Update Set-SPOTenantPreAuthSettings.md with new design

lw-msft · web-flow · commit d6f003461ad6 · 2024-12-08T18:31:07.000-08:00
diff --git a/sharepoint/sharepoint-ps/sharepoint-online/Set-SPOTenantPreAuthSettings.md b/sharepoint/sharepoint-ps/sharepoint-online/Set-SPOTenantPreAuthSettings.md
@@ -19,9 +19,9 @@ Sets the pre auth settings for the tenant.
 
 **What is pre auth?**
 
-SharePoint embeds self-issued tokens into some URLs called pre auth URLs or temp auth URLs to provide temporary access to a SharePoint resource, which helps support more rich user experiences. For example, a common scenario is downloading a file using a pre auth URL that includes the token in the `tempauth` query parameter like so: `https://<tenant>.sharepoint.com/sites/samplesite/_layouts/15/download.aspx?UniqueId=<id>&tempauth=v1.ey...`.
+SharePoint includes self-issued tokens into some URLs called pre auth URLs or temp auth URLs to provide temporary access to a SharePoint resource, which helps support more rich user experiences. For example, a common scenario is downloading a file using a pre auth URL that includes the token in the `tempauth` query parameter like so: `https://<tenant>.sharepoint.com/sites/samplesite/_layouts/15/download.aspx?UniqueId=<id>&tempauth=v1.ey...`.
 
-However, pre auth is currently being deprecated. So this command lets you control whether you want to disable the use of pre auth overall and define special cases to allow or deny the use of pre auth in based on app id and feature. 
+However, pre auth is currently being deprecated. So this command lets you control whether you want to disable the use of pre auth overall and define any special cases to allow or deny the use of pre auth in based on app id and feature. 
 
 ## SYNTAX
 
@@ -30,11 +30,11 @@ Set-SPOTenantPreAuthSettings -IsDisabled <bool> [<CommonParameters>]
 ```
 
 ```powershell
-Set-SPOTenantPreAuthSettings -Add -Type {Allow | Deny} [-AppIds <string>] [-Features <string>] [<CommonParameters>]
+Set-SPOTenantPreAuthSettings -Add -Type {Allow | Deny} [-IncludedApps <string>] [-ExcludedApps <string>] [-IncludedFeatures <string>] [-ExcludedFeatures <string>] [<CommonParameters>]
 ```
 
 ```powershell
-Set-SPOTenantPreAuthSettings -Remove -Type {Allow | Deny} -AppIds <string> -Features <string> [<CommonParameters>]
+Set-SPOTenantPreAuthSettings -Remove -Type {Allow | Deny} [-IncludedApps <string>] [-ExcludedApps <string>] [-IncludedFeatures <string>] [-ExcludedFeatures <string>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -56,41 +56,41 @@ Sets the pre auth settings for the tenant.
 ```powershell
 Set-SPOTenantPreAuthSettings -IsDisabled $true
 
-Set-SPOTenantPreAuthSettings -Add -Type Allow -AppIds "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111" -Features "All"
+Set-SPOTenantPreAuthSettings -Add -Type Allow -IncludedApps "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"
 ```
-This example disables pre auth for the tenant overall and adds 2 apps to the allow list so that both can continue using pre auth for all features, while the rest of the apps and features are denied from using pre auth.
+This example disables pre auth for the tenant overall and adds a setting that allows 2 apps continue using pre auth for all features, while the rest of the apps and features are denied from using pre auth.
+
+> [!NOTE]
+> This example relies on the default values for the `-ExcludedApps`, `-IncludedFeatures`, or `-ExcludedFeatures` parameters. So the following would be an equivalent command, where the empty quotes say that all other apps and features are included for the setting.
+>  `Set-SPOTenantPreAuthSettings -Add -Type Allow -IncludedApps "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111" -ExcludedApps "" -IncludedFeatures "" -ExcludedFeatures ""`
 
 ### Example 2
 ```powershell
-Set-SPOTenantPreAuthSettings -Remove -Type Allow -AppIds "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111" -Features "All"
+Set-SPOTenantPreAuthSettings -Remove -Type Allow -IncludedApps "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"
 ```
 This example removes an existing setting from the allow list.
 
 ### Example 3
 ```powershell
 Set-SPOTenantPreAuthSettings -IsDisabled $true
 
-Set-SPOTenantPreAuthSettings -Add -Type Allow -AppIds "00000000-0000-0000-0000-000000000000" -Features "All"
-
-Set-SPOTenantPreAuthSettings -Add -Type Deny -AppIds "00000000-0000-0000-0000-000000000000" -Features "Download,Embed"
+Set-SPOTenantPreAuthSettings -Add -Type Allow -ExcludedApps "00000000-0000-0000-0000-000000000000" -ExcludedFeatures "Download,Embed"
 ```
-This example disables pre auth for the tenant overall and allows app id 00000000-0000-0000-0000-000000000000 to continue using pre auth for all features apart from the Download and Embed features.
+This example disables pre auth for the tenant overall and allows all apps apart from 1 to continue using pre auth for all features except for Download and Embed. 
 
-In this case, the app with id 00000000-0000-0000-0000-000000000000 will not be allowed to use pre auth for the Download and Embed features, but it can use pre auth for all other features. This happens because the deny list takes precedence over the allow list, so for any overlapping settings between the two lists, the deny list will win (see the first note in the description).
+In this case, the app with id 00000000-0000-0000-0000-000000000000 will not be allowed to use pre auth for any feature because it is not an included app for the setting. Therefore, we will default to the IsDisabled setting, which disables the use of preAuth overall. Any other app will be allowed to use pre auth for all features except for Download and Embed.
 
 ### Example 4
 ```powershell
 Set-SPOTenantPreAuthSettings -IsDisabled $true
 
-Set-SPOTenantPreAuthSettings -Add -Type Allow -AppIds "None" -Features "Download,Embed"
+Set-SPOTenantPreAuthSettings -Add -Type Allow -IncludedApps "00000000-0000-0000-0000-000000000000" -IncludedFeatures "WAC,Embed,Download"
 
-Set-SPOTenantPreAuthSettings -Add -Type Allow -AppIds "11111111-1111-1111-1111-111111111111" -Features "All"
+Set-SPOTenantPreAuthSettings -Add -Type Deny -IncludedApps "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"
 ```
-This example disables pre auth for the tenant overall, but it has overlapping settings in the allow list. The first setting says that none of the apps are allowed to use pre auth for the Download and Embed features. The second setting says that the app with id 11111111-1111-1111-1111-111111111111 is allowed to use pre auth for all features. 
-
-In this case, pre auth will be allowed for all features including Download and Embed for the app with id 11111111-1111-1111-1111-111111111111 even though we said that no apps can use preauth for those two features. This happens because the second allow list setting overwrites the first allow list setting (see the second note in the description).
+This example enables pre auth for the tenant overall, but it has overlapping settings between the allow and deny lists. The allow list setting allows the app with id 00000000-0000-0000-0000-000000000000 to use pre auth for WAC, Embed, and Download features. But the deny list setting denies the same app from using pre auth for all features.
 
-If you swapped the order of the allow list settings, pre auth will no longer be allowed for the Download and Embed features for the app with id 11111111-1111-1111-1111-111111111111. But all other features should still be allowed to continue using pre auth for that app.  
+In this case, the app with id 00000000-0000-0000-0000-000000000000 will not be allowed to use pre auth for any feature (including all the allow-listed features) because the deny list takes precedence over the allow list. Any other app will be denied from using pre auth for any feature. 
 
 ## PARAMETERS
 
@@ -158,22 +158,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -AppIds
+### -IncludedApps
 
-String containing a comma-separated list of app ids for the allow list or deny list setting.
+String containing a comma-separated list of app ids that are included for the allow list or deny list setting.
 
 Possible Values:
-- `"All"`: Default. The allow or deny list setting will apply to all apps.
-- A comma-separated list of app ids (e.g. `"00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"`): The allow or deny list setting will apply to only the apps in the list.
-- `"None"`: The allow or deny list setting will apply to none of the apps.
+- `""`: Default. If both the -IncludedApps and -ExcludedApps parameters are empty strings, the allow or deny list setting will apply to all apps.
+- A comma-separated list of app ids (e.g. `"00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"`): The allow or deny list setting will apply to only the apps in the list and all other apps will not have the setting applied.
 
 ```yaml
 Type: String
 Parameter Sets: AddListItem
 Applicable: SharePoint Online
 Required: False
 Position: Named
-Default value: "All"
+Default value: ""
 Accept pipeline input: False
 Accept wildcard characters: False
 ```
@@ -182,20 +181,50 @@ Accept wildcard characters: False
 Type: String
 Parameter Sets: RemoveListItem
 Applicable: SharePoint Online
-Required: True
+Required: False
 Position: Named
-Default value: None
+Default value: ""
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludedApps
+
+String containing a comma-separated list of app ids that are excluded for the allow list or deny list setting.
+
+Possible Values:
+- `""`: Default. If both the -IncludedApps and -ExcludedApps parameters are empty strings, the allow or deny list setting will apply to all apps.
+- A comma-separated list of app ids (e.g. `"00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"`): The allow or deny list setting will not apply to the apps in the list and all other apps will have the setting applied.
+
+```yaml
+Type: String
+Parameter Sets: AddListItem
+Applicable: SharePoint Online
+Required: False
+Position: Named
+Default value: ""
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+```yaml
+Type: String
+Parameter Sets: RemoveListItem
+Applicable: SharePoint Online
+Required: False
+Position: Named
+Default value: ""
 Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -Features
+### -IncludedFeatures
 
-String containing a comma-separated list of features for the allow list or deny list setting.
+String containing a comma-separated list of features included for the allow list or deny list setting.
 
 Possible Values:
-- `"All"`: Default. The allow or deny list setting will apply to all features.
-- A comma-separated list of feature names (e.g. `"Whiteboard,Download,WAC"`): The allow or deny list setting will apply to only the features in the list (see the list below for all available features).
+- `""`: Default. If both the -IncludedFeatures and -ExcludedFeatures parameters are empty string, the allow or deny list setting will apply to all features.
+- A comma-separated list of features (e.g. `"Whiteboard,Download,WAC"`): The allow or deny list setting will apply to only the features in the list (see the list below for all available features) and all other features will not have the setting applied.
 
 Features:
 - "Whiteboard"
@@ -239,7 +268,7 @@ Parameter Sets: AddListItem
 Applicable: SharePoint Online
 Required: False
 Position: Named
-Default value: "All"
+Default value: ""
 Accept pipeline input: False
 Accept wildcard characters: False
 ```
@@ -248,9 +277,39 @@ Accept wildcard characters: False
 Type: String
 Parameter Sets: RemoveListItem
 Applicable: SharePoint Online
-Required: True
+Required: False
 Position: Named
-Default value: None
+Default value: ""
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludedFeatures
+
+String containing a comma-separated list of features excluded for the allow list or deny list setting.
+
+Possible Values:
+- `""`: Default. If both the -IncludedFeatures and -ExcludedFeatures parameters are empty string, the allow or deny list setting will apply to all features.
+- A comma-separated list of features (e.g. `"Whiteboard,Download,WAC"`): The allow or deny list setting will not apply to the features in the list (see the list above for all available features) and all other features will have the setting applied.
+
+```yaml
+Type: String
+Parameter Sets: AddListItem
+Applicable: SharePoint Online
+Required: False
+Position: Named
+Default value: ""
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+```yaml
+Type: String
+Parameter Sets: RemoveListItem
+Applicable: SharePoint Online
+Required: False
+Position: Named
+Default value: ""
 Accept pipeline input: False
 Accept wildcard characters: False
 ```
