articles/active-directory-b2c/identity-provider-azure-ad-multi-tenant.md
Lines changed: 2 additions & 2 deletions
@@ -9,7 +9,7 @@ manager: CelesteDG
9
9
ms.service: active-directory
10
10
ms.workload: identity
11
11
ms.topic: how-to
12
-
ms.date: 10/21/2021
12
+
ms.date: 02/25/2022
13
13
ms.custom: project-no-code
14
14
ms.author: kengaderdus
15
15
ms.subservice: B2C
@@ -167,7 +167,7 @@ To obtain the values, look at the OpenID Connect discovery metadata for each of
167
167
168
168
Perform these steps for each Azure AD tenant that should be used to sign in:
169
169
170
-
1. Open your browser and go to the OpenID Connect metadata URL for the tenant. Find the **issuer** object and record its value. It should look similar to `https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/.well-known/openid-configuration`.
170
+
1. Open your browser and go to the OpenID Connect metadata URL for the tenant. Find the `issuer` object and record its value. It should look similar to `https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0`.
171
171
1. Copy and paste the value into the **ValidTokenIssuerPrefixes** key. Separate multiple issuers with a comma. An example with two issuers appears in the previous `ClaimsProvider` XML sample.
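Review bot: the corrected issuer value is right, but the sentence should also tell readers to paste it exactly as it appears in the metadata document, tenant GUID and `/v2.0` included, because the key is named `ValidTokenIssuerPrefixes` and is matched by prefix: a shortened value such as `https://login.microsoftonline.com/` would accept tokens issued for any tenant. With `issuer` now in code font, `ValidTokenIssuerPrefixes` on the following line should use code font too for consistency.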
articles/active-directory-b2c/oauth2-error-technical-profile.md
Lines changed: 3 additions & 3 deletions
@@ -9,14 +9,14 @@ manager: CelesteDG
9
9
ms.service: active-directory
10
10
ms.workload: identity
11
11
ms.topic: reference
12
-
ms.date: 01/25/2022
12
+
ms.date: 02/25/2022
13
13
ms.author: kengaderdus
14
14
ms.subservice: B2C
15
15
---
16
16
17
17
# Define an OAuth2 custom error technical profile in an Azure Active Directory B2C custom policy
18
18
19
-
This article describes how to handle an OAuth2 custom error with Azure Active Directory B2C (Azure AD B2C). Use this technical profile if something logic goes wrong within your policy. The technical profile returns error to your OAuth2 or OpenId Connect relying party application.
19
+
This article describes how to handle an OAuth2 custom error with Azure Active Directory B2C (Azure AD B2C). Use this technical profile if something logic goes wrong within your policy. The technical profile returns error to your OAuth2 or OpenId Connect relying party application. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/technical-profiles/oauth2-error) of the OAuth2 custom error technical profile.
20
20
21
21
To handle custom OAuth2 error message:
22
22
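Review bot: the added demo link is fine, but the sentence it extends still reads "if something logic goes wrong" and "returns error to"; while touching the line, change these to "if something goes wrong in your policy logic" and "returns an error to", and spell "OpenID Connect" with the standard capitalization.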
@@ -89,7 +89,7 @@ The CryptographicKeys element contains the following key:
89
89
90
90
## Invoke the technical profile
91
91
92
-
You can call the OAuth2 error technical profile from a user journey, or sub journey. Set the [orchestration step](userjourneys.md#orchestrationsteps) type to `SendClaims` with a reference to your OAuth2 error technical profile.
92
+
You can call the OAuth2 error technical profile from a [user journey](userjourneys.md), or [sub journey](subjourneys.md) (type of `transfer`). Set the [orchestration step](userjourneys.md#orchestrationsteps) type to `SendClaims` with a reference to your OAuth2 error technical profile.
93
93
94
94
If your user journey or sub journey already has another `SendClaims` orchestration step, set the `DefaultCpimIssuerTechnicalProfileReferenceId` attribute to the token issuer technical profile.
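Review bot: the parenthetical "(type of `transfer`)" is ambiguous as written; spell out that the profile can be called from a sub journey whose `Type` attribute is `transfer`, so readers don't take it for a third kind of journey alongside user journey and sub journey.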
articles/active-directory-b2c/session-behavior.md
Lines changed: 46 additions & 11 deletions
@@ -8,7 +8,7 @@ manager: CelesteDG
8
8
ms.service: active-directory
9
9
ms.workload: identity
10
10
ms.topic: how-to
11
-
ms.date: 11/30/2021
11
+
ms.date: 02/25/2022
12
12
ms.custom: project-no-code
13
13
ms.author: kengaderdus
14
14
ms.subservice: B2C
@@ -79,11 +79,12 @@ You can configure the Azure AD B2C session behavior, including:
79
79
-**Application** - This setting allows you to maintain a user session exclusively for an application, independent of other applications. For example, you can use this setting if you want the user to sign in to Contoso Pharmacy regardless of whether the user is already signed into Contoso Groceries.
80
80
-**Policy** - This setting allows you to maintain a user session exclusively for a user flow, independent of the applications using it. For example, if the user has already signed in and completed a multi-factor authentication (MFA) step, the user can be given access to higher-security parts of multiple applications, as long as the session tied to the user flow doesn't expire.
81
81
-**Suppressed** - This setting forces the user to run through the entire user flow upon every execution of the policy.
82
-
-**Keep me signed in (KMSI)** - Extends the session lifetime through the use of a persistent cookie. If this feature is enabled and the user selects it, the session remains active even after the user closes and reopens the browser. The session is revoked only when the user signs out. The KMSI feature only applies to sign-in with local accounts. The KMSI feature takes precedence over the session lifetime.
83
82
84
83
::: zone pivot="b2c-user-flow"
85
84
86
-
To configure the session behavior:
85
+
### Configure the user flow
86
+
87
+
To configure the session behavior in your user flow, follow these steps:
87
88
88
89
1. Sign in to the [Azure portal](https://portal.azure.com).
89
90
1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
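Review bot: this hunk deletes the "Keep me signed in (KMSI)" bullet, and none of the visible added lines reintroduce it; confirm it was moved elsewhere in the article rather than dropped, since the statement that KMSI uses a persistent cookie and takes precedence over the session lifetime is exactly the behavior a reader configuring session expiry needs to know.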
@@ -99,15 +100,49 @@ To configure the session behavior:
99
100
100
101
::: zone pivot="b2c-custom-policy"
101
102
102
-
To change your session behavior and SSO configurations, you add a **UserJourneyBehaviors** element inside of the [RelyingParty](relyingparty.md) element. The **UserJourneyBehaviors** element must immediately follow the **DefaultUserJourney**. Your **UserJourneyBehavors** element should look like this example:
103
+
### Configure the custom policy
104
+
105
+
To configure the session behavior in your custom policy, follow these steps:
106
+
107
+
1. Open the relying party (RP) file, for example *SignUpOrSignin.xml*
108
+
1. If it doesn't already exist, add the following `<UserJourneyBehaviors>` element to the `<RelyingParty>` element. It must be located immediately after `<DefaultUserJourney ReferenceId="UserJourney Id"/>`.
1. Change the value of the `Scope` attribute to one of the possible value: `Suppressed`, `Tenant`, `Application`, or `Policy`. For more information, check out the [RelyingParty](relyingparty.md) reference article.
143
+
1. Set the `SessionExpiryType` element to `Rolling` or `Absolute`. For more information, check out the [RelyingParty](relyingparty.md) reference article.
144
+
1. Set the `SessionExpiryInSeconds` element to a numeric value between 900 seconds (15 minutes) and 86,400 seconds(24 hours). For more information, check out the [RelyingParty](relyingparty.md) reference article.
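Review bot: step 3 reads "one of the possible value" (should be "values"), and step 5 is missing a space in "86,400 seconds(24 hours)". Step 2 says "add the following `<UserJourneyBehaviors>` element", but the rendered hunk jumps from line 108 to line 143, so verify that the XML sample actually sits between step 2 and step 3 in the source file; otherwise the reader is told to add an element that never appears.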
| ACL | Access control list. A list of files or resources that contain information about which users or groups have permission to access those resources or modify those files. |
28
28
| ARN | Azure Resource Notification |
29
-
| ASIM | Azure Sentinel Information Model |
29
+
| Authorization System | CIEM supports AWS accounts, Azure Subscriptions, GCP projects as the Authorization systems |
30
+
| Authorization System Type | Any system which provides the authorizations by assigning the permissions to the identities, resources. CIEM supports AWS, Azure, GCP as the Authorization System Types |
30
31
| Cloud security | A form of cybersecurity that protects data stored online on cloud computing platforms from theft, leakage, and deletion. Includes firewalls, penetration testing, obfuscation, tokenization, virtual private networks (VPN), and avoiding public internet connections. |
31
-
| CASB | Cloud Access Security Broker. Products and services that address security gaps in an organization’s use of cloud services. Designed to protect and control access to data that’s stored in someone else’s systems. Deliver differentiated, cloud-specific capabilities that may not be available as features in traditional security products. They provide a central location for policy and governance concurrently across multiple cloud services. They also provide granular visibility into and control over user activities and sensitive data from both inside and outside the enterprise perimeter, including cloud-to-cloud access. |
32
32
| Cloud storage | A service model in which data is maintained, managed, and backed up remotely. Available to users over a network. |
33
33
| CIAM | Cloud Infrastructure Access Management |
34
34
| CIEM | Cloud Infrastructure Entitlement Management. The next generation of solutions for enforcing least privilege in the cloud. It addresses cloud-native security challenges of managing identity access management in cloud environments. |
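Review bot: the two added rows should follow the glossary's definition style, a term followed by one or more full sentences, and the term column should match the capitalization of neighbouring entries such as "Cloud security" and "Cloud storage"; for example, "Authorization system | A system that grants authorizations by assigning permissions to identities and resources. CIEM supports AWS accounts, Azure subscriptions, and GCP projects." Also visible in the context: "ARN" is expanded as "Azure Resource Notification", but in the AWS context this glossary covers, ARN is the Amazon Resource Name, so that row should be checked.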
@@ -37,9 +37,9 @@ This glossary provides a list of some of the commonly used cloud terms in CloudK
37
37
| CNAPP | Cloud-Native Application Protection. The convergence of cloud security posture management (CSPM), cloud workload protection (CWP), cloud infrastructure entitlement management (CIEM), and cloud applications security broker (CASB). An integrated security approach that covers the entire lifecycle of cloud-native applications. |
38
38
| CSPM | Cloud Security Posture Management. Addresses risks of compliance violations and misconfigurations in enterprise cloud environments. Also focuses on the resource level to identify deviations from best practice security settings for cloud governance and compliance. |
39
39
| CWPP | Cloud Workload Protection Platform |
40
-
| DRI | Data risk index. A comprehensive, integrated representation of data risk. |
41
-
| Data risk management | The process an organization uses when acquiring, storing, transforming, and using its data, from creation to retirement, to eliminate data risk. |
40
+
| Data Collector | Virtual entity which stores the data collection configuration |
42
41
| Delete task | A high-risk task that allows users to permanently delete a resource. |
42
+
| ED | Enterprise directory |
43
43
| Entitlement | An abstract attribute that represents different forms of user permissions in a range of infrastructure systems and business applications.|
44
44
| Entitlement management | Technology that grants, resolves, enforces, revokes, and administers fine-grained access entitlements (that is, authorizations, privileges, access rights, permissions and rules). Its purpose is to execute IT access policies to structured/unstructured data, devices, and services. It can be delivered by different technologies, and is often different across platforms, applications, network components, and devices. |
45
45
| High-risk task | A task in which a user can cause data leakage, service disruption, or service degradation. |
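Review bot: the added "Data Collector" definition ("Virtual entity which stores the data collection configuration") is a fragment without a closing period; suggest "A virtual entity that stores the data collection configuration." The added "ED | Enterprise directory" row gives only the expansion, unlike the surrounding entries, so add a one-sentence definition. Since "DRI" and "Data risk management" are removed here, check that no other CloudKnox article still points readers at a data risk index.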
@@ -51,6 +51,7 @@ This glossary provides a list of some of the commonly used cloud terms in CloudK
51
51
| Identity lifecycle management | Maintain digital identities, their relationships with the organization, and their attributes during the entire process from creation to eventual archiving, using one or more identity life cycle patterns. |
52
52
| IGA | Identity governance and administration. Technology solutions that conduct identity management and access governance operations. IGA includes the tools, technologies, reports, and compliance activities required for identity lifecycle management. It includes every operation from account creation and termination to user provisioning, access certification, and enterprise password management. It looks at automated workflow and data from authoritative sources capabilities, self-service user provisioning, IT governance, and password management. |
53
53
| ITSM | Information Technology Security Management. Tools that enable IT operations organizations (infrastructure and operations managers), to better support the production environment. Facilitate the tasks and workflows associated with the management and delivery of quality IT services. |
54
+
| JEP | Just Enough Permissions |
54
55
| JIT | Just in Time access can be seen as a way to enforce the principle of least privilege to ensure users and non-human identities are given the minimum level of privileges. It also ensures that privileged activities are conducted in accordance with an organization’s Identity Access Management (IAM), IT Service Management (ITSM), and Privileged Access Management (PAM) policies, with its entitlements and workflows. JIT access strategy enables organizations to maintain a full audit trail of privileged activities so they can easily identify who or what gained access to which systems, what they did at what time, and for how long. |
55
56
| Least privilege | Ensures that users only gain access to the specific tools they need to complete a task. |
56
57
| Multi-tenant | A single instance of the software and its supporting infrastructure serves multiple customers. Each customer shares the software application and also shares a single database. |
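Review bot: "JEP | Just Enough Permissions" is an expansion only; add a one-line definition like the neighbouring "JIT" and "Least privilege" rows. Visible in the context: "ITSM" is expanded as "Information Technology Security Management" here, while the JIT entry two rows below calls it "IT Service Management (ITSM)", which is the standard expansion; the ITSM row should be corrected to match.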
@@ -68,7 +69,6 @@ This glossary provides a list of some of the commonly used cloud terms in CloudK
68
69
| Resource | Any entity that uses compute capabilities can be accessed by users and services to perform actions. |
69
70
| Role | An IAM identity that has specific permissions. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A role doesn't have standard long-term credentials such as a password or access keys associated with. |
70
71
| SCIM | System for Cross–domain Identity Management |
71
-
| SCI–M | Security Compliance Identity and Management |
72
72
| SIEM | Security Information and Event Management. Technology that supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards, and reporting). |
73
73
| SOAR | Security orchestration, automation and response (SOAR). Technologies that enable organizations to take inputs from various sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures. These workflows can be orchestrated via integrations with other technologies and automated to achieve the desired outcome and greater visibility. Other capabilities include case and incident management features; the ability to manage threat intelligence, dashboards and reporting; and analytics that can be applied across various functions. SOAR tools significantly enhance security operations activities like threat detection and response by providing machine-powered assistance to human analysts to improve the efficiency and consistency of people and processes. |
74
74
| Super user / Super identity | A powerful account used by IT system administrators that can be used to make configurations to a system or application, add or remove users, or delete data. |
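Review bot: dropping the duplicate "SCI–M" row is right; while here, the remaining SCIM row uses an en dash in "Cross–domain", which should be a plain hyphen ("Cross-domain").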
@@ -79,4 +79,4 @@ This glossary provides a list of some of the commonly used cloud terms in CloudK
79
79
80
80
## Next steps
81
81
82
-
- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md).
82
+
- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md).
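Review bot: the removed and added lines in this hunk render identically; if this is only a whitespace or line-ending change that is fine, but if a wording change was intended it did not land.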
articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-aws.md
Lines changed: 6 additions & 1 deletion
@@ -8,7 +8,7 @@ ms.service: active-directory
8
8
ms.subservice: ciem
9
9
ms.workload: identity
10
10
ms.topic: how-to
11
-
ms.date: 02/23/2022
11
+
ms.date: 02/24/2022
12
12
ms.author: v-ydequadros
13
13
---
14
14
@@ -26,6 +26,11 @@ This article describes how to onboard an Amazon Web Services (AWS) account on Cl
26
26
> [!NOTE]
27
27
> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable CloudKnox on your Azure Active Directory tenant](cloudknox-onboard-enable-tenant.md).
28
28
29
+
## Prerequisites
30
+
31
+
- To enable the CloudKnox **Feature highlights** tile in the Azure AD portal, [select this link to run the script in your browser](https://aka.ms/ciem-prod).
32
+
- To use the CloudKnox public preview, we encourage you to fill out a consent form that provides other terms and conditions for the public preview product. To open the form, select [CloudKnox Permissions Management Public Preview: Terms and Conditions](https://aka.ms/ciem-terms).
33
+
29
34
## Onboard an AWS account
30
35
31
36
1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches:
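Review bot: the new prerequisite "select this link to run the script in your browser" points at a short link (https://aka.ms/ciem-prod) without saying what the script does, what it changes in the tenant, or which role it requires; add a sentence stating that so an administrator can assess it before running it. The note just above limits these tasks to a global administrator or super admin, so state whether the script needs the same role.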
articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-azure.md
Lines changed: 9 additions & 2 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
8
8
ms.subservice: ciem
9
9
ms.workload: identity
10
10
ms.topic: how-to
11
-
ms.date: 02/23/2022
11
+
ms.date: 02/24/2022
12
12
ms.author: v-ydequadros
13
13
---
14
14
@@ -31,8 +31,15 @@ This article describes how to onboard a Microsoft Azure subscription or subscrip
31
31
To add CloudKnox to your Azure AD tenant:
32
32
- You must have an Azure AD user account and an Azure command-line interface (Azure CLI) on your system, or an Azure subscription. If you don't already have one, [create a free account](https://azure.microsoft.com/free/).
33
33
- You must have **Microsoft.Authorization/roleAssignments/write** permission at the subscription or management group scope to perform these tasks. If you don't have this permission, you can ask someone who has this permission to perform these tasks for you.
34
+
- To enable the CloudKnox **Feature highlights** tile in the Azure AD portal, [select this link to run the script in your browser](https://aka.ms/ciem-prod).
35
+
- To use the CloudKnox public preview, we encourage you to fill out a consent form that provides other terms and conditions for the public preview product. To open the form, select [CloudKnox Permissions Management Public Preview: Terms and Conditions](https://aka.ms/ciem-terms).
34
36
35
-
## Onboard an Azure subscription
37
+
## View a training video on enabling CloudKnox
38
+
39
+
To view a video on how to enable CloudKnox in your Azure AD tenant, select
40
+
[Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).
41
+
42
+
## How to onboard an Azure subscription
36
43
37
44
1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches:
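Review bot: renaming the heading from "Onboard an Azure subscription" to "How to onboard an Azure subscription" changes its anchor, so any links to `#onboard-an-azure-subscription` from other articles will break; keep the original heading or update those links. The two prerequisite bullets (the "Feature highlights" script and the consent form) are duplicated verbatim from cloudknox-onboard-aws.md, so consider a shared include to keep them in sync, and the same question applies here about what the script at https://aka.ms/ciem-prod does. Also, the sentence ending in "select" before the video link reads as cut off; keep the link text on the same line.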