Commit fa7ba60

Merge pull request #217789 from MicrosoftDocs/repo_sync_working_branch
Resolve syncing conflicts from repo_sync_working_branch to main
2 parents 2e9b0ab + 9ef31aa commit fa7ba60

30 files changed

+120
-61
lines changed

articles/active-directory/develop/active-directory-claims-mapping.md

Lines changed: 1 addition & 1 deletion
@@ -123,7 +123,7 @@ In this example, you create a policy that emits a custom claim "JoinedData" to J
123123
1. To create the policy, run the following command:
124124
125125
```powershell
126-
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema":[{"Source":"user","ID":"extensionattribute1"},{"Source":"transformation","ID":"DataJoin","TransformationId":"JoinTheData","JwtClaimType":"JoinedData"}],"ClaimsTransformations":[{"ID":"JoinTheData","TransformationMethod":"Join","InputClaims":[{"ClaimTypeReferenceId":"extensionattribute1","TransformationClaimType":"string1"}], "InputParameters": [{"ID":"string2","Value":"sandbox"},{"ID":"separator","Value":"."}],"OutputClaims":[{"ClaimTypeReferenceId":"DataJoin","TransformationClaimType":"outputClaim"}]}]}}') -DisplayName "TransformClaimsExample" -Type "ClaimsMappingPolicy"
126+
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema":[{"Source":"user","ID":"extensionattribute1"},{"Source":"transformation","ID":"DataJoin","TransformationId":"JoinTheData","JwtClaimType":"JoinedData"}],"ClaimsTransformation":[{"ID":"JoinTheData","TransformationMethod":"Join","InputClaims":[{"ClaimTypeReferenceId":"extensionattribute1","TransformationClaimType":"string1"}], "InputParameters": [{"ID":"string2","Value":"sandbox"},{"ID":"separator","Value":"."}],"OutputClaims":[{"ClaimTypeReferenceId":"DataJoin","TransformationClaimType":"outputClaim"}]}]}}') -DisplayName "TransformClaimsExample" -Type "ClaimsMappingPolicy"
127127
```
128128
129129
2. To see your new policy, and to get the policy ObjectId, run the following command:
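Review bot: The only change in the `New-AzureADPolicy` line is the key `ClaimsTransformations` becoming `ClaimsTransformation`, and it sits inside a single very long JSON string where a one-letter difference is easy to miss in review. Please confirm that every other policy sample in this article uses the same spelling, and consider moving the definition into a multi-line here-string so that future key changes show up as readable diffs. The sample also passes `"IncludeBasicClaimSet":"true"` as a string rather than a Boolean; if that is intentional, a short sentence saying so would help readers who copy the command.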

articles/active-directory/develop/msal-net-clear-token-cache.md

Lines changed: 6 additions & 0 deletions
@@ -18,6 +18,12 @@ ms.custom: "devx-track-csharp, aaddev"
1818

1919
# Clear the token cache using MSAL.NET
2020

21+
## Web API and daemon apps
22+
23+
There is no API to remove the tokens from the cache. Cache size should be handled by setting eviction policies on the underlying storage. See [Cache Serialization](msal-net-token-cache-serialization.md?tabs=aspnetcore) for details on how to use a memory cache or distributed cache.
24+
25+
## Desktop, command line and mobile applications
26+
2127
When you [acquire an access token](msal-acquire-cache-tokens.md) using the Microsoft Authentication Library for .NET (MSAL.NET), the token is cached. When the application needs a token, it should first call the `AcquireTokenSilent` method to verify if an acceptable token is in the cache.
2228

2329
Clearing the cache is achieved by removing the accounts from the cache. This does not remove the session cookie which is in the browser, though. The following example instantiates a public client application, gets the accounts for the application, and removes the accounts.
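Review bot: The new heading "Desktop, command line and mobile applications" now sits directly above the general introduction ("When you acquire an access token ... the token is cached"), so the paragraph that explains caching and `AcquireTokenSilent` for every app type reads as if it applied only to public clients. Move that introduction above "Web API and daemon apps" and start the desktop section at "Clearing the cache is achieved by removing the accounts". The web API section also says only that there is no removal API; since the text further down notes that removing accounts leaves the browser session cookie in place, it is worth stating in the new section what a web app should do at sign-out, or linking to where that is covered.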

articles/active-directory/devices/enterprise-state-roaming-windows-settings-reference.md

Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,7 @@ The following is a list of the settings that will be roamed or backed up in Wind
2121

2222
## Windows Settings details
2323

24-
List of settings that can be configured to sync in recent Windows versions. These can be found in Windows 10 under **Settings** > **Accounts** > **Sync your settings** or **Settings** > **Accounts** > **Windows backup** > **Remember my preferences** on Windows 11.
24+
List of settings that can be configured to sync in recent Windows versions. These can be found in Windows 11 under **Settings** > **Accounts** > **Sync your settings** or **Settings** > **Accounts** > **Windows backup** > **Remember my preferences**.
2525

2626
| Settings | Windows 10 (21H1 or newer) |
2727
| --- | --- |
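Review bot: After this edit the sentence attributes both menu paths to Windows 11 and no longer mentions Windows 10, yet the table header two lines below still reads "Windows 10 (21H1 or newer)". Either keep the per-version wording (one path for Windows 10, one for Windows 11) or update the table header in the same change so the section does not contradict itself.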

articles/active-directory/enterprise-users/domains-admin-takeover.md

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ Some products that include SharePoint and OneDrive, such as Microsoft 365, do no
3636

3737
1. Create a user context in the unmanaged organization through signing up for Power BI. For convenience of example, these steps assume that path.
3838

39-
2. Open the [Power BI site](https://powerbi.com) and select **Start Free**. Enter a user account that uses the domain name for the organization; for example, `[email protected]`. After you enter in the verification code, check your email for the confirmation code.
39+
2. Open the [Power BI site](https://powerbi.microsoft.com) and select **Start Free**. Enter a user account that uses the domain name for the organization; for example, `[email protected]`. After you enter in the verification code, check your email for the confirmation code.
4040

4141
3. In the confirmation email from Power BI, select **Yes, that's me**.
4242
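Review bot: The URL change is fine, but the last sentence of step 2 still reads "After you enter in the verification code, check your email for the confirmation code", which asks for a code before telling the reader where it comes from and uses two different names for it. Since the line is being touched anyway, reorder it so the email check comes first and use one term for the code throughout steps 2 and 3.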

articles/active-directory/enterprise-users/groups-write-back-portal.md

Lines changed: 29 additions & 1 deletion
@@ -58,8 +58,36 @@ You can also configure writeback settings for a group on the property page for t
5858
- Targeted the writeback type as a security group
5959

6060
:::image type="content" source="./media/groups-write-back-portal/groups-properties-view.png" alt-text="Screenshot of changing writeback settings in the group properties." lightbox="media/groups-write-back-portal/groups-properties-view.png":::
61+
62+
## Read the Writeback configuration using PowerShell
63+
64+
You can use PowerShell to get a list of writeback enabled group using the following PowerShell Get-MgGroup cmdlet.
65+
66+
```powershell-console
67+
Connect-MgGraph -Scopes @('Group.Read.all')
68+
Select-MgProfile -Name beta
69+
PS D:\> Get-MgGroup -All |Where-Object {$_.AdditionalProperties.writebackConfiguration.isEnabled -Like $true} |Select-Object Displayname,@{N="WriteBackEnabled";E={$_.AdditionalProperties.writebackConfiguration.isEnabled}}
70+
71+
DisplayName WriteBackEnabled
72+
----------- ----------------
73+
CloudGroup1 True
74+
CloudGroup2 True
75+
```
76+
77+
## Read the Writeback configuration using Graph Explorer
78+
79+
Open [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and use the following endpoint ```https://graph.microsoft.com/beta/groups/{Group_ID}```.
80+
81+
Replace the Group_ID with a cloud group id, and then click on Run query.
82+
In the **Response Preview**, scroll to the end to see the part of the JSON file.
83+
84+
```JSON
85+
"writebackConfiguration": {
86+
"isEnabled": true,
87+
```
6188

6289
## Next steps
6390

6491
- Check out the groups REST API documentation for the [preview writeback property on the settings template](/graph/api/resources/group?view=graph-rest-beta&preserve-view=true).
65-
- For more about group writeback operations, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback.md)
92+
- For more about group writeback operations, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback.md).
93+
- For more information about the writebackConfiguration resource, read [writebackConfiguration resource type](/graph/api/resources/writebackconfiguration?view=graph-rest-beta).
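Review bot: In the added `Get-MgGroup` pipeline, `-Like $true` performs a wildcard string comparison against a Boolean property; `-eq $true` states the intent and avoids relying on string conversion. In the same block the scope is written `'Group.Read.all'` and the selected property `Displayname`, while the permission is named `Group.Read.All` and the output column shows `DisplayName`; matching the casing removes doubt for readers who copy the sample. The first two commands have no prompt while the third starts with `PS D:\>`, so pick one style for the `powershell-console` block. The JSON fragment under the Graph Explorer heading stops after `"isEnabled": true,` with no closing brace, so either mark it as truncated or show the complete `writebackConfiguration` object. Finally, "writeback enabled group" in the introductory sentence should read "writeback-enabled groups".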

articles/active-directory/hybrid/how-to-connect-health-adfs-risky-ip-workbook.md

Lines changed: 1 addition & 1 deletion
@@ -61,7 +61,7 @@ Each item in the Risky IP report table shows aggregated information about failed
6161
| Detection Window Length | Shows the type of detection time window. The aggregation trigger types are per hour or per day. This is helpful to detect versus a high frequency brute force attack versus a slow attack where the number of attempts is distributed throughout the day. |
6262
| IP Address | The single risky IP address that had either bad password or extranet lockout sign-in activities. This could be an IPv4 or an IPv6 address. |
6363
| Bad Password Error Count (50126) | The count of Bad Password error occurred from the IP address during the detection time window. The Bad Password errors can happen multiple times to certain users. Notice this does not include failed attempts due to expired passwords. |
64-
| Extranet Lock Out Error Count (30030) | The count of Extranet Lockout error occurred from the IP address during the detection time window. The Extranet Lockout errors can happen multiple times to certain users. This will only be seen if Extranet Lockout is configured in AD FS (versions 2012R2 or higher). <b>Note</b> We strongly recommend turning this feature on if you allow extranet logins using passwords. |
64+
| Extranet Lock Out Error Count (300030) | The count of Extranet Lockout error occurred from the IP address during the detection time window. The Extranet Lockout errors can happen multiple times to certain users. This will only be seen if Extranet Lockout is configured in AD FS (versions 2012R2 or higher). <b>Note</b> We strongly recommend turning this feature on if you allow extranet logins using passwords. |
6565
| Unique Users Attempted | The count of unique user accounts attempted from the IP address during the detection time window. This provides a mechanism to differentiate a single user attack pattern versus multi-user attack pattern. |
6666

6767
Filter the report by IP address or user name to see an expanded view of sign-ins details for each risky IP event.
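Review bot: The header changes the extranet lockout code from `30030` to `300030`, but this hunk touches only the table row, so any other mention of the old value elsewhere in the article needs the same correction or readers filtering on the code will get different answers from different sections. While this table is open, the Detection Window Length row's "detect versus a high frequency brute force attack versus a slow attack" is garbled and could be fixed in the same pass.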

articles/active-directory/hybrid/how-to-connect-install-existing-tenant.md

Lines changed: 1 addition & 1 deletion
@@ -23,7 +23,7 @@ You can manage some users on-premises and other in the cloud. A common scenario
2323
If you started to manage users in Azure AD that are also in on-premises AD and later want to use Connect, then there are some additional concerns you need to consider.
2424

2525
## Sync with existing users in Azure AD
26-
When you install Azure AD Connect and you start synchronizing, the Azure AD sync service (in Azure AD) does a check on every new object and tries to find an existing object to match. There are three attributes used for this process: **userPrincipalName**, **proxyAddresses**, and **sourceAnchor**/**immutableID**. A match on **userPrincipalName** and **proxyAddresses** is known as a **soft match**. A match on **sourceAnchor** is known as **hard match**. For the **proxyAddresses** attribute only the value with **SMTP:**, that is the primary email address, is used for the evaluation.
26+
When you install Azure AD Connect and you start synchronizing, the Azure AD sync service (in Azure AD) does a check on every new object and tries to find an existing object to match. There are three attributes used for this process: **userPrincipalName**, **proxyAddresses**, and **sourceAnchor**/**immutableID**. A match on **userPrincipalName** or **proxyAddresses** is known as a **soft match**. A match on **sourceAnchor** is known as **hard match**. For the **proxyAddresses** attribute only the value with **SMTP:**, that is the primary email address, is used for the evaluation.
2727

2828
The match is only evaluated for new objects coming from Connect. If you change an existing object so it is matching any of these attributes, then you see an error instead.
2929
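Review bot: Changing "and" to "or" in the soft-match sentence means a match on either **userPrincipalName** or the primary **proxyAddresses** value alone links a synced object to an existing cloud account, but the paragraph does not say which match wins when the attributes point at different existing objects, or whether a hard match is evaluated before a soft match. Because this decides which cloud account an on-premises identity takes over, add one sentence stating the evaluation order. Minor: "is known as hard match" is missing "a", and the hard-match sentence names only **sourceAnchor** although the attribute list gives **sourceAnchor**/**immutableID**.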

articles/active-directory/hybrid/how-to-connect-install-prerequisites.md

Lines changed: 1 addition & 1 deletion
@@ -57,7 +57,7 @@ To read more about securing your Active Directory environment, see [Best practic
5757

5858
#### Installation prerequisites
5959

60-
- Azure AD Connect must be installed on a domain-joined Windows Server 2019 or later - note that Windows Server 2022 is not yet supported. You can deploy Azure AD Connect on Windows Server 2016 but since WS2016 is in extended support, you may require [a paid support program](/lifecycle/policies/fixed#extended-support) if you require support for this configuration.
60+
- Azure AD Connect must be installed on a domain-joined Windows Server 2016 or later - note that Windows Server 2022 is not yet supported. You can deploy Azure AD Connect on Windows Server 2016 but since WS2016 is in extended support, you may require [a paid support program](/lifecycle/policies/fixed#extended-support) if you require support for this configuration.
6161
- The minimum .Net Framework version required is 4.6.2, and newer versions of .Net are also supported.
6262
- Azure AD Connect can't be installed on Small Business Server or Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported). The server must be using Windows Server standard or better.
6363
- The Azure AD Connect server must have a full GUI installed. Installing Azure AD Connect on Windows Server Core isn't supported.
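Review bot: With the minimum lowered to "Windows Server 2016 or later", the next sentence in the same bullet ("You can deploy Azure AD Connect on Windows Server 2016 but since WS2016 is in extended support ...") now restates the requirement as if it were an exception. Rewrite the bullet so the supported range is stated once, followed by the extended-support caveat for 2016. The phrase "or later" also sits next to "Windows Server 2022 is not yet supported"; naming the supported versions explicitly would remove that contradiction.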

articles/active-directory/hybrid/how-to-connect-selective-password-hash-synchronization.md

Lines changed: 3 additions & 0 deletions
@@ -35,6 +35,9 @@ To reduce the configuration administrative effort, you should first consider the
3535
> [!IMPORTANT]
3636
> Configuring selective password hash synchronization directly influences password writeback. Password changes or password resets that are initiated in Azure Active Directory write back to on-premises Active Directory only if the user is in scope for password hash synchronization.
3737
38+
> [!IMPORTANT]
39+
> Selective password hash synchronization is supported in 1.6.2.4 or later. If you are using a version lower than that, please upgrade to the latest version.
40+
3841
### The adminDescription attribute
3942

4043
Both scenarios rely on setting the adminDescription attribute of users to a specific value. This allows the rules to be applied and is what makes selective PHS work.
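Review bot: The added note says "supported in 1.6.2.4 or later" without naming the product the version belongs to; write "Azure AD Connect version 1.6.2.4 or later" so the requirement can be checked. This also creates two consecutive `[!IMPORTANT]` blocks; consider merging the version requirement into the prerequisites for the section, or making it a `[!NOTE]`, so the password writeback warning above it keeps its emphasis.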

articles/active-directory/hybrid/how-to-connect-sync-configure-filtering.md

Lines changed: 2 additions & 0 deletions
@@ -88,6 +88,8 @@ To change domain-based filtering, run the installation wizard: [domain and OU fi
8888
## Organizational unit–based filtering
8989
To change OU-based filtering, run the installation wizard: [domain and OU filtering](how-to-connect-install-custom.md#domain-and-ou-filtering). The installation wizard automates all the tasks that are documented in this topic.
9090

91+
> [!IMPORTANT]
92+
> If you explicitly select an OU for synchronization, Azure AD Connect will add the DistinguishedName of that OU in the inclusion list for the domain's sync scope. However, if you later rename that OU in Active Directory, the DistinguishedName of the OU is changed, and consequently, Azure AD Connect will no longer consider that OU in sync scope. This will not cause an immediate issue, but upon a full import step, Azure AD Connect will reevaluate the sync scope and delete (i.e. obsolete) any objects out of sync scope, which can potentially cause an unexpected mass deletion of objects in Azure AD. To prevent this issue, after renaming a OU, run Azure AD Connect Wizard and re-select the OU to be again included in sync scope.
9193
9294
## Attribute-based filtering
9395
Make sure that you're using the November 2015 ([1.0.9125](reference-connect-version-history.md)) or later build for these steps to work.
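Review bot: The new warning tells the reader to re-select the OU "after renaming" but does not say that this has to happen before the next full import, which is the step the note itself identifies as triggering the deletions. State the ordering explicitly (rename, re-run the wizard and re-select the OU, then allow the next sync) so the mitigation cannot be applied too late. Wording: "delete (i.e. obsolete)" is unclear, and "a OU" should be "an OU".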
