MicrosoftDocs
diff --git a/‎articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md
Lines changed: 3 additions & 10 deletions b/‎articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md
Lines changed: 3 additions & 10 deletions
diff --git a/‎articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md
Lines changed: 1 addition & 4 deletions b/‎articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md
Lines changed: 1 addition & 4 deletions
diff --git a/‎articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md
Lines changed: 1 addition & 4 deletions b/‎articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md
Lines changed: 1 addition & 4 deletions
diff --git a/‎articles/active-directory/app-provisioning/on-premises-scim-provisioning.md
Lines changed: 7 additions & 12 deletions b/‎articles/active-directory/app-provisioning/on-premises-scim-provisioning.md
Lines changed: 7 additions & 12 deletions
diff --git a/‎articles/active-directory/develop/microsoft-identity-web.md
Lines changed: 27 additions & 21 deletions b/‎articles/active-directory/develop/microsoft-identity-web.md
Lines changed: 27 additions & 21 deletions
diff --git a/‎articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md
Lines changed: 9 additions & 1 deletion b/‎articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md
Lines changed: 9 additions & 1 deletion
@@ -7,17 +7,14 @@ manager: karenh444
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 05/28/2021
+ms.date: 11/18/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 # Azure AD on-premises application provisioning architecture
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability (GA).
-
 ## Overview
 
 The following diagram shows an overview of how on-premises application provisioning works.
@@ -91,8 +88,8 @@ You can define one or more matching attribute(s) and prioritize them based on th
 
 
 ## Agent best practices
-- Ensure the auto Azure AD Connect Provisioning Agent Auto Update service is running. It's enabled by default when you install the agent. Auto-update is required for Microsoft to support your deployment.
-- Avoid all forms of inline inspection on outbound TLS communications between agents and Azure. This type of inline inspection causes degradation to the communication flow.
+- Using the same agent for the on-prem provisioning feature along with Workday / SuccessFactors / Azure AD Connect Cloud Sync is currently unsupported. We are actively working to support on-prem provisioning on the same agent as the other provisioning scenarios.
+- - Avoid all forms of inline inspection on outbound TLS communications between agents and Azure. This type of inline inspection causes degradation to the communication flow.
 - The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Each connection can be optimized by:
   - Reducing the distance between the two ends of the hop.
   - Choosing the right network to traverse. For example, traversing a private network rather than the public internet might be faster because of dedicated links.
@@ -112,10 +109,6 @@ For the latest GA version of the provisioning agent, see [Azure AD connect provi
  2. Go to **Control Panel** > **Uninstall or Change a Program**.
  3. Look for the version that corresponds to the entry for **Microsoft Azure AD Connect Provisioning Agent**.
 
-### Does Microsoft automatically push provisioning agent updates?
-
-Yes. Microsoft automatically updates the provisioning agent if the Windows service Microsoft Azure AD Connect Agent Updater is up and running. Ensuring that your agent is up to date is required for support to troubleshoot issues.
-
 ### Can I install the provisioning agent on the same server running Azure AD Connect or Microsoft Identity Manager?
 
 Yes. You can install the provisioning agent on the same server that runs Azure AD Connect or Microsoft Identity Manager, but they aren't required.
 
@@ -7,17 +7,14 @@ manager: karenh444
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 10/21/2021
+ms.date: 11/19/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 # Troubleshoot on-premises application provisioning
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
-
 ## Troubleshoot test connection issues
 After you configure the provisioning agent and ECMA host, it's time to test connectivity from the Azure Active Directory (Azure AD) provisioning service to the provisioning agent, the ECMA host, and the application. To perform this end-to-end test, select **Test connection** in the application in the Azure portal. When the test connection fails, try the following troubleshooting steps:
 
 
@@ -7,7 +7,7 @@ manager: karenh444
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 11/11/2021
+ms.date: 11/17/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -16,9 +16,6 @@ ms.collection: M365-identity-device-management
 
 # Export a Microsoft Identity Manager connector for use with the Azure AD ECMA Connector Host
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
-
 You can import into the Azure Active Directory (Azure AD) ECMA Connector Host a configuration for a specific connector from a Forefront Identity Manager Synchronization Service or Microsoft Identity Manager Synchronization Service (MIM Sync) installation. The MIM Sync installation is only used for configuration, not for the ongoing synchronization from Azure AD.
 
 >[!IMPORTANT]
 
@@ -8,16 +8,13 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 10/16/2021
+ms.date: 11/17/2021
 ms.author: billmath
 ms.reviewer: arvinh
 ---
 
 # Azure AD on-premises application provisioning to SCIM-enabled apps
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
-
 The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010) client that can be used to automatically provision users into cloud or on-premises applications. This article outlines how you can use the Azure AD provisioning service to provision users into an on-premises application that's SCIM enabled. If you want to provision users into non-SCIM on-premises applications that use SQL as a data store, see the [Azure AD ECMA Connector Host Generic SQL Connector tutorial](tutorial-ecma-sql-connector.md). If you want to provision users into cloud apps such as DropBox and Atlassian, review the app-specific [tutorials](../../active-directory/saas-apps/tutorial-list.md).
 
 ![Diagram that shows SCIM architecture.](./media/on-premises-scim-provisioning/scim-4.png)
@@ -30,21 +27,19 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
 ## On-premises app provisioning to SCIM-enabled apps
 To provision users to SCIM-enabled apps:
 
- 1. Add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
- 1. Go to your app and select **Provisioning** > **Download the provisioning agent**.
- 1. Select **On-Premises Connectivity**, and download the provisioning agent.
+ 1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM endpoint is hosted on.
  1. Copy the agent onto the virtual machine or server that your SCIM endpoint is hosted on.
  1. Open the provisioning agent installer, agree to the terms of service, and select **Install**.
  1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable.
  1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.
  1. Select **Confirm** to confirm the installation was successful.
- 1. Go back to your application, and select **On-Premises Connectivity**.
+ 1. Navigate to the Azure Portal and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
+ 1. Select **On-Premises Connectivity**, and download the provisioning agent. 1. Go back to your application, and select **On-Premises Connectivity**.
  1. Select the agent that you installed from the dropdown list, and select **Assign Agent(s)**.
- 1. Wait 10 minutes or restart the Azure AD Connect Provisioning agent service on your server or VM.
- 1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim.
- 
+ 1. Wait 20 minutes prior to completing the next step, to provide time for the agent assignment to complete.
+ 1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim. 
      ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
- 1. Select **Test Connection**, and save the credentials.
+ 1. Select **Test Connection**, and save the credentials. Use the steps [here](https://docs.microsoft.com/azure/active-directory/app-provisioning/on-premises-ecma-troubleshoot#troubleshoot-test-connection-issues) if you run into connectivity issues. 
  1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
  1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
  1. Test provisioning a few users [on demand](provision-on-demand.md).
 
@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 10/09/2020
+ms.date: 11/19/2021
 ms.author: jmprieur
 ms.reviewer: marsma
 ms.custom: "devx-track-csharp, aaddev"
@@ -21,6 +21,8 @@ ms.custom: "devx-track-csharp, aaddev"
 
 Microsoft Identity Web is a set of ASP.NET Core libraries that simplifies adding authentication and authorization support to web apps and web APIs integrating with the Microsoft identity platform. It provides a single-surface API convenience layer that ties together ASP.NET Core, its authentication middleware, and the [Microsoft Authentication Library (MSAL) for .NET](https://github.com/azuread/microsoft-authentication-library-for-dotnet).
 
+You can get Microsoft.Identity.Web from NuGet or by using a Visual Studio project template to create a new app project.
+
 ## Supported application scenarios
 
 If you're building ASP.NET Core web apps or web APIs and want to use Azure Active Directory (Azure AD) or Azure AD B2C for identity and access management (IAM), we recommend using Microsoft Identity Web for all of these scenarios:
@@ -30,11 +32,7 @@ If you're building ASP.NET Core web apps or web APIs and want to use Azure Activ
 - [Protected web API that only authenticated users can access](scenario-protected-web-api-overview.md)
 - [Protected web API that calls another (downstream) web API on behalf of the signed-in user](scenario-web-api-call-api-overview.md)
 
-## Get the library
-
-You can get Microsoft Identity Web from [NuGet](#nuget), [.NET Core project templates](#project-templates), and [GitHub](#github).
-
-#### NuGet
+## Install from NuGet
 
 Microsoft Identity Web is available on NuGet as a set of packages that provide modular functionality based on your app's needs. Use the .NET CLI's `dotnet add` command or Visual Studio's **NuGet Package Manager** to install the packages appropriate for your project:
 
@@ -43,37 +41,45 @@ Microsoft Identity Web is available on NuGet as a set of packages that provide m
 - [Microsoft.Identity.Web.MicrosoftGraph](https://www.nuget.org/packages/Microsoft.Identity.Web.MicrosoftGraph) - Optional. Provides simplified interaction with the Microsoft Graph API.
 - [Microsoft.Identity.Web.MicrosoftGraphBeta](https://www.nuget.org/packages/Microsoft.Identity.Web.MicrosoftGraphBeta) - Optional. Provides simplified interaction with the Microsoft Graph API [beta endpoint](/graph/api/overview?view=graph-rest-beta&preserve-view=true).
 
-#### Project templates
+## Install by using a Visual Studio project template
+
+Several project templates that use Microsoft Identity Web are included in .NET SDK versions 5.0 and above. The project templates aren't included in the ASP.NET Core 3.1 SDK, but you can install them separately.
 
-Microsoft Identity Web project templates are included in .NET 5.0 and are available for download for ASP.NET Core 3.1 projects.
+### .NET 5.0+ - Project templates included
 
-If you're using ASP.NET Core 3.1, install the templates with the .NET CLI:
+The Microsoft Identity Web project templates are included in .NET SDK versions 5.0 and above.
+
+This example .NET CLI command creates a Blazor Server project that includes Microsoft Identity Web.
 
 ```dotnetcli
-dotnet new --install Microsoft.Identity.Web.ProjectTemplates::1.0.0
+dotnet new blazorserver --auth SingleOrg --calls-graph --client-id "00000000-0000-0000-0000-000000000000" --tenant-id "11111111-1111-1111-1111-111111111111" --output my-blazor-app
 ```
 
-The following diagram shows a high-level view of the supported app types and their relevant arguments:
+Don't append a `2` to the application type argument (`blazorserver` in the example) if you're using the templates included in .NET SDK 5.0+. Include the `2` suffix *only* if you're on ASP.NET Core 3.1 and you installed the templates separately as described in the next section.
 
-:::image type="content" source="media/microsoft-identity-web-overview/diagram-microsoft-identity-web-templates.png" lightbox="media/microsoft-identity-web-overview/diagram-microsoft-identity-web-templates.png" alt-text="Diagram of the available dot net CLI project templates for Microsoft Identity Web":::
-<br /><sup><b>*</b></sup> `MultiOrg` is not supported with `webapi2`, but can be enabled in *appsettings.json* by setting tenant to `common` or `organizations`
-<br /><sup><b>**</b></sup> `--calls-graph` is not supported for Azure AD B2C
+### ASP.NET Core 3.1 - Install the project templates
 
-This example .NET CLI command, taken from our [Blazor Server tutorial](tutorial-blazor-server.md), generates a new Blazor Server project that includes the right packages and starter code (placeholder values shown):
+If you're using ASP.NET Core 3.1, install the project templates from NuGet.
 
 ```dotnetcli
-dotnet new blazorserver2 --auth SingleOrg --calls-graph --client-id "00000000-0000-0000-0000-000000000000" --tenant-id "11111111-1111-1111-1111-111111111111" --output my-blazor-app
+dotnet new --install Microsoft.Identity.Web.ProjectTemplates
 ```
 
-#### GitHub
+For ASP.NET Core 3.1 *only*, append a `2` to the application type argument when you create a new project:
+
+```dotnetcli
+dotnet new blazorserver2 --auth SingleOrg --calls-graph --client-id "00000000-0000-0000-0000-000000000000" --tenant-id "11111111-1111-1111-1111-111111111111" --output my-blazor-app
+```
 
-Microsoft Identity Web is an open-source project hosted on GitHub: <a href="https://github.com/AzureAD/microsoft-identity-web" target="_blank">AzureAD/microsoft-identity-web</a>
+The following diagram shows several of the available app type templates and their arguments. Append a `2` to the app type argument (`blazorserver2` in the example) only if you're using the ASP.NET Core 3.1 SDK and you installed the templates by using `dotnet new --install`.
 
-The [repository wiki](https://github.com/AzureAD/microsoft-identity-web/wiki) contains additional documentation, and if you need help or discover a bug, you can [file an issue](https://github.com/AzureAD/microsoft-identity-web/issues).
+:::image type="content" source="media/microsoft-identity-web-overview/diagram-microsoft-identity-web-templates.png" lightbox="media/microsoft-identity-web-overview/diagram-microsoft-identity-web-templates.png" alt-text="Diagram of the available dot net CLI project templates for Microsoft Identity Web":::
+<br /><sup><b>*</b></sup> `MultiOrg` is not supported with `webapi2`, but can be enabled in *appsettings.json* by setting tenant to `common` or `organizations`
+<br /><sup><b>**</b></sup> `--calls-graph` is not supported for Azure AD B2C
 
-## Features
+## Features of the project templates
 
-Microsoft Identity Web includes several features not provided if you use the default ASP.NET 3.1 project templates.
+Microsoft Identity Web includes several features not available in the default ASP.NET Core 3.1 project templates.
 
 | Feature                                                                                  | ASP.NET Core 3.1                                                     | Microsoft Identity Web                                                                                  |
 |------------------------------------------------------------------------------------------|----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
 
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: enterprise-users
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/28/2021
+ms.date: 11/19/2021
 ms.author: curtand
 ms.reviewer: krbain
 ms.custom: it-pro
@@ -72,6 +72,14 @@ To apply published labels to groups, you must first enable the feature. These st
     Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $setting
     ```
 
+If you’re receiving a Request_BadRequest error, it's because the settings already exist in the tenant, so when you try to create a new property:value pair, the result is an error. In this case, take the following steps:
+
+1. Repeat steps 1-4 from [Enable sensitivity label support in PowerShell](#enable-sensitivity-label-support-in-powershell).
+1. Issue a `Get-AzureADDirectorySetting | FL` cmdlet and check the ID. If several ID values are present, use the one where you see the EnableMIPLabels property on the Values settings. You will need the ID in step 4.
+1. Set the EnableMIPLabels property variable: `$Setting["EnableMIPLabels"] = "True"`
+1. Issue the `Set-AzureADDirectorySetting -DirectorySetting $Setting -ID` cmdlet, using the ID that you retrieved in step 2.
+1. Ensure that the value is now correctly updated by issuing `$Setting.Values` again.
+
 You will also need to synchronize your sensitivity labels to Azure AD. For instructions, see [How to enable sensitivity labels for containers and synchronize labels](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels).
 
 ## Assign a label to a new group in Azure portal