MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/how-to-certificate-based-authentication.md
Lines changed: 4 additions & 0 deletions b/‎articles/active-directory/authentication/how-to-certificate-based-authentication.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎articles/active-directory/conditional-access/concept-conditional-access-users-groups.md
Lines changed: 8 additions & 8 deletions b/‎articles/active-directory/conditional-access/concept-conditional-access-users-groups.md
Lines changed: 8 additions & 8 deletions
diff --git a/‎articles/active-directory/enterprise-users/licensing-powershell-graph-examples.md
Lines changed: 30 additions & 31 deletions b/‎articles/active-directory/enterprise-users/licensing-powershell-graph-examples.md
Lines changed: 30 additions & 31 deletions
diff --git a/‎articles/active-directory/governance/licensing-fundamentals.md
Lines changed: 15 additions & 15 deletions b/‎articles/active-directory/governance/licensing-fundamentals.md
Lines changed: 15 additions & 15 deletions
diff --git a/‎articles/communication-services/concepts/voice-video-calling/includes/user-facing-diagnostics-android.md
Lines changed: 14 additions & 14 deletions b/‎articles/communication-services/concepts/voice-video-calling/includes/user-facing-diagnostics-android.md
Lines changed: 14 additions & 14 deletions
@@ -36,6 +36,10 @@ Make sure that the following prerequisites are in place:
 >[!IMPORTANT]
 >Make sure the PKI is secure and can't be easily compromised. In the event of a compromise, the attacker can create and sign client certificates and compromise any user in the tenant, both users whom are synchronized from on-premises and cloud-only users. However, a strong key protection strategy, along with other physical and logical controls, such as HSM activation cards or tokens for the secure storage of artifacts, can provide defense-in-depth to prevent external attackers or insider threats from compromising the integrity of the PKI. For more information, see [Securing PKI](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786443(v=ws.11)).
 
+>[!IMPORTANT]
+>Please visit the [Microsoft recommendations](/security/sdl/cryptographic-recommendations#security-protocol-algorithm-and-key-length-recommendations) for best practices for Microsoft Cryptographic involving algorithm choice, key length and data protection. Please make sure to use one of the recommended algorithms, key length and NIST approved curves.
+
+
 >[!NOTE]
 >When evaluating a PKI, it is important to review certificate issuance policies and enforcement. As mentioned, adding certificate authorities (CAs) to Azure AD configuration allows certificates issued by those CAs to authenticate any user in Azure AD. For this reason, it is important to consider how and when the CAs are allowed to issue certificates, and how they implement reusable identifiers. Where administrators need to ensure only a specific certificate is able to be used to authenticate a user, admins should exclusively use high-affinity bindings to achieve a higher level of assurance that only a specific certificate is able to authenticate the user. For more information, see [high-affinity bindings](concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-username-binding-policy).
 
 
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 10/03/2022
+ms.date: 08/07/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 ---
 # Conditional Access: Users, groups, and workload identities
 
-A Conditional Access policy must include a user, group, or workload identity assignment as one of the signals in the decision process. These can be included or excluded from Conditional Access policies. Azure Active Directory evaluates all policies and ensures that all requirements are met before granting access. 
+A Conditional Access policy must include a user, group, or workload identity assignment as one of the signals in the decision process. These identities can be included or excluded from Conditional Access policies. Azure Active Directory evaluates all policies and ensures that all requirements are met before granting access. 
 
 > [!VIDEO https://www.youtube.com/embed/5DsW1hB3Jqs]
 
@@ -42,9 +42,9 @@ The following options are available to include when creating a Conditional Acces
          - Other external users, or users not represented by the other user type selections
       - One or more tenants can be specified for the selected user type(s), or you can specify all tenants. 
    - Directory roles
-      - Allows administrators to select specific [built-in Azure AD directory roles](../roles/permissions-reference.md) used to determine policy assignment. For example, organizations may create a more restrictive policy on users assigned the Global Administrator role. Other role types aren't supported, including administrative unit-scoped roles and custom roles.
+      - Allows administrators to select specific [built-in Azure AD directory roles](../roles/permissions-reference.md) used to determine policy assignment. For example, organizations may create a more restrictive policy on users actively assigned the Global Administrator role. Other role types aren't supported, including administrative unit-scoped roles and custom roles.
    - Users and groups
-      - Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of user group in Azure AD, including dynamic or assigned security and distribution groups. Policy will be applied to nested users and groups.
+      - Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of user group in Azure AD, including dynamic or assigned security and distribution groups. Policy is applied to nested users and groups.
 
 > [!IMPORTANT]
 > When selecting which users and groups are included in a Conditional Access Policy, there is a limit to the number of individual users that can be added directly to a Conditional Access policy. If there are a large amount of individual users that are needed to be added to directly to a Conditional Access policy, we recommend placing the users in a group, and assigning the group to the Conditional Access policy instead.
@@ -60,7 +60,7 @@ The following options are available to include when creating a Conditional Acces
 
 ## Exclude users
 
-When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy. Exclusions are commonly used for emergency access or break-glass accounts. More information about emergency access accounts and why they're important can be found in the following articles: 
+When organizations both include and exclude a user or group, the user or group is excluded from the policy. The exclude action overrides the include action in policy. Exclusions are commonly used for emergency access or break-glass accounts. More information about emergency access accounts and why they're important can be found in the following articles: 
 
 * [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md)
 * [Create a resilient access control management strategy with Azure Active Directory](../authentication/concept-resilient-controls.md)
@@ -79,15 +79,15 @@ The following options are available to exclude when creating a Conditional Acces
 - Directory roles
    - Allows administrators to select specific Azure AD directory roles used to determine assignment. For example, organizations may create a more restrictive policy on users assigned the Global Administrator role.
 - Users and groups
-   - Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of group in Azure AD, including dynamic or assigned security and distribution groups. Policy will be applied to nested users and groups.
+   - Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of group in Azure AD, including dynamic or assigned security and distribution groups. Policy is applied to nested users and groups.
 
 ### Preventing administrator lockout
 
-To prevent an administrator from locking themselves out of their directory when creating a policy applied to **All users** and **All apps**, they'll see the following warning.
+To prevent administrator lockout, when creating a policy applied to **All users** and **All apps**, the following warning appears.
 
 > Don't lock yourself out! We recommend applying a policy to a small set of users first to verify it behaves as expected. We also recommend excluding at least one administrator from this policy. This ensures that you still have access and can update a policy if a change is required. Please review the affected users and apps.
 
-By default the policy will provide an option to exclude the current user from the policy, but this default can be overridden by the administrator as shown in the following image. 
+By default the policy provides an option to exclude the current user from the policy, but an administrator can override as shown in the following image. 
 
 ![Warning, don't lock yourself out!](./media/concept-conditional-access-users-groups/conditional-access-users-and-groups-lockout-warning.png)
 
 
@@ -210,45 +210,44 @@ if ($count -le 0) {
 Connect-MgGraph -Scopes "User.Read.All"
 
 # Get all users using Get-MgUser with a filter
-$users = Get-MgUser -Filter "accountEnabled eq true"
-
-# Create a hash table to store the SKU IDs for each user
-$skus = @{}
+$users = Get-MgUser -All -Property AssignedLicenses, LicenseAssignmentStates, DisplayName | Select-Object DisplayName, AssignedLicenses -ExpandProperty LicenseAssignmentStates | Select-Object DisplayName, AssignedByGroup, State, Error, SkuId
 
-# Loop through all users and get their license details using Get-MgUserLicenseDetail
-foreach ($user in $users) {
-    $userSkus = @{}
+$output = @()
 
-    # Get the user's license details using Get-MgUserLicenseDetail
-    $licenseDetails = Get-MgUserLicenseDetail -UserId $user.Id
 
-    # Loop through all the licenses and add the SKU ID to the hash table
-    foreach ($license in $licenseDetails) {
-        $userSkus[$license.SkuId] = @{
-            AssignedDirectly = $license.AssignedLicenses.Count -gt 0
-            AssignedThroughGroups = $license.AssignedLicensesViaGroup.Count -gt 0
+# Loop through all users and get the AssignedByGroup Details which will list the groupId
+foreach ($user in $users) {
+    # Get the group ID if AssignedByGroup is not empty
+    if ($user.AssignedByGroup -ne $null)
+    {
+        $groupId = $user.AssignedByGroup
+        $groupName = Get-MgGroup -GroupId $groupId | Select-Object -ExpandProperty DisplayName  
+        Write-Host "$($user.DisplayName) is assigned by group - $($groupName)" -ErrorAction SilentlyContinue -ForegroundColor Yellow
+        $result = [pscustomobject]@{
+            User=$user.DisplayName
+            AssignedByGroup=$true
+            GroupName=$groupName
+            GroupId=$groupId
         }
+        $output += $result
     }
 
-    # Add the user's SKU IDs to the main hash table
-    $skus[$user.Id] = $userSkus
-}
-
-# Display the SKU IDs for each user
-foreach ($userId in $skus.Keys) {
-    $user = Get-MgUser -Filter "userPrincipalName eq '$userId'"
-    Write-Host "User: $($user.UserPrincipalName)"
-    Write-Host "SKU IDs:"
-
-    foreach ($skuId in $skus[$userId].Keys) {
-        $sku = Get-MgSubscribedSku -SubscribedSkuId $skuId
-        Write-Host "- $($sku.DisplayName)"
-        Write-Host "  Assigned directly: $($skus[$userId][$skuId].AssignedDirectly)"
-        Write-Host "  Assigned through groups: $($skus[$userId][$skuId].AssignedThroughGroups)"
+    else {
+    $result = [pscustomobject]@{
+            User=$user.DisplayName
+            AssignedByGroup=$false
+            GroupName="NA"
+            GroupId="NA"
+        }
+        $output += $result
+        Write-Host "$($user.DisplayName) is Not assigned by group" -ErrorAction SilentlyContinue -ForegroundColor Cyan
     }
-
-    Write-Host ""
+        
+    
 }
+
+# Display the result
+$output | ft
 ```
 
 
 
@@ -77,24 +77,24 @@ The following table shows what features are available with each license.  Note t
 |Automated user provisioning to SaaS apps|x|x|x|x|	 
 |Automated group provisioning to SaaS apps||x|x|x|	 
 |Automated provisioning to on-premises apps||x|x|x|
-|CA - Terms of use attestation||x|x|x| 
-|Entitlement Management (EM) - Basic entitlement management|||x|x|  
-|EM CA Scoping|||x|x| 
-|EM MyAccess Search|||x|x|  
-|EM with Verified ID||||x|  
-|EM + Custom Extensions (Logic Apps)||||x|  
-|EM + Auto Assignment Policies||||x|   
-|EM - Invite+Assign Any||||x| 
-|EM - Guest Conversion API||||x| 
-|EM - Grace Period - Public Preview|||x|x|  
-|EM - Sponsors Policy - Public Preview||||x| 
+|Conditional Access - Terms of use attestation||x|x|x| 
+|Entitlement management - Basic entitlement management|||x|x|  
+|Entitlement management - Conditional Access Scoping|||x|x| 
+|Entitlement management MyAccess Search|||x|x|  
+|Entitlement management with Verified ID||||x|  
+|Entitlement management + Custom Extensions (Logic Apps)||||x|  
+|Entitlement management + Auto Assignment Policies||||x|   
+|Entitlement management - Invite+Assign Any||||x| 
+|Entitlement management - Guest Conversion API||||x| 
+|Entitlement management - Grace Period - Public Preview|||x|x|  
+|Entitlement management - Sponsors Policy - Public Preview||||x| 
 |Privileged Identity Management (PIM)|||x|x| 
 |PIM For Groups|||x|x| 
 |PIM CA Controls|||x|x| 
-|Access Reviews (AR) - Basic access certifications and reviews|||x|x| 
-|AR - PIM For Groups - Public Preview||||x| 
-|AR - Inactive Users||||x| 
-|AR - Machine learning assisted access certifications and reviews||||x| 
+|Access Reviews - Basic access certifications and reviews|||x|x| 
+|Access reviews - PIM For Groups - Public Preview||||x| 
+|Access reviews - Inactive Users||||x| 
+|Access reviews - Machine learning assisted access certifications and reviews||||x| 
 |Lifecycle Workflows (LCW) J/M/L||||x|
 |LCW + Custom Extensions (Logic Apps)||||x|   
 |Identity governance dashboard - Public Preview||x|x|x|
 
@@ -17,15 +17,15 @@ ms.subservice: calling
 User-facing diagnostics is an extended feature of the core `Call` API and allows you to diagnose an active call.
 
 ```java
-DiagnosticsCallFeature diagnosticsCallFeature = call.feature(Features.DIAGNOSTICS_CALL);
+DiagnosticsCallFeature diagnosticsCallFeature = call.feature(Features.LOCAL_USER_DIAGNOSTICS);
 ```
 
 ## User Facing Diagnostic events
 
 - Get feature object and add listeners to the diagnostics events.
 
 ```java
-DiagnosticsCallFeature diagnosticsCallFeature = call.feature(Features.DIAGNOSTICS_CALL);
+DiagnosticsCallFeature diagnosticsCallFeature = call.feature(Features.LOCAL_USER_DIAGNOSTICS);
 
 /* NetworkDiagnostic */
 FlagDiagnosticChangedListener listener = (FlagDiagnosticChangedEvent args) -> {
@@ -34,36 +34,36 @@ FlagDiagnosticChangedListener listener = (FlagDiagnosticChangedEvent args) -> {
 };
 
 NetworkDiagnostics networkDiagnostics = diagnosticsCallFeature.getNetworkDiagnostics();
-networkDiagnostics.addOnNoNetworkChangedListener(listener);
+networkDiagnostics.addOnNetworkUnreachableChangedListener(listener);
 
 // To remove listener for network quality event
-networkDiagnostics.removeOnNoNetworkChangedListener(listener);
+networkDiagnostics.removeOnNetworkUnreachableChangedListener(listener);
 
 // Quality Diagnostics
-DiagnosticsCallFeature diagnosticsCallFeature = call.feature(Features.DIAGNOSTICS_CALL);
+DiagnosticsCallFeature diagnosticsCallFeature = call.feature(Features.LOCAL_USER_DIAGNOSTICS);
 QualityDiagnosticChangedListener listener = (QualityDiagnosticChangedEvent args) -> {
   DiagnosticQuality diagnosticQuality = args.getValue();
   // Handle new value for network reconnect diagnostic.
 };
 
 NetworkDiagnostics networkDiagnostics = diagnosticsCallFeature.getNetworkDiagnostics();
-networkDiagnostics.addOnNetworkReconnectChangedListener(listener);
+networkDiagnostics.addOnNetworkReconnectionQualityChangedListener(listener);
 
 // To remove listener for media flag event
-networkDiagnostics.removeOnNetworkReconnectChangedListener(listener);
+networkDiagnostics.removeOnNetworkReconnectionQualityChangedListener(listener);
 
 /* MediaDiagnostic */
-DiagnosticsCallFeature diagnosticsCallFeature = call.feature(Features.DIAGNOSTICS_CALL);
+DiagnosticsCallFeature diagnosticsCallFeature = call.feature(Features.LOCAL_USER_DIAGNOSTICS);
 FlagDiagnosticChangedListener listener = (FlagDiagnosticChangedEvent args) -> {
   Boolean mediaValue = args.getValue();
   // Handle new value for speaker not functioning diagnostic.
 };
 
 MediaDiagnostics mediaDiagnostics = diagnosticsCallFeature.getMedia();
-mediaDiagnostics.addOnSpeakerNotFunctioningChangedListener(listener);
+mediaDiagnostics.addOnIsSpeakerNotFunctioningChangedListener(listener);
 
 // To remove listener for media flag event
-mediaDiagnostics.removeOnSpeakerNotFunctioningChangedListener(listener);
+mediaDiagnostics.removeOnIsSpeakerNotFunctioningChangedListener(listener);
 
 ```
 
@@ -72,15 +72,15 @@ mediaDiagnostics.removeOnSpeakerNotFunctioningChangedListener(listener);
 - Get the latest diagnostic values that were raised in current call. If we still didn't receive a value for the diagnostic, an exception is thrown.
 
 ```java
-DiagnosticsCallFeature diagnosticsCallFeature = call.feature(Features.DIAGNOSTICS_CALL);
+DiagnosticsCallFeature diagnosticsCallFeature = call.feature(Features.LOCAL_USER_DIAGNOSTICS);
 NetworkDiagnostics networkDiagnostics = diagnosticsCallFeature.getNetwork();
 MediaDiagnostics mediaDiagnostics = diagnosticsCallFeature.getMedia();
 
-NetworkDiagnosticValues latestNetwork = networkDiagnostics.getLatest();
-Boolean lastNetworkValue = latestNetwork.isNoNetwork(); // null if there isn't a value for this diagnostic.
+NetworkDiagnosticValues latestNetwork = networkDiagnostics.getLatestDiagnostics();
+Boolean lastNetworkValue = latestNetwork.isNetworkUnavailable(); // null if there isn't a value for this diagnostic.
 DiagnosticQuality lastReceiveQualityValue = latestNetwork.getNetworkReceiveQuality(); //  UNKNOWN if there isn't a value for this diagnostic.
 
-MediaDiagnosticValues latestMedia = networkDiagnostics.getLatest();
+MediaDiagnosticValues latestMedia = networkDiagnostics.getLatestDiagnostics();
 Boolean lastSpeakerNotFunctionValue = latestMedia.isSpeakerNotFunctioning(); // null if there isn't a value for this diagnostic.
 
 // Use the last values ...