etherscan-io
diff --git a/‎articles/active-directory/develop/authentication-flows-app-scenarios.md
+1-1 b/‎articles/active-directory/develop/authentication-flows-app-scenarios.md
+1-1
diff --git a/‎articles/active-directory/devices/hybrid-azuread-join-federated-domains.md
+2 b/‎articles/active-directory/devices/hybrid-azuread-join-federated-domains.md
+2
diff --git a/‎articles/active-directory/devices/hybrid-azuread-join-manual.md
+2 b/‎articles/active-directory/devices/hybrid-azuread-join-manual.md
+2
diff --git a/‎articles/active-directory/manage-apps/application-provisioning-config-problem-no-users-provisioned.md
+1-1 b/‎articles/active-directory/manage-apps/application-provisioning-config-problem-no-users-provisioned.md
+1-1
@@ -140,7 +140,7 @@ For more information, read [Mobile app that calls web APIs](scenario-mobile-over
 
 ### Protected Web API
 
-You can use the Microsoft identity platform endpoint to secure web services, such as your app's RESTful Web API. A protected Web API is called with an access token to secure its data and to authenticate incoming requests. The caller of a Web API appends an access token in the authorization header of an HTTP request. If you want to protect you ASP.NET or ASP.NET Core Web API, you will need to validate the access token. For this, you'll use the ASP.NET JWT middleware. Under the hood, the validation is done by the [IdentityModel extensions for .NET](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki) library, not MSAL.NET
+You can use the Microsoft identity platform endpoint to secure web services, such as your app's RESTful Web API. A protected Web API is called with an access token to secure its data and to authenticate incoming requests. The caller of a Web API appends an access token in the authorization header of an HTTP request. If you want to protect your ASP.NET or ASP.NET Core Web API, you will need to validate the access token. For this, you'll use the ASP.NET JWT middleware. Under the hood, the validation is done by the [IdentityModel extensions for .NET](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki) library, not MSAL.NET
 
 For more information, read [Protected Web API](scenario-protected-web-api-overview.md).
 
 
@@ -92,6 +92,8 @@ If you don't use WPAD and want to configure proxy settings on your computer, you
 
 If your organization requires access to the internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration by using machine context, you must configure outbound proxy authentication by using machine context. Follow up with your outbound proxy provider on the configuration requirements.
 
+To verify if the device is able to access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](https://gallery.technet.microsoft.com/Test-Device-Registration-3dc944c0) script.
+
 ## Configure hybrid Azure AD join
 
 To configure a hybrid Azure AD join by using Azure AD Connect, you need:
 
@@ -71,6 +71,8 @@ For Windows 10 devices on version 1703 or earlier, if your organization requires
 
 Beginning with Windows 10 1803, even if a hybrid Azure AD join attempt by a device in a federated domain through AD FS fails, and if Azure AD Connect is configured to sync the computer/device objects to Azure AD, the device will try to complete the hybrid Azure AD join by using the synced computer/device.
 
+To verify if the device is able to access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](https://gallery.technet.microsoft.com/Test-Device-Registration-3dc944c0) script.
+
 ## Verify configuration steps
 
 You can configure hybrid Azure AD joined devices for various types of Windows device platforms. This topic includes the required steps for all typical configuration scenarios.  
 
@@ -21,7 +21,7 @@ ms.collection: M365-identity-device-management
 # No users are being provisioned to an Azure AD Gallery application
 After automatic provisioning has been configured for an application (including verifying that the app credentials provided to Azure AD to connect to the app are valid), then users and/or groups are provisioned to the app. Provisioning is determined by the following things:
 
--   Which users and groups have been **assigned** to the application. For more information on assignment, see [Assign a user or group to an enterprise app in Azure Active Directory](assign-user-or-group-access-portal.md).
+-   Which users and groups have been **assigned** to the application. Note that provisioning nested groups or Office 365 groups is not supported. For more information on assignment, see [Assign a user or group to an enterprise app in Azure Active Directory](assign-user-or-group-access-portal.md).
 -   Whether or not **attribute mappings** are enabled, and configured to sync valid attributes from Azure AD to the app. For more information on attribute mappings, see [Customizing User Provisioning Attribute Mappings for SaaS Applications in Azure Active Directory](customize-application-attributes.md).
 -   Whether or not there is a **scoping filter** present that is filtering users based on specific attribute values. For more information on scoping filters, see [Attribute-based application provisioning with scoping filters](define-conditional-rules-for-provisioning-user-accounts.md).