Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into 20220315-arc-data-march-release

Author: Mike Ray (Microsoft)

.openpublishing.redirection.active-directory.json

@@ -160,6 +160,46 @@
       "redirect_url": "/azure/active-directory/develop/workload-identity-federation-create-trust",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/workload-identities-overview.md",
+      "redirect_url": "/azure/active-directory/workload-identities/workload-identities-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/workload-identities-faqs.md",
+      "redirect_url": "/azure/active-directory/workload-identities/workload-identities-faqs",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/workload-identity-federation.md",
+      "redirect_url": "/azure/active-directory/workload-identities/workload-identity-federation",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/workload-identity-federation-create-trust.md",
+      "redirect_url": "/azure/active-directory/workload-identities/workload-identity-federation-create-trust",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/workload-identity-federation-create-trust-user-assigned-managed-identity.md",
+      "redirect_url": "/azure/active-directory/workload-identities/workload-identity-federation-create-trust-user-assigned-managed-identity",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/workload-identity-federation-create-trust-gcp.md",
+      "redirect_url": "/azure/active-directory/workload-identities/workload-identity-federation-create-trust-gcp",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/workload-identity-federation-block-using-azure-policy.md",
+      "redirect_url": "/azure/active-directory/workload-identities/workload-identity-federation-block-using-azure-policy",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/workload-identity-federation-considerations.md",
+      "redirect_url": "/azure/active-directory/workload-identities/workload-identity-federation-considerations",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/develop/active-directory-v2-limitations.md",
       "redirect_url": "/azure/active-directory/develop/v2-overview",

articles/active-directory/conditional-access/concept-continuous-access-evaluation-workload.md

@@ -4,7 +4,7 @@ description: Respond to changes to applications with continuous access evaluatio
 
 services: active-directory
 ms.service: active-directory
-ms.subservice: conditional-access
+ms.subservice: workload-identities
 ms.topic: conceptual
 ms.date: 07/22/2022
 

articles/active-directory/conditional-access/workload-identity.md

@@ -4,7 +4,7 @@ description: Protecting workload identities with Conditional Access policies
 
 services: active-directory
 ms.service: active-directory
-ms.subservice: conditional-access
+ms.subservice: workload-identities
 ms.topic: how-to
 ms.date: 01/05/2023
 
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
 
 Conditional Access policies have historically applied only to users when they access apps and services like SharePoint online or the Azure portal. We're now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability Conditional Access for workload identities. 
 
-A [workload identity](../develop/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they:
+A [workload identity](../workload-identities/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they:
 
 - Can’t perform multifactor authentication.
 - Often have no formal lifecycle process.

articles/active-directory/develop/TOC.yml

@@ -62,9 +62,7 @@
         - name: Application model
           href: application-model.md
         - name: Workload identities
-          href: workload-identities-overview.md
-        - name: Workload identities FAQs
-          href: workload-identities-faqs.md
+          href: ../workload-identities/workload-identities-overview.md
         - name: Applications and service principals
           href: app-objects-and-service-principals.md
         - name: How and why apps are added to Azure AD
@@ -162,16 +160,6 @@
               href: howto-handle-samesite-cookie-changes-chrome-browser.md
     - name: Connect
       items:
-        - name: Workload identity federation
-          href: workload-identity-federation.md
-        - name: Configure an app to trust an external identity provider
-          href: workload-identity-federation-create-trust.md
-        - name: Configure a managed identity to trust an external identity provider
-          href: workload-identity-federation-create-trust-user-assigned-managed-identity.md
-        - name: Access identity platform-protected resources from GCP
-          href: workload-identity-federation-create-trust-gcp.md
-        - name: Block creation of federated credentials
-          href: workload-identity-federation-block-using-azure-policy.md
         - name: Exchange AD FS SAML for Microsoft Graph access token
           displayName: exchange, swap, SAML token, OAuth token
           href: v2-saml-bearer-assertion.md
@@ -804,9 +792,7 @@
             - name: Signing key rollover
               href: active-directory-signing-key-rollover.md
             - name: UserInfo endpoint (OIDC)
-              href: userinfo.md
-            - name: Federated identity credentials considerations and limitations
-              href: workload-identity-federation-considerations.md
+              href: userinfo.md            
         - name: SAML 2.0
           items:
             - name: How Azure AD uses the SAML protocol

articles/active-directory/develop/console-quickstart-portal-nodejs.md

@@ -61,8 +61,8 @@ ms.custom: mode-api
 > ##### Global tenant administrator
 > 
 > If you are a global administrator, go to **API Permissions** page select **Grant admin consent for > Enter_the_Tenant_Name_Here**
-> > > [!div id="apipermissionspage"]
-> > > [Go to the API Permissions page]()
+> > [!div id="apipermissionspage"]
+> > [Go to the API Permissions page]()
 > 
 > ##### Standard user
 > 

articles/active-directory/develop/developer-glossary.md

@@ -8,14 +8,14 @@ manager: CelesteDG
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
-ms.date: 05/28/2022
+ms.date: 03/15/2023
 ms.author: ryanwi
-ms.reviewer: mmacy
+ms.reviewer: 
 ---
 
 # Glossary: Microsoft identity platform
 
-You'll see these terms when you use our documentation, the Azure portal, our authentication libraries, and the Microsoft Graph API. Some terms are Microsoft-specific while others are related to protocols like OAuth or other technologies you use with the Microsoft identity platform.
+You see these terms when you use our documentation, the Azure portal, our authentication libraries, and the Microsoft Graph API. Some terms are Microsoft-specific while others are related to protocols like OAuth or other technologies you use with the Microsoft identity platform.
 
 ## Access token
 
@@ -52,7 +52,7 @@ For more information, see [Application and Service Principal Objects][AAD-App-SP
 
 In order to allow an application to integrate with and delegate Identity and Access Management functions to Azure AD, it must be registered with an Azure AD [tenant](#tenant). When you register your application with Azure AD, you're providing an identity configuration for your application, allowing it to integrate with Azure AD and use features like:
 
-- Robust management of Single Sign-On using Azure AD Identity Management and [OpenID Connect][OpenIDConnect] protocol implementation
+- Robust management of single sign-on using Azure AD Identity Management and [OpenID Connect][OpenIDConnect] protocol implementation
 - Brokered access to [protected resources](#resource-server) by [client applications](#client-application), via OAuth 2.0 [authorization server](#authorization-server)
 - [Consent framework](#consent) for managing client access to protected resources, based on resource owner authorization.
 
@@ -222,11 +222,11 @@ One of the endpoints implemented by the [authorization server](#authorization-se
 
 ## User-agent-based client
 
-A type of [client application](#client-application) that downloads code from a web server and executes within a user-agent (for instance, a web browser), such as a single-page application (SPA). Since all code is executed on a device, it is considered a "public" client due to its inability to store credentials privately/confidentially. For more information, see [OAuth 2.0 client types and profiles][OAuth2-Client-Types].
+A type of [client application](#client-application) that downloads code from a web server and executes within a user-agent (for instance, a web browser), such as a single-page application (SPA). Since all code is executed on a device, it's considered a "public" client due to its inability to store credentials privately/confidentially. For more information, see [OAuth 2.0 client types and profiles][OAuth2-Client-Types].
 
 ## User principal
 
-Similar to the way a service principal object is used to represent an application instance, a user principal object is another type of security principal, which represents a user. The Microsoft Graph [User resource type][Graph-User-Resource] defines the schema for a user object, including user-related properties like first and last name, user principal name, directory role membership, etc. This provides the user identity configuration for Azure AD to establish a user principal at run-time. The user principal is used to represent an authenticated user for Single Sign-On, recording [consent](#consent) delegation, making access control decisions, etc.
+Similar to the way a service principal object is used to represent an application instance, a user principal object is another type of security principal, which represents a user. The Microsoft Graph [User resource type][Graph-User-Resource] defines the schema for a user object, including user-related properties like first and last name, user principal name, directory role membership, etc. This provides the user identity configuration for Azure AD to establish a user principal at run-time. The user principal is used to represent an authenticated user for single sign-on, recording [consent](#consent) delegation, making access control decisions, etc.
 
 ## Web client
 

articles/active-directory/develop/workload-identities-overview.md

@@ -4,7 +4,7 @@ description: Workload identity risk in Azure Active Directory Identity Protectio
 
 services: active-directory
 ms.service: active-directory
-ms.subservice: identity-protection
+ms.subservice: workload-identities
 ms.topic: conceptual
 ms.date: 11/10/2022
 
@@ -16,7 +16,7 @@ ms.reviewer: etbasser
 ms.collection: M365-identity-device-management
 ---
 
-# Securing workload identities with Identity Protection
+# Securing workload identities
 
 Azure AD Identity Protection has historically protected users in detecting, investigating, and remediating identity-based risks. We're now extending these capabilities to workload identities to protect applications and service principals.
 

articles/active-directory/identity-protection/concept-workload-identity-risk.md

@@ -0,0 +1,43 @@
+- name: Microsoft Entra Workload Identities documentation
+  href: index.yml
+- name: Overview
+  expanded: true
+  items:
+  - name: What are workload identities?
+    href: workload-identities-overview.md
+  - name: Workload identities FAQs
+    href: workload-identities-faqs.md
+- name: Concepts
+  items:
+      - name: Applications and service principals
+        href: ../develop/app-objects-and-service-principals.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json     
+      - name: Managed identities
+        href: ../managed-identities-azure-resources/overview.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+      - name: Workload identity federation
+        href: workload-identity-federation.md
+      - name: Securing workload identities
+        href: ../identity-protection/concept-workload-identity-risk.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+      - name: Conditional Access for workload identities
+        href: ../conditional-access/workload-identity.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+      - name: Conditional access evaluation for workload identities
+        href: ../conditional-access/concept-continuous-access-evaluation-workload.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+- name: How-to guides
+  items:
+  - name: Connect workloads without managing secrets
+    items:
+      - name: Configure an app to trust an external identity provider
+        href: workload-identity-federation-create-trust.md
+      - name: Configure a managed identity to trust an external identity provider
+        href: workload-identity-federation-create-trust-user-assigned-managed-identity.md
+      - name: Access identity platform-protected resources from GCP
+        href: workload-identity-federation-create-trust-gcp.md
+      - name: Block creation of federated credentials
+        href: workload-identity-federation-block-using-azure-policy.md
+  - name: Create an access review
+    href: ../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+  - name: Manage custom security attributes for an app
+    href: ../manage-apps/custom-security-attributes-apps.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+  - name: Reference
+    items:
+    - name: Federated identity credentials considerations and limitations
+      href: workload-identity-federation-considerations.md