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>` - add the string for the issuer of your client certificate
@@ -70,7 +70,7 @@ For more information, see [Customizing the AD FS sign in page](/previous-version
 
 ## Use modern authentication with Office apps
 
-Some Office apps with modern authentication enabled send `prompt=login` to Azure AD in their request. By default, Azure AD translates `prompt=login` in the request to AD FS as `wauth=usernamepassworduri` (asks AD FS to do U/P Auth) and `wfresh=0` (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, modify the default Azure AD behavior.
+Some Office apps with modern authentication enabled send `prompt=login` to Microsoft Entra ID in their request. By default, Microsoft Entra ID translates `prompt=login` in the request to AD FS as `wauth=usernamepassworduri` (asks AD FS to do U/P Auth) and `wfresh=0` (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, modify the default Microsoft Entra behavior.
 
 To update the default behavior, set the '*PromptLoginBehavior*' in your federated domain settings to *Disabled*. You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) cmdlet to perform this task, as shown in the following example: