Merge pull request #253803 from MicrosoftDocs/main

10/04 PM Publishing

Author: v-alje

.openpublishing.redirection.active-directory.json

@@ -12382,7 +12382,12 @@
     },
     {
       "source_path_from_root": "/articles/active-directory/cloud-infrastructure-entitlement-management/permissions-management-trial-playbook.md",
-      "redirect_url": "/azure/active-directory/cloud-infrastructure-entitlement-management/permissions-management-trial-user-guide",
+      "redirect_url": "/azure/active-directory/cloud-infrastructure-entitlement-management/permissions-management-quickstart-guide",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/cloud-infrastructure-entitlement-management/permissions-management-trial-user-guide.md",
+      "redirect_url": "/azure/active-directory/cloud-infrastructure-entitlement-management/permissions-management-quickstart-guide",
       "redirect_document_id": false
     },
     {

articles/active-directory/architecture/service-accounts-principal.md

@@ -33,7 +33,7 @@ An application instance has two properties: the ApplicationID (or ClientID) and
 
 > [!NOTE] 
 > The terms **application** and **service principal** are used interchangeably, when referring to an application in authentication tasks. However, they are two representations of applications in Microsoft Entra ID.
- 
+
 The ApplicationID represents the global application and is the same for application instances, across tenants. The ObjectID is a unique value for an application object. As with users, groups, and other resources, the ObjectID helps to identify an application instance in Microsoft Entra ID.
 
 To learn more, see [Application and service principal relationship in Microsoft Entra ID](../develop/app-objects-and-service-principals.md)
@@ -43,8 +43,9 @@ To learn more, see [Application and service principal relationship in Microsoft
 You can create an application and its service principal object (ObjectID) in a tenant using:
 
 * Azure PowerShell
+* Microsoft Graph PowerShell
 * Azure command-line interface (Azure CLI)
-* Microsoft Graph
+* Microsoft Graph API
 * The Azure portal
 * Other tools
 
@@ -85,17 +86,17 @@ When using service principals, use the following table to match challenges and m
 To find accounts, run the following commands using service principals with Azure CLI or PowerShell.
 
 * Azure CLI - `az ad sp list`
-* PowerShell - `Get-AzureADServicePrincipal -All:$true` 
+* PowerShell - `Get-MgServicePrincipal -All:$true` 
 
-For more information, see [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal)
+For more information, see [Get-MgServicePrincipal](/powershell/module/microsoft.graph.applications/get-mgserviceprincipal)
 
 ## Assess service principal security
 
 To assess the security, evaluate privileges and credential storage. Use the following table to help mitigate challenges:
 
 |Challenge | Mitigation|
 | - | - |
-| Detect the user who consented to a multi-tenant app, and detect illicit consent grants to a multi-tenant app | - Run the following PowerShell to find multi-tenant apps <br>`Get-AzureADServicePrincipal -All:$true ? {$_.Tags -eq WindowsAzureActiveDirectoryIntegratedApp"}`</br> - Disable user consent </br> - Allow user consent from verified publishers, for selected permissions (recommended) </br> - Configure them in the user context </br> - Use their tokens to trigger the service principal|
+| Detect the user who consented to a multi-tenant app, and detect illicit consent grants to a multi-tenant app | - Run the following PowerShell to find multi-tenant apps <br>`Get-MgServicePrincipal -All:$true | ? {$_.Tags -eq "WindowsAzureActiveDirectoryIntegratedApp"}`</br> - Disable user consent </br> - Allow user consent from verified publishers, for selected permissions (recommended) </br> - Configure them in the user context </br> - Use their tokens to trigger the service principal|
 |Use of a hard-coded shared secret in a script using a service principal|Use a certificate|
 |Tracking who uses the certificate or the secret| Monitor the service principal sign-ins using the Microsoft Entra sign-in logs|
 |Can't manage service principal sign-in with Conditional Access| Monitor the sign-ins using the Microsoft Entra sign-in logs
@@ -134,3 +135,5 @@ Conditional Access:
 Use Conditional Access to block service principals from untrusted locations. 
 
 See, [Create a location-based Conditional Access policy](../conditional-access/workload-identity.md#create-a-location-based-conditional-access-policy)
+
+

articles/active-directory/cloud-infrastructure-entitlement-management/permissions-management-trial-user-guide.md

@@ -268,8 +268,9 @@ If you get an error message telling you that you used an invalid scope, you prob
 
 ### Did you forget to provide admin consent? Daemon apps need it!
 
-If you get an **Insufficient privileges to complete the operation** error when you call the API, the tenant administrator needs to grant permissions to the application. See step 6 of Register the client app above.
-You'll typically see an error that looks like this error:
+If you get an **Insufficient privileges to complete the operation** error when you call the API, the tenant administrator needs to grant permissions to the application. For guidance on how to grant admin consent for your application, see step 4 in [Quickstart: Acquire a token and call Microsoft Graph in a .NET Core console app](quickstart-console-app-netcore-acquire-token.md#step-4-admin-consent). 
+
+If you don't grant admin consent to your application, you'll run into the following error:
 
 ```json
 Failed to call the web API: Forbidden

articles/active-directory/develop/scenario-daemon-acquire-token.md

@@ -88,19 +88,19 @@ To get the PRT error code, run the `dsregcmd` command, and then locate the `SSO
 
 <a name='method-2-use-event-viewer-to-examine-azure-ad-analytic-and-operational-logs'></a>
 
-#### Method 2: Use Event Viewer to examine Microsoft Entra analytic and operational logs
+#### Method 2: Use Event Viewer to examine AAD analytic and operational logs
 
 1. Select **Start**, and then search for and select **Event Viewer**.
 1. If the console tree doesn't appear in the **Event Viewer** window, select the **Show/Hide Console Tree** icon to make the console tree visible.
 1. In the console tree, select **Event Viewer (Local)**. If child nodes don't appear underneath this item, double-click your selection to show them.
 1. Select the **View** menu. If a check mark isn't displayed next to **Show Analytic and Debug Logs**, select that menu item to enable that feature.
-1. In the console tree, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **Microsoft Entra ID**. The **Operational** and **Analytic** child nodes appear. 
+1. In the console tree, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **AAD**. The **Operational** and **Analytic** child nodes appear. 
 
    > [!NOTE]  
    > In the Microsoft Entra Cloud Authentication Provider (CloudAP) plug-in, **Error** events are written to the **Operational** event logs, and information events are written to the **Analytic** event logs. You have to examine both the **Operational** and **Analytic** event logs to troubleshoot PRT issues.
 
-1. In the console tree, select the **Analytic** node to view Microsoft Entra ID-related analytic events.
-1. In the list of analytic events, search for Event IDs 1006 and 1007. Event ID 1006 denotes the beginning of the PRT acquisition flow, and Event ID 1007 denotes the end of the PRT acquisition flow. All events in the **Microsoft Entra ID** logs (both **Analytic** and **Operational**) that occurred between Event ID 1006 and Event ID 1007 are logged as part of the PRT acquisition flow. The following table shows an example event listing.
+1. In the console tree, select the **Analytic** node to view AAD-related analytic events.
+1. In the list of analytic events, search for Event IDs 1006 and 1007. Event ID 1006 denotes the beginning of the PRT acquisition flow, and Event ID 1007 denotes the end of the PRT acquisition flow. All events in the **AAD** logs (both **Analytic** and **Operational**) that occurred between Event ID 1006 and Event ID 1007 are logged as part of the PRT acquisition flow. The following table shows an example event listing.
 
    | Level           | Date and Time            | Source  | Event ID | Task Category                  |
    |-----------------|--------------------------|---------|----------|--------------------------------|

articles/active-directory/devices/troubleshoot-primary-refresh-token.md

@@ -29,6 +29,8 @@ You can bulk download the members of a group in your organization to a comma-sep
 
    ![The Download Members command is on the profile page for the group](./media/groups-bulk-download-members/download-panel.png)
 
+[!INCLUDE [Bulk update warning](~/articles/active-directory/includes/bulk-export.md)]
+
 ## Check download status
 
 You can see the status of all of your pending bulk requests in the **Bulk operation results** page.

articles/active-directory/enterprise-users/groups-bulk-download-members.md

@@ -72,6 +72,8 @@ The rows in a downloaded CSV template are as follows:
 
 If there are errors, you can download and view the results file on the **Bulk operation results** page. The file contains the reason for each error. The file submission must match the provided template and include the exact column names.
 
+[!INCLUDE [Bulk update warning](~/articles/active-directory/includes/bulk-export.md)]
+
 ## Check status
 
 You can see the status of all of your pending bulk requests in the **Bulk operation results** page.

articles/active-directory/enterprise-users/users-bulk-add.md

@@ -52,6 +52,8 @@ The rows in a downloaded CSV template are as follows:
 
 If there are errors, you can download and view the results file on the **Bulk operation results** page. The file contains the reason for each error.
 
+[!INCLUDE [Bulk update warning](~/articles/active-directory/includes/bulk-export.md)]
+
 ## Check status
 
 You can see the status of all of your pending bulk requests in the **Bulk operation results** page.

articles/active-directory/enterprise-users/users-bulk-delete.md

@@ -76,6 +76,8 @@ You can see the status of your pending bulk requests in the **Bulk operation res
 
 Each bulk activity to export a list of users can run for up to one hour. This pace enables export and download of a list of up to 500,000 users.
 
+[!INCLUDE [Bulk update warning](~/articles/active-directory/includes/bulk-export.md)]
+
 ## Next steps
 
 - [Bulk add users](users-bulk-add.md)

articles/active-directory/enterprise-users/users-bulk-download.md

@@ -62,6 +62,8 @@ The rows in a downloaded CSV template are as follows:
 
 If there are errors, you can download and view the results file on the **Bulk operation results** page. The file contains the reason for each error.
 
+[!INCLUDE [Bulk update warning](~/articles/active-directory/includes/bulk-export.md)]
+
 ## Check status
 
 You can see the status of all of your pending bulk requests in the **Bulk operation results** page.