Merge pull request #158078 from MicrosoftDocs/master

Merge master to live, 4 AM

Author: ttorble

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

@@ -8,10 +8,9 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 04/28/2021
+ms.date: 05/10/2021
 ms.author: kenwith
 ms.reviewer: arvinh
-ms.custom: contperf-fy21q2
 ---
 # Tutorial: Develop and plan provisioning for a SCIM endpoint
 
@@ -78,7 +77,7 @@ To design your schema, follow these steps:
 |lastName|name.familyName|surName|
 |workMail|emails[type eq “work”].value|Mail|
 |manager|manager|manager|
-|tag|urn:ietf:params:scim:schemas:extension:2.0:CustomExtension:tag|extensionAttribute1|
+|tag|urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:tag|extensionAttribute1|
 |status|active|isSoftDeleted (computed value not stored on user)|
 
 **Example list of required attributes**
@@ -98,7 +97,7 @@ To design your schema, follow these steps:
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
      "Manager": "123456"
    },
-     "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomAttribute:User": {
+     "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {
      "tag": "701984",
    },
    "meta": {

articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: how-to
-ms.date: 05/07/2021
+ms.date: 05/10/2021
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -50,8 +50,9 @@ The following Linux distributions are currently supported during the preview of
 The following Azure regions are currently supported during the preview of this feature:
 
 - Azure Global
-- Azure Government
-- Azure China
+
+> [!Note]
+> The preview of this feature will be supported in Azure Government and Azure China by June of 2021.
  
 It's not supported to use this extension on Azure Kubernetes Service (AKS) clusters. For more information, see [Support policies for AKS](../../aks/support-policies.md).
 
@@ -67,24 +68,24 @@ VM network configuration must permit outbound access to the following endpoints
 
 For Azure Global
 
-- https://packages.microsoft.com – For package installation and upgrades.
-- http://169.254.169.254 – Azure Instance Metadata Service endpoint.
-- https://login.microsoftonline.com – For PAM (pluggable authentication modules) based authentication flows.
-- https://pas.windows.net – For Azure RBAC flows.
+- `https://packages.microsoft.com` – For package installation and upgrades.
+- `http://169.254.169.254` – Azure Instance Metadata Service endpoint.
+- `https://login.microsoftonline.com` – For PAM (pluggable authentication modules) based authentication flows.
+- `https://pas.windows.net` – For Azure RBAC flows.
 
 For Azure Government
 
-- https://packages.microsoft.com – For package installation and upgrades.
-- http://169.254.169.254 – Azure Instance Metadata Service endpoint.
-- https://login.microsoftonline.us – For PAM (pluggable authentication modules) based authentication flows.
-- https://pasff.usgovcloudapi.net – For Azure RBAC flows.
+- `https://packages.microsoft.com` – For package installation and upgrades.
+- `http://169.254.169.254` – Azure Instance Metadata Service endpoint.
+- `https://login.microsoftonline.us` – For PAM (pluggable authentication modules) based authentication flows.
+- `https://pasff.usgovcloudapi.net` – For Azure RBAC flows.
 
 For Azure China
 
-- https://packages.microsoft.com – For package installation and upgrades.
-- http://169.254.169.254 – Azure Instance Metadata Service endpoint.
-- https://login.chinacloudapi.cn – For PAM (pluggable authentication modules) based authentication flows.
-- https://pas.chinacloudapi.cn – For Azure RBAC flows.
+- `https://packages.microsoft.com` – For package installation and upgrades.
+- `http://169.254.169.254` – Azure Instance Metadata Service endpoint.
+- `https://login.chinacloudapi.cn` – For PAM (pluggable authentication modules) based authentication flows.
+- `https://pas.chinacloudapi.cn` – For Azure RBAC flows.
 
 ### Virtual machine
 
@@ -366,6 +367,9 @@ For customers who are using previous version of Azure AD login for Linux that wa
                 --resource-group myResourceGroup \
                 --vm-name myVM
       ```
+## Using Azure Policy to ensure standards and assess compliance
+
+Use Azure policy to ensure Azure AD login is enabled for your new and existing Linux virtual machines and assess compliance of your environment at scale on your Azure policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Linux VMs within your environment that do not have Azure AD login enabled. You can also use Azure policy to deploy the Azure AD extension on new Linux VMs that do not have Azure AD login enabled, as well as remediate existing Linux VMs to the same standard. In addition to these capabilities, you can also use policy to detect and flag Linux VMs that have non-approved local accounts created on their machines. To learn more, review [Azure policy](https://www.aka.ms/AzurePolicy).
 
 ## Troubleshoot sign-in issues
 
@@ -430,10 +434,6 @@ Solution 2: Perform these actions:
 
 Virtual machine scale set VM connections may fail if the virtual machine scale set instances are running an old model. Upgrading virtual machine scale set instances to the latest model may resolve issues, especially if an upgrade has not been done since the Azure AD Login extension was installed. Upgrading an instance applies a standard virtual machine scale set configuration to the individual instance.
 
-### Other limitations
-
-Users that inherit access rights through nested groups or role assignments aren't currently supported. The user or group must be directly assigned the required role assignments. For example, the use of management groups or nested group role assignments won't grant the correct permissions to allow the user to sign in.
-
 ## Preview feedback
 
 Share your feedback about this preview feature or report issues using it on the [Azure AD feedback forum](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=166032).

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: how-to
-ms.date: 07/20/2020
+ms.date: 05/10/2021
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -27,7 +27,7 @@ There are many security benefits of using Azure AD based authentication to login
 - With Conditional Access, configure policies to require multi-factor authentication and other signals such as low user and sign in risk before you can RDP to Windows VMs. 
 - Use Azure deploy and audit policies to require Azure AD login for Windows VMs and to flag use of no approved local account on the VMs.
 - Login to Windows VMs with Azure Active Directory also works for customers that use Federation Services.
-- Automate and scale Azure AD join with MDM auto enrollment with Intune of Azure Windows VMs that are part for your VDI deployments. MDM enrollment does not apply to Windows Server 2019 VM depolyments
+- Automate and scale Azure AD join with MDM auto enrollment with Intune of Azure Windows VMs that are part for your VDI deployments. Auto MDM enrollment requires Azure AD P1 license. Windows Server 2019 VMs do not support MDM enrollment.
 
 
 > [!NOTE]
@@ -75,7 +75,7 @@ For Azure China
 - `https://enterpriseregistration.partner.microsoftonline.cn` - For device registration.
 - `http://169.254.169.254` - Azure Instance Metadata Service endpoint.
 - `https://login.chinacloudapi.cn` - For authentication flows.
-- `https://pas.chinacloudapi.cn' - For Azure RBAC flows.
+- `https://pas.chinacloudapi.cn` - For Azure RBAC flows.
 
 
 ## Enabling Azure AD login in for Windows VM in Azure
@@ -241,7 +241,7 @@ You are now signed in to the Windows Server 2019 Azure virtual machine with the
 
 ## Using Azure Policy to ensure standards and assess compliance
 
-Use Azure policy to ensure Azure AD login is enabled for your new and existing Windows virtual machines and assess compliance of your environment at scale on your Azure policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Windows VMs within your environment that do not have Azure AD login enabled. You can also use Azure policy to deploy the Azure AD extension on new Windows VMs that do not have Azure AD login enabled, as well as remediate existing Windows VMs to the same standard. In addition to these capabilities, you can also use policy to detect and flag VMs have non-approved local accounts on their machines. To learn more, review [Azure policy](https://www.aka.ms/AzurePolicy).
+Use Azure policy to ensure Azure AD login is enabled for your new and existing Windows virtual machines and assess compliance of your environment at scale on your Azure policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Windows VMs within your environment that do not have Azure AD login enabled. You can also use Azure policy to deploy the Azure AD extension on new Windows VMs that do not have Azure AD login enabled, as well as remediate existing Windows VMs to the same standard. In addition to these capabilities, you can also use policy to detect and flag Windows VMs that have non-approved local accounts created on their machines. To learn more, review [Azure policy](https://www.aka.ms/AzurePolicy).
 
 ## Troubleshoot
 

articles/active-directory/fundamentals/service-accounts-managed-identities.md

@@ -51,8 +51,6 @@ For more information about control and data planes, see [Control plane and data
 
 All Azure services will eventually support managed identities. For more information, see [Services that support managed identities for Azure resources](../managed-identities-azure-resources/services-support-managed-identities.md).
 
-##  
-
 ## Types of managed identities
 
 There are two types of managed identities—system-assigned and user-assigned.

articles/active-directory/fundamentals/whats-new-archive.md

@@ -631,7 +631,7 @@ You can now assign Azure AD built-in roles to cloud groups with this new feature
 **Service category:** Azure AD roles  
 **Product capability:** Access Control
 
-Users in the Insights Business Leader role can access a set of dashboards and insights via the [M365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). This includes full access to all dashboards and presented insights and data exploration functionality. However, users in this role don't have access to product configuration settings, which is the responsibility of the Insights Administrator role. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-business-leader)
+Users in the Insights Business Leader role can access a set of dashboards and insights via the [Microsoft 365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). This includes full access to all dashboards and presented insights and data exploration functionality. However, users in this role don't have access to product configuration settings, which is the responsibility of the Insights Administrator role. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-business-leader)
 
 ---
 
@@ -641,7 +641,7 @@ Users in the Insights Business Leader role can access a set of dashboards and in
 **Service category:** Azure AD roles  
 **Product capability:** Access Control
 
-Users in the Insights Administrator role can access the full set of administrative capabilities in the [M365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). A user in this role can read directory information, monitor service health, file support tickets, and access the Insights administrator settings aspects. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-administrator)
+Users in the Insights Administrator role can access the full set of administrative capabilities in the [Microsoft 365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). A user in this role can read directory information, monitor service health, file support tickets, and access the Insights administrator settings aspects. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-administrator)
 
 --- 
 

articles/active-directory/fundamentals/whats-new.md

@@ -340,6 +340,17 @@ Azure AD Application Proxy native support for header-based authentication is now
 
 ---
 
+### Azure AD Connect cloud sync general availability refresh 
+**Type:** Changed feature  
+**Service category:** Azure AD Connect Cloud Sync 
+**Product capability:** Directory
+
+Azure AD connect cloud sync now has an updated agent (version# - 1.1.359). For more details on agent updates, including bug fixes, check out the [version history](../cloud-sync/reference-version-history.md). With the updated agent, cloud sync customers can use GMSA cmdlets to set and reset their gMSA permission at a granular level. In addition that, we have changed the limit of syncing members using group scope filtering from 1499 to 50,000 (50K) members. 
+
+Check out the newly available [expression builder](../cloud-sync/how-to-expression-builder.md#deploy-the-expression) for cloud sync, which, helps you build complex expressions as well as simple expressions when you do transformations of attribute values from AD to Azure AD using attribute mapping.
+
+---
+
 ### Two-way SMS for MFA Server is no longer supported
 
 **Type:** Deprecated  
@@ -349,7 +360,7 @@ Azure AD Application Proxy native support for header-based authentication is now
 
 Two-way SMS for MFA Server was originally deprecated in 2018, and will not be supported after February 24, 2021. Administrators should enable another method for users who still use two-way SMS.
 
-Email notifications and Azure Portal Service Health notifications were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. [Learn more](../authentication/how-to-authentication-two-way-sms-unsupported.md).
+Email notifications and Azure portal Service Health notifications were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. [Learn more](../authentication/how-to-authentication-two-way-sms-unsupported.md).
 
 ---
 
@@ -1045,4 +1056,4 @@ Enhanced dynamic group service is now in Public Preview. New customers that crea
 
 The new service also aims to complete member addition and removal because of attribute changes within a few minutes. Also, single processing failures won't block tenant processing. To learn more about creating dynamic groups, see our [documentation](../enterprise-users/groups-create-rule.md).
 
----
+---

articles/active-directory/reports-monitoring/plan-monitoring-and-reporting.md

@@ -153,7 +153,6 @@ Learn More About [Azure AD Administrative Roles](../roles/permissions-reference.
 
 *Always apply the concept of least privileges to reduce the risk of an account compromise*. Consider implementing [Privileged Identity Management](../privileged-identity-management/pim-configure.md) to further secure your organization.
 
-##  
 
 ## Deploy Azure AD reporting and monitoring