Merge pull request #6394 from TheWriteDoc/kateditsdec2408
december 2024 refresh set 8
v-dirichards authored Dec 20, 2024
2 parents 074fb6e + 0a25657 commit b4a4d56
Showing 21 changed files with 42 additions and 42 deletions.
2 changes: 1 addition & 1 deletion docs/identity/hybrid/connect/choose-ad-authn.md
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ Refer to [implementing password hash synchronization](how-to-connect-password-ha

* **User experience**. To improve users' sign-in experience, use [Microsoft Entra joined devices](~/identity/devices/concept-directory-join.md) or [Microsoft Entra hybrid joined devices](~/identity/devices/how-to-hybrid-join.md). If you can't join your Windows devices to Microsoft Entra ID, we recommend deploying seamless SSO with password hash synchronization. Seamless SSO eliminates unnecessary prompts when users are signed in.

* **Advanced scenarios**. Pass-through Authentication enforces the on-premises account policy at the time of sign-in. For example, access is denied when an on-premises user's account state is disabled, locked out, or their [password expires](how-to-connect-pta-faq.yml#what-happens-if-my-user-s-password-has-expired-and-they-try-to-sign-in-by-using-pass-through-authentication-) or the logon attempt falls outside the hours when the user is allowed to sign in.
* **Advanced scenarios**. Pass-through Authentication enforces the on-premises account policy at the time of sign-in. For example, access is denied when an on-premises user's account state is disabled, locked out, or their [password expires](how-to-connect-pta-faq.yml#what-happens-if-my-user-s-password-expired-and-they-try-to-sign-in-by-using-pass-through-authentication-) or the logon attempt falls outside the hours when the user is allowed to sign in.

Organizations that require multifactor authentication with pass-through authentication must use Microsoft Entra multifactor authentication or [Conditional Access custom controls](~/identity/conditional-access/controls.md#custom-controls-preview). Those organizations can't use a third-party or on-premises multifactor authentication method that relies on federation. Advanced features require that password hash synchronization is deployed whether or not you choose pass-through authentication. An example is the leaked credentials detection of Microsoft Entra ID Protection.
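Review bot: the anchor change in the `[password expires]` link tracks the FAQ question rename from "has expired" to "expired" in how-to-connect-pta-faq.yml in this same commit, so the link stays valid; confirm that no other page still points at the old `#what-happens-if-my-user-s-password-has-expired-...` fragment, because that anchor no longer exists once the FAQ change lands.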

2 changes: 1 addition & 1 deletion docs/identity/hybrid/connect/how-to-connect-preview.md
Expand Up @@ -9,7 +9,7 @@ ms.assetid: c75cd8cf-3eff-4619-bbca-66276757cc07
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath
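Review bot: this file changes only `ms.date` (12/06/2024 to 12/20/2024) with no content edit, so the freshness date now claims a review that changed nothing; either include the intended content edit or leave `ms.date` at 12/06/2024. The same applies to the other `ms.date`-only hunks in this commit.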

Expand Up @@ -9,7 +9,7 @@ ms.assetid: 9f994aca-6088-40f5-b2cc-c753a4f41da7
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand All @@ -29,18 +29,18 @@ The following scenarios are supported:

## Unsupported scenarios

The following scenarios are *not* supported:
The following scenarios *aren't* supported:

- Detection of users with [leaked credentials](~/id-protection/overview-identity-protection.md).
- Microsoft Entra Domain Services needs Password Hash Synchronization to be enabled on the tenant. Therefore tenants that use Pass-through Authentication *only* don't work for scenarios that need Microsoft Entra Domain Services.
- Pass-through Authentication is not integrated with [Microsoft Entra Connect Health](./whatis-azure-ad-connect.md).
- Signing in to Microsoft Entra joined (AADJ) devices with a temporary or expired password is not supported for Pass-through authentication users. The error "the sign-in method you're trying to use isn't allowed" will appear. These users must sign in to a browser to update their temporary password.
- Pass-through Authentication isn't integrated with [Microsoft Entra Connect Health](./whatis-azure-ad-connect.md).
- Signing in to Microsoft Entra joined (AADJ) devices with a temporary or expired password isn't supported for Pass-through authentication users. The error "the sign-in method you're trying to use isn't allowed" will appear. These users must sign in to a browser to update their temporary password.

> [!IMPORTANT]
> As a workaround for unsupported scenarios *only* (except Microsoft Entra Connect Health integration), enable Password Hash Synchronization on the [Optional features](how-to-connect-install-custom.md#optional-features) page in the Microsoft Entra Connect wizard.
>
> [!NOTE]
> Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Microsoft Entra Connect. If the server running Microsoft Entra Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.
> Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization isn't automatic. You'll need to switch the sign-in method manually using Microsoft Entra Connect. If the server running Microsoft Entra Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.
## Next steps
- [Quick start](how-to-connect-pta-quick-start.md): Get up and running with Microsoft Entra pass-through authentication.
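Review bot: the `> [!NOTE]` block after the bare `>` line is still nested inside the `> [!IMPORTANT]` alert, so the failover note renders as part of the important alert instead of as its own admonition; close the IMPORTANT blockquote with a blank line before `> [!NOTE]`, and add a blank line before `## Next steps`, which currently follows the last quoted line directly. While the contractions are being normalized here, "Pass-through authentication users" in the AADJ item uses a lower-case "authentication" where the rest of the file writes "Pass-through Authentication", and "will appear" in the same item could get the same tense cleanup as the rest of this refresh.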
Expand Up @@ -6,7 +6,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Down Expand Up @@ -44,7 +44,7 @@ Before you begin, ensure that you have the following prerequisite.

## Use Microsoft Entra Connect

If you're using pass-through authentication with Microsoft Entra Connect and you have it set to **Do not configure**, you can disable the setting.
If you're using pass-through authentication with Microsoft Entra Connect, and it's set to **Do not configure**, you can disable the setting.

>[!NOTE]
>If you already have password hash synchronization enabled, disabling pass-through authentication will result in a tenant fallback to password hash synchronization.
30 changes: 15 additions & 15 deletions docs/identity/hybrid/connect/how-to-connect-pta-faq.yml
Expand Up @@ -10,7 +10,7 @@ metadata:
ms.tgt_pltfrm: na
ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done
ms.topic: faq
ms.date: 01/24/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Down Expand Up @@ -39,7 +39,7 @@ sections:
- question: |
Does Pass-through Authentication support "Alternate ID" as the username, instead of "userPrincipalName"?
answer: |
Yes, both pass-through authentication (PTA) and password hash sync (PHS) support sign-in using a non-UPN value, such as an alternate email. For more information about [Alternate Login ID](~/identity/authentication/howto-authentication-use-email-signin.md).
Yes, both pass-through authentication (PTA) and password hash sync (PHS) support sign-in using a non-UPN value, such as an alternate email. For more information about [Alternate Sign-in ID](~/identity/authentication/howto-authentication-use-email-signin.md).
- question: |
Does password hash synchronization act as a fallback to Pass-through Authentication?
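Review bot: the edited sentence "For more information about [Alternate Sign-in ID](...)." is still a fragment with no main clause; suggest "For more information, see [Alternate Sign-in ID](~/identity/authentication/howto-authentication-use-email-signin.md)." Also confirm that the target article's title actually reads "Alternate Sign-in ID", since only the link text was changed from "Alternate Login ID" while the URL stayed the same.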
Expand All @@ -62,33 +62,33 @@ sections:
For this feature to work, you need version 1.1.750.0 or later for Microsoft Entra Connect and 1.5.193.0 or later for the Pass-through Authentication Agent. Install all the software on servers with Windows Server 2012 R2 or later.
- question: |
Why is my connector still using an older version and not auto-upgraded to latest version?
Why is my connector still using an older version and not automatically upgraded to latest version?
answer: |
This may be due to either the updater service not working correctly or if there are no new updates available that the service can install.
The updater service is healthy if it’s running and there are no errors recorded in the event log (Applications and Services logs -> Microsoft -> AzureADConnect-Agent -> Updater -> Admin).
Only major versions are released for auto-upgrade. We recommend updating your Agent manually only if it's necessary. For example, you can't wait for a major release, because you must fix a known problem or you want to use a new feature. For more information on new releases, the type of the release (download, auto-upgrade), bug fixes and new features see, [Microsoft Entra pass-through authentication agent: Version release history](./reference-connect-pta-version-history.md).
Only major versions are released for auto upgrade. We recommend updating your Agent manually only if it's necessary. For example, you can't wait for a major release, because you must fix a known problem or you want to use a new feature. For more information on new releases, the type of the release (download, auto upgrade), bug fixes, and new features see, [Microsoft Entra pass-through authentication agent: Version release history](./reference-connect-pta-version-history.md).
To manually upgrade a connector:
- Download the latest version of the Agent. (You find it under Microsoft Entra Connect Pass-through Authentication on the [Microsoft Entra admin center](https://entra.microsoft.com). You can also find the link at Microsoft Entra pass-through authentication: Version release history.
- The installer restarts the Microsoft Entra Connect Authentication Agent services. In some cases, a server reboot is required if the installer can't replace all files. We recommend closing all applications before you start the upgrade.
- Run the installer. The upgrade process is quick and doesn't require providing any credentials and the Agent won't be re-registered.
- Run the installer. The upgrade process is quick and doesn't require providing any credentials and the Agent isn't re-registered.
- question: |
What happens if my user's password has expired and they try to sign in by using Pass-through Authentication?
What happens if my user's password expired and they try to sign in by using Pass-through Authentication?
answer: |
If you have configured [password writeback](~/identity/authentication/concept-sspr-writeback.md) for a specific user, and if the user signs in by using Pass-through Authentication, they can change or reset their passwords. The passwords are written back to on-premises Active Directory as expected.
If you've configured [password writeback](~/identity/authentication/concept-sspr-writeback.md) for a specific user, and if the user signs in by using Pass-through Authentication, they can change or reset their passwords. The passwords are written back to on-premises Active Directory as expected.
If you haven't configured password writeback for a specific user or if the user doesn't have a valid Microsoft Entra ID license assigned, the user can't update their password in the cloud. They can't update their password, even if their password has expired. The user instead sees this message: "Your organization doesn't allow you to update your password on this site. Update it according to the method recommended by your organization, or ask your admin if you need help." The user or the administrator must reset their password in on-premises Active Directory.
If you haven't configured password writeback for a specific user or if the user doesn't have a valid Microsoft Entra ID license assigned, the user can't update their password in the cloud. They can't update their password, even if their password expired. The user instead sees this message: "Your organization doesn't allow you to update your password on this site. Update it according to the method recommended by your organization, or ask your admin if you need help." The user or the administrator must reset their password in on-premises Active Directory.
- question: |
The user logs on to Microsoft Entra ID with credentials (username, password). In the meantime the user’s password expires, but the user can still access Microsoft Entra resources. Why does this happen?
The user signs in to Microsoft Entra ID with credentials (username, password). In the meantime the user’s password expires, but the user can still access Microsoft Entra resources. Why does this happen?
answer: |
The password expiry doesn't trigger the revocation of authentication tokens or cookies. Until the tokens or cookies are valid, the user is able to use them. This applies regardless of the authentication type (PTA, PHS and federated scenarios).
The password expiry doesn't trigger the revocation of authentication tokens or cookies. Until the tokens or cookies are valid, the user is able to use them. This applies regardless of the authentication type (PTA, PHS, and federated scenarios).
For more details please check the documentation below:
For more details please check the following documentation:
[Microsoft identity platform access tokens - Microsoft identity platform | Microsoft Docs](~/identity-platform/access-tokens.md)
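Review bot: the manual-upgrade list in this hunk has an unclosed parenthesis: "(You find it under Microsoft Entra Connect Pass-through Authentication on the [Microsoft Entra admin center](https://entra.microsoft.com). You can also find the link at ..." never closes, and the steps read out of order because the restart/reboot caveat sits between "Download the latest version of the Agent" and "Run the installer". Suggest closing the parenthesis after the admin center link and moving the caveat after the "Run the installer" step. In the token-expiry answer, "Until the tokens or cookies are valid" should be "As long as the tokens or cookies are valid", since the point being made is that password expiry does not revoke tokens that were already issued; and "For more details please check" needs a comma after "details".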
Expand All @@ -112,8 +112,8 @@ sections:
answer: |
Yes. If Web Proxy Auto-Discovery (WPAD) is enabled in your on-premises environment, Authentication Agents automatically attempt to locate and use a web proxy server on the network. For more information about using the outbound proxy server, see [Work with existing on-premises proxy servers](~/identity/app-proxy/application-proxy-configure-connectors-with-proxy-servers.md#use-the-outbound-proxy-server).
If you don't have WPAD in your environment, you can add proxy information (as shown below) to allow a Pass-through Authentication Agent to communicate with Microsoft Entra ID:
- Configure proxy information in Internet Explorer before you install the Pass-through Authentication Agent on the server. This allows you to complete the installation of the Authentication Agent, but it will still show up as **Inactive** on the Admin portal.
If you don't have WPAD in your environment, you can add proxy information to allow a Pass-through Authentication Agent to communicate with Microsoft Entra ID:
- Configure proxy information in Internet Explorer before you install the Pass-through Authentication Agent on the server. This allows you to complete the installation of the Authentication Agent, but it still shows up as **Inactive** on the Admin portal.
- On the server, navigate to "C:\Program Files\Microsoft Azure AD Connect Authentication Agent".
- Edit the "AzureADConnectAuthenticationAgentService" configuration file and add the following lines (replace "http\://contosoproxy.com:8080" with your actual proxy address):
Expand Down Expand Up @@ -142,7 +142,7 @@ sections:
- question: |
How do I remove a Pass-through Authentication Agent?
answer: |
As long as a Pass-through Authentication Agent is running, it remains active and continually handles user sign-in requests. If you want to uninstall an Authentication Agent, go to **Control Panel -> Programs -> Programs and Features** and uninstall both the **Microsoft Entra Connect Authentication Agent** and the **Microsoft Entra Connect Agent Updater** programs.
As long as a Pass-through Authentication Agent is running, it remains active and continually handles user sign-in requests. If you want to uninstall an Authentication Agent, go to **Control Panel -> Programs -> Programs and Features**. Uninstall both the **Microsoft Entra Connect Authentication Agent** and the **Microsoft Entra Connect Agent Updater** programs.
If you check the Pass-through Authentication blade on the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](~/identity/role-based-access-control/permissions-reference.md#hybrid-identity-administrator). You should see the Authentication Agent showing as **Inactive**. This is *expected*. The Authentication Agent is automatically dropped from the list after 10 days.
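Review bot: the line after the split sentence, "If you check the Pass-through Authentication blade on the [Microsoft Entra admin center](...) as at least a [Hybrid Identity Administrator](...). You should see the Authentication Agent showing as **Inactive**.", leaves the conditional clause dangling; join them as "If you check ... Administrator, you should see the Authentication Agent showing as **Inactive**." Keeping that sentence attached to "This is *expected*" makes clear to readers that an agent listed as Inactive for up to 10 days after uninstall is not a failed removal.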
Expand Down Expand Up @@ -217,7 +217,7 @@ sections:
1. In the [Microsoft Entra admin center](https://entra.microsoft.com), go to the sign-in event.
2. Select **Authentication Details**. In the **Authentication Method Detail** column, Agent ID details are shown in the format "Pass-through Authentication; PTA AgentId: 00001111-aaaa-2222-bbbb-3333cccc4444".
3. To get Agent ID details for the agent that's installed on your local server, log in to your local server and run following cmdlet:
3. To get Agent ID details for the agent that's installed on your local server, sign-in to your local server and run following cmdlet:
`Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Authentication Agent' | Select *Instance*`
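Review bot: "sign-in to your local server" uses the hyphenated noun form as a verb; the verb is "sign in" (two words), and "run following cmdlet" is missing "the". Suggest "sign in to your local server and run the following cmdlet:". The registry path in the cmdlet still uses the legacy `Azure AD Connect Agents` key naming; confirm it matches what the current agent installer writes before this rename pass is published, since the rest of the refresh is moving to Microsoft Entra naming.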
Expand Up @@ -9,7 +9,7 @@ ms.assetid: 9f994aca-6088-40f5-b2cc-c753a4f41da7
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand All @@ -28,7 +28,7 @@ This article is an overview of how Microsoft Entra pass-through authentication w
When a user tries to sign in to an application secured by Microsoft Entra ID, and if Pass-through Authentication is enabled on the tenant, the following steps occur:

1. The user tries to access an application, for example, [Outlook Web App](https://outlook.office365.com/owa/).
2. If the user is not already signed in, the user is redirected to the Microsoft Entra ID **User Sign-in** page.
2. If the user isn't already signed in, the user is redirected to the Microsoft Entra ID **User Sign-in** page.
3. The user enters their username into the Microsoft Entra sign-in page, and then selects the **Next** button.
4. The user enters their password into the Microsoft Entra sign-in page, and then selects the **Sign in** button.
5. Microsoft Entra ID, on receiving the request to sign in, places the username and password (encrypted by using the public key of the Authentication Agents) in a queue.
Expand All @@ -45,7 +45,7 @@ The following diagram illustrates all the components and the steps involved:
![Pass-through Authentication](./media/how-to-connect-pta-how-it-works/pta2.png)

## Next steps
- [Current limitations](how-to-connect-pta-current-limitations.md): Learn which scenarios are supported and which ones are not.
- [Current limitations](how-to-connect-pta-current-limitations.md): Learn which scenarios are supported and which ones aren't.
- [Quick Start](how-to-connect-pta-quick-start.md): Get up and running on Microsoft Entra pass-through authentication.
- [Migrate your apps to Microsoft Entra ID](~/identity/enterprise-apps/migration-resources.md): Resources to help you migrate application access and authentication to Microsoft Entra ID.
- [Smart Lockout](~/identity/authentication/howto-password-smart-lockout.md): Configure the Smart Lockout capability on your tenant to protect user accounts.
Expand Up @@ -9,7 +9,7 @@ ms.assetid: 9f994aca-6088-40f5-b2cc-c753a4f41da7
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 12/04/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Up @@ -8,7 +8,7 @@ manager: amycolannino
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 08/15/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Up @@ -9,7 +9,7 @@ ms.assetid: 9f994aca-6088-40f5-b2cc-c753a4f41da7
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Up @@ -9,7 +9,7 @@ ms.assetid: 9f994aca-6088-40f5-b2cc-c753a4f41da7
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

2 changes: 1 addition & 1 deletion docs/identity/hybrid/connect/how-to-connect-pta.md
Expand Up @@ -9,7 +9,7 @@ ms.assetid: 9f994aca-6088-40f5-b2cc-c753a4f41da7
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 12/04/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath

Expand Up @@ -6,7 +6,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id
ms.topic: how-to
ms.date: 12/06/2024
ms.date: 12/20/2024
ms.subservice: hybrid-connect
ms.author: billmath
