MicrosoftDocs
diff --git a/‎.openpublishing.publish.config.json
Lines changed: 12 additions & 0 deletions b/‎.openpublishing.publish.config.json
Lines changed: 12 additions & 0 deletions
diff --git a/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 10 additions & 0 deletions b/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 10 additions & 0 deletions
diff --git a/‎.openpublishing.redirection.azure-resource-manager.json
Lines changed: 30 additions & 0 deletions b/‎.openpublishing.redirection.azure-resource-manager.json
Lines changed: 30 additions & 0 deletions
diff --git a/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/active-directory-domain-services/concepts-custom-attributes.md
Lines changed: 5 additions & 5 deletions b/‎articles/active-directory-domain-services/concepts-custom-attributes.md
Lines changed: 5 additions & 5 deletions
diff --git a/‎articles/active-directory/app-provisioning/how-provisioning-works.md
Lines changed: 10 additions & 10 deletions b/‎articles/active-directory/app-provisioning/how-provisioning-works.md
Lines changed: 10 additions & 10 deletions
diff --git a/‎articles/active-directory/authentication/how-to-authentication-methods-manage.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/authentication/how-to-authentication-methods-manage.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/authentication/how-to-certificate-based-authentication.md
Lines changed: 7 additions & 1 deletion b/‎articles/active-directory/authentication/how-to-certificate-based-authentication.md
Lines changed: 7 additions & 1 deletion
diff --git a/‎articles/active-directory/conditional-access/concept-conditional-access-report-only.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/conditional-access/concept-conditional-access-report-only.md
Lines changed: 2 additions & 2 deletions
@@ -878,6 +878,12 @@
       "branch": "docs-snippets",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "ms-identity-python-webapp",
+      "url": "https://github.com/Azure-Samples/ms-identity-python-webapp",
+      "branch": "main",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "ms-identity-node",
       "url": "https://github.com/Azure-Samples/ms-identity-node",
@@ -937,6 +943,12 @@
       "url": "https://github.com/Azure-Samples/azure-cache-redis-samples",
       "branch": "main",
       "branch_mapping": {}
+    },
+    {
+      "path_to_root": "microsoft-graph",
+      "url": "https://github.com/MicrosoftGraph/microsoft-graph-docs",
+      "branch": "main",
+      "branch_mapping": {}
     }
   ],
   "branch_target_mapping": {
 
@@ -45,6 +45,16 @@
             "redirect_url": "/azure/azure-monitor/app/app-insights-overview",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/correlation.md",
+            "redirect_url": "/previous-versions/azure/azure-monitor/app/distributed-tracing-telemetry-correlation",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/distributed-tracing.md",
+            "redirect_url": "/previous-versions/azure/azure-monitor/app/distributed-tracing-telemetry-correlation",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/app/console.md",
             "redirect_url": "/previous-versions/azure/azure-monitor/app/console",
 
@@ -1395,6 +1395,11 @@
             "redirect_url": "/azure/azure-resource-manager/managed-applications/cli-samples",
             "redirect_document_id": false
         },
+        {
+          "source_path_from_root": "/articles/azure-resource-manager/managed-applications/cli-samples.md",
+          "redirect_url": "/azure/azure-resource-manager/managed-applications/publish-service-catalog-app",
+          "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/managed-applications/concepts-custom-providers-built-in-policy.md",
             "redirect_url": "/azure/azure-resource-manager/custom-providers/concepts-built-in-policy",
@@ -1585,6 +1590,11 @@
             "redirect_url": "/azure/azure-resource-manager/managed-applications/powershell-samples",
             "redirect_document_id": false
         },
+        {
+          "source_path_from_root": "/articles/azure-resource-manager/managed-applications/powershell-samples.md",
+          "redirect_url": "/azure/azure-resource-manager/managed-applications/publish-service-catalog-app",
+          "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/managed-applications/publish-managed-app-definition-quickstart.md",
             "redirect_url": "/azure/azure-resource-manager/managed-applications/publish-service-catalog-app",
@@ -1889,6 +1899,26 @@
             "source_path_from_root": "/articles/xplat-cli-azure-resource-manager.md",
             "redirect_url": "/azure/azure-resource-manager/management/manage-resources-cli",
             "redirect_document_id": false
+        },
+        {
+          "source_path_from_root": "/articles/azure-resource-manager/managed-applications/scripts/managed-application-define-create-cli-sample.md",
+          "redirect_url": "/azure/azure-resource-manager/managed-applications/publish-service-catalog-app",
+          "redirect_document_id": false
+        },
+        {
+          "source_path_from_root": "/articles/azure-resource-manager/managed-applications/scripts/managed-application-powershell-sample-create-definition.md",
+          "redirect_url": "/azure/azure-resource-manager/managed-applications/publish-service-catalog-app",
+          "redirect_document_id": false
+        },
+        {
+          "source_path_from_root": "/articles/azure-resource-manager/managed-applications/scripts/managed-application-poweshell-sample-create-application.md",
+          "redirect_url": "/azure/azure-resource-manager/managed-applications/deploy-service-catalog-quickstart",
+          "redirect_document_id": false
+        },
+        {
+          "source_path_from_root": "/articles/azure-resource-manager/managed-applications/scripts/managed-application-powershell-sample-get-managed-group-resize-vm.md",
+          "redirect_url": "/azure/azure-resource-manager/managed-applications/overview",
+          "redirect_document_id": false
         }
     ]
 }
@@ -7548,6 +7548,11 @@
             "redirect_url": "/azure/reliability/reliability-functions",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-functions/functions-bindings-triggers-python.md",
+            "redirect_url": "/azure/azure-functions/functions-reference-python?pivots=python-mode-decorators#triggers-and-inputs",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-government/documentation-government-k8.md",
             "redirect_url": "/azure/azure-government",
 
@@ -23,13 +23,13 @@ Azure AD supports adding custom data to resources using [extensions](/graph/exte
 - [onPremisesExtensionAttributes](/graph/extensibility-overview?tabs=http#extension-attributes) are a set of 15 attributes that can store extended user string attributes. 
 - [Directory extensions](/graph/extensibility-overview?tabs=http#directory-azure-ad-extensions) allow the schema extension of specific directory objects, such as users and groups, with strongly typed attributes through registration with an application in the tenant. 
 
-Both types of extensions can be configured By using Azure AD Connect for users who are managed on-premises, or MSGraph APIs for cloud-only users. 
+Both types of extensions can be configured by using Azure AD Connect for users who are managed on-premises, or Microsoft Graph APIs for cloud-only users. 
 
 >[!Note] 
 >The following types of extensions aren't supported for synchronization:  
->- Custom Security Attributes in Azure AD (Preview)
->- MSGraph Schema Extensions
->- MSGraph Open Extensions
+>- Custom security attributes in Azure AD (Preview)
+>- Microsoft Graph schema extensions
+>- Microsoft Graph open extensions
 
 
 ## Requirements 
@@ -72,4 +72,4 @@ To check the backfilling status, click **Azure AD DS Health** and verify the **S
 
 To configure onPremisesExtensionAttributes or directory extensions for cloud-only users in Azure AD, see [Custom data options in Microsoft Graph](/graph/extensibility-overview?tabs=http#custom-data-options-in-microsoft-graph). 
 
-To sync onPremisesExtensionAttributes or directory extensions from on-premises to Azure AD, [configure Azure AD Connect](../active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md). 
+To sync onPremisesExtensionAttributes or directory extensions from on-premises to Azure AD, [configure Azure AD Connect](../active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md). 
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 03/30/2023
+ms.date: 03/31/2023
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -104,7 +104,7 @@ When the provisioning service is started, the first cycle will:
 
 5. If a matching user is found, it's updated using the attributes provided by the source system. After the user account is matched, the provisioning service detects and caches the target system's ID for the new user. This ID is used to run all future operations on that user.
 
-6. If the attribute mappings contain "reference" attributes, the service does additional updates on the target system to create and link the referenced objects. For example, a user may have a "Manager" attribute in the target system, which is linked to another user created in the target system.
+6. If the attribute mappings contain "reference" attributes, the service does more updates on the target system to create and link the referenced objects. For example, a user may have a "Manager" attribute in the target system, which is linked to another user created in the target system.
 
 7. Persist a watermark at the end of the initial cycle, which provides the starting point for the later incremental cycles.
 
@@ -124,7 +124,7 @@ After the initial cycle, all other cycles will:
 
 5. If a matching user is found, it's updated using the attributes provided by the source system. If it's a newly assigned account that is matched, the provisioning service detects and caches the target system's ID for the new user. This ID is used to run all future operations on that user.
 
-6. If the attribute mappings contain "reference" attributes, the service does additional updates on the target system to create and link the referenced objects. For example, a user may have a "Manager" attribute in the target system, which is linked to another user created in the target system.
+6. If the attribute mappings contain "reference" attributes, the service does more updates on the target system to create and link the referenced objects. For example, a user may have a "Manager" attribute in the target system, which is linked to another user created in the target system.
 
 7. If a user that was previously in scope for provisioning is removed from scope, including being unassigned, the service disables the user in the target system via an update.
 
@@ -137,10 +137,10 @@ After the initial cycle, all other cycles will:
 > [!NOTE]
 > You can optionally disable the **Create**, **Update**, or **Delete** operations by using the **Target object actions** check boxes in the [Mappings](customize-application-attributes.md) section. The logic to disable a user during an update is also controlled via an attribute mapping from a field such as *accountEnabled*.
 
-The provisioning service continues running back-to-back incremental cycles indefinitely, at intervals defined in the [tutorial specific to each application](../saas-apps/tutorial-list.md). Incremental cycles continue until one of the following events occurs:
+The provisioning service continues running back-to-back incremental cycles indefinitely, at intervals defined in the [tutorial specific to each application](../saas-apps/tutorial-list.md). Incremental cycles continue until one of the events occurs:
 
 - The service is manually stopped using the Azure portal, or using the appropriate Microsoft Graph API command.
-- A new initial cycle is triggered using the **Restart provisioning** option in the Azure portal, or using the appropriate Microsoft Graph API command. This action clears any stored watermark and causes all source objects to be evaluated again. This won't break the links between source and target objects. To break the links use [Restart synchronizationJob](/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http&preserve-view=true) with the following request: 
+- A new initial cycle is triggered using the **Restart provisioning** option in the Azure portal, or using the appropriate Microsoft Graph API command. The action clears any stored watermark and causes all source objects to be evaluated again. Also, the action doesn't break the links between source and target objects. To break the links, use [Restart synchronizationJob](/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http&preserve-view=true) with the request: 
 
 <!-- {
   "blockType": "request",
@@ -157,7 +157,7 @@ Content-type: application/json
 }
 ```
 - A new initial cycle is triggered because of a change in attribute mappings or scoping filters. This action also clears any stored watermark and causes all source objects to be evaluated again.
-- The provisioning process goes into quarantine (see below) because of a high error rate, and stays in quarantine for more than four weeks. In this event, the service will be automatically disabled.
+- The provisioning process goes into quarantine (see example) because of a high error rate, and stays in quarantine for more than four weeks. In this event, the service will be automatically disabled.
 
 ### Errors and retries
 
@@ -200,7 +200,7 @@ Confirm the mapping for *active* for your application. If your using an applicat
 
 **Configure your application to delete a user**
 
-The following scenarios will trigger a disable or a delete: 
+The scenarios will trigger a disable or a delete: 
 * A user is soft deleted in Azure AD (sent to the recycle bin / AccountEnabled property set to false).
     30 days after a user is deleted in Azure AD, they're permanently deleted from the tenant. At this point, the provisioning service sends a DELETE request to permanently delete the user in the application. At any time during the 30-day window, you can [manually delete a user permanently](../fundamentals/active-directory-users-restore.md), which sends a delete request to the application.
 * A user is permanently deleted / removed from the recycle bin in Azure AD.
@@ -211,13 +211,13 @@ The following scenarios will trigger a disable or a delete:
 
 By default, the Azure AD provisioning service soft deletes or disables users that go out of scope. If you want to override this default behavior, you can set a flag to [skip out-of-scope deletions.](skip-out-of-scope-deletions.md)
 
-If one of the above four events occurs and the target application doesn't support soft deletes, the provisioning service will send a DELETE request to permanently delete the user from the app.
+If one of the four events occurs and the target application doesn't support soft deletes, the provisioning service will send a DELETE request to permanently delete the user from the app.
 
 If you see an attribute IsSoftDeleted in your attribute mappings, it's used to determine the state of the user and whether to send an update request with active = false to soft delete the user.
 
 **Deprovisioning events**
 
-The following table describes how you can configure deprovisioning actions with the Azure AD provisioning service. These rules are written with the non-gallery / custom application in mind, but generally apply to applications in the gallery. However, the behavior for gallery applications can differ as they have been optimized to meet the needs of the application. For example, the Azure AD provisioning service may always sende a request to hard delete users in certain applications rather than soft deleting, if the target application doesn't support soft deleting users. 
+The table describes how you can configure deprovisioning actions with the Azure AD provisioning service. These rules are written with the non-gallery / custom application in mind, but generally apply to applications in the gallery. However, the behavior for gallery applications can differ as they've been optimized to meet the needs of the application. For example, the Azure AD provisioning service may always sende a request to hard delete users in certain applications rather than soft deleting, if the target application doesn't support soft deleting users. 
 
 |Scenario|How to configure in Azure AD|
 |--|--|
@@ -230,7 +230,7 @@ The following table describes how you can configure deprovisioning actions with
 
 **Known limitations**
 
-* If a user that was previously managed by the provisioning service is unassigned from an app, or from a group assigned to an app we will send a disable request. At that point, the user isn't managed by the service and we won't send a delete request when they're deleted from the directory.
+* If a user that was previously managed by the provisioning service is unassigned from an app, or from a group assigned to an app then a disable request is sent. At that point, the user isn't managed by the service and a delete request isn't sent when the user is deleted from the directory.
 * Provisioning a user that is disabled in Azure AD isn't supported. They must be active in Azure AD before they're provisioned.
 * When a user goes from soft-deleted to active, the Azure AD provisioning service will activate the user in the target app, but won't automatically restore the group memberships. The target application should maintain the group memberships for the user in inactive state. If the target application doesn't support this, you can restart provisioning to update the group memberships. 
 
 
@@ -38,7 +38,7 @@ If you aren't using SSPR and aren't yet using the Authentication methods policy,
 
 ### Review the legacy MFA policy
 
-Start by documenting which methods are available in the legacy MFA policy. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). Go to **Azure Active Directory** > **Security** > **Multifactor Authentication** > **Additional cloud-based multifactor authentication settings** to view the settings. These settings are tenant-wide, so there's no need for user or group information. 
+Start by documenting which methods are available in the legacy MFA policy. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). Go to **Azure Active Directory** > **Users** > **All users** > **Per-user MFA** > **service settings** to view the settings. These settings are tenant-wide, so there's no need for user or group information. 
 
 :::image type="content" border="false" source="media/how-to-authentication-methods-manage/legacy-mfa-policy.png" alt-text="Screenshot the shows the legacy Azure AD MFA policy." lightbox="media/how-to-authentication-methods-manage/legacy-mfa-policy.png":::
 
 
@@ -72,7 +72,10 @@ To enable the certificate-based authentication and configure user bindings in th
 1. To delete a CA certificate, select the certificate and click **Delete**.
 1. Click **Columns** to add or delete columns.
 
-### Configure certification authorities using PowerShell
+>[!NOTE]
+>Upload of new CAs will fail when any of the existing CAs are expired. Tenant Admin should delete the expired CAs and then upload the new CA.
+
+### Configure certification authorities(CA) using PowerShell
 
 Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can only be HTTP URLs. Online Certificate Status Protocol (OCSP) or Lightweight Directory Access Protocol (LDAP) URLs aren't supported.
 
@@ -87,6 +90,9 @@ Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can
 [!INCLUDE [Get-AzureAD](../../../includes/active-directory-authentication-get-trusted-azuread.md)]
 ### Add
 
+>[!NOTE]
+>Upload of new CAs will fail when any of the existing CAs are expired. Tenant Admin should delete the expired CAs and then upload the new CA.
+
 [!INCLUDE [New-AzureAD](../../../includes/active-directory-authentication-new-trusted-azuread.md)]
 
 **AuthorityType**
 
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 01/24/2023
+ms.date: 03/30/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -31,7 +31,7 @@ Report-only mode is a new Conditional Access policy state that allows administra
 > [!WARNING]
 > Policies in report-only mode that require compliant devices may prompt users on Mac, iOS, and Android to select a device certificate during policy evaluation, even though device compliance is not enforced. These prompts may repeat until the device is made compliant. To prevent end users from receiving prompts during sign-in, exclude device platforms Mac, iOS and Android from report-only policies that perform device compliance checks. Note that report-only mode is not applicable for Conditional Access policies with "User Actions" scope.
 
-![Report-only tab in Azure AD sign-in log](./media/concept-conditional-access-report-only/report-only-detail-in-sign-in-log.png)
+![Screenshot showing the report-only tab in a sign-in log.](./media/concept-conditional-access-report-only/report-only-detail-in-sign-in-log.png)
 
 ## Policy results