
Commit

update hybrid connect to hybrid cloud sync in governance articles for GWB
markwahl-msft committed Nov 17, 2023
1 parent a15102c commit 1c88c23
Showing 8 changed files with 13 additions and 13 deletions.
6 changes: 3 additions & 3 deletions docs/id-governance/access-reviews-application-preparation.md
Original file line number Diff line number Diff line change
@@ -75,8 +75,8 @@ Now that you have identified the integration pattern for the application, check
1. Browse to > **Identity** > **Applications** > **Enterprise Applications**.
1. Here you can check to see whether your application is on the [list of enterprise applications](~/identity/enterprise-apps/view-applications-portal.md) in your tenant.
1. If the application is not already listed, then check if the application is available the [application gallery](~/identity/enterprise-apps/overview-application-gallery.md) for applications that can be integrated for federated SSO or provisioning. If it is in the gallery, then use the [tutorials](~/identity/saas-apps/tutorial-list.md) to configure the application for federation, and if it supports provisioning, also [configure the application](~/identity/app-provisioning/configure-automatic-user-provisioning-portal.md) for provisioning.
1. If the application is not already listed, but uses AD security groups and is a web application, [add the application for remote access through Application Proxy](~/identity/app-proxy/application-proxy-add-on-premises-application.md) and [configure group writeback to AD](~/identity/hybrid/connect/how-to-connect-group-writeback-v2.md).
1. If the application is not already listed, uses AD security groups and is not a web application, then [configure group writeback to AD](~/identity/hybrid/connect/how-to-connect-group-writeback-v2.md) and continue at the next section.
1. If the application is not already listed, but uses AD security groups and is a web application, [add the application for remote access through Application Proxy](~/identity/app-proxy/application-proxy-add-on-premises-application.md) and [configure group writeback to AD](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md).
1. If the application is not already listed, uses AD security groups and is not a web application, then [configure group writeback to AD](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md) and continue at the next section.
1. Once the application is in the list of enterprise applications in your tenant, select the application from the list.
1. Change to the **Properties** tab. Verify that the **User assignment required?** option is set to **Yes**. If it's set to **No**, all users in your directory, including external identities, can access the application, and you can't review access to the application.
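Review bot: the link text "configure group writeback to AD" on the two updated steps no longer tells the reader which tool performs the writeback, while the other articles in this same commit name it explicitly ("wait until group writeback completes in Microsoft Entra Cloud Sync", "Configure Microsoft Entra Cloud Sync group writeback"). Since the target moved from the Connect article (how-to-connect-group-writeback-v2.md) to the Cloud Sync one (how-to-configure-entra-to-active-directory.md), suggest "configure Microsoft Entra Cloud Sync group writeback to AD" so a tenant still on Connect group writeback sees the tool change at a glance.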

@@ -144,7 +144,7 @@ Once the reviews have started, you can monitor their progress, and update the ap

1. If you had previously configured provisioning of users to the application, then when the results are applied, Microsoft Entra ID will begin deprovisioning denied users from the application. You can [monitor the process of deprovisioning users](~/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md). If provisioning indicates an error with the application, you can [download the provisioning log](~/identity/monitoring-health/concept-provisioning-logs.md) to investigate if there was a problem with the application.

1. If you had configured [group writeback](~/identity/users/groups-write-back-portal.md) for the reviewed groups, then wait until group writeback completes in Microsoft Entra Connect and the changes propagate to all the domain controllers.
1. If you had configured [group writeback](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md) for the reviewed groups, then wait until group writeback completes in Microsoft Entra Cloud Sync and the changes propagate to all the domain controllers.

1. If provisioning wasn't configured for your application, then you will need to separately copy the list of denied users to the application. For example, in access reviews for a Windows Server AD-managed group, use this [PowerShell sample script](https://github.com/microsoft/access-reviews-samples/tree/master/AzureADAccessReviewsOnPremises). The script outlines the required Microsoft Graph calls and exports the Windows Server AD PowerShell cmdlets to carry out the changes.
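Review bot: the updated step tells the reader to "wait until group writeback completes in Microsoft Entra Cloud Sync" but gives no way to confirm that it has, even though the very next step depends on it (denied users are copied to the application only after the AD group reflects the change). The preceding provisioning step links to the provisioning log for exactly this purpose; suggest linking the equivalent place to check Cloud Sync writeback activity here.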

2 changes: 1 addition & 1 deletion docs/id-governance/deploy-access-reviews.md
@@ -307,7 +307,7 @@ To learn how to review guest users' access to group memberships, see [Manage gue

### Review access to on-premises groups

Access reviews can't change the group membership of groups that you synchronize from on-premises with [Microsoft Entra Connect](~/identity/hybrid/connect/whatis-azure-ad-connect.md). This restriction is because the source of authority is on-premises.
Access reviews can't change the group membership of groups that you synchronize from on-premises AD with [Microsoft Entra Connect](~/identity/hybrid/connect/whatis-azure-ad-connect.md). This restriction is because the source of authority is on-premises. To control access to AD group-based apps, use [Microsoft Entra Cloud Sync group writeback](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md).

You can still use access reviews to schedule and maintain regular reviews of on-premises groups. Reviewers will then take action in the on-premises group. This strategy keeps access reviews as the tool for all reviews.
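Review bot: the added sentence "To control access to AD group-based apps, use Microsoft Entra Cloud Sync group writeback" sits in a paragraph about groups synchronized from on-premises AD and can be read as saying writeback fixes those groups, but writeback applies to groups created in Microsoft Entra ID, not to groups whose source of authority is on-premises (the next paragraph still says reviewers must act in the on-premises group). Suggest spelling out the precondition, as the entitlement-management articles in this commit do: "create the group in Microsoft Entra ID and use Microsoft Entra Cloud Sync group writeback to write it to AD".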

@@ -50,7 +50,7 @@ If you need to add resources to an access package, you should check whether the

1. If the resources aren't already in the catalog, and you're an administrator or a catalog owner, you can [add resources to a catalog](entitlement-management-catalog-create.md#add-resources-to-a-catalog). The types of resources you can add are groups, applications, and SharePoint Online sites. For example:

* Groups can be cloud-created Microsoft 365 Groups or cloud-created Microsoft Entra security groups. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Microsoft Entra ID. To give users access to an application that uses AD security group memberships, create a new group in Microsoft Entra ID, configure [group writeback to AD](~/identity/hybrid/connect/how-to-connect-group-writeback-v2.md), and [enable that group to be written to AD](~/identity/users/groups-write-back-portal.md). Groups that originate in Exchange Online as Distribution groups can't be modified in Microsoft Entra ID either.
* Groups can be cloud-created Microsoft 365 Groups or cloud-created Microsoft Entra security groups. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Microsoft Entra ID. To give users access to an application that uses AD security group memberships, create a new group in Microsoft Entra ID, configure [group writeback to AD](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md), and [enable that group to be written to AD](entitlement-management-group-writeback.md). Groups that originate in Exchange Online as Distribution groups can't be modified in Microsoft Entra ID either.
* Applications can be Microsoft Entra enterprise applications, which include both software as a service (SaaS) applications and your own applications integrated with Microsoft Entra ID. If your application hasn't yet been integrated with Microsoft Entra ID, see [govern access for applications in your environment](identity-governance-applications-prepare.md) and [integrate an application with Microsoft Entra ID](identity-governance-applications-integrate.md).
* Sites can be SharePoint Online sites or SharePoint Online site collections.

@@ -78,7 +78,7 @@ To include resources in an access package, the resources must exist in a catalog

* Groups can be cloud-created Microsoft 365 Groups or cloud-created Microsoft Entra security groups.

* Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Microsoft Entra ID. To give a user access to an application that uses AD security group memberships, create a new security group in Microsoft Entra ID, configure [group writeback to AD](~/identity/hybrid/connect/how-to-connect-group-writeback-v2.md), and [enable that group to be written to AD](~/identity/users/groups-write-back-portal.md), so that the cloud-created group can be used by an AD-based application.
* Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Microsoft Entra ID. To give a user access to an application that uses AD security group memberships, create a new security group in Microsoft Entra ID, configure [group writeback to AD](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md), and [enable that group to be written to AD](entitlement-management-group-writeback.md), so that the cloud-created group can be used by an AD-based application.

* Groups that originate in Exchange Online as Distribution groups can't be modified in Microsoft Entra ID either, so cannot be added to catalogs.

@@ -34,7 +34,7 @@ Using group writeback, you can now sync security groups that are part of access

1. Create a Microsoft Entra security group.

1. Set the group to be written back to on-premises Active Directory. For instructions, see [Group writeback in the Microsoft Entra admin center](~/identity/users/groups-write-back-portal.md).
1. Set the group to be written back to on-premises Active Directory. For instructions, see [Group writeback in the Microsoft Entra admin center](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory).

1. Add the group to an access package as a resource role. See [Create a new access package](entitlement-management-access-package-create.md#select-resource-roles) for guidance.
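Review bot: the new link target `~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory` is missing the `.md` extension that every other updated link in this commit carries (`~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md`), so it may resolve differently or break in the docs build. The link text also still reads "Group writeback in the Microsoft Entra admin center" although the target is now the Cloud Sync configuration article; suggest "Configure Microsoft Entra Cloud Sync group writeback" for consistency with the table row in identity-governance-applications-integrate.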

@@ -77,7 +77,7 @@ Next, if the application implements a provisioning protocol, then you should con

|Application supports| Next steps|
|----|-----|
| Kerberos | Configure Microsoft Entra Connect [group writeback to AD](~/identity/hybrid/connect/how-to-connect-group-writeback-v2.md), create groups in Microsoft Entra ID and [write those groups to AD](~/identity/users/groups-write-back-portal.md) |
| Kerberos | Configure Microsoft Entra Cloud Sync [group writeback to AD](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md), create groups in Microsoft Entra ID and [write those groups to AD](entitlement-management-group-writeback.md) |

* Otherwise, if this is an on-premises or IaaS hosted application, and isn't integrated with AD, then configure provisioning to that application, either via SCIM or to the underlying database or directory of the application.

@@ -105,7 +105,7 @@ However, if the application already existed in your environment, then it's possi
1. If the application wasn't using Microsoft Entra ID or AD, and doesn't support a provisioning protocol, then [obtain a list of users from the application and create application role assignments for each of them](identity-governance-applications-not-provisioned-users.md).
1. If the application was using AD security groups, then you need to review the membership of those security groups.
1. If the application had its own directory or database and wasn't integrated for provisioning, then once the review is complete, you may need to manually update the application's internal database or directory to remove those users who were denied.
1. If the application was using AD security groups, and those groups were created in AD, then once the review is complete, you need to manually update the AD groups to remove memberships of those users who were denied. Subsequently, to have denied access rights removed automatically, you can either update the application to use an AD group that was created in Microsoft Entra ID and [written back to Microsoft Entra ID](~/identity/users/groups-write-back-portal.md), or move the membership from the AD group to the Microsoft Entra group, and nest the written back group as the only member of the AD group.
1. If the application was using AD security groups, and those groups were created in AD, then once the review is complete, you need to manually update the AD groups to remove memberships of those users who were denied. Subsequently, to have denied access rights removed automatically, you can either update the application to use an AD group that was created in Microsoft Entra ID and [written back to Microsoft Entra ID](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md), or move the membership from the AD group to the Microsoft Entra group, and [nest the written back group as the only member of the AD group](~/identity/hybrid/cloud-sync/govern-on-premises-groups.md).
1. Once the review has been completed and the application access updated, or if no users have access, then continue on to the next steps to deploy Conditional Access and entitlement management policies for the application.

Now that you have a baseline that ensures existing access has been reviewed, then you can [deploy the organization's policies](identity-governance-applications-deploy.md) for ongoing access and any new access requests.
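Review bot: the touched step still says "an AD group that was created in Microsoft Entra ID and written back to Microsoft Entra ID", which is the wrong direction: the group is created in Microsoft Entra ID and written back to AD, as the new link target how-to-configure-entra-to-active-directory.md itself indicates. Since this line is already being edited, suggest changing the link text to "written back to AD". The nesting alternative now links to govern-on-premises-groups.md, which is helpful; the first alternative deserves the same clarity.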
2 changes: 1 addition & 1 deletion docs/id-governance/identity-governance-overview.md
@@ -54,7 +54,7 @@ Organizations need a process to manage access beyond what was initially provisio

Typically, IT delegates access approval decisions to business decision makers. Furthermore, IT can involve the users themselves. For example, users that access confidential customer data in a company's marketing application in Europe need to know the company's policies. Guest users may be unaware of the handling requirements for data in an organization to which they've been invited.

Organizations can automate the access lifecycle process through technologies such as [dynamic groups](~/identity/users/groups-dynamic-membership.md), coupled with user provisioning to [SaaS apps](~/identity/saas-apps/tutorial-list.md) or [apps integrated with SCIM](~/identity/app-provisioning/use-scim-to-provision-users-and-groups.md). Microsoft Entra ID can also provision access to apps that use [AD groups](~/identity/users/groups-write-back-portal.md), [other on-premises directories](~/identity/app-provisioning/on-premises-ldap-connector-configure.md) or [databases](~/identity/app-provisioning/on-premises-sql-connector-configure.md), or that have a [SOAP or REST API](~/identity/app-provisioning/on-premises-web-services-connector.md) including [SAP](sap.md). Organizations can also control which [guest users have access to on-premises applications](~/external-id/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Microsoft Entra access reviews](access-reviews-overview.md). [Microsoft Entra entitlement management](entitlement-management-overview.md) also enables you to define how users request access across packages of group and team memberships, application roles, and SharePoint Online roles. For more information, see the [simplifying identity governance tasks with automation](#simplifying-identity-governance-tasks-with-automation) section below to select the appropriate Microsoft Entra features for your access lifecycle automation scenarios.
Organizations can automate the access lifecycle process through technologies such as [dynamic groups](~/identity/users/groups-dynamic-membership.md), coupled with user provisioning to [SaaS apps](~/identity/saas-apps/tutorial-list.md) or [apps integrated with SCIM](~/identity/app-provisioning/use-scim-to-provision-users-and-groups.md). Microsoft Entra ID can also provision access to apps that use [AD groups](entitlement-management-group-writeback.md), [other on-premises directories](~/identity/app-provisioning/on-premises-ldap-connector-configure.md) or [databases](~/identity/app-provisioning/on-premises-sql-connector-configure.md), or that have a [SOAP or REST API](~/identity/app-provisioning/on-premises-web-services-connector.md) including [SAP](sap.md). Organizations can also control which [guest users have access to on-premises applications](~/external-id/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Microsoft Entra access reviews](access-reviews-overview.md). [Microsoft Entra entitlement management](entitlement-management-overview.md) also enables you to define how users request access across packages of group and team memberships, application roles, and SharePoint Online roles. For more information, see the [simplifying identity governance tasks with automation](#simplifying-identity-governance-tasks-with-automation) section below to select the appropriate Microsoft Entra features for your access lifecycle automation scenarios.

Lifecycle access can be automated using workflows. [Workflows can be created](create-lifecycle-workflow.md) to automatically add user to groups, where access to applications and resources are granted. Users can also be moved when their condition within the organization changes to different groups, and can even be removed entirely from all groups.

6 changes: 3 additions & 3 deletions docs/id-governance/lifecycle-workflow-tasks.md
@@ -349,7 +349,7 @@ Example of usage within the workflow:
### Add user to groups


Allows users to be added to Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Microsoft Entra Connect group writeback](~/identity/hybrid/connect/how-to-connect-group-writeback-v2.md).
Allows users to be added to Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises AD group-based applications and resources, you need to enable group writeback. For more information, see [Microsoft Entra Cloud Sync group writeback](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md) and [using group writeback with entitlement management](entitlement-management-group-writeback.md).


You're able to customize the task name and description for this task.
@@ -528,7 +528,7 @@ For Microsoft Graph, the parameters for the **Disable user account** task are as

### Remove user from selected groups

Allows users to be removed from Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Microsoft Entra Connect group writeback](~/identity/hybrid/connect/how-to-connect-group-writeback-v2.md).
Allows users to be removed from Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises AD group-based applications and resources, you need to enable group writeback. For more information, see [Microsoft Entra Cloud Sync group writeback](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md) and [using group writeback with entitlement management](entitlement-management-group-writeback.md).


You're able to customize the task name and description for this task in the Microsoft Entra admin center.
@@ -568,7 +568,7 @@ For Microsoft Graph, the parameters for the **Remove user from selected groups**

### Remove users from all groups

Allows users to be removed from every Microsoft 365 and cloud-only security group they're a member of. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Microsoft Entra Connect group writeback](~/identity/hybrid/connect/how-to-connect-group-writeback-v2.md).
Allows users to be removed from every Microsoft 365 and cloud-only security group they're a member of. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises AD-group-based applications and resources, you need to enable group writeback. For more information, see [Microsoft Entra Cloud Sync group writeback](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md).
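Review bot: this task description spells it "AD-group-based" while the other two task descriptions updated in this file use "AD group-based", and it omits the second link to entitlement-management-group-writeback.md that the "Add user to groups" and "Remove user from selected groups" descriptions both gained in this commit. Suggest aligning all three so the removal-from-all-groups task points readers to the same entitlement-management guidance.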




0 comments on commit 1c88c23
