Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into del-samples

Author: asudbring

articles/active-directory/authentication/howto-mfa-mfasettings.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 05/17/2023
+ms.date: 05/30/2023
 
 ms.author: justinha
 author: justinha
@@ -78,14 +78,14 @@ To unblock a user, complete the following steps:
 
 ## Report suspicious activity
 
-A preview of **Report Suspicious Activity**, the updated MFA **Fraud Alert** feature, is now available. When an unknown and suspicious MFA prompt is received, users can report the fraud attempt by using Microsoft Authenticator or through their phone. These alerts are integrated with [Identity Protection](../identity-protection/overview-identity-protection.md) for more comprehensive coverage and capability. 
+**Report suspicious activity**, the updated **MFA Fraud Alert** feature, is now available. When an unknown and suspicious MFA prompt is received, users can report the fraud attempt by using Microsoft Authenticator or through their phone. These alerts are integrated with [Identity Protection](../identity-protection/overview-identity-protection.md) for more comprehensive coverage and capability. 
 
 Users who report an MFA prompt as suspicious are set to **High User Risk**. Administrators can use risk-based policies to limit access for these users, or enable self-service password reset (SSPR) for users to remediate problems on their own. If you previously used the **Fraud Alert** automatic blocking feature and don't have an Azure AD P2 license for risk-based policies, you can use risk detection events to identify and disable impacted users and automatically prevent their sign-in. For more information about using risk-based policies, see [Risk-based access policies](../identity-protection/concept-identity-protection-policies.md).  
 
-To enable **Report Suspicious Activity** from the Authentication Methods Settings:   
+To enable **Report suspicious activity** from the Authentication Methods Settings:   
 
 1. In the Azure portal, click **Azure Active Directory** > **Security** > **Authentication Methods** > **Settings**. 
-1. Set **Report Suspicious Activity** to **Enabled**. 
+1. Set **Report suspicious activity** to **Enabled**. 
 1. Select **All users** or a specific group. 
 
 ### View suspicious activity events 
@@ -104,9 +104,9 @@ Once a user has reported a prompt as suspicious, the risk should be investigated
 
 ### Report suspicious activity and fraud alert 
 
-**Report Suspicious Activity** and the legacy **Fraud Alert** implementation can operate in parallel. You can keep your tenant-wide **Fraud Alert** functionality in place while you start to use **Report Suspicious Activity** with a targeted test group. 
+**Report suspicious activity** and the legacy **Fraud Alert** implementation can operate in parallel. You can keep your tenant-wide **Fraud Alert** functionality in place while you start to use **Report suspicious activity** with a targeted test group. 
 
-If **Fraud Alert** is enabled with Automatic Blocking, and **Report Suspicious Activity** is enabled, the user will be added to the blocklist and set as high-risk and in-scope for any other policies configured. These users will need to be removed from the blocklist and have their risk remediated to enable them to sign in with MFA. 
+If **Fraud Alert** is enabled with Automatic Blocking, and **Report suspicious activity** is enabled, the user will be added to the blocklist and set as high-risk and in-scope for any other policies configured. These users will need to be removed from the blocklist and have their risk remediated to enable them to sign in with MFA. 
 
 ## Notifications
 

articles/active-directory/reports-monitoring/concept-usage-insights-report.md

@@ -8,59 +8,96 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 01/10/2023
+ms.date: 05/30/2023
 ms.author: sarahlipsey
-ms.reviewer: besiler
+ms.reviewer: madansr7
 ---
 
 # Usage and insights in Azure Active Directory
 
-With the Azure Active Directory (Azure AD) **Usage and insights** reports, you can get an application-centric view of your sign-in data. Usage & insights also includes a report on authentication methods activity. You can find answers to the following questions:
+With the Azure Active Directory (Azure AD) **Usage and insights** reports, you can get an application-centric view of your sign-in data. Usage & insights includes a report on authentication methods, service principal sign-ins, and application credential activity. You can find answers to the following questions:
 
-*	What are the top used applications in my organization?
-*	What applications have the most failed sign-ins? 
-*	What are the top sign-in errors for each application?
+* What are the top used applications in my organization?
+* What applications have the most failed sign-ins? 
+* What are the top sign-in errors for each application?
+* What was the date of the last sign-in for an application?
 
-This article provides an overview of three reports that look sign-in data. 
+## Prerequisites
 
-## Access Usage & insights 
-
-Accessing the data from Usage and insights requires:
+To access the data from Usage and insights you must have:
 
 * An Azure AD tenant
 * An Azure AD premium (P1/P2) license to view the sign-in data
-* A user in the Global Administrator, Security Administrator, Security Reader, or Reports Reader roles.
+* A user in the Reports Reader, Security Reader, Security Administrator, or Global Administrator role.
+
+## Access Usage and insights 
+
+You can access the Usage and insights reports from the Azure portal and using Microsoft Graph.
 
-To access Usage & insights:
+### To access Usage & insights in the portal:
 
 1. Sign in to the [Azure portal](https://portal.azure.com) using the appropriate least privileged role.
 1. Go to **Azure Active Directory** > **Usage & insights**.
 
-The **Usage & insights** report is also available from the **Enterprise applications** area of Azure AD. All users can access their own sign-ins at the [My Sign-Ins portal](https://mysignins.microsoft.com/security-info).
+The **Usage & insights** reports are also available from the **Enterprise applications** area of Azure AD. All users can access their own sign-ins at the [My Sign-Ins portal](https://mysignins.microsoft.com/security-info).
 
-## View the Usage & insights reports
+### To access Usage & insights using Microsoft Graph:
 
-There are currently three reports available in Azure AD Usage & insights. All three reports use sign-in data to provide helpful information an application usage and authentication methods.
+The reports can be viewed and managed using Microsoft Graph on the `/beta` endpoint in Graph Explorer.
 
-### Azure AD application activity (preview)
+1. Sign in to [Graph Explorer](https://aka.ms/ge).
+1. Select **GET** as the HTTP method from the dropdown.
+1. Set the API version to **beta**.
+
+Refer to the section on each report in this article for the specific objects and parameters to include. For more information, see the [Microsoft Graph documentation for Identity and access reports](/graph/api/resources/report-identity-access).
+
+## Azure AD application activity (preview)
 
 The **Azure AD application activity (preview)** report shows the list of applications with one or more sign-in attempts. Any application activity during the selected date range appears in the report. The report allows you to sort by the number of successful sign-ins, failed sign-ins, and the success rate.
 
 It's possible that activity for a deleted application may appear in the report if the activity took place during the selected date range and before the application was deleted. Other scenarios could include a user attempting to sign in to an application that doesn't have a service principal associated with the app. For these types of scenarios, you may need to review the audit logs or sign-in logs to investigate further.
 
-Select the **View sign in activity** link for an application to view more details. The sign-in graph per application counts interactive user sign-ins. The details of any sign-in failures appears below the table. 
+To view the details of the sign-in activity for an application, select the **View sign-in activity** link for the application.
 
 ![Screenshot shows Usage and insights for Application activity where you can select a range and view sign-in activity for different apps.](./media/concept-usage-insights-report/usage-insights-overview.png)
 
-Select a day in the application usage graph to see a detailed list of the sign-in activities for the application. This detailed list is actually the sign-in log with the filter set to the selected application and date.
+The sign-in activity graph uses interactive user sign-ins. Select a day in the application usage graph to see a detailed list of the sign-in activities for the application. This detailed list is actually the sign-in log with the filter set to the selected application and date. The details of any sign-in failures appear below the table. 
 
 ![Screenshot of the sign-in activity details for a selected application.](./media/concept-usage-insights-report/application-activity-sign-in-detail.png)
 
-### AD FS application activity
+### Application activity using Microsoft Graph
+
+You can view the `applicationSignInSummary` or `applicationSignInDetailedSummary` of Azure AD application activity with Microsoft Graph. 
+
+Add the following query to view the **sign-in summary**, then select the **Run query** button.
+
+   ```http
+   GET https://graph.microsoft.com/beta/reports/getAzureADApplicationSignInSummary(period='{period}')
+   ```
+
+Add the following query to view the **sign-in details**, then select the **Run query** button.
+
+   ```http
+   GET https://graph.microsoft.com/beta/reports/applicationSignInDetailedSummary/{id}
+   ```
+
+For more information, see [Application sign-in in Microsoft Graph](/graph/api/resources/applicationsigninsummary?view=graph-rest-beta&preserve-view=true).
+
+## AD FS application activity
 
 The **AD FS application activity** report in Usage & insights lists all Active Directory Federated Services (AD FS) applications in your organization that have had an active user login to authenticate in the last 30 days. These applications have not been migrated to Azure AD for authentication.
 
-### Authentication methods activity
+Viewing the AD FS application activity using Microsoft Graph retrieves a list of the `relyingPartyDetailedSummary` objects, which identifies the relying party to a particular Federation Service.
+
+Add the following query, then select the **Run query** button.
+
+   ```http
+   GET https://graph.microsoft.com/beta/reports/getRelyingPartyDetailedSummary
+   ```
+
+For more information, see [AD FS application activity in Microsoft Graph](/graph/api/resources/relyingpartydetailedsummary?view=graph-rest-beta&preserve-view=true).
+
+## Authentication methods activity
 
 The **Authentication methods activity** in Usage & insights displays visualizations of the different authentication methods used by your organization. The **Registration tab** displays statistics of users registered for each of your available authentication methods. Select the **Usage** tab at the top of the page to see actual usage for each authentication method. 
 
@@ -72,6 +109,108 @@ Looking for the details of a user and their authentication methods? Look at the
 
 Looking for the status of an authentication registration or reset event of a user? Look at the **Registration and reset events** report from the side menu and then search for a name or UPN. You'll be able to see the method used to attempt to register or reset an authentication method.
 
+## Service principal sign-in activity (preview)
+
+The Service principal sign-in activity (preview) report provides the last activity date for every service principal. The report provides you information on the usage of the service principal - whether it was used as a client or resource app and whether it was used in an app-only or delegated context. The report shows the last time the service principal was used.
+
+[ ![Screenshot of the service principal sign-in activity report.](./media/concept-usage-insights-report/service-principal-sign-ins.png) ](./media/concept-usage-insights-report/service-principal-sign-ins.png#lightbox)
+
+Select the **View more details** link to locate the client and object IDs for the application as well as specific service principal sign-in activity.
+
+[ ![Screenshot of the service principal sign-in activity details.](./media/concept-usage-insights-report/service-principal-sign-in-activity-details.png) ](./media/concept-usage-insights-report/service-principal-sign-in-activity-details.png#lightbox)
+
+### Service principal sign-in activity using Microsoft Graph
+
+The `servicePrincipalSignInActivity` reports can be viewed using Microsoft Graph in Graph Explorer.
+
+Add the following query to retrieve the service principal sign-in activity, then select the **Run query** button.
+
+```http
+GET https://graph.microsoft.com/beta/reports/servicePrincipalSignInActivities/{id}
+```
+
+The following is an example of the response:
+
+```json
+{
+     "@odata.context": "https://graph.microsoft.com/beta/$metadata#reports/servicePrincipalSignInActivities",
+     "id": "ODNmNDUyOTYtZmI4Zi00YWFhLWEzOTktYWM1MTA4NGUwMmI3",
+     "appId": "83f45296-fb8f-4aaa-a399-ac51084e02b7",    
+     "delegatedClientSignInActivity": {
+          "lastSignInDateTime": "2021-01-01T00:00:00Z",
+          "lastSignInRequestId": "2d245633-0f48-4b0e-8c04-546c2bcd61f5"
+     },
+     "delegatedResourceSignInActivity": {
+          "lastSignInDateTime": "2021-02-01T00:00:00Z",
+          "lastSignInRequestId": "d2b4c623-f930-42b5-9519-7851ca604b16"
+     },
+     "applicationAuthenticationClientSignInActivity": {
+          "lastSignInDateTime": "2021-03-01T00:00:00Z",
+          "lastSignInRequestId": "b71f24ec-f212-4306-b2ae-c229e15805ea"
+     },
+     "applicationAuthenticationResourceSignInActivity": {
+          "lastSignInDateTime": "2021-04-01T00:00:00Z",
+          "lastSignInRequestId": "53e6981f-2272-4deb-972c-c8272aca986d"
+     },
+     "lastSignInActivity": {
+          "lastSignInDateTime": "2021-04-01T00:00:00Z",
+          "lastSignInRequestId": "cd9733e8-d75a-468f-a63d-6e82bd48c05e"
+     }
+}
+```
+
+For more information, see [List service principal activity in Microsoft Graph](/graph/api/reportroot-list-serviceprincipalsigninactivities?view=graph-rest-beta&preserve-view=true).
+
+## Application credential activity (preview)
+
+The Application credential activity (preview) report provides the last credential activity date for every application credential. The report provides the credential type (certificate or client secret), the last used date, and the expiration date. With this report you can view the expiration dates of all your applications in one place. 
+
+To view the details of the application credential activity, select the **View more details** link. These details include the application object, service principal, and resource IDs. You can also see if the credential origin is the application or the service principal. 
+
+[ ![Screenshot of the app credential activity report.](media/concept-usage-insights-report/app-credential-activity.png) ](media/concept-usage-insights-report/app-credential-activity.png#lightbox)
+
+When you select the **View more details** link, you can see the application object ID and resource ID, in addition to the details visible in the report.
+
+[ ![Screenshot of the app credential activity details.](media/concept-usage-insights-report/app-credential-activity-details.png) ](media/concept-usage-insights-report/app-credential-activity-details.png#lightbox)
+
+### Application credential activity using Microsoft Graph
+
+Application credential activity can be viewed and managed using Microsoft Graph on the `/beta` endpoint. You can get the application credential sign-in activity by entity `id`, `keyId`, and `appId` .
+
+To get started, follow these instructions to work with `appCredentialSignInActivity` using Microsoft Graph in Graph Explorer.
+
+1. Sign in to [Graph Explorer](https://aka.ms/ge).
+1. Select **GET** as the HTTP method from the dropdown.
+1. Set the API version to **beta**.
+1. Add the following query to retrieve recommendations, then select the **Run query** button.
+
+    ```http
+    GET https://graph.microsoft.com/beta/reports/appCredentialSignInActivities/{id}
+    ```
+The following is an example of the response:
+
+```json
+{
+ "@odata.type": "#microsoft.graph.appCredentialSignInActivity",
+ "id": "ODNmNDUyOTYtZmI4Zi00YWFhLWEzOTktYWM1MTA4NGUwMmI3fGFwcGxpY2F0aW9u",
+ "keyId": "83f45296-fb8f-4aaa-a399-ac51084e02b7",
+ "keyType": "certificate",
+ "keyUsage": "sign",
+ "appId": "f4d9654f-0305-4072-878c-8bf266dfe146",
+ "appObjectId": "6920caa5-1cae-4bc8-bf59-9c0b8495d240",
+ "servicePrincipalObjectId": "cf533854-9fb7-4c01-9c0e-f68922ada8b6",
+ "resourceId": "a89dc091-a671-4da4-9fcf-3ef06bdf3ac3",
+ "credentialOrigin": "application",
+ "expirationDate": "2021-04-01T21:36:48-8:00",
+ "signInActivity": {
+     "lastSignInDateTime": "2021-04-01T00:00:00-8:00",
+     "lastSignInRequestId": "b0a282a3-68ec-4ec8-aef0-290ed4350271"
+ }
+}   
+```
+
+For more information, see [Application credential activity in Microsoft Graph](/graph/api/resources/appcredentialsigninactivity?view=graph-rest-beta&preserve-view=true).
+
 ## Next steps
 
 - [Learn about the sign-ins report](concept-sign-ins.md)

articles/active-directory/reports-monitoring/media/concept-usage-insights-report/app-credential-activity-details.png

@@ -7,6 +7,14 @@ ms.date: 04/18/2023
 # What's new in Azure Advisor?
 
 Learn what's new in the service. These items may be release notes, videos, blog posts, and other types of information. Bookmark this page to stay up to date with the service.
+## May 2023
+### Service retirement workbook
+
+It is important to be aware of the upcoming Azure service and feature retirements to understand their impact on your workloads and plan migration. The [Service Retirement workbook](https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/workbooks) provides a single centralized resource level view of service retirements and helps you assess impact, evaluate options, and plan migration. 
+The workbook includes 35 services and features planned for retirement. You can view planned retirement dates, list and map of impacted resources and get information to make the necessary actions.
+
+To learn more, visit [Prepare migration of your workloads impacted by service retirements](advisor-how-to-plan-migration-workloads-service-retirement.md).
+
 ## April 2023
 
 ### VM/VMSS right-sizing recommendations with custom lookback period

articles/active-directory/reports-monitoring/media/concept-usage-insights-report/app-credential-activity.png

@@ -48,6 +48,8 @@
     href: advisor-security-recommendations.md
   - name: Improve reliability  
     href: advisor-how-to-improve-reliability.md
+  - name: Plan migration of workloads impacted by services retirement
+    href: advisor-how-to-plan-migration-workloads-service-retirement.md
   - name: Improve the performance of highly used VMs
     href: advisor-how-to-performance-resize-high-usage-vm-recommendations.md
   - name: Use tags to filter recommendations and score