Merge pull request #6398 from MicrosoftDocs/main
12/20/2024 PM Publish
Taojunshen authored Dec 20, 2024
2 parents ef87dc9 + b4a4d56 commit 78d92a1
Showing 25 changed files with 353 additions and 44 deletions.
16 changes: 16 additions & 0 deletions docs/global-secure-access/concept-connectors.md
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,22 @@ Another factor that affects performance is the quality of the networking between

For more information about optimizing your network, see [Network topology considerations when using Microsoft Entra application proxy](../identity/app-proxy/application-proxy-network-topology.md).

## Specifications and Sizing Requirements
The following specifications are recommended for each Entra Private Network Connector:

- **Memory:** 8 GiB or more
- **CPU:** 4 CPU cores or more

Ensure that your connectors are less than 70% for peak memory utilization and peak CPU utilization. If your CPU or memory utilization is above the suggested maximum, you may want to consider adding more connectors to distribute your workloads effectively.

- **Throughput:**
Each connector, configured with the above specifications, can support up to 1.5 Gbps throughput over TCP on an Azure VM. Throughput is measured as the total of both inbound and outbound traffic. Higher throughput can be achieved by running the connector on VMs with increased memory, CPU resources, and enhanced network link speeds.

**Additional Details:**
- Sizing recommendations made above are based on performance testing done on a test tenant using iPerf3 tool with TCP data streams. Actual performance can vary under different testing environments. More details on specific test cases will be published as part of this documentation in coming months.
- Once a connector is enrolled, it establishes outbound TLS tunnels to the Private Access cloud infrastructure. These tunnels handle all data path traffic. In addition, we have some control plane channel, driving keep-alive heartbeat, health reporting, connector upgrades and so on utilizing minimal bandwidth.
- You can deploy additional connectors within the same connector group to increase overall throughput, provided adequate network and internet connectivity is available. It is recommended to maintain a minimum of two healthy connectors to ensure resiliency and consistent availability. For best practices regarding high availability, refer to the guidance [here](https://learn.microsoft.com/entra/identity/app-proxy/application-proxy-high-availability-load-balancing#best-practices-for-high-availability-of-connectors).

## Domain joining

Connectors can run on a machine that isn't domain-joined. However, if you want single sign-on (SSO) to applications that use integrated Windows authentication (IWA), you need a domain-joined machine. In this case, the connector machines must be joined to a domain that can perform [Kerberos](https://web.mit.edu/kerberos) Constrained Delegation on behalf of the users for the published applications.
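Review bot: The new "Specifications and Sizing Requirements" section has a structural problem in the throughput item: `- **Throughput:**` is a one-word bullet and its sentence sits on the next, unindented line, so it renders as an empty-looking bullet followed by a detached paragraph; either indent the sentence under the bullet or drop the dash and use a bold lead-in the way **Additional Details:** does. Two consistency points while this is being touched: "Entra Private Network Connector" should follow the product name used in the rest of the file (Microsoft Entra private network connector), and the high-availability reference uses an absolute `https://learn.microsoft.com/...` URL with link text "here", whereas the paragraph above uses a relative repo path (`../identity/app-proxy/...`); use a relative link with descriptive text so the link checker and localization pipeline handle it. Finally, "we have some control plane channel, driving keep-alive heartbeat, health reporting, connector upgrades and so on" is informal for a concept page; suggest "a separate control-plane channel carries keep-alive heartbeats, health reporting, and connector upgrades, using minimal bandwidth", which also makes clear to readers planning egress rules that both the data path and the control plane are outbound connections from the connector.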
Expand Up @@ -5,7 +5,7 @@ description: Learn how to configure and enable users to sign-in to Microsoft Ent
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 11/27/2024
ms.date: 12/19/2024
ms.author: justinha
author: justinha
manager: amycolannino
Expand Down Expand Up @@ -42,6 +42,7 @@ Here are some known issues:
* SMS-based authentication isn't supported for B2B accounts.
* Federated users won't authenticate in the home tenant. They only authenticate in the cloud.
* If a user's default sign-in method is a text or call to your phone number, then the SMS code or voice call is sent automatically during multifactor authentication. As of June 2021, some apps will ask users to choose **Text** or **Call** first. This option prevents sending too many security codes for different apps. If the default sign-in method is the Microsoft Authenticator app ([which we highly recommend](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752)), then the app notification is sent automatically.
* [Cross-tenant synchronization](/entra/identity/app-provisioning/known-issues?pivots=cross-tenant-synchronization) does not support users with SMS sign-in enabled.


## Enable the SMS-based authentication method
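Review bot: The added known-issue bullet reads "does not support", while the other files in this same commit are being converted to contractions ("isn't", "aren't"); for consistency with that sweep use "doesn't support users with SMS sign-in enabled". The two consecutive blank lines between the list and the "## Enable the SMS-based authentication method" heading could also be collapsed to one while the list is being edited.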
Expand Down Expand Up @@ -120,7 +121,7 @@ To test the user account that's now enabled for SMS-based sign-in, complete the

## Troubleshoot SMS-based sign-in

The following scenarios and troubleshooting steps can used if you have problems with enabling and using SMS-based sign-in.
You can use the following scenarios and troubleshooting steps if you have problems with enabling and using SMS-based sign-in.
For a list of apps that support using SMS-based sign-in, see [App support for SMS-based authentication](how-to-authentication-sms-supported-apps.md).


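Review bot: The rewrite correctly repairs the missing verb in "can used" and reads more naturally in second person. The trailing double blank line before the next heading is pre-existing but could be reduced to a single blank line in the same edit.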
2 changes: 2 additions & 0 deletions docs/identity/hybrid/TOC.yml
Expand Up @@ -538,6 +538,8 @@
href: connect/howto-troubleshoot-upn-changes.md
- name: End-to-end troubleshooting of objects and attributes
href: /troubleshoot/azure/active-directory/troubleshoot-aad-connect-objects-attributes
- name: Clear on-premises attributes from migrated Microsoft Entra ID users and groups
href: connect/tshoot-clear-on-premises-attributes.md
- name: Reference
items:
- name: Hybrid Identity Required Ports and Protocols
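Review bot: The new TOC entry points at `connect/tshoot-clear-on-premises-attributes.md`; this commit lists 25 changed files but the remaining ones aren't expanded on this page, so confirm the target article is actually added in the same commit, otherwise the TOC link breaks at build time. The relative `href` form matches the sibling `connect/howto-troubleshoot-upn-changes.md` entry, which is correct; the entry title could be shortened in the style of its neighbours (for example "Clear on-premises attributes from migrated users and groups") since the TOC is already under the Microsoft Entra ID hybrid section.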
2 changes: 1 addition & 1 deletion docs/identity/hybrid/connect/choose-ad-authn.md
Expand Up @@ -105,7 +105,7 @@ Refer to [implementing password hash synchronization](how-to-connect-password-ha

* **User experience**. To improve users' sign-in experience, use [Microsoft Entra joined devices](~/identity/devices/concept-directory-join.md) or [Microsoft Entra hybrid joined devices](~/identity/devices/how-to-hybrid-join.md). If you can't join your Windows devices to Microsoft Entra ID, we recommend deploying seamless SSO with password hash synchronization. Seamless SSO eliminates unnecessary prompts when users are signed in.

* **Advanced scenarios**. Pass-through Authentication enforces the on-premises account policy at the time of sign-in. For example, access is denied when an on-premises user's account state is disabled, locked out, or their [password expires](how-to-connect-pta-faq.yml#what-happens-if-my-user-s-password-has-expired-and-they-try-to-sign-in-by-using-pass-through-authentication-) or the logon attempt falls outside the hours when the user is allowed to sign in.
* **Advanced scenarios**. Pass-through Authentication enforces the on-premises account policy at the time of sign-in. For example, access is denied when an on-premises user's account state is disabled, locked out, or their [password expires](how-to-connect-pta-faq.yml#what-happens-if-my-user-s-password-expired-and-they-try-to-sign-in-by-using-pass-through-authentication-) or the logon attempt falls outside the hours when the user is allowed to sign in.

Organizations that require multifactor authentication with pass-through authentication must use Microsoft Entra multifactor authentication or [Conditional Access custom controls](~/identity/conditional-access/controls.md#custom-controls-preview). Those organizations can't use a third-party or on-premises multifactor authentication method that relies on federation. Advanced features require that password hash synchronization is deployed whether or not you choose pass-through authentication. An example is the leaked credentials detection of Microsoft Entra ID Protection.

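Review bot: The only change here is the FAQ anchor, from `#what-happens-if-my-user-s-password-has-expired-...` to `#what-happens-if-my-user-s-password-expired-...`. Anchors on these pages are generated from the question heading text, so this edit is only correct if the corresponding question in `how-to-connect-pta-faq.yml` was reworded in the same commit; a mismatch doesn't fail the build, the link just lands at the top of the FAQ, which is easy to miss. Worth grepping the repo for the old anchor as well, since any other page linking to it would need the same update.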
2 changes: 1 addition & 1 deletion docs/identity/hybrid/connect/how-to-connect-preview.md
Expand Up @@ -9,7 +9,7 @@ ms.assetid: c75cd8cf-3eff-4619-bbca-66276757cc07
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Up @@ -9,7 +9,7 @@ ms.assetid: 9f994aca-6088-40f5-b2cc-c753a4f41da7
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand All @@ -29,18 +29,18 @@ The following scenarios are supported:

## Unsupported scenarios

The following scenarios are *not* supported:
The following scenarios *aren't* supported:

- Detection of users with [leaked credentials](~/id-protection/overview-identity-protection.md).
- Microsoft Entra Domain Services needs Password Hash Synchronization to be enabled on the tenant. Therefore tenants that use Pass-through Authentication *only* don't work for scenarios that need Microsoft Entra Domain Services.
- Pass-through Authentication is not integrated with [Microsoft Entra Connect Health](./whatis-azure-ad-connect.md).
- Signing in to Microsoft Entra joined (AADJ) devices with a temporary or expired password is not supported for Pass-through authentication users. The error "the sign-in method you're trying to use isn't allowed" will appear. These users must sign in to a browser to update their temporary password.
- Pass-through Authentication isn't integrated with [Microsoft Entra Connect Health](./whatis-azure-ad-connect.md).
- Signing in to Microsoft Entra joined (AADJ) devices with a temporary or expired password isn't supported for Pass-through authentication users. The error "the sign-in method you're trying to use isn't allowed" will appear. These users must sign in to a browser to update their temporary password.

> [!IMPORTANT]
> As a workaround for unsupported scenarios *only* (except Microsoft Entra Connect Health integration), enable Password Hash Synchronization on the [Optional features](how-to-connect-install-custom.md#optional-features) page in the Microsoft Entra Connect wizard.
>
> [!NOTE]
> Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Microsoft Entra Connect. If the server running Microsoft Entra Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.
> Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization isn't automatic. You'll need to switch the sign-in method manually using Microsoft Entra Connect. If the server running Microsoft Entra Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.
## Next steps
- [Quick start](how-to-connect-pta-quick-start.md): Get up and running with Microsoft Entra pass-through authentication.
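Review bot: The `> [!NOTE]` callout at the end of the hunk runs straight into `## Next steps` with no blank line between them; add one so the heading isn't glued to the callout in the rendered page. Since the "Signing in to Microsoft Entra joined (AADJ) devices" bullet is already being edited, two other things on that line could be fixed in the same pass: "Pass-through authentication users" is capitalized differently from "Pass-through Authentication" on the surrounding lines, and "The error ... will appear" can be present tense ("appears") in line with the contraction/style sweep this commit is applying. The untouched "Therefore tenants that use Pass-through Authentication *only* don't work" bullet is also missing a comma after "Therefore".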
Expand Up @@ -6,7 +6,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Down Expand Up @@ -44,7 +44,7 @@ Before you begin, ensure that you have the following prerequisite.

## Use Microsoft Entra Connect

If you're using pass-through authentication with Microsoft Entra Connect and you have it set to **Do not configure**, you can disable the setting.
If you're using pass-through authentication with Microsoft Entra Connect, and it's set to **Do not configure**, you can disable the setting.

>[!NOTE]
>If you already have password hash synchronization enabled, disabling pass-through authentication will result in a tenant fallback to password hash synchronization.
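Review bot: The `>[!NOTE]` and `>If you already have ...` lines are missing the space after `>` that every other callout in this commit uses (`> [!NOTE]`); normalize them while the paragraph above is being reworded. In that rewrite, "and it's set to **Do not configure**" leaves "it" ambiguous (the pass-through authentication option in the Microsoft Entra Connect wizard is what's being referred to), so naming the setting explicitly would help. The note's "disabling pass-through authentication will result in a tenant fallback" could also become "results in", matching the present-tense edits elsewhere, and it is the key operational warning on this page: readers should understand that once pass-through authentication is disabled, sign-in validation moves to the synchronized password hashes in the cloud rather than to the on-premises domain controllers.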
0 comments on commit 78d92a1