diff --git a/docs/external-id/auditing-and-reporting.md b/docs/external-id/auditing-and-reporting.md index 6212fe19921..9705e541c97 100644 --- a/docs/external-id/auditing-and-reporting.md +++ b/docs/external-id/auditing-and-reporting.md @@ -6,7 +6,7 @@ description: Guest user properties are configurable in Microsoft Entra B2B colla ms.service: active-directory ms.subservice: B2B ms.topic: how-to -ms.date: 11/24/2022 +ms.date: 12/18/2023 ms.author: cmulligan author: csmulligan @@ -21,7 +21,7 @@ ms.collection: M365-identity-device-management With guest users, you have auditing capabilities similar to with member users. ## Access reviews -You can use access reviews to periodically verify whether guest users still need access to your resources. The **Access reviews** feature is available in **Microsoft Entra ID** under **Identity Governance** > **Access reviews**. To learn how to use access reviews, see [Manage guest access with Microsoft Entra access reviews](~/id-governance/manage-guest-access-with-access-reviews.md). +You can use access reviews to periodically verify whether guest users still need access to your resources. The **Access reviews** feature is available in **Microsoft Entra ID** under **Identity governance** > **Access reviews**. To learn how to use access reviews, see [Manage guest access with Microsoft Entra access reviews](~/id-governance/manage-guest-access-with-access-reviews.md). ## Audit logs 
@@ -29,7 +29,7 @@ The Microsoft Entra audit logs provide records of system and user activities, in :::image type="content" source="media/auditing-and-reporting/audit-log.png" alt-text="Screenshot showing an example of audit log output." lightbox="media/auditing-and-reporting/audit-log-large.png"::: -You can dive into each of these events to get the details. For example, let's look at the user update details. +You can dive into each of these events to get the details. For example, let's look at the user management details. :::image type="content" source="media/auditing-and-reporting/activity-details.png" alt-text="Screenshot showing an example of activity details output." lightbox="media/auditing-and-reporting/activity-details-large.png"::: diff --git a/docs/external-id/customize-invitation-api.md b/docs/external-id/customize-invitation-api.md index c670a64e221..a58b6e875ef 100644 --- a/docs/external-id/customize-invitation-api.md +++ b/docs/external-id/customize-invitation-api.md @@ -7,7 +7,7 @@ ms.service: active-directory ms.subservice: B2B ms.custom: has-azure-ad-ps-ref ms.topic: how-to -ms.date: 12/02/2022 +ms.date: 12/18/2023 ms.author: cmulligan author: csmulligan diff --git a/docs/external-id/hybrid-organizations.md b/docs/external-id/hybrid-organizations.md index b17d6d0fc4d..83f8f328fe6 100644 --- a/docs/external-id/hybrid-organizations.md +++ b/docs/external-id/hybrid-organizations.md @@ -6,7 +6,7 @@ description: Give partners access to both on-premises and cloud resources with M ms.service: active-directory ms.subservice: B2B ms.topic: conceptual -ms.date: 11/23/2022 +ms.date: 12/18/2023 ms.author: cmulligan author: csmulligan manager: celestedg 
@@ -23,7 +23,7 @@ Microsoft Entra B2B collaboration makes it easy for you to give your external pa ## Grant B2B users in Microsoft Entra ID access to your on-premises apps -If your organization uses [Microsoft Entra B2B](what-is-b2b.md) collaboration capabilities to invite guest users from partner organizations to your Microsoft Entra ID, you can now provide these B2B users access to on-premises apps. +If your organization uses Microsoft Entra B2B collaboration capabilities to invite guest users from partner organizations to your Microsoft Entra ID, you can now provide these B2B users access to on-premises apps. For apps that use SAML-based authentication, you can make these apps available to B2B users through the Azure portal, using Microsoft Entra application proxy for authentication. @@ -47,5 +47,4 @@ For implementation details, see [Grant locally managed partner accounts access t ## Next steps - [Grant Microsoft Entra B2B users access to your on-premises applications](hybrid-cloud-to-on-premises.md) -- [B2B direct connect](b2b-direct-connect-overview.md) - [Grant locally managed partner accounts access to cloud resources using Microsoft Entra B2B collaboration](hybrid-on-premises-to-cloud.md) diff --git a/docs/external-id/media/auditing-and-reporting/activity-details-large.png b/docs/external-id/media/auditing-and-reporting/activity-details-large.png index c40b698a43d..cbb3608aad8 100644 Binary files a/docs/external-id/media/auditing-and-reporting/activity-details-large.png and b/docs/external-id/media/auditing-and-reporting/activity-details-large.png differ diff --git a/docs/external-id/media/auditing-and-reporting/activity-details.png b/docs/external-id/media/auditing-and-reporting/activity-details.png index ff9a27bc365..cbb3608aad8 100644 Binary files a/docs/external-id/media/auditing-and-reporting/activity-details.png and b/docs/external-id/media/auditing-and-reporting/activity-details.png differ 
diff --git a/docs/external-id/media/auditing-and-reporting/audit-log-large.png b/docs/external-id/media/auditing-and-reporting/audit-log-large.png index 828dea8de96..34028965ed2 100644 Binary files a/docs/external-id/media/auditing-and-reporting/audit-log-large.png and b/docs/external-id/media/auditing-and-reporting/audit-log-large.png differ diff --git a/docs/external-id/media/auditing-and-reporting/audit-log.png b/docs/external-id/media/auditing-and-reporting/audit-log.png index aff1e08c0c8..34028965ed2 100644 Binary files a/docs/external-id/media/auditing-and-reporting/audit-log.png and b/docs/external-id/media/auditing-and-reporting/audit-log.png differ diff --git a/docs/fundamentals/frontline-worker-management.md b/docs/fundamentals/frontline-worker-management.md index 4bfa0bd805a..34306761fb5 100644 --- a/docs/fundamentals/frontline-worker-management.md +++ b/docs/fundamentals/frontline-worker-management.md @@ -6,7 +6,7 @@ services: active-directory ms.service: active-directory ms.subservice: fundamentals ms.topic: conceptual -ms.date: 06/16/2022 +ms.date: 12/18/2023 ms.author: cmulligan author: csmulligan manager: CelesteDG 
@@ -33,7 +33,7 @@ Microsoft Entra ID in the My Staff portal enables delegation of user management. ## Accelerated onboarding with simplified authentication -My Staff also enables frontline managers to register their team members' phone numbers for [SMS sign-in](~/identity/authentication/howto-authentication-sms-signin.md). In many verticals, frontline workers maintain a local username and password combination, a solution that is often cumbersome, expensive, and error-prone. When IT enables authentication using SMS sign-in, frontline workers can log in with [Single Sign-On (SSO)](~/identity/enterprise-apps/what-is-single-sign-on.md) for Microsoft Teams and other applications using just their phone number and a one-time passcode (OTP) sent via SMS. Single Sign-On makes signing in for frontline workers simple and secure, delivering quick access to the apps they need most. +My Staff also enables frontline managers to register their team members' phone numbers for [SMS sign-in](~/identity/authentication/howto-authentication-sms-signin.md). In many verticals, frontline workers maintain a local username and password combination, a solution that is often cumbersome, expensive, and error-prone. When IT enables authentication using SMS sign-in, frontline workers can sign in with [single sign-on (SSO)](~/identity/enterprise-apps/what-is-single-sign-on.md) for Microsoft Teams and other applications using just their phone number and a one-time passcode (OTP) sent via SMS. Single sign-on makes signing in for frontline workers simple and secure, delivering quick access to the apps they need most. ![SMS sign-in](media/concept-fundamentals-frontline-worker/sms-signin.png) diff --git a/docs/global-secure-access/how-to-configure-web-content-filtering.md b/docs/global-secure-access/how-to-configure-web-content-filtering.md index ce3ea96b674..6a3d5b7b5f0 100644 --- a/docs/global-secure-access/how-to-configure-web-content-filtering.md 
+++ b/docs/global-secure-access/how-to-configure-web-content-filtering.md @@ -50,7 +50,7 @@ To enable the Microsoft Entra Internet Access forwarding profile to forward user ## Create a Web content filtering policy -1. Browse to **Global Secure Access** > **Secure** **Web content filtering policy**. +1. Browse to **Global Secure Access** > **Secure** > **Web content filtering policy**. 1. Select **Create policy**. 1. Enter a name and description for the policy and select **Next**. 1. Select **Add rule**. diff --git a/docs/identity-platform/scenario-desktop-acquire-token-username-password.md b/docs/identity-platform/scenario-desktop-acquire-token-username-password.md index 072de8e1a1a..123cf471b2c 100644 --- a/docs/identity-platform/scenario-desktop-acquire-token-username-password.md +++ b/docs/identity-platform/scenario-desktop-acquire-token-username-password.md 
@@ -4,41 +4,40 @@ description: Learn how to build a desktop app that calls web APIs to acquire a t author: Dickson-Mwendia manager: CelesteDG ms.author: dmwendia -ms.custom: -ms.date: 07/10/2022 +ms.date: 12/18/2023 ms.service: active-directory ms.subservice: develop ms.topic: conceptual #Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform. --- -# Desktop app that calls web APIs: Acquire a token using Username and Password +# Desktop app that calls web APIs: Acquire a token using username and password -You can also acquire a token by providing the username and password. This flow is limited and not recommended, but there are still use cases where it's necessary. +In your desktop applications, you can use the username and password flow, also known as Resource Owner Password Credentials (ROPC), to acquire a token silently. -## This flow isn't recommended +>[!WARNING] +> The username and password flow is **not recommended** as the application will be asking a user for their password directly, which is an insecure pattern. For more information about the risks and challenges the ROPC flow poses, refer to ["What’s the solution to the growing problem of passwords?](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/). -The username and password flow is *not recommended* because having your application ask a user for their password isn't secure. For more information, see [What's the solution to the growing problem of passwords?](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/) The preferred flow for acquiring a token silently on Windows domain joined machines is [integrated Windows authentication](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication). You can also use [device code flow](https://aka.ms/msal-net-device-code-flow). 
+Additionally, by using a username and password, developers give up a number of things, including: -Using a username and password is useful in some cases, such as DevOps scenarios. But if you want to use a username and password in interactive scenarios where you provide your own UI, think about how to move away from it. By using a username and password, you're giving up a number of things: +- Core tenets of modern identity - A password can get phished and replayed because a shared secret can be intercepted. +- Multi-factor authentication (MFA) - Users can't sign in because there's no interaction. +- Single sign-on (SSO) capabilities. -- Core tenets of modern identity. A password can get phished and replayed because a shared secret can be intercepted. It's incompatible with passwordless. -- Users who need to do MFA can't sign in because there's no interaction. -- Users can't do single sign-on (SSO). +The username and password flow also has the following constraints: -## Constraints +- The username and password flow isn't compatible with Conditional Access and multi-factor authentication. If your app runs in a Microsoft Entra tenant where the admin requires multi-factor authentication, like most organizations do, you can't use this flow. +- It only works for work and school accounts, not personal Microsoft Accounts. +- The flow is available on .NET desktop and .NET Core, but not on UWP. -The following constraints also apply: +Using a username and password is useful in some cases, such as DevOps scenarios. However, if you want to use a username and password in interactive scenarios where you provide your own UI, consider moving away from it. -- The username and password flow isn't compatible with Conditional Access and multi-factor authentication. As a consequence, if your app runs in a Microsoft Entra tenant where the tenant admin requires multi-factor authentication, you can't use this flow. Many organizations do that. 
-- It works only for work and school accounts (not MSA). -- The flow is available on .NET desktop and .NET Core, but not on UWP. +The preferred flow for acquiring a token silently on Windows is using the [Windows authentication broker](scenario-desktop-acquire-token-wam.md). Alternatively, developers can also use the [Device code flow](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/device-code-flow) on devices without access to the web browser. -## B2C specifics +If you're building a desktop application that signs in users with social identities using the Resource Owner Password Credentials (ROPC) flow, see [how to sign in users with social identities by using Azure AD B2C](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/social-identities) -For more information, see [Resource Owner Password Credentials (ROPC) with B2C](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics#resource-owner-password-credentials-ropc-with-b2c). -## Use it +## Use the ROPC flow # [.NET](#tab/dotnet) 
@@ -318,11 +317,11 @@ The following extract is from the [MSAL Java code samples](https://github.com/Az # [macOS](#tab/macOS) -This flow isn't supported on MSAL for macOS. +The ROPC flow isn't supported on MSAL for macOS. # [Node.js](#tab/nodejs) -This extract is from the [MSAL Node dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/username-password). In the code snippet below, the username and password are hardcoded for illustration purposes only. This should be avoided in production. Instead, a basic UI prompting the user to enter her username/password would be recommended. +This extract is from the [MSAL Node dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/username-password). In the following code snippet, the username and password are hardcoded for illustration purposes only. This should be avoided in production. Instead, a basic UI prompting the user to enter her username/password would be recommended. ```javascript const msal = require("@azure/msal-node"); diff --git a/docs/identity/app-provisioning/on-premises-scim-provisioning.md b/docs/identity/app-provisioning/on-premises-scim-provisioning.md index a05745e01de..ba0c05d54da 100644 --- a/docs/identity/app-provisioning/on-premises-scim-provisioning.md +++ b/docs/identity/app-provisioning/on-premises-scim-provisioning.md 
@@ -26,44 +26,12 @@ The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommu -## Download, install, and configure the Microsoft Entra Connect Provisioning Agent Package +[!INCLUDE [app-provisioning-provisioning-agent-install.md](~/includes/app-provisioning-provisioning-agent-install.md)] -If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](~/identity/role-based-access-control/permissions-reference.md#hybrid-identity-administrator). -1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud sync** > **Agents**. - - :::image type="content" source="~/includes/media/entra-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="~/includes/media/entra-cloud-sync-how-to-install/new-ux-1.png"::: - -1. Select **Download on-premises agent**, and select **Accept terms & download**. - - >[!NOTE] - >Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect cloud sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. - - 1. Open the provisioning agent installer, agree to the terms of service, and select **next**. - 1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable. - 1. The provisioning agent will use the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. 
If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. - 1. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role. - 1. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer. ## Provisioning to SCIM-enabled application Once the agent is installed, no further configuration is necessary on-premises, and all provisioning configurations are then managed from the portal. Repeat the below steps for every on-premises application being provisioned via SCIM. - -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator). -1. Browse to **Identity** > **Applications** > **Enterprise applications**. -1. Add the **On-premises SCIM app** from the [gallery](~/identity/enterprise-apps/add-application-portal.md). -1. From the left hand menu navigate to the **Provisioning** option and select **Get started**. -1. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option. -1. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**. -1. Now either wait 10 minutes or restart the **Microsoft Entra Connect Provisioning Agent** before proceeding to the next step & testing the connection. -1. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. 
An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim - - ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png) - -1. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues. - - > [!NOTE] - > If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above. 1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application. 1. Add users to scope by [assigning users and groups](~/identity/enterprise-apps/add-application-portal-assign-users.md) to the application. diff --git a/docs/identity/saas-apps/starmind-provisioning-tutorial.md b/docs/identity/saas-apps/starmind-provisioning-tutorial.md new file mode 100644 index 00000000000..40460882971 --- /dev/null +++ b/docs/identity/saas-apps/starmind-provisioning-tutorial.md 
@@ -0,0 +1,139 @@ +--- +title: 'Tutorial: Configure Starmind for automatic user provisioning with Microsoft Entra ID' +description: Learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Starmind. + +author: twimmers +writer: twimmers +manager: jeedes +ms.assetid: 1898e52a-94da-4512-ab88-25ce81cd226b +ms.service: active-directory +ms.subservice: saas-app-tutorial + +ms.topic: tutorial +ms.date: 12/18/2023 +ms.author: thwimmer +--- + +# Tutorial: Configure Starmind for automatic user provisioning + +This tutorial describes the steps you need to perform in both Starmind and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and deprovisions users to [Starmind](https://www.starmind.com/) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](~/identity/app-provisioning/user-provisioning.md). + + +## Supported capabilities +> [!div class="checklist"] +> * Create users in Starmind. +> * Remove users in Starmind when they do not require access anymore. +> * Keep user attributes synchronized between Microsoft Entra ID and Starmind. +> * [Single sign-on](starmind-tutorial.md) to Starmind (recommended). + +## Prerequisites + +The scenario outlined in this tutorial assumes that you already have the following prerequisites: + +* [A Microsoft Entra tenant](~/identity-platform/quickstart-create-new-tenant.md) +* A user account in Microsoft Entra ID with [permission](~/identity/role-based-access-control/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). +* A user account in Starmind with Admin permissions. 
+ +## Plan your provisioning deployment + +* Learn about [how the provisioning service works](~/identity/app-provisioning/user-provisioning.md). +* Determine who will be in [scope for provisioning](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). +* Determine what data to [map between Microsoft Entra ID and Starmind](~/identity/app-provisioning/customize-application-attributes.md). + +## Configure Starmind to support provisioning with Microsoft Entra ID + +Contact Starmind support to configure Starmind to support provisioning with Microsoft Entra ID. + +## Starmind from the Microsoft Entra application gallery + +Add Starmind from the Microsoft Entra application gallery to start managing provisioning to Starmind. If you have previously setup Starmind for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](~/identity/enterprise-apps/add-application-portal.md). + +## Define who will be in scope for provisioning + +The Microsoft Entra provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](~/identity/enterprise-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user, you can use a scoping filter as described [here](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). + +* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. 
When scope is set to all users, you can specify an [attribute based scoping filter](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). + +* If you need more roles, you can [update the application manifest](~/identity-platform/howto-add-app-roles-in-apps.md) to add new roles. + +## Configure automatic user provisioning to Starmind + +This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users in Starmind based on user assignments in Microsoft Entra ID. + + + +### To configure automatic user provisioning for Starmind in Microsoft Entra ID: + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** + + ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png) + +1. In the applications list, select **Starmind**. + + ![Screenshot of the Starmind link in the Applications list.](common/all-applications.png) + +1. Select the **Provisioning** tab. + + ![Screenshot of Provisioning tab.](common/provisioning.png) + +1. Set the **Provisioning Mode** to **Automatic**. + + ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png) + +1. Under the **Admin Credentials** section, input your Starmind Tenant URL and Secret Token. Click **Test Connection** to ensure Microsoft Entra ID can connect to Starmind. If the connection fails, ensure your Starmind account has Admin permissions and try again. + + ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png) + +1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box. 
+ + ![Screenshot of Notification Email.](common/provisioning-notification-email.png) + +1. Select **Save**. + +1. Under the **Mappings** section, select **Synchronize Microsoft Entra users to Starmind**. + +1. Review the user attributes that are synchronized from Microsoft Entra ID to Starmind in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Starmind for update operations. If you choose to change the [matching target attribute](~/identity/app-provisioning/customize-application-attributes.md), you need to ensure that the Starmind API supports filtering users based on that attribute. Select the **Save** button to commit any changes. + + |Attribute|Type|Supported for filtering|Required by Starmind| + |---|---|---|---| + |userName|String|✓|✓ + |active|Boolean|| + |title|String|| + |emails[type eq "work"].value|String||✓ + |name.givenName|String|| + |name.familyName|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|| + +1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). + +1. To enable the Microsoft Entra provisioning service for Starmind, change the **Provisioning Status** to **On** in the **Settings** section. + + ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png) + +1. Define the users that you would like to provision to Starmind by choosing the desired values in **Scope** in the **Settings** section. + + ![Screenshot of Provisioning Scope.](common/provisioning-scope.png) + +1. When you're ready to provision, click **Save**. 
+ + ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png) + +This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running. + +## Monitor your deployment +Once you've configured provisioning, use the following resources to monitor your deployment: + +* Use the [provisioning logs](~/identity/monitoring-health/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully +* Check the [progress bar](~/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion +* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](~/identity/app-provisioning/application-provisioning-quarantine-status.md). + +## More resources + +* [Managing user account provisioning for Enterprise Apps](~/identity/app-provisioning/configure-automatic-user-provisioning-portal.md) +* [What is application access and single sign-on with Microsoft Entra ID?](~/identity/enterprise-apps/what-is-single-sign-on.md) + +## Next steps + +* [Learn how to review logs and get reports on provisioning activity](~/identity/app-provisioning/check-status-user-account-provisioning.md) \ No newline at end of file diff --git a/docs/identity/saas-apps/toc.yml b/docs/identity/saas-apps/toc.yml index 114a25ea935..f666c55658c 100644 --- a/docs/identity/saas-apps/toc.yml +++ b/docs/identity/saas-apps/toc.yml 
@@ -3616,6 +3616,8 @@ href: splashtop-provisioning-tutorial.md - name: StarLeaf href: starleaf-provisioning-tutorial.md + - name: Starmind + href: starmind-provisioning-tutorial.md - name: Storegate href: storegate-provisioning-tutorial.md - name: SurveyMonkey Enterprise diff --git a/docs/includes/app-provisioning-provisioning-agent-install.md b/docs/includes/app-provisioning-provisioning-agent-install.md new file mode 100644 index 00000000000..15058269ce5 --- /dev/null +++ b/docs/includes/app-provisioning-provisioning-agent-install.md 
@@ -0,0 +1,44 @@ +## Install and configure the Microsoft Entra Connect Provisioning Agent + +If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section. + 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator). + 2. Browse to **Identity** > **Applications** > **Enterprise applications**. + 3. Search for the **On-premises ECMA app** application, give the app a name, and select **Create** to add it to your tenant. + 4. From the menu, navigate to the **Provisioning** page of your application. + 5. Select **Get started**. + 6. On the **Provisioning** page, change the mode to **Automatic**. + + :::image type="content" source="media/app-provisioning-sql/configure-7.png" alt-text="Screenshot of selecting Automatic." lightbox="media/app-provisioning-sql/configure-7.png"::: + + 7. Under **On-premises Connectivity**, select **Download and install**, and select **Accept terms & download**. + + :::image type="content" source="media/app-provisioning-sql/download-1.png" alt-text="Screenshot of download location for agent." lightbox="media/app-provisioning-sql/download-1.png"::: + + 8. Leave the portal and open the provisioning agent installer, agree to the terms of service, and select **next**. + 9. Open the provisioning agent wizard. + 10. In the **Select Extension** step, select **On-premises application provisioning** and then select **Next**. + + :::image type="content" source="media/app-provisioning-sql/sync-agent-select-on-premises.png" alt-text="Screenshot that shows how to select on-premises provisioning." lightbox="media/app-provisioning-sql/sync-agent-select-on-premises.png"::: + + 11. 
The provisioning agent will use the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. + 12. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role. + 13. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer. + +## Configure the On-premises ECMA app + + 1. In the portal, on the **On-Premises Connectivity** section, select the agent that you deployed and select **Assign Agent(s)**. + + ![Screenshot that shows how to select and assign an agent.](.\\media\app-provisioning-sql\configure-7a.png) + + 2. Keep this browser window open, as you complete the next step of configuration using the configuration wizard. + + + + +## Configure the Microsoft Entra ECMA Connector Host certificate + + 1. On the Windows Server where the provisioning agent is installed, right click the **Microsoft ECMA2Host Configuration Wizard** from the start menu, and run as administrator. Running as a Windows administrator is necessary for the wizard to create the necessary Windows event logs. + + 1. After the ECMA Connector Host Configuration starts, if it's the first time you have run the wizard, it will ask you to create a certificate. Leave the default port **8585** and select **Generate certificate** to generate a certificate. The autogenerated certificate will be self-signed as part of the trusted root. The certificate SAN matches the host name. 
+ + [![Screenshot that shows configuring your settings.](.\\media\app-provisioning-sql\configure-1.png)](.\\media\app-provisioning-sql\configure-1.png#lightbox) \ No newline at end of file
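Review bot: in the auditing-and-reporting.md media hunks, the screenshot and its lightbox "-large" variant now resolve to the same blob (activity-details.png and activity-details-large.png both become cbb3608aad8; audit-log.png and audit-log-large.png both become 34028965ed2), so the `lightbox` attribute on the two `:::image` tags opens an identical image. Either commit a genuinely larger capture for the -large files or drop the lightbox references and the duplicate binaries.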
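Review bot: the hybrid-organizations.md hunk removes the `[Microsoft Entra B2B](what-is-b2b.md)` link from the first sentence of "Grant B2B users in Microsoft Entra ID access to your on-premises apps" and deletes the "B2B direct connect" item from Next steps without any explanation in the patch. The what-is-b2b link is the page's only pointer to the B2B overview and should stay on the first mention; if direct connect is being removed because it isn't a hybrid on-premises scenario, say so in the change description so the deletion isn't mistaken for an accident.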
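Review bot: the new WARNING in scenario-desktop-acquire-token-username-password.md has an unbalanced quotation mark in `refer to ["What’s the solution to the growing problem of passwords?](https://news.microsoft.com/...)` (an opening `"` with no closing one, plus a curly apostrophe), and the rewrite loses the "incompatible with passwordless" point from the deleted "Core tenets of modern identity" bullet while stating the MFA limitation twice (once in the "give up" list, once in the constraints list). Suggest restoring passwordless to the Core tenets bullet, folding the MFA bullet into the Conditional Access constraint, removing the stray quote, and ending the Azure AD B2C sentence with a period. In the Node.js tab, "prompting the user to enter her username/password" should read "their username and password".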
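Review bot: swapping the inline steps in on-premises-scim-provisioning.md for `app-provisioning-provisioning-agent-install.md` removes the only steps that target a SCIM application. The deleted lines covered adding the **On-premises SCIM app** from the gallery, assigning the agent, waiting 10 minutes or restarting the agent, entering the SCIM endpoint in **Tenant URL** (the `https://localhost:8585/scim` example) and running **Test Connection** with its note that the error message truncates the URL; the include instead creates the **On-premises ECMA app** and ends by generating an ECMA Connector Host certificate, which a SCIM-enabled application does not use. After "Repeat the below steps for every on-premises application being provisioned via SCIM" the reader now goes straight to attribute mappings with no app added and no endpoint configured. Keep the SCIM-specific steps on this page and scope the include to agent download and installation. The deleted NOTE about using separate agents for on-premises app provisioning versus cloud sync / HR-driven provisioning should also be carried over, since it is not in the include.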
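Review bot: in the new include file, step 1 says to sign in "as at least a [Application Administrator]" but step 12 requires the Hybrid Identity Administrator or Global Administrator role to authorize the agent; the replaced text stated Hybrid Identity Administrator up front, which is the prerequisite the reader actually needs before starting (also "a Application" should be "an Application"). Two presentation issues: the image references mix `:::image` with forward slashes and `![...](.\\media\app-provisioning-sql\configure-7a.png)` with backslashes, which should be `media/app-provisioning-sql/configure-7a.png` to match the others and resolve on a non-Windows build; and the ordered list counts 1., 2., 3. while the rest of the docs in this patch use `1.` for every item. The sentence "The autogenerated certificate will be self-signed as part of the trusted root" is unclear; state what the wizard does with the certificate (self-signed, and whether it is installed into the Trusted Root store).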
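Review bot: in starmind-provisioning-tutorial.md the **Admin Credentials** step asks for a Starmind Tenant URL and Secret Token, but "Configure Starmind to support provisioning with Microsoft Entra ID" only says to contact Starmind support and never states where those two values come from; say how they are obtained, even if the answer is "provided by Starmind support". The failure hint "ensure your Starmind account has Admin permissions and try again" does not fit a token-based **Test Connection**, where the likely causes are a wrong Tenant URL or an invalid or expired token. Smaller points: "previously setup Starmind" should be "set up"; "Cloud Application administrator" in Prerequisites is capitalized differently from "Cloud Application Administrator" later; and "Remove users in Starmind" under Supported capabilities versus "create, update, and disable users" in the configure section describe different deprovisioning behaviour, so pick the one that matches what the `active` mapping does.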