Commit fad6419

Merge pull request #214458 from MicrosoftDocs/main
10/13 AM Publish
2 parents 91cf702 + 7bfeaca commit fad6419

106 files changed

+1670
-1262
lines changed

articles/active-directory/authentication/howto-sspr-windows.md

Lines changed: 12 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 03/18/2022
9+
ms.date: 10/13/2022
1010

1111
ms.author: justinha
1212
author: justinha
@@ -17,9 +17,9 @@ ms.collection: M365-identity-device-management
1717
---
1818
# Enable Azure Active Directory self-service password reset at the Windows sign-in screen
1919

20-
Self-service password reset (SSPR) gives users in Azure Active Directory (Azure AD) the ability to change or reset their password, with no administrator or help desk involvement. Typically, users open a web browser on another device to access the [SSPR portal](https://aka.ms/sspr). To improve the experience on computers that run Windows 7, 8, 8.1, and 10, you can enable users to reset their password at the Windows sign-in screen.
20+
Self-service password reset (SSPR) gives users in Azure Active Directory (Azure AD) the ability to change or reset their password, with no administrator or help desk involvement. Typically, users open a web browser on another device to access the [SSPR portal](https://aka.ms/sspr). To improve the experience on computers that run Windows 7, 8, 8.1, 10, and 11 you can enable users to reset their password at the Windows sign-in screen.
2121

22-
![Example Windows 7 and 10 login screens with SSPR link shown](./media/howto-sspr-windows/windows-reset-password.png)
22+
![Example Windows login screens with SSPR link shown](./media/howto-sspr-windows/windows-reset-password.png)
2323

2424
> [!IMPORTANT]
2525
> This tutorial shows an administrator how to enable SSPR for Windows devices in an enterprise.
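Review bot: In the added intro sentence on line 20, the comma after the introductory phrase was dropped: "Windows 7, 8, 8.1, 10, and 11 you can enable" should read "10, and 11, you can enable". The alt text on line 22 is now generic, but the image file `windows-reset-password.png` is unchanged, so confirm the screenshot still matches what the alt text describes.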
@@ -37,7 +37,6 @@ The following limitations apply to using SSPR from the Windows sign-in screen:
3737
- Hybrid Azure AD joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials. This means that devices must either be on the organization's internal network or on a VPN with network access to an on-premises domain controller.
3838
- If using an image, prior to running sysprep ensure that the web cache is cleared for the built-in Administrator prior to performing the CopyProfile step. More information about this step can be found in the support article [Performance poor when using custom default user profile](https://support.microsoft.com/help/4056823/performance-issue-with-custom-default-user-profile).
3939
- The following settings are known to interfere with the ability to use and reset passwords on Windows 10 devices:
40-
- If Ctrl+Alt+Del is required by policy in Windows 10, **Reset password** won't work.
4140
- If lock screen notifications are turned off, **Reset password** won't work.
4241
- *HideFastUserSwitching* is set to enabled or 1
4342
- *DontDisplayLastUserName* is set to enabled or 1
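Review bot: The bullet removed at old line 40 (Ctrl+Alt+Del required by policy) drops a documented limitation with no replacement text, so a reader can't tell whether it no longer applies at all or only on some versions. If it still holds for any supported Windows 10 or 11 version, keep it and scope it to those versions. The parent bullet on line 39 also still says "on Windows 10 devices" while the rest of this change extends the article to Windows 11; update it, or state that the list is Windows 10 only.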
@@ -55,11 +54,11 @@ The following limitations apply to using SSPR from the Windows sign-in screen:
5554
> These limitations also apply to Windows Hello for Business PIN reset from the device lock screen.
5655
>
5756
58-
## Windows 10 password reset
57+
## Windows 11 and 10 password reset
5958

60-
To configure a Windows 10 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.
59+
To configure a Windows 11 or 10 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.
6160

62-
### Windows 10 prerequisites
61+
### Windows 11 and 10 prerequisites
6362

6463
- An administrator [must enable Azure AD self-service password reset from the Azure portal](tutorial-enable-sspr.md).
6564
- Users must register for SSPR before using this feature at [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup)
@@ -71,17 +70,17 @@ To configure a Windows 10 device for SSPR at the sign-in screen, review the foll
7170
- Azure AD joined
7271
- Hybrid Azure AD joined
7372

74-
### Enable for Windows 10 using Microsoft Endpoint Manager
73+
### Enable for Windows 11 and 10 using Microsoft Endpoint Manager
7574

7675
Deploying the configuration change to enable SSPR from the login screen using Microsoft Endpoint Manager is the most flexible method. Microsoft Endpoint Manager allows you to deploy the configuration change to a specific group of machines you define. This method requires Microsoft Endpoint Manager enrollment of the device.
7776

7877
#### Create a device configuration policy in Microsoft Endpoint Manager
7978

8079
1. Sign in to the [Azure portal](https://portal.azure.com) and select **Endpoint Manager**.
8180
1. Create a new device configuration profile by going to **Device configuration** > **Profiles**, then select **+ Create Profile**
82-
- For **Platform** choose *Windows 10 and later*
81+
- For **Platform** choose *Windows 11 and later*
8382
- For **Profile type**, choose *Custom*
84-
1. Select **Create**, then provide a meaningful name for the profile, such as *Windows 10 sign-in screen SSPR*
83+
1. Select **Create**, then provide a meaningful name for the profile, such as *Windows 11 sign-in screen SSPR*
8584

8685
Optionally, provide a meaningful description of the profile, then select **Next**.
8786
1. Under *Configuration settings*, select **Add** and provide the following OMA-URI setting to enable the reset password link:
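Review bot: Line 81 changes the **Platform** value to *Windows 11 and later*, which looks like a find-and-replace side effect: the section is titled "Enable for Windows 11 and 10", and a profile scoped to "Windows 11 and later" would not cover the Windows 10 devices these steps are meant for. Quote the option exactly as the Endpoint Manager UI labels it (the text was previously *Windows 10 and later*). The example profile name on line 83 is free text, so a name covering both versions would match the heading better than *Windows 11 sign-in screen SSPR*.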
@@ -99,7 +98,7 @@ Deploying the configuration change to enable SSPR from the login screen using Mi
9998
1. Configure applicability rules as desired for your environment, such as to *Assign profile if OS edition is Windows 10 Enterprise*, then select **Next**.
10099
1. Review your profile, then select **Create**.
101100

102-
### Enable for Windows 10 using the Registry
101+
### Enable for Windows 11 and 10 using the Registry
103102

104103
To enable SSPR at the sign-in screen using a registry key, complete the following steps:
105104

@@ -112,13 +111,13 @@ To enable SSPR at the sign-in screen using a registry key, complete the followin
112111
"AllowPasswordReset"=dword:00000001
113112
```
114113
115-
### Troubleshooting Windows 10 password reset
114+
### Troubleshooting Windows 11 and 10 password reset
116115
117116
If you have problems with using SSPR from the Windows sign-in screen, the Azure AD audit log includes information about the IP address and *ClientType* where the password reset occurred, as shown in the following example output:
118117
119118
![Example Windows 7 password reset in the Azure AD Audit log](media/howto-sspr-windows/windows-7-sspr-azure-ad-audit-log.png)
120119
121-
When users reset their password from the sign-in screen of a Windows 10 device, a low-privilege temporary account called `defaultuser1` is created. This account is used to keep the password reset process secure.
120+
When users reset their password from the sign-in screen of a Windows 11 or 10 device, a low-privilege temporary account called `defaultuser1` is created. This account is used to keep the password reset process secure.
122121
123122
The account itself has a randomly generated password, which is validated against an organizations password policy, doesn't show up for device sign-in, and is automatically removed after the user resets their password. Multiple `defaultuser` profiles may exist but can be safely ignored.
124123

articles/active-directory/fundamentals/license-users-groups.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ There are several license plans available for the Azure AD service, including:
3232

3333
For specific information about each license plan and the associated licensing details, see [What license do I need?](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). To sign up for Azure AD premium license plans see [here](./active-directory-get-started-premium.md).
3434

35-
Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory > Users > Profile > Settings** area in Azure AD. Any user whose usage location isn't specified inherits the location of the Azure AD organization.
35+
Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory > Users > Profile > Settings** area in Azure AD. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization.
3636

3737
## View license plans and plan details
3838
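Review bot: The sentence added on line 35 is not parallel: "When assigning licenses to a group or bulk updates such as disabling the synchronization status" reads as if licenses are assigned to bulk updates. Suggest "When you assign licenses to a group or perform bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits ...". It also follows "you must specify the **Usage location** for all members", so say which of the two holds for group assignment: is the location required, or is it inherited when missing?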

@@ -80,7 +80,7 @@ Make sure that anyone needing to use a licensed Azure AD service has the appropr
8080
The **Assign license** page updates to show that a user is selected and that the assignments are configured.
8181

8282
> [!NOTE]
83-
> Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify the **Usage location**. You can set this value in the **Azure Active Directory > Users > Profile > Settings** area in Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.
83+
> Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify the **Usage location**. You can set this value in the **Azure Active Directory > Users > Profile > Settings** area in Azure AD. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization.
8484
8585
1. Select **Assign**.
8686
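Review bot: The NOTE on line 83 sits in the steps for assigning a license to a single user, but the new sentence only covers "a group or bulk updates", so the reader no longer learns what happens to a single user with no usage location (the old text said it is inherited). Keep a user-specific statement here or point to the group-assignment section, and apply the same wording fix as in the paragraph near line 35.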

articles/active-directory/fundamentals/whats-new-sovereign-clouds.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ This page is updated monthly, so revisit it regularly.
2323

2424

2525

26-
## September 2022
26+
## October 2022
2727

2828
### General Availability - Azure AD certificate-based authentication
2929
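Review bot: Line 26 relabels the existing "## September 2022" heading as "## October 2022" with no new entries added beneath it, so "General Availability - Azure AD certificate-based authentication" and everything down to the `---` on line 66 is now listed as an October item. Confirm those entries belong under October; if they were September announcements, add the October heading above new content instead of renaming the old one.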

@@ -65,6 +65,8 @@ For more information on how to use this feature, see: [Dynamic membership rule f
6565

6666
---
6767

68+
## September 2022
69+
6870

6971
### General Availability - No more waiting, provision groups on demand into your SaaS applications.
7072

articles/active-directory/reports-monitoring/reports-faq.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -89,6 +89,11 @@ sections:
8989
I see .XXX in part of the IP address from a user in my sign-in logs. Why is that happening?
9090
answer: |
9191
Azure AD may redact part of an IP address in the sign-in logs to protect user privacy when a user may not belong to the tenant viewing the logs. This action happens in two cases: first, during cross tenant sign ins, such as when a CSP technician signs into a tenant that CSP manages. Second, when our service wasn't able to determine the user's identity with sufficient confidence to be sure the user belongs to the tenant viewing the logs.
92+
- question: |
93+
I see "PII Removed" in the Device Details of a user in my sign-in logs. Why is that happening?
94+
answer: |
95+
Azure AD redacts Personally Identifiable Information (PII) generated by devices that do not belong to your tenant to ensure customer data does not spread beyond tenant boundaries without user and data owner consent.
96+
9297
9398
- name: Conditional Access
9499
questions:
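Review bot: The new answer on line 95 doesn't say when a device counts as not belonging to the tenant, whereas the IP-address answer just above names its two cases (cross-tenant sign-ins and low-confidence identity). Add the equivalent condition so someone triaging sign-in logs can tell expected redaction from missing data. Style: the neighboring answer uses contractions ("wasn't"), so "do not" and "does not" can become "don't" and "doesn't"; the added line 96 also leaves two consecutive blank lines before `- name: Conditional Access`.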

articles/active-directory/saas-apps/sap-successfactors-writeback-tutorial.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -327,7 +327,7 @@ Once the SuccessFactors provisioning app configurations have been completed, you
327327
> ![Select Writeback scope](./media/sap-successfactors-inbound-provisioning/select-writeback-scope.png)
328328
329329
> [!NOTE]
330-
> The SuccessFactors Writeback provisioning app does not support "group assignment". Only "user assignment" is supported.
330+
> SuccessFactors Writeback provisioning apps created after 12-Oct-2022 support the "group assignment" feature. If you created the app prior to 12-Oct-2022, it will only have "user assignment" support. To use the "group assignment" feature, create a new instance of the SuccessFactors Writeback application and move your existing mapping configurations to this app.
331331
332332
1. Click **Save**.
333333
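Review bot: The NOTE on line 330 tells readers to "move your existing mapping configurations to this app" without saying how; link the export and import article this file already lists under its closing links (`../app-provisioning/export-import-provisioning-configuration.md`). The cutoff is written as "12-Oct-2022" twice; spelling it out ("October 12, 2022") avoids any ambiguity for readers using other date conventions.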

@@ -350,4 +350,4 @@ Refer to the [Writeback scenarios section](../app-provisioning/sap-successfactor
350350
* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
351351
* [Learn how to configure single sign-on between SuccessFactors and Azure Active Directory](successfactors-tutorial.md)
352352
* [Learn how to integrate other SaaS applications with Azure Active Directory](tutorial-list.md)
353-
* [Learn how to export and import your provisioning configurations](../app-provisioning/export-import-provisioning-configuration.md)
353+
* [Learn how to export and import your provisioning configurations](../app-provisioning/export-import-provisioning-configuration.md)

articles/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant.md

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
title: Tutorial - Configure your tenant for Microsoft Entra Verified ID
3-
description: In this tutorial, you learn how to configure your tenant to support the Verifiable Credentials service.
3+
description: In this tutorial, you learn how to configure your tenant to support the Verified ID service.
44
ms.service: decentralized-identity
55
ms.subservice: verifiable-credentials
66
author: barclayn
@@ -24,7 +24,7 @@ Specifically, you learn how to:
2424

2525
> [!div class="checklist"]
2626
> - Create an Azure Key Vault instance.
27-
> - Set up the Verifiable Credentials service.
27+
> - Set up the Verified ID service.
2828
> - Register an application in Azure AD.
2929
3030
The following diagram illustrates the Verified ID architecture and the component you configure.
@@ -77,6 +77,7 @@ The Verifiable credentials service request is the Request Service API, and it ne
7777

7878
1. To save the changes, select **Add**.
7979

80+
8081
## Set up Verified ID
8182

8283
To set up Verified ID, follow these steps:
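Review bot: Line 80 adds a blank line directly below the existing blank line 79, leaving two in a row before "## Set up Verified ID"; drop it. The hunk header context also shows the preceding section still begins "The Verifiable credentials service request is the Request Service API", so the rename to "Verified ID service" made elsewhere in this file is incomplete there.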
@@ -87,7 +88,7 @@ To set up Verified ID, follow these steps:
8788

8889
1. Set up your organization by providing the following information:
8990

90-
1. **Organization name**: Enter a name to reference your business within Verifiable Credentials. Your customers don't see this name.
91+
1. **Organization name**: Enter a name to reference your business within Verified IDs. Your customers don't see this name.
9192

9293
1. **Domain**: Enter a domain that's added to a service endpoint in your decentralized identity (DID) document. The domain is what binds your DID to something tangible that the user might know about your business. Microsoft Authenticator and other digital wallets use this information to validate that your DID is linked to your domain. If the wallet can verify the DID, it displays a verified symbol. If the wallet can't verify the DID, it informs the user that the credential was issued by an organization it couldn't validate.
9394
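Review bot: On line 91, "within Verified IDs" reads as though the organization name lives inside individual credentials; the rest of this change uses the singular service name ("Verified ID service"), so "within Verified ID" or "within the Verified ID service" would be consistent.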

@@ -99,7 +100,7 @@ To set up Verified ID, follow these steps:
99100
1. Under **Advanced**, you may choose the **trust system** that you want to use for your tenant. You can choose from either **Web** or **ION**. Web means your tenant uses [did:web](https://w3c-ccg.github.io/did-method-web/) as the did method and ION means it uses [did:ion](https://identity.foundation/ion/).
100101

101102
>[!IMPORTANT]
102-
> The only way to change the trust system is to opt-out of verifiable credentials and redo the onboarding.
103+
> The only way to change the trust system is to opt-out of the Verified ID service and redo the onboarding.
103104
104105

105106
1. Select **Save and get started**.
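Review bot: In the IMPORTANT note on line 103, "opt-out" is used as a verb and should be "opt out of the Verified ID service". Because the note tells admins that switching between **Web** and **ION** means redoing onboarding, it should also state what happens to credentials already issued under the previous trust system, or link to where that is documented.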
@@ -156,7 +157,8 @@ You can choose to grant issuance and presentation permissions separately if you
156157

157158
## Service endpoint configuration
158159

159-
1. Navigate to the Verified ID in the Azure portal.
160+
161+
1. Navigate to the Verified ID service in the Azure portal.
160162
1. Select **Registration**.
161163
1. Notice that there are two sections:
162164
1. Website ID registration
