From ab25285dcddf323696259afd181ed5173e2bc129 Mon Sep 17 00:00:00 2001 From: Arie Heinrich Date: Fri, 25 Apr 2025 00:39:59 +0200 Subject: [PATCH] Spelling - Remove spaces MD038 - Add table separators MD 055 - 056 --- ...nnect-configure-ad-ds-connector-account.md | 20 ++++++++-------- .../connect/how-to-connect-fed-whatis.md | 1 + .../connect/how-to-connect-health-adfs.md | 2 +- .../how-to-connect-health-alert-catalog.md | 1 + ...ow-to-connect-install-automatic-upgrade.md | 2 +- .../connect/how-to-connect-install-custom.md | 4 ++-- .../connect/how-to-connect-install-roadmap.md | 6 ++++- .../how-to-connect-install-sql-delegation.md | 4 ++-- ...o-connect-password-hash-synchronization.md | 2 +- .../how-to-connect-single-object-sync.md | 2 +- .../hybrid/connect/how-to-connect-sso.md | 12 +++++----- ...how-to-connect-sync-configure-filtering.md | 2 +- ...nect-sync-service-manager-ui-connectors.md | 1 + .../how-to-connect-sync-staging-server.md | 2 +- .../connect/how-to-connect-sync-whatis.md | 1 + .../connect/reference-connect-adsync.md | 6 ++--- .../connect/reference-connect-adsynctools.md | 4 ++-- .../reference-connect-government-cloud.md | 2 +- .../hybrid/connect/reference-connect-ports.md | 3 ++- ...ce-connect-sync-attributes-synchronized.md | 10 ++++++-- ...ference-connect-version-history-archive.md | 24 +++++++++---------- .../reference-connect-version-history.md | 10 ++++---- .../tshoot-clear-on-premises-attributes.md | 4 ++-- ...onnect-largeobjecterror-usercertificate.md | 2 +- .../hybrid/connect/whatis-azure-ad-connect.md | 2 +- 25 files changed, 72 insertions(+), 57 deletions(-) diff --git a/docs/identity/hybrid/connect/how-to-connect-configure-ad-ds-connector-account.md b/docs/identity/hybrid/connect/how-to-connect-configure-ad-ds-connector-account.md index 5335487cab8..67b240d14bc 100644 --- a/docs/identity/hybrid/connect/how-to-connect-configure-ad-ds-connector-account.md +++ b/docs/identity/hybrid/connect/how-to-connect-configure-ad-ds-connector-account.md 
@@ -292,16 +292,16 @@ This cmdlet sets the following permissions: |Type |Name |Access |Applies To| |-----|-----|-----|-----| -|Allow |SYSTEM |Full Control |This object -|Allow |Enterprise Admins |Full Control |This object -|Allow |Domain Admins |Full Control |This object -|Allow |Administrators |Full Control |This object -|Allow |Enterprise Domain Controllers |List Contents |This object -|Allow |Enterprise Domain Controllers |Read All Properties |This object -|Allow |Enterprise Domain Controllers |Read Permissions |This object -|Allow |Authenticated Users |List Contents |This object -|Allow |Authenticated Users |Read All Properties |This object -|Allow |Authenticated Users |Read Permissions |This object +|Allow |SYSTEM |Full Control |This object | +|Allow |Enterprise Admins |Full Control |This object | +|Allow |Domain Admins |Full Control |This object | +|Allow |Administrators |Full Control |This object | +|Allow |Enterprise Domain Controllers |List Contents |This object | +|Allow |Enterprise Domain Controllers |Read All Properties |This object | +|Allow |Enterprise Domain Controllers |Read Permissions |This object | +|Allow |Authenticated Users |List Contents |This object | +|Allow |Authenticated Users |Read All Properties |This object | +|Allow |Authenticated Users |Read Permissions |This object | ## Next Steps - [Microsoft Entra Connect: Accounts and permissions](reference-connect-accounts-permissions.md) diff --git a/docs/identity/hybrid/connect/how-to-connect-fed-whatis.md b/docs/identity/hybrid/connect/how-to-connect-fed-whatis.md index aec9575de55..d8c89e922a8 100644 --- a/docs/identity/hybrid/connect/how-to-connect-fed-whatis.md +++ b/docs/identity/hybrid/connect/how-to-connect-fed-whatis.md @@ -22,6 +22,7 @@ This topic is the home for information on federation-related functionalities for ## Microsoft Entra Connect: federation topics + | Topic | What it covers and when to read it | |:--- |:--- | | **Microsoft Entra Connect user sign-in options** | | 
diff --git a/docs/identity/hybrid/connect/how-to-connect-health-adfs.md b/docs/identity/hybrid/connect/how-to-connect-health-adfs.md index 6e5820052a4..6abc091d4bf 100644 --- a/docs/identity/hybrid/connect/how-to-connect-health-adfs.md +++ b/docs/identity/hybrid/connect/how-to-connect-health-adfs.md @@ -259,7 +259,7 @@ To select additional metrics, specify a time range, or to change the grouping, r | --- | --- | | All | Shows the count of total number of requests processed by all AD FS servers.| | Application | Groups the total requests based on the targeted relying party. This grouping is useful to understand which application is receiving how much percentage of the total traffic. | -| Server |Groups the total requests based on the server that processed the request. This grouping is useful to understand the load distribution of the total traffic. +| Server |Groups the total requests based on the server that processed the request. This grouping is useful to understand the load distribution of the total traffic. | | Workplace Join |Groups the total requests based on whether they are coming from devices that are workplace joined (known). This grouping is useful to understand if your resources are accessed using devices that are unknown to the identity infrastructure. | | Authentication Method | Groups the total requests based on the authentication method used for authentication. This grouping is useful to understand the common authentication method that gets used for authentication. Following are the possible authentication methods
  1. Windows Integrated Authentication (Windows)
  2. Forms Based Authentication (Forms)
  3. SSO (Single Sign On)
  4. X509 Certificate Authentication (Certificate)

  5. If the federation servers receive the request with an SSO Cookie, that request is counted as SSO (Single Sign On). In such cases, if the cookie is valid, the user is not asked to provide credentials and gets seamless access to the application. This behavior is common if you have multiple relying parties protected by the federation servers. | | Network Location | Groups the total requests based on the network location of the user. It can be either intranet or extranet. This grouping is useful to know what percentage of the traffic is coming from the intranet versus extranet. | diff --git a/docs/identity/hybrid/connect/how-to-connect-health-alert-catalog.md b/docs/identity/hybrid/connect/how-to-connect-health-alert-catalog.md index 9873a57a875..4a52232753d 100644 --- a/docs/identity/hybrid/connect/how-to-connect-health-alert-catalog.md +++ b/docs/identity/hybrid/connect/how-to-connect-health-alert-catalog.md 
@@ -44,6 +44,7 @@ Microsoft Entra Connect Health alerts get resolved on a success condition. Micro | Export to Microsoft Entra ID was Stopped. Accidental delete threshold was reached |The export operation to Microsoft Entra ID failed. There were more objects to be deleted than the configured threshold. As a result, no objects were exported. | The number of objects marked for deletion is greater than the maximum threshold set. To evaluate the objects pending deletion, see [prevent accidental deletes](/entra/identity/hybrid/connect/how-to-connect-sync-feature-prevent-accidental-deletes). | ## Alerts for Active Directory Federation Services + | Alert Name | Description | Remediation | | --- | --- | ----- | |Test Authentication Request (Synthetic Transaction) failed to obtain a token | The test authentication requests (Synthetic Transactions) initiated from this server failed to obtain a token after five retries. This might be caused due to transient network issues, AD DS Domain Controller availability or a mis-configured AD FS server. As a result, authentication requests processed by the federation service might fail. The agent uses the Local Computer Account context to obtain a token from the Federation Service. | Ensure that the following steps are taken to validate the health of the server.
    1. Validate that there are no additional unresolved alerts for this or other AD FS servers in your farm.
    2. Validate that this condition isn't a transient failure by logging on with a test user from the AD FS sign-in page available at https://{your_adfs_server_name}/adfs/ls/idpinitiatedsignon.aspx
    3. Go to https://testconnectivity.microsoft.com and choose the ‘Office 365’ tab. Perform the ‘Office 365 single sign-on Test’.
    4. Verify if your AD FS service name can be resolved from this server by executing the following command from a command prompt on this server. nslookup your_adfs_server_name

    If the service name can't be resolved, refer to the FAQ section for instructions of adding a HOST file entry of your AD FS service with the IP address of this server. This allows the synthetic transaction module running on this server to request a token

    | diff --git a/docs/identity/hybrid/connect/how-to-connect-install-automatic-upgrade.md b/docs/identity/hybrid/connect/how-to-connect-install-automatic-upgrade.md index 1f3d336da6d..bd294b72a09 100644 --- a/docs/identity/hybrid/connect/how-to-connect-install-automatic-upgrade.md +++ b/docs/identity/hybrid/connect/how-to-connect-install-automatic-upgrade.md @@ -58,7 +58,7 @@ Automatic upgrade will not be eligible to proceed if any of the following condit | Result Message | Description | | --- | --- | -|UpgradeNotSupportedTLSVersionIncorrect|Your TLS version is lower than 1.2. Follow [our guide](reference-connect-tls-enforcement.md) to update your TLS. +|UpgradeNotSupportedTLSVersionIncorrect|Your TLS version is lower than 1.2. Follow [our guide](reference-connect-tls-enforcement.md) to update your TLS.| |UpgradeNotSupportedCustomizedSyncRules|There are custom synchronization rules configured in Microsoft Entra Connect.
    **Note:** After version 2.2.1.0, this condition no longer prevents auto upgrade.| |UpgradeNotSupportedInvalidPersistedState|The installation isn't an Express settings or a DirSync upgrade.| |UpgradeNotSupportedNonLocalDbInstall|You aren't using a SQL Server Express LocalDB database.| diff --git a/docs/identity/hybrid/connect/how-to-connect-install-custom.md b/docs/identity/hybrid/connect/how-to-connect-install-custom.md index 224522d8fcc..668f7701e8c 100644 --- a/docs/identity/hybrid/connect/how-to-connect-install-custom.md +++ b/docs/identity/hybrid/connect/how-to-connect-install-custom.md 
@@ -63,11 +63,11 @@ After installing the required components, select your users' single sign-on meth | Single sign-on option | Description | | --- | --- | | Password hash synchronization |Users can sign in to Microsoft cloud services, such as Microsoft 365, by using the same password they use in their on-premises network. User passwords are synchronized to Microsoft Entra ID as a password hash. Authentication occurs in the cloud. For more information, see [Password hash synchronization](how-to-connect-password-hash-synchronization.md). | -|Pass-through authentication|Users can sign in to Microsoft cloud services, such as Microsoft 365, by using the same password they use in their on-premises network. User passwords are validated by being passed through to the on-premises Active Directory domain controller. +|Pass-through authentication|Users can sign in to Microsoft cloud services, such as Microsoft 365, by using the same password they use in their on-premises network. User passwords are validated by being passed through to the on-premises Active Directory domain controller. | | Federation with AD FS |Users can sign in to Microsoft cloud services, such as Microsoft 365, by using the same password they use in their on-premises network. Users are redirected to their on-premises Azure Directory Federation Services (AD FS) instance to sign in. Authentication occurs on-premises. | | Federation with PingFederate|Users can sign in to Microsoft cloud services, such as Microsoft 365, by using the same password they use in their on-premises network. Users are redirected to their on-premises PingFederate instance to sign in. Authentication occurs on-premises. | | Do not configure |No user sign-in feature is installed or configured. Choose this option if you already have a third-party federation server or another solution in place. | -|Enable single sign-on|This option is available with both password hash sync and pass-through authentication. 
It provides a single sign-on experience for desktop users on corporate networks. For more information, see [Single sign-on](how-to-connect-sso.md).

    **Note:** For AD FS customers, this option is unavailable. AD FS already offers the same level of single sign-on.
    +|Enable single sign-on|This option is available with both password hash sync and pass-through authentication. It provides a single sign-on experience for desktop users on corporate networks. For more information, see [Single sign-on](how-to-connect-sso.md).

    **Note:** For AD FS customers, this option is unavailable. AD FS already offers the same level of single sign-on.
    | diff --git a/docs/identity/hybrid/connect/how-to-connect-install-roadmap.md b/docs/identity/hybrid/connect/how-to-connect-install-roadmap.md index dfcbe279f2b..382ebfdda7a 100644 --- a/docs/identity/hybrid/connect/how-to-connect-install-roadmap.md +++ b/docs/identity/hybrid/connect/how-to-connect-install-roadmap.md @@ -37,6 +37,7 @@ You can find the download for Microsoft Entra Connect on [Microsoft Download Cen ### Next steps to Install Microsoft Entra Connect + |Topic |Link| | --- | --- | |Download Microsoft Entra Connect | [Download Microsoft Entra Connect](https://go.microsoft.com/fwlink/?LinkId=615771)| @@ -74,11 +75,12 @@ The [prevent accidental deletes](how-to-connect-sync-feature-prevent-accidental- [Automatic upgrade](how-to-connect-install-automatic-upgrade.md) is enabled by default for express settings installations and ensures your Microsoft Entra Connect is always up to date with the latest release. ### Next steps to configure sync features + |Topic |Link| | --- | --- | |Configure filtering | [Microsoft Entra Connect Sync: Configure filtering](how-to-connect-sync-configure-filtering.md)| |Password hash synchronization | [Password hash synchronization](how-to-connect-password-hash-synchronization.md)| -|Pass-through Authentication | [Pass-through authentication](how-to-connect-pta.md) +|Pass-through Authentication | [Pass-through authentication](how-to-connect-pta.md)| |Password writeback | [Getting started with password management](~/identity/authentication/tutorial-enable-sspr.md)| |Device writeback | [Enabling device writeback in Microsoft Entra Connect](how-to-connect-device-writeback.md)| |Prevent accidental deletes | [Microsoft Entra Connect Sync: Prevent accidental deletes](how-to-connect-sync-feature-prevent-accidental-deletes.md)| 
@@ -98,6 +100,7 @@ The configuration model in sync is called [declarative provisioning](concept-azu ### Next steps to customize Microsoft Entra Connect Sync + |Topic |Link| | --- | --- | |All Microsoft Entra Connect Sync articles | [Microsoft Entra Connect Sync](how-to-connect-sync-whatis.md)| @@ -122,6 +125,7 @@ ADFS can be configured to support [multiple domains](how-to-connect-install-mult If your ADFS server isn't configured to update certificates from Microsoft Entra ID automatically, or if you use a non-ADFS solution, then you'll be notified when you have to [update certificates](how-to-connect-fed-o365-certs.md). ### Next steps to configure federation features + |Topic |Link| | --- | --- | |All AD FS articles | [Microsoft Entra Connect and federation](how-to-connect-fed-whatis.md)| diff --git a/docs/identity/hybrid/connect/how-to-connect-install-sql-delegation.md b/docs/identity/hybrid/connect/how-to-connect-install-sql-delegation.md index 9fe271fe856..64caf740d3b 100644 --- a/docs/identity/hybrid/connect/how-to-connect-install-sql-delegation.md +++ b/docs/identity/hybrid/connect/how-to-connect-install-sql-delegation.md 
@@ -23,9 +23,9 @@ To use this feature, you need to realize that there are several moving parts and |Role|Description| |-----|-----| -|Domain or Forest AD administrator|Creates the domain level service account that is used by Microsoft Entra Connect to run the sync service. For more information on service accounts, see [Accounts and permissions](reference-connect-accounts-permissions.md). +|Domain or Forest AD administrator|Creates the domain level service account that is used by Microsoft Entra Connect to run the sync service. For more information on service accounts, see [Accounts and permissions](reference-connect-accounts-permissions.md).| |SQL administrator|Creates the ADSync database and grants login + dbo access to the Microsoft Entra Connect administrator and the service account created by the domain/forest admin.| -Microsoft Entra Connect administrator|Installs Microsoft Entra Connect and specifies the service account during custom installation. +|Microsoft Entra Connect administrator|Installs Microsoft Entra Connect and specifies the service account during custom installation.| diff --git a/docs/identity/hybrid/connect/how-to-connect-password-hash-synchronization.md b/docs/identity/hybrid/connect/how-to-connect-password-hash-synchronization.md index 0546e5f5743..eb619cd381f 100644 --- a/docs/identity/hybrid/connect/how-to-connect-password-hash-synchronization.md +++ b/docs/identity/hybrid/connect/how-to-connect-password-hash-synchronization.md 
@@ -223,7 +223,7 @@ If you use Microsoft Entra Domain Services to provide legacy authentication for * Generates a random initialization vector needed for the first round of encryption. * Extracts Kerberos password hashes from the *supplementalCredentials* attributes. * Checks the Microsoft Entra Domain Services security configuration *SyncNtlmPasswords* setting. - * If this setting is disabled, generates a random, high-entropy NTLM hash (different from the user's password). This hash is then combined with the exacted Kerberos password hashes from the *supplementalCrendetials* attribute into one data structure. + * If this setting is disabled, generates a random, high-entropy NTLM hash (different from the user's password). This hash is then combined with the exacted Kerberos password hashes from the *supplementalCredentials* attribute into one data structure. * If enabled, combines the value of the *unicodePwd* attribute with the extracted Kerberos password hashes from the *supplementalCredentials* attribute into one data structure. * Encrypts the single data structure using the AES symmetric key. * Encrypts the AES symmetric key using the tenant's Microsoft Entra Domain Services public key. diff --git a/docs/identity/hybrid/connect/how-to-connect-single-object-sync.md b/docs/identity/hybrid/connect/how-to-connect-single-object-sync.md index 8b7d4d472e1..b39973fe07d 100644 --- a/docs/identity/hybrid/connect/how-to-connect-single-object-sync.md +++ b/docs/identity/hybrid/connect/how-to-connect-single-object-sync.md @@ -82,7 +82,7 @@ To run the Single Object Sync tool, perform the following steps: |-----|----| |DistinguishedName|This is a required string parameter.

    This is the Active Directory object’s distinguished name that needs synchronization and troubleshooting.| |StagingMode|This is an optional switch parameter.

    This parameter can be used to prevent exporting the changes to Microsoft Entra ID.

    **Note**: The cmdlet commits the sync operation.

    **Note**: Microsoft Entra Connect Staging server won't export the changes to Microsoft Entra ID.| -|NoHtmlReport|This is an optional switch parameter.

    This parameter can be used to prevent generating the HTML report. +|NoHtmlReport|This is an optional switch parameter.

    This parameter can be used to prevent generating the HTML report.| ## Single Object Sync throttling diff --git a/docs/identity/hybrid/connect/how-to-connect-sso.md b/docs/identity/hybrid/connect/how-to-connect-sso.md index fe52f390088..b91ded143fb 100644 --- a/docs/identity/hybrid/connect/how-to-connect-sso.md +++ b/docs/identity/hybrid/connect/how-to-connect-sso.md @@ -61,12 +61,12 @@ For more information on how SSO works with Windows 10 using PRT, see: [Primary R - It's supported on web browser-based clients and Office clients that support [modern authentication](/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016) on platforms and browsers capable of Kerberos authentication: | OS\Browser |Internet Explorer|Microsoft Edge\*\*\*\*|Google Chrome|Mozilla Firefox|Safari| -| --- | --- |--- | --- | --- | -- -|Windows 10|Yes\*|Yes|Yes|Yes\*\*\*|N/A -|Windows 8.1|Yes\*|Yes*\*\*\*|Yes|Yes\*\*\*|N/A -|Windows 8|Yes\*|N/A|Yes|Yes\*\*\*|N/A -|Windows Server 2012 R2 or above|Yes\*\*|N/A|Yes|Yes\*\*\*|N/A -|Mac OS X|N/A|N/A|Yes\*\*\*|Yes\*\*\*|Yes\*\*\* +| --- | --- |--- | --- | --- | -- | +|Windows 10|Yes\*|Yes|Yes|Yes\*\*\*|N/A| +|Windows 8.1|Yes\*|Yes*\*\*\*|Yes|Yes\*\*\*|N/A| +|Windows 8|Yes\*|N/A|Yes|Yes\*\*\*|N/A| +|Windows Server 2012 R2 or above|Yes\*\*|N/A|Yes|Yes\*\*\*|N/A| +|Mac OS X|N/A|N/A|Yes\*\*\*|Yes\*\*\*|Yes\*\*\*| > [!NOTE] >Microsoft Edge legacy is no longer supported diff --git a/docs/identity/hybrid/connect/how-to-connect-sync-configure-filtering.md b/docs/identity/hybrid/connect/how-to-connect-sync-configure-filtering.md index ef10ae26ff8..57d78bc6b5c 100644 --- a/docs/identity/hybrid/connect/how-to-connect-sync-configure-filtering.md +++ b/docs/identity/hybrid/connect/how-to-connect-sync-configure-filtering.md 
@@ -184,7 +184,7 @@ If you changed the configuration by using **domain** or **organizational-unit** If you changed the configuration by using **attribute** filtering, then you need to do a **Full Synchronization**. -As a best practice, make sure your server is in [Staging mode ](/entra/identity/hybrid/connect/how-to-connect-sync-staging-server#change-currently-active-sync-server-to-staging-mode)and start an **Initial** sync cycle which will run a full import and full synchronization on all connectors using the PowerShell command `Start-ADSyncSyncCycle -PolicyType Initial`. +As a best practice, make sure your server is in [Staging mode](/entra/identity/hybrid/connect/how-to-connect-sync-staging-server#change-currently-active-sync-server-to-staging-mode)and start an **Initial** sync cycle which will run a full import and full synchronization on all connectors using the PowerShell command `Start-ADSyncSyncCycle -PolicyType Initial`. To manually start a run profile, do the following steps: diff --git a/docs/identity/hybrid/connect/how-to-connect-sync-service-manager-ui-connectors.md b/docs/identity/hybrid/connect/how-to-connect-sync-service-manager-ui-connectors.md index bb7a1e38b68..111e0e2de6e 100644 --- a/docs/identity/hybrid/connect/how-to-connect-sync-service-manager-ui-connectors.md +++ b/docs/identity/hybrid/connect/how-to-connect-sync-service-manager-ui-connectors.md @@ -22,6 +22,7 @@ ms.custom: H1Hack27Feb2017 The Connectors tab is used to manage all systems the sync engine is connected to. ## Connector actions + | Action | Comment | | --- | --- | | Create |Don't use. For connecting to additional AD forests, use the installation wizard. | diff --git a/docs/identity/hybrid/connect/how-to-connect-sync-staging-server.md b/docs/identity/hybrid/connect/how-to-connect-sync-staging-server.md index bf85d915205..1c25f997135 100644 --- a/docs/identity/hybrid/connect/how-to-connect-sync-staging-server.md 
+++ b/docs/identity/hybrid/connect/how-to-connect-sync-staging-server.md @@ -115,7 +115,7 @@ You may need to perform a failover of the Sync Servers for several reasons, such - The staging server has the synchronization scheduler enabled and has synchronized with Microsoft Entra ID recently - In case of any updates in synchronization rules or in sync scope, run an initial sync cycle - Confirm that your Microsoft Entra Connect Sync Server is configured to [prevent accidental deletes](how-to-connect-sync-feature-prevent-accidental-deletes.md) -- [Verify ](#verify)the pending exports and confirm that there aren't significant updates, and such updates are expected +- [Verify](#verify)the pending exports and confirm that there aren't significant updates, and such updates are expected - Check if [Microsoft Entra Connect Health](whatis-azure-ad-connect.md#what-is-microsoft-entra-connect-health) agent is updated by checking the server in [Microsoft Entra Connect Health](https://aka.ms/aadconnecthealth) portal - Switch the current active server to staging mode, before switching the staging server to active diff --git a/docs/identity/hybrid/connect/how-to-connect-sync-whatis.md b/docs/identity/hybrid/connect/how-to-connect-sync-whatis.md index 3d7d9736f0f..06224d2aed8 100644 --- a/docs/identity/hybrid/connect/how-to-connect-sync-whatis.md +++ b/docs/identity/hybrid/connect/how-to-connect-sync-whatis.md @@ -34,6 +34,7 @@ The sync service consists of two components, the on-premises **Microsoft Entra C ## Microsoft Entra Connect Sync topics + | Topic | What it covers and when to read | | --- | --- | | **Microsoft Entra Connect Sync fundamentals** | | diff --git a/docs/identity/hybrid/connect/reference-connect-adsync.md b/docs/identity/hybrid/connect/reference-connect-adsync.md index e1938b3a36c..965f1363eb0 100644 --- a/docs/identity/hybrid/connect/reference-connect-adsync.md +++ b/docs/identity/hybrid/connect/reference-connect-adsync.md 
@@ -52,7 +52,7 @@ The following documentation provides reference information for the `ADSync` Powe PS C:\> (Get-ADsyncConnector -Identifier 'b891884f-051e-4a83-95af-2544101c9083').ConnectivityParameters['UserName'].Value # Get the Microsoft Entra credential PS C:\> $credEntra = Get-Credential - # Add or updatethe synchronization service account + # Add or update the synchronization service account PS C:\> Add-ADSyncAADServiceAccount -AADCredential $credEntra -Name Sync_CONNECT01 ``` @@ -1638,7 +1638,7 @@ The following documentation provides reference information for the `ADSync` Powe ### PARAMETERS #### -AutoUpgradeState - The AtuoUpgrade state. Accepted values: Suspended, Enabled, Disabled. + The AutoUpgrade state. Accepted values: Suspended, Enabled, Disabled. ```yaml Type: AutoUpgradeConfigurationState @@ -1858,7 +1858,7 @@ The following documentation provides reference information for the `ADSync` Powe #### Example 1 ```powershell - PS C:\> Set-ADSyncSchedulerConnectorOverride -Connectorname "contoso.com" -FullImportRequired $true + PS C:\> Set-ADSyncSchedulerConnectorOverride -ConnectorName "contoso.com" -FullImportRequired $true -FullSyncRequired $false ``` diff --git a/docs/identity/hybrid/connect/reference-connect-adsynctools.md b/docs/identity/hybrid/connect/reference-connect-adsynctools.md index d8557d857b0..ac9b9d08f70 100644 --- a/docs/identity/hybrid/connect/reference-connect-adsynctools.md +++ b/docs/identity/hybrid/connect/reference-connect-adsynctools.md @@ -90,7 +90,7 @@ Connect-ADSyncToolsSqlDatabase -Server 'sqlserver01.contoso.com' -Database 'ADSy ``` #### EXAMPLE 2 ``` -Connect-ADSyncToolsSqlDatabase -Server 'sqlserver01.contoso.com' -Instance 'INTANCE01' -Database 'ADSync' +Connect-ADSyncToolsSqlDatabase -Server 'sqlserver01.contoso.com' -Instance 'INSTANCE01' -Database 'ADSync' ``` ### PARAMETERS #### -Server 
@@ -1260,7 +1260,7 @@ Remove-ADSyncToolsExpiredCertificates [-TargetOU] [[-BackupOnly] ] ``` ### DESCRIPTION -This script takes all the objects from a target Organizational Unit in your Active Directory domain - filtered by Object Class (User/Computer) and deletes all expired certificates present in the UserCertificate attribute. By default (BackupOnly mode) it will only backup expired certificates to a file and not do any changes in AD. If you use `-BackupOnly $false` then any Expired Certificate present in UserCertificate attribute for these objects will be removed from Active Directory after being copied to file. Each certificate will be backed up to a separated filename: `ObjectClass_ObjectGUID_CertThumprint.cer`. The script will also create a log file in CSV format showing all the users with certificates that either are valid or expired including the actual action taken (Skipped/Exported/Deleted). +This script takes all the objects from a target Organizational Unit in your Active Directory domain - filtered by Object Class (User/Computer) and deletes all expired certificates present in the UserCertificate attribute. By default (BackupOnly mode) it will only backup expired certificates to a file and not do any changes in AD. If you use `-BackupOnly $false` then any Expired Certificate present in UserCertificate attribute for these objects will be removed from Active Directory after being copied to file. Each certificate will be backed up to a separated filename: `ObjectClass_ObjectGUID_CertThumbprint.cer`. The script will also create a log file in CSV format showing all the users with certificates that either are valid or expired including the actual action taken (Skipped/Exported/Deleted). ### EXAMPLES #### EXAMPLE 1 diff --git a/docs/identity/hybrid/connect/reference-connect-government-cloud.md b/docs/identity/hybrid/connect/reference-connect-government-cloud.md index 1edaaa66ce1..06cf87977ec 100644 
--- a/docs/identity/hybrid/connect/reference-connect-government-cloud.md +++ b/docs/identity/hybrid/connect/reference-connect-government-cloud.md @@ -43,7 +43,7 @@ Before you deploy the Pass-through Authentication agent, verify whether a firewa |-----|-----| |*.msappproxy.us
    *.servicebus.usgovcloudapi.net|The agent uses these URLs to communicate with the Microsoft Entra cloud service. | |`mscrl.microsoft.us:80`
    `crl.microsoft.us:80`
    `ocsp.msocsp.us:80`
    `www.microsoft.us:80`| The agent uses these URLs to verify certificates.| -|login.windows.us
    secure.aadcdn.microsoftonline-p.com
    *.microsoftonline.us
    *.microsoftonline-p.us
    *.msauth.net
    *.msauthimages.net
    *.msecnd.net
    *.msftauth.net
    *.msftauthimages.net
    *.phonefactor.net
    enterpriseregistration.windows.net
    management.azure.com
    policykeyservice.dc.ad.msft.net
    ctldl.windowsupdate.us:80| The agent uses these URLs during the registration process. +|login.windows.us
    secure.aadcdn.microsoftonline-p.com
    *.microsoftonline.us
    *.microsoftonline-p.us
    *.msauth.net
    *.msauthimages.net
    *.msecnd.net
    *.msftauth.net
    *.msftauthimages.net
    *.phonefactor.net
    enterpriseregistration.windows.net
    management.azure.com
    policykeyservice.dc.ad.msft.net
    ctldl.windowsupdate.us:80| The agent uses these URLs during the registration process.| ### Install the agent for the Azure Government cloud diff --git a/docs/identity/hybrid/connect/reference-connect-ports.md b/docs/identity/hybrid/connect/reference-connect-ports.md index 2638ec68ed8..083fe144997 100644 --- a/docs/identity/hybrid/connect/reference-connect-ports.md +++ b/docs/identity/hybrid/connect/reference-connect-ports.md @@ -79,6 +79,7 @@ This table describes the ports and protocols that are required for communication The following tables describes the ports and protocols that are required for communication between the Microsoft Entra Connect and Microsoft Entra ID. ### Table 6a - Pass-through Authentication with SSO + | Protocol | Ports | Description | | --- | --- | --- | | HTTP |80 (TCP)|Used to download CRLs (Certificate Revocation Lists) to verify TLS/SSL certificates. Also needed for the connector auto-update capability to function properly. | @@ -90,7 +91,7 @@ In addition, Microsoft Entra Connect needs to be able to make direct IP connecti | Protocol | Ports | Description | | --- | --- | --- | -| HTTPS |443 (TCP)|Used to enable SSO registration (required only for the SSO registration process). +| HTTPS | 443 (TCP) | Used to enable SSO registration (required only for the SSO registration process). | In addition, Microsoft Entra Connect needs to be able to make direct IP connections to the [Azure data center IP ranges](https://www.microsoft.com/download/details.aspx?id=41653). Again, this is only required for the SSO registration process. diff --git a/docs/identity/hybrid/connect/reference-connect-sync-attributes-synchronized.md b/docs/identity/hybrid/connect/reference-connect-sync-attributes-synchronized.md index 8b83cabb362..802bd21df26 100644 --- a/docs/identity/hybrid/connect/reference-connect-sync-attributes-synchronized.md +++ b/docs/identity/hybrid/connect/reference-connect-sync-attributes-synchronized.md 
@@ -30,6 +30,7 @@ In this case, start with the list of attributes in this topic and identify those > ## Microsoft 365 Apps for enterprise + | Attribute Name | User | Comment | | --- |:---:| --- | | accountEnabled |X |Defines if an account is enabled. | @@ -43,6 +44,7 @@ In this case, start with the list of attributes in this topic and identify those | userPrincipalName |X |UPN is the login ID for the user. Most often the same as [mail] value. | ## Exchange Online + | Attribute Name | User | Contact | Group | Comment | | --- |:---:|:---:|:---:| --- | | accountEnabled |X | | |Defines if an account is enabled. | @@ -166,6 +168,7 @@ In this case, start with the list of attributes in this topic and identify those | wWWHomePage |X |X | | | ## SharePoint Online + | Attribute Name | User | Contact | Group | Comment | | --- |:---:|:---:|:---:| --- | | accountEnabled |X | | |Defines if an account is enabled. | @@ -243,12 +246,12 @@ In this case, start with the list of attributes in this topic and identify those | title |X |X | | | | unauthOrig |X |X |X | | | url |X |X | | | -| usageLocation |X | | |mechanical property. The user’s country/region -. Used for license assignment. | +| usageLocation |X | | |mechanical property. The user’s country/region. Used for license assignment. | | userPrincipalName |X | | |UPN is the login ID for the user. Most often the same as [mail] value. | | wWWHomePage |X |X | | | ## Teams and Skype for Business Online + | Attribute Name | User | Contact | Group | Comment | | --- |:---:|:---:|:---:| --- | | accountEnabled |X | | |Defines if an account is enabled. | @@ -298,6 +301,7 @@ In this case, start with the list of attributes in this topic and identify those | wWWHomePage |X |X | | | ## Azure RMS + | Attribute Name | User | Contact | Group | Comment | | --- |:---:|:---:|:---:| --- | | accountEnabled |X | | |Defines if an account is enabled. | 
@@ -314,6 +318,7 @@ In this case, start with the list of attributes in this topic and identify those | userPrincipalName |X | | |This UPN is the login ID for the user. Most often the same as [mail] value. | ## Intune + | Attribute Name | User | Contact | Group | Comment | | --- |:---:|:---:|:---:| --- | | accountEnabled |X | | |Defines if an account is enabled. | @@ -333,6 +338,7 @@ In this case, start with the list of attributes in this topic and identify those | userPrincipalName |X | | |UPN is the login ID for the user. Most often the same as [mail] value. | ## Dynamics CRM + | Attribute Name | User | Contact | Group | Comment | | --- |:---:|:---:|:---:| --- | | accountEnabled |X | | |Defines if an account is enabled. | diff --git a/docs/identity/hybrid/connect/reference-connect-version-history-archive.md b/docs/identity/hybrid/connect/reference-connect-version-history-archive.md index efd68ad3974..dd3172c6c6f 100644 --- a/docs/identity/hybrid/connect/reference-connect-version-history-archive.md +++ b/docs/identity/hybrid/connect/reference-connect-version-history-archive.md 
@@ -557,18 +557,18 @@ Lock down access to the AD DS account by implementing the following permission c * Remove all ACEs on the specific object, except ACEs specific to SELF. We want to keep the default permissions intact when it comes to SELF. * Assign these specific permissions: -Type | Name | Access | Applies To ----------|-------------------------------|----------------------|--------------| -Allow | SYSTEM | Full Control | This object | -Allow | Enterprise Admins | Full Control | This object | -Allow | Domain Admins | Full Control | This object | -Allow | Administrators | Full Control | This object | -Allow | Enterprise Domain Controllers | List Contents | This object | -Allow | Enterprise Domain Controllers | Read All Properties | This object | -Allow | Enterprise Domain Controllers | Read Permissions | This object | -Allow | Authenticated Users | List Contents | This object | -Allow | Authenticated Users | Read All Properties | This object | -Allow | Authenticated Users | Read Permissions | This object | +| Type | Name | Access | Applies To | +|-------|-------------------------------|---------------------|-------------| +| Allow | SYSTEM | Full Control | This object | +| Allow | Enterprise Admins | Full Control | This object | +| Allow | Domain Admins | Full Control | This object | +| Allow | Administrators | Full Control | This object | +| Allow | Enterprise Domain Controllers | List Contents | This object | +| Allow | Enterprise Domain Controllers | Read All Properties | This object | +| Allow | Enterprise Domain Controllers | Read Permissions | This object | +| Allow | Authenticated Users | List Contents | This object | +| Allow | Authenticated Users | Read All Properties | This object | +| Allow | Authenticated Users | Read Permissions | This object | #### PowerShell script to tighten a pre-existing service account 
diff --git a/docs/identity/hybrid/connect/reference-connect-version-history.md b/docs/identity/hybrid/connect/reference-connect-version-history.md index c9a2fb941a6..9721451afb8 100644 --- a/docs/identity/hybrid/connect/reference-connect-version-history.md +++ b/docs/identity/hybrid/connect/reference-connect-version-history.md @@ -36,10 +36,10 @@ Get notified about when to revisit this page for updates by copying and pasting The following table lists related topics: -Topic | Details ---------- | --------- | -Steps to upgrade from Microsoft Entra Connect | Different methods to [upgrade from a previous version to the latest](how-to-upgrade-previous-version.md) Microsoft Entra Connect release. -Required permissions | For permissions required to apply an update, see [Microsoft Entra Connect: Accounts and permissions](reference-connect-accounts-permissions.md#upgrade). +| Topic | Details | +| --------- | --------- | +| Steps to upgrade from Microsoft Entra Connect | Different methods to [upgrade from a previous version to the latest](how-to-upgrade-previous-version.md) Microsoft Entra Connect release. | +| Required permissions | For permissions required to apply an update, see [Microsoft Entra Connect: Accounts and permissions](reference-connect-accounts-permissions.md#upgrade). | 
@@ -160,7 +160,7 @@ To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade] - Updated Default Rule: "onPremisesObjectIdentifier" attribute added to the **In from AD - User Account Enabled** sync rule. Adding this rule allows the sync engine to pick the **onPremisesObjectIdentifier** attribute from the user who is enabled, in a scenario where: - the same user is represented across different forests, and - the user is disabled in one of the forests -- Introduced a registry key that allows you to set the precedence number for custom rules to be more than 100, if needed. The precedence of the first standard rule can be set using the key **HLKM:\SOFTWARE\Microsoft\Azure AD Connect\FirstStandardRulePrecedence,** allowing for more custom rules. If no value is set, 100 is the default. +- Introduced a registry key that allows you to set the precedence number for custom rules to be more than 100, if needed. The precedence of the first standard rule can be set using the key **HKLM:\SOFTWARE\Microsoft\Azure AD Connect\FirstStandardRulePrecedence,** allowing for more custom rules. If no value is set, 100 is the default. - Cmdlets in ADSync PowerShell module that communicate with Microsoft Entra ID now require Microsoft Entra ID login, for example, `Add-ADSyncAADServiceAccount` or `Get-ADSyncExportDeletionThreshold` diff --git a/docs/identity/hybrid/connect/tshoot-clear-on-premises-attributes.md b/docs/identity/hybrid/connect/tshoot-clear-on-premises-attributes.md index 63a66cfae7d..7d8c45c47a9 100644 --- a/docs/identity/hybrid/connect/tshoot-clear-on-premises-attributes.md +++ b/docs/identity/hybrid/connect/tshoot-clear-on-premises-attributes.md 
@@ -92,7 +92,7 @@ Function Set-ADSyncToolsOnPremisesAttribute 1.5.2 ADSyncTools Get all the details of a cmdlet (i.e., Syntax, Examples, etc.) with Get-Help <cmdlet> -Full: - ```Get-Help Get-ADSyncToolsOnPremisesAttribute -Full ``` + ```Get-Help Get-ADSyncToolsOnPremisesAttribute -Full``` ## Get-ADSyncToolsOnPremisesAttribute @@ -157,7 +157,7 @@ This operation requires Microsoft Graph PowerShell SDK, preauthenticated with `C Clear-ADSyncToolsOnPremisesAttribute 'User1@Contoso.com' -All ``` -You can also use `Clear-ADSyncToolsOnPremisesAttribute ` to clear any of the following on-premises attributes individually: +You can also use `Clear-ADSyncToolsOnPremisesAttribute` to clear any of the following on-premises attributes individually: - onPremisesDistinguishedName - onPremisesDomainName diff --git a/docs/identity/hybrid/connect/tshoot-connect-largeobjecterror-usercertificate.md b/docs/identity/hybrid/connect/tshoot-connect-largeobjecterror-usercertificate.md index 19748d8e0f9..a203e4dff9f 100644 --- a/docs/identity/hybrid/connect/tshoot-connect-largeobjecterror-usercertificate.md +++ b/docs/identity/hybrid/connect/tshoot-connect-largeobjecterror-usercertificate.md @@ -109,7 +109,7 @@ The new sync rule must have the same **scoping filter** and **higher precedence* | --- | --- | --- | | Name | *Provide a name* | E.g., *“Out to Microsoft Entra ID – Custom override for userCertificate”* | | Description | *Provide a description* | E.g., *“If userCertificate attribute has more than 15 values, export NULL.”* | - | Connected System | *Select the Microsoft Entra Connector* | + | Connected System | *Select the Microsoft Entra Connector* | | | Connected System Object Type | **user** | | | Metaverse Object Type | **person** | | | Link Type | **Join** | | diff --git a/docs/identity/hybrid/connect/whatis-azure-ad-connect.md b/docs/identity/hybrid/connect/whatis-azure-ad-connect.md index d1aa466ad0b..651fbfc6074 100644 --- a/docs/identity/hybrid/connect/whatis-azure-ad-connect.md 
+++ b/docs/identity/hybrid/connect/whatis-azure-ad-connect.md @@ -88,7 +88,7 @@ Key benefits and best practices: |Enhanced security|[Extranet lockout trends](how-to-connect-health-adfs.md#usage-analytics-for-ad-fs)
    [Failed sign-ins report](how-to-connect-health-adfs-risky-ip.md)
    [In privacy compliant](reference-connect-health-user-privacy.md)| |Get alerted on [all critical ADFS system issues](how-to-connect-health-alert-catalog.md#alerts-for-active-directory-federation-services)|Server configuration and availability
    [Performance and connectivity](how-to-connect-health-adfs.md#performance-monitoring-for-ad-fs)
    Regular maintenance| |Easy to deploy and manage|[Quick agent installation](how-to-connect-health-agent-install.md#install-the-agent-for-ad-fs)
    Agent auto upgrade to the latest
    Data available in portal within minutes| -Rich [usage metrics](how-to-connect-health-adfs.md#usage-analytics-for-ad-fs)|Top applications usage
    Network locations and TCP connection
    Token requests per server| +|Rich [usage metrics](how-to-connect-health-adfs.md#usage-analytics-for-ad-fs)|Top applications usage
    Network locations and TCP connection
    Token requests per server| |Great user experience|Dashboard fashion from [Microsoft Entra admin center](https://entra.microsoft.com)
    [Alerts through emails](how-to-connect-health-adfs.md#alerts-for-ad-fs)|
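Review bot: in the reference-connect-sync-attributes-synchronized.md hunk at @@ -243, joining the broken usageLocation row is the right fix, but the Comment cell still opens with the fragment "mechanical property." which does not read as a sentence; since the row is being touched anyway, either drop the fragment or write out what it is meant to say, so the cell reads like the other Comment cells in that table.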
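Review bot: in the reference-connect-version-history.md hunk at @@ -160, the HLKM to HKLM correction is right, but the comma is still inside the bold span (`**HKLM:\SOFTWARE\Microsoft\Azure AD Connect\FirstStandardRulePrecedence,**`), so the rendered key path ends in a comma that a reader may copy; move the comma outside the closing `**` (or put the path in backticks) so the key name is shown exactly as it has to be entered.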
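Review bot: in the first tshoot-clear-on-premises-attributes.md hunk, dropping the trailing space is fine, but the line still wraps inline code in triple backticks (```Get-Help Get-ADSyncToolsOnPremisesAttribute -Full```) while the rest of the file uses single backticks, for example `Clear-ADSyncToolsOnPremisesAttribute`; use single backticks here for consistency and so the line cannot be mistaken for an unterminated fenced block.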
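Review bot: in the whatis-azure-ad-connect.md hunk, the leading pipe added to the Rich usage metrics row is the right fix for MD055, but the neighbouring cell text `[In privacy compliant](reference-connect-health-user-privacy.md)` reads like a typo for "Privacy compliant"; it is worth correcting in the same spelling pass since the row is already in the hunk context.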