Merge pull request #255483 from MicrosoftDocs/main

10/18/2023 PM Publish

Author: Taojunshen

.openpublishing.redirection.azure-monitor.json

@@ -6378,6 +6378,11 @@
             "source_path_from_root": "/articles/azure-monitor/app/separate-resources.md",
             "redirect_url": "/azure/azure-monitor/app/create-workspace-resource#how-many-application-insights-resources-should-i-deploy",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/tutorial-app-dashboards.md",
+            "redirect_url": "/azure/azure-monitor/app/overview-dashboard#create-custom-kpi-dashboards-using-application-insights",
+            "redirect_document_id": false
         }
     ]
 }

articles/active-directory-b2c/analytics-with-application-insights.md

@@ -323,6 +323,6 @@ To disable Application Insights logs, change the `DisableTelemetry` metadata to
 
 ## Next steps
 
-Learn how to [create custom KPI dashboards using Azure Application Insights](../azure-monitor/app/tutorial-app-dashboards.md).
+Learn how to [create custom KPI dashboards using Azure Application Insights](../azure-monitor/app/overview-dashboard.md#create-custom-kpi-dashboards-using-application-insights).
 
 ::: zone-end

articles/active-directory-b2c/index-web-app.yml

@@ -50,9 +50,3 @@ landingContent:
             url: enable-authentication-in-node-web-app-options.md
           - text: Python
             url: enable-authentication-python-web-app-options.md 
-  - title: "Sample"
-    linkLists:
-      - linkListType: sample
-        links:
-          - text: Java 
-            url: https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-b2c-web-sample

articles/active-directory-b2c/partner-saviynt.md

@@ -18,7 +18,7 @@ ms.subservice: B2C
 
 Learn to integrate Azure Active Directory B2C (Azure AD B2C) with the Saviynt Security Manager platform, which has visibility, security, and governance. Saviynt incorporates application risk and governance, infrastructure management, privileged account management, and customer risk analysis.
 
-Learn more: [Saviynt for Azure AD B2C](https://saviynt.com/integrations/azure-ad/for-b2c/)
+Learn more: [Saviynt for Azure AD B2C](https://saviynt.com/integrations/old-version-azure-ad/for-b2c/)
 
 Use the following instructions to set up access control delegated administration for Azure AD B2C users. Saviynt determines if a user is authorized to manage Azure AD B2C users with:
 
@@ -46,7 +46,7 @@ The Saviynt integration includes the following components:
 * **Azure AD B2C** – identity as a service for custom control of customer sign-up, sign-in, and profile management
   * See, [Azure AD B2C, Get started](https://azure.microsoft.com/services/active-directory/external-identities/b2c/) 
 * **Saviynt for Azure AD B2C** – identity governance for delegated administration of user life-cycle management and access governance
-  * See, [Saviynt for Azure AD B2C](https://saviynt.com/integrations/azure-ad/for-b2c/)
+  * See, [Saviynt for Azure AD B2C](https://saviynt.com/integrations/old-version-azure-ad/for-b2c/)
 * **Microsoft Graph API** – interface for Saviynt to manage Azure AD B2C users and their access
   * See, [Use the Microsoft Graph API](/graph/use-the-api)
 

articles/active-directory/architecture/resilience-with-monitoring-alerting.md

@@ -47,17 +47,17 @@ For example, track the following metrics, since a sudden drop in either will lea
 
    - **Previous period**: Create temporal charts to show changes in the Total requests and Success rate (%) over some previous period for reference purposes, for example, last week.
 
-- **Alerting**: Using log analytics define [alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule) that get triggered when there are sudden changes in the key indicators. These changes may negatively impact the SLOs. Alerts use various forms of notification methods including email, SMS, and webhooks. Start by defining a criterion that acts as a threshold against which alert will be triggered. For example:
+- **Alerting**: Using log analytics define [alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule) that get triggered when there are sudden changes in the key indicators. These changes might negatively impact the SLOs. Alerts use various forms of notification methods including email, SMS, and webhooks. Start by defining a criterion that acts as a threshold against which alert will be triggered. For example:
   - Alert against abrupt drop in Total requests: Trigger an alert when number of total requests drop abruptly. For example, when there's a 25% drop in the total number of requests compared to previous period, raise an alert.  
   - Alert against significant drop in Success rate (%): Trigger an alert when success rate of the selected policy significantly drops.
   - Upon receiving an alert, troubleshoot the issue using [Log Analytics](/azure/azure-monitor/visualize/workbooks-view-designer-conversion-overview), [Application Insights](/azure/active-directory-b2c/troubleshoot-with-application-insights), and [VS Code extension](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c) for Azure AD B2C. After you resolve the issue and deploy an updated application or policy, it continues to monitor the key indicators until they return back to normal range.
 
 - **Service alerts**: Use the [Azure AD B2C service level alerts](/azure/service-health/service-health-overview) to get notified of service issues, planned maintenance, health advisory, and security advisory.
 
 - **Reporting**: [By using log analytics](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md), build reports that help you gain understanding about user insights, technical challenges, and growth opportunities.
-  - **Health Dashboard**: Create [custom dashboards using Azure Dashboard](/azure/azure-monitor/app/tutorial-app-dashboards) feature, which supports adding charts using Log Analytics queries. For example, identify pattern of successful and failed sign-ins, failure reasons and telemetry about devices used to make the requests.
+  - **Health Dashboard**: Create [custom dashboards using Azure Dashboard](../../azure-monitor/app/overview-dashboard.md#create-custom-kpi-dashboards-using-application-insights) feature, which supports adding charts using Log Analytics queries. For example, identify pattern of successful and failed sign-ins, failure reasons and telemetry about devices used to make the requests.
   - **Abandon Azure AD B2C journeys**: Use the [workbook](https://github.com/azure-ad-b2c/siem#list-of-abandon-journeys) to track the list of abandoned Azure AD B2C journeys where user started the sign-in or sign-up journey but never finished it. It provides you details about policy ID and breakdown of steps that are taken by the user before abandoning the journey.
-  - **Azure AD B2C monitoring workbooks**: Use the [monitoring workbooks](https://github.com/azure-ad-b2c/siem) that include Azure AD B2C dashboard, Multi-factor authentication (MFA) operations, Conditional Access report, and Search logs by correlationId. This practice provides better insights into the health of your Azure AD B2C environment.
+  - **Azure AD B2C monitoring workbooks**: Use the [monitoring workbooks](https://github.com/azure-ad-b2c/siem) that include Azure AD B2C dashboard, Multifactor authentication (MFA) operations, Conditional Access report, and Search logs by correlationId. This practice provides better insights into the health of your Azure AD B2C environment.
 
 ## Next steps
 

articles/active-directory/authentication/concept-authentication-passwordless.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 09/15/2022
+ms.date: 10/18/2023
 
 ms.author: justinha
 author: justinha
@@ -23,7 +23,7 @@ Features like multifactor authentication (MFA) are a great way to secure your or
 | --- | --- | --- |
 | Passwordless | Windows 10 Device, phone, or security key | Biometric or PIN |
 
-Each organization has different needs when it comes to authentication. Microsoft global Azure and Azure Government offer the following three passwordless authentication options that integrate with Microsoft Entra ID:
+Each organization has different needs when it comes to authentication. Microsoft Global Azure and Azure Government offer the following three passwordless authentication options that integrate with Microsoft Entra ID:
 
 - Windows Hello for Business
 - Microsoft Authenticator 
@@ -87,7 +87,7 @@ Users can register and then select a FIDO2 security key at the sign-in interface
 
 FIDO2 security keys can be used to sign in to their Microsoft Entra ID or Microsoft Entra hybrid joined Windows 10 devices and get single-sign on to their cloud and on-premises resources. Users can also sign in to supported browsers. FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren't willing or able to use their phone as a second factor.
 
-We have a reference document for which [browsers support FIDO2 authentication with Microsoft Entra ID](fido2-compatibility.md), as well as best practices for developers wanting to [support FIDO2 auth in the applications they develop](../develop/support-fido2-authentication.md).
+We have a reference document for which [browsers support FIDO2 authentication with Microsoft Entra ID](fido2-compatibility.md), and best practices for developers wanting to [support FIDO2 auth in the applications they develop](../develop/support-fido2-authentication.md).
 
 ![Sign in to Microsoft Edge with a security key](./media/concept-authentication-passwordless/concept-web-sign-in-security-key.png)
 
@@ -184,6 +184,14 @@ The following considerations apply:
 
 - Users may not register passwordless credentials within a tenant where they are a guest, the same way that they do not have a password managed in that tenant.  
 
+## Unsupported scenarios
+
+We recommend no more than 20 sets of keys for each passwordless method for any user account. As more keys are added, the user object size increases, and you may notice degradation for some operations. In that case, you should remove unnecessary keys. For more information and the PowerShell cmdlets to query and remove keys, see 
+[Using WHfBTools PowerShell module for cleaning up orphaned Windows Hello for Business Keys](https://support.microsoft.com/topic/using-whfbtools-powershell-module-for-cleaning-up-orphaned-windows-hello-for-business-keys-779d1f3f-bb2d-c495-0f6b-9aeb940eeafb). The topic uses **/UserPrincipalName** optional parameter to query only keys for a specific user. The permissions required are to run as an administrator or the specified user.
+
+When you use PowerShell to create a CSV file with all of the existing keys, carefully identify the keys that you need to keep, and remove those rows from the CSV. Then use the modified CSV with PowerShell to delete the remaining keys to bring the account key count under the limit.
+ 
+It is safe to delete any key reported as "Orphaned"="True" in the CSV. An orphaned key is one for a device that is not longer registered in Entra ID. If removing all Orphans still doesn't bring the User account below the limit it is necessary to look at the "DeviceId" and "CreationTime" columns to identify which keys to target for deletion. Be careful to remove any row in the CSV for keys you want to keep. Keys for any DeviceID corresponding to devices the user actively uses should be removed from the CSV before the deletion step.
 
 ## Choose a passwordless method
 

articles/active-directory/authentication/how-to-mfa-registration-campaign.md

@@ -331,6 +331,11 @@ A nudge won't appear if a user is presented with the [terms of use (ToU)](../con
 
 A nudge won't appear if a user is redirected during sign-in due to [Conditional Access custom controls](../conditional-access/controls.md) settings.
 
+**Are there any plans to discontinue SMS and Voice as methods usable for MFA?**
+
+No, there are no such plans.
+
 ## Next steps
 
 [Enable passwordless sign-in with Microsoft Authenticator](howto-authentication-passwordless-phone.md)
+

articles/active-directory/devices/manage-device-identities.md

@@ -106,6 +106,9 @@ To view or copy BitLocker keys, you need to be the owner of the device or have o
 - Intune Service Administrator
 - Security Administrator
 - Security Reader
+  
+> [!NOTE]
+> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Administrative unit scoped administrators will lose access to BitLocker recovery keys after device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys.
 
 ## View and filter your devices
 

articles/active-directory/fundamentals/licensing.md

@@ -0,0 +1,91 @@
+---
+title: 'Microsoft Entra ID licensing'
+description: This article documents licensing requirements for Microsoft Entra ID features.
+services: active-directory
+documentationcenter: ''
+author: barclayn
+manager: amycolannino
+editor: ''
+ms.service: active-directory
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 09/21/2023
+ms.subservice: hybrid
+ms.author: barclayn
+---
+
+# Microsoft Entra ID licensing
+
+This article discusses Microsoft Entra services' licensing. It is intended for IT decision makers, IT administrators, and IT professionals who are considering Microsoft Entra services for their organizations. This article isn't intended for end users.
+
+>[!IMPORTANT]
+> For licensing information on services not listed here, refer to the service's documentation or the [Azure Active Directory pricing page.](https://azure.microsoft.com/pricing/details/active-directory/)
+
+
+## App provisioning
+
+[!INCLUDE [App provisioning](../includes/licensing-app-provisioning.md)]
+
+## Authentication
+
+[!INCLUDE [Authentication](../includes/licensing-authentication.md)]
+
+## Microsoft Entra Connect
+
+[!INCLUDE [Information about free tier services](../includes/licensing-free-license.md)]
+
+## Microsoft Entra Connect health
+
+[!INCLUDE [Services available in the P1](../includes/licensing-p1-license.md)]
+
+## Microsoft Entra Conditional Access
+
+[!INCLUDE [Microsoft Entra Conditional access](../includes/licensing-conditional-access.md)]
+
+## Microsoft Entra ID Governance
+
+[!INCLUDE [Microsoft Entra ID Governance](../includes/licensing-governance.md)]
+
+## Microsoft Entra ID Protection
+
+[!INCLUDE [Microsoft Entra ID Protection](../includes/licensing-identity-protection.md)]
+
+## Managed identities
+
+[!INCLUDE [Managed identities](../includes/licensing-managed-identities.md)]
+
+## Multi-tenant organizations
+
+[!INCLUDE [Multi-tenant organizations](../includes/licensing-multi-tenant-organizations.md)]
+
+## Microsoft Entra Privileged Identity management
+
+[!INCLUDE [Microsoft Entra Privileged Identity](../includes/licensing-pim.md)]
+
+## Role based access control
+
+[!INCLUDE [Roles based access control](../includes/licensing-role-based-access-control.md)]
+
+### Roles
+
+[!INCLUDE [licensing-roles](../includes/licensing-roles.md)]
+
+## Microsoft Entra reporting and monitoring
+
+[!INCLUDE [Microsoft Entra reporting and monitoring](../includes/licensing-reports-monitoring.md)]
+
+## Microsoft Entra Verified ID
+
+[!INCLUDE [Microsoft Entra Verified ID](../includes/licensing-verified-id.md)]
+
+## Features in preview
+
+[!INCLUDE [features-preview](../includes/licensing-features-preview.md)]
+
+## Next steps
+
+- [Azure AD pricing](https://azure.microsoft.com/pricing/details/active-directory/)
+- [Azure AD B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/)
+- [Microsoft Entra Plans & Pricing](https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing?rtc=1)
+

articles/active-directory/fundamentals/toc.yml

@@ -65,6 +65,8 @@ items:
       href: licensing-whatis-azure-portal.md
     - name: Microsoft Entra ID preview program terms
       href: licensing-preview-terms.md
+    - name: Microsoft Entra ID licensing
+      href: licensing.md
     - name: Sign up for Microsoft Entra ID P1 or P2
       href: get-started-premium.md 
 - name: Quick security wins