articles/active-directory/reports-monitoring/overview-recommendations.md
Lines changed: 25 additions & 32 deletions
@@ -74,47 +74,40 @@ The **Action plan** provides step-by-step instructions to implement a recommenda
74
74
75
75
## Roles and licenses
76
76
77
-
The following roles provide *read-only* access to recommendations:
78
-
79
-
- Reports Reader
80
-
- Security Reader
81
-
- Global Reader
82
-
83
-
The following roles provide *update and read-only* access to recommendations:
84
-
85
-
- Security Administrator
86
-
- Security Operator
87
-
- Cloud apps Administrator
88
-
- Apps Administrator
89
-
- Global Administrator
77
+
| Azure AD role | Access type |
78
+
|---- |---- |
79
+
| Reports Reader | Read-only |
80
+
| Security Reader | Read-only |
81
+
| Global Reader | Read-only |
82
+
| Cloud apps Administrator | Update and read |
83
+
| Apps Administrator | Update and read |
84
+
| Security Operator | Update and read |
85
+
| Security Administrator | Update and read |
90
86
91
87
The Azure AD recommendations feature is automatically enabled. If you'd like to disable this feature, go to **Azure AD** > **Preview features**. Locate the **Recommendations** feature, and change the **State**.
92
88
93
89
Azure AD only displays the recommendations that apply to your tenant, so you may not see all supported recommendations listed. Currently, all recommendations are available in all tenants, regardless of the license type.
94
90
95
-
### Recommendations available for all Azure AD tenants
96
-
97
-
The recommendations listed in the following table are available to all Azure AD tenants, regardless of license type. The table provides the impacted resources and links to available documentation.
|[Convert per-user MFA to Conditional Access MFA](recommendation-turn-off-per-user-mfa.md)| Users | Generally available |
102
-
|[Migrate applications from AD FS to Azure AD](recommendation-migrate-apps-from-adfs-to-azure-ad.md)| Users | Generally available |
103
-
|[Migrate to Microsoft Authenticator](recommendation-migrate-to-authenticator.md)| Users | Preview |
104
-
|[Minimize MFA prompts from known devices](recommendation-migrate-apps-from-adfs-to-azure-ad.md)| Users | Generally available |
91
+
### Recommendation availability and license requirements
105
92
106
-
### Recommendations available specific licenses
93
+
The recommendations listed in the following table are currently available as a public preview or general availability. The license requirements for recommendations in public preview are subject to change. The table provides the impacted resources and links to available documentation.
107
94
108
-
The recommendations listed in the following table are currently available to Azure AD tenants with a P2 license (subject to change).
|[Convert per-user MFA to Conditional Access MFA](recommendation-turn-off-per-user-mfa.md)| Users | All licenses | Generally available |
98
+
|[Migrate applications from AD FS to Azure AD](recommendation-migrate-apps-from-adfs-to-azure-ad.md)| Applications | All licenses | Generally available |
99
+
|[Migrate to Microsoft Authenticator](recommendation-migrate-to-authenticator.md)| Users | All licenses | Preview |
100
+
|[Minimize MFA prompts from known devices](recommendation-migrate-apps-from-adfs-to-azure-ad.md)| Users | All licenses | Generally available |
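Review bot: The new role table under "Roles and licenses" drops Global Administrator, which the removed list named among the roles with update and read-only access; if that role can still update recommendations, add a `| Global Administrator | Update and read |` row, otherwise note the reason for removing it. In the last table row, "Minimize MFA prompts from known devices" still links to recommendation-migrate-apps-from-adfs-to-azure-ad.md, the same target as the AD FS row, so the link looks copied and should point at that recommendation's own article. The unchanged sentence saying all recommendations are available in all tenants regardless of license type also reads oddly next to the new "license requirements" heading and column; reconcile the two.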
articles/active-directory/reports-monitoring/recommendation-remove-unused-apps.md
Lines changed: 11 additions & 15 deletions
@@ -20,17 +20,11 @@ This article covers the recommendation to investigate unused applications. This
20
20
21
21
## Description
22
22
23
-
Applications registered with your tenant require permissions to access resources and services. These permissions could be misused if applications are registered but not actively used.
24
-
25
-
Application credentials, which are used to get a token that grants access to a resource or another service. Only applications actively used in your tenant should be registered.
26
-
27
23
This recommendation shows up if your tenant has applications that haven't been used in more than 30 days, so haven't been issued any tokens. Applications or service principals that were added but never used will show up as unused apps, which will also trigger this recommendation.
28
24
29
-

30
-
31
25
## Value
32
26
33
-
Removing unused applications improves the security posture and promotes good application hygiene. It reduces the risk of application compromise by someone discovering an unused application and misuse it to get tokens. Depending on the permissions granted to the application and the resources that it exposes, an application compromise could expose sensitive data in an organization.
27
+
Removing unused applications improves the security posture and promotes good application hygiene. It reduces the risk of application compromise by someone discovering an unused application and misusing it to get tokens. Depending on the permissions granted to the application and the resources that it exposes, an application compromise could expose sensitive data in an organization.
34
28
35
29
## Action plan
36
30
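Review bot: The Description section loses both paragraphs that explained why registered but unused applications are a risk, and now opens directly with the trigger condition, leaving the rationale only under Value. Consider keeping one sentence in Description, for example the removed "These permissions could be misused if applications are registered but not actively used." The grammar fix from "misuse it" to "misusing it" in Value is correct.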
@@ -39,16 +33,18 @@ Removing unused applications improves the security posture and promotes good app
39
33
40
34
## Known limitations
41
35
42
-
The time frame for application usage that triggers this recommendation cannot be customized.
36
+
Take note of the following common scenarios or known limitations of the "Remove unused applications" recommendation.
37
+
38
+
* The time frame for application usage that triggers this recommendation cannot be customized.
43
39
44
-
The following apps will not show up as a part of this recommendation:
45
-
- Microsoft-owned applications
46
-
- Password single sign-on
47
-
- Linked single sign-on
48
-
- App proxy
49
-
- Add-in apps
40
+
*The following apps will not show up as a part of this recommendation, but are currently under review for future enhancements:
41
+
- Microsoft-owned applications
42
+
- Password single sign-on
43
+
- Linked single sign-on
44
+
- App proxy
45
+
- Add-in apps
50
46
51
-
This recommendation currently surfaces applications that were created within the past 30 days *and* shows as unused. Updates to the recommendation to filter out newly-created apps so that they can complete a full cycle are in progress.
47
+
*This recommendation currently surfaces applications that were created within the past 30 days *and* shows as unused. Updates to the recommendation to filter out newly-created apps so that they can complete a full cycle are in progress.
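Review bot: Two of the new bullets under "Known limitations" start with `*` and no following space ("*The following apps ..." and "*This recommendation currently ..."), unlike the first bullet, which uses `* `. Without the space these lines are not list items, and in the last line the leading asterisk can pair with the `*and*` emphasis and garble the rendering. Add the space after each leading asterisk, and indent the five `- ` items so they nest under "The following apps ..." instead of forming a separate list.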
articles/active-directory/reports-monitoring/recommendation-renew-expiring-application-credential.md
Lines changed: 1 addition & 1 deletion
@@ -40,7 +40,7 @@ Renewing the app credential(s) before its expiration ensures the application con
40
40
41
41
## Known limitations
42
42
43
-
When looking for the application with the credential that needs to be rotated, only the app name is used. The services doesn't have the ability to show the resource ID for the app.
43
+
When looking for the application with the credential that needs to be rotated, only the app name is used. The service doesn't have the ability to show the resource ID for the app.
articles/active-directory/reports-monitoring/recommendation-renew-expiring-service-principal-credential.md
Lines changed: 2 additions & 2 deletions
@@ -25,8 +25,6 @@ An Azure Active Directory (Azure AD) service principal is the local representati
25
25
26
26
This recommendation shows up if your tenant has service principals with credentials that will expire soon.
27
27
28
-

29
-
30
28
## Value
31
29
32
30
Renewing the service principal credential(s) before expiration ensures the application continues to function and reduces the possibility of downtime due to an expired credential.
@@ -36,10 +34,12 @@ Renewing the service principal credential(s) before expiration ensures the appli
36
34
1. Navigate to **Azure AD** > **Enterprise applications**.
37
35
- The status of the service principal appears in the **Certificate Expiry Status** column.
38
36
- Use the search box at the top of the list to find the service principal that was listed in the recommendation.
37
+
39
38

40
39
41
40
1. Select the service principal with the credential that needs to be rotated, then select **Single sign-on** from the side menu.
42
41
1. Edit the **SAML signing certificate** section and follow the prompts to add a new certificate.
42
+
43
43

44
44
45
45
1. After adding the certificate, change its properties to make the certificate active. This will make the other certificate inactive.
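Review bot: The blank lines added at new lines 37 and 42 fall inside an ordered list whose steps are all numbered `1.`; unless the content on new lines 38 and 43 is indented to the list level, the renderer ends the list at the blank line and the step numbering restarts. Check the rendered preview and indent those lines if the numbering breaks.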