Merge pull request #241843 from MicrosoftDocs/main

6/16/2023 PM Publish

Author: Taojunshen

articles/active-directory/cloud-infrastructure-entitlement-management/TOC.yml

@@ -1,9 +1,9 @@
-  - name: Permissions Management
+  - name: Microsoft Entra Permissions Management
     href: index.yml
   - name: Overview
     expanded: true
     items:
-      - name: What's Permissions Management?
+      - name: What's Microsoft Entra Permissions Management?
         href: overview.md       
   - name: How-to guides
     expanded: true

articles/active-directory/cloud-infrastructure-entitlement-management/index.yml

@@ -1,10 +1,10 @@
 ### YamlMime:Landing
 
-title: Permissions Management
-summary: Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities (users and workloads),  actions, and resources across cloud infrastructures. It detects, right-sizes, and monitors unused and excessive permissions and enables Zero Trust security through least privilege access in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
+title: Microsoft Entra Permissions Management
+summary: Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities (users and workloads),  actions, and resources across cloud infrastructures. It detects, right-sizes, and monitors unused and excessive permissions and enables Zero Trust security through least privilege access in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
 
 metadata:
-  title: Permissions Management
+  title: Microsoft Entra Permissions Management
   description: Learn how to use Permissions Management and Cloud Infrastructure Entitlement Management (CIEM)
   services: active-directory
   author: jenniferf-skc
@@ -13,7 +13,7 @@ metadata:
   ms.subservice: ciem
   ms.workload: identity
   ms.topic: landing-page
-  ms.date: 03/09/2022
+  ms.date: 06/16/2023
   ms.author: jfields
 
 
@@ -24,7 +24,7 @@ landingContent:
 # Cards and links should be based on top customer tasks or top subjects
 # Start card title with a verb
   # Card
-  - title: What's Permissions Management?
+  - title: What's Microsoft Entra Permissions Management?
     linkLists:
       - linkListType: overview
         links:

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-tenant.md

@@ -8,13 +8,13 @@ ms.service: active-directory
 ms.subservice: ciem
 ms.workload: identity
 ms.topic: how-to
-ms.date: 04/24/2023
+ms.date: 06/16/2023
 ms.author: jfields
 ---
 
-# Enable Permissions Management in your organization
+# Enable Microsoft Entra Permissions Management in your organization
 
-This article describes how to enable Permissions Management in your organization. Once you've enabled Permissions Management, you can connect it to your Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) platforms.
+This article describes how to enable Microsoft Entra Permissions Management in your organization. Once you've enabled Permissions Management, you can connect it to your Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) platforms.
 
 > [!NOTE]
 > To complete this task, you must have *Microsoft Entra Permissions Management Administrator* permissions. You can't enable Permissions Management as a user from another tenant who has signed in via B2B or via Azure Lighthouse.

articles/active-directory/cloud-infrastructure-entitlement-management/overview.md

@@ -8,15 +8,15 @@ ms.service: active-directory
 ms.subservice: ciem
 ms.workload: identity
 ms.topic: overview
-ms.date: 04/20/2022
+ms.date: 06/16/2023
 ms.author: jfields
 ---
 
-# What's Permissions Management?
+# What's Microsoft Entra Permissions Management?
 
 ## Overview
 
-Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
+Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
 
 Permissions Management  detects, automatically right-sizes, and continuously monitors unused and excessive permissions.
 
@@ -70,5 +70,6 @@ Once your organization has explored and implemented the discover, remediation an
 
 ## Next steps
 
-- For information on how to onboard Permissions Management for your organization, see [Enable Permissions Management in your organization](onboard-enable-tenant.md).
+- Deepen your learning with the [Introduction to Microsoft Entra Permissions Management](https://go.microsoft.com/fwlink/?linkid=2240016) learn module. 
+- Sign up for a [45-day free trial](https://aka.ms/TryPermissionsManagement) of Permissions Management.
 - For a list of frequently asked questions (FAQs) about Permissions Management, see [FAQs](faqs.md).

articles/active-directory/governance/entitlement-management-external-users.md

@@ -90,11 +90,11 @@ To ensure people outside of your organization can request access packages and ge
     > [!NOTE]
     > If you create a connected organization for an Azure AD tenant from a different Microsoft cloud, you also need to configure cross-tenant access settings appropriately. For more information on how to configure these settings, see [Configure cross-tenant access settings](../external-identities/cross-cloud-settings.md).
 
-### Review your Conditional Access policies (Preview)
+### Review your Conditional Access policies
 
 - Make sure to exclude the Entitlement Management app from any Conditional Access policies that impact guest users. Otherwise, a conditional access policy could block them from accessing MyAccess or being able to sign in to your directory. For example, guests likely don't have a registered device, aren't in a known location, and don't want to re-register for multi-factor authentication (MFA), so adding these requirements in a Conditional Access policy will block guests from using entitlement management. For more information, see [What are conditions in Azure Active Directory Conditional Access?](../conditional-access/concept-conditional-access-conditions.md).
 
-- A common policy for Entitlement Management customers is to block all apps from guests except Entitlement Management for guests. This policy allows guests to enter MyAccess and request an access package. This package should contain a group (it is called Guests from MyAccess in the example below), which should be excluded from the block all apps policy. Once the package is approved, the guest will be in the directory. Given that the end user has the access package assignment and is part of the group, the end user will be able to access all other apps. Other common policies include excluding Entitlement Management app from MFA and compliant device.   
+- A common policy for Entitlement Management customers is to block all apps from guests except Entitlement Management for guests. This policy allows guests to enter My Access and request an access package. This package should contain a group (it is called Guests from My Access in the example below), which should be excluded from the block all apps policy. Once the package is approved, the guest will be in the directory. Given that the end user has the access package assignment and is part of the group, the end user will be able to access all other apps. Other common policies include excluding Entitlement Management app from MFA and compliant device.   
 
     :::image type="content" source="media/entitlement-management-external-users/exclude-app-guests.png" alt-text="Screenshot of exclude app options.":::
 

articles/api-management/how-to-deploy-self-hosted-gateway-azure-arc.md

@@ -6,7 +6,7 @@ ms.author: danlep
 ms.service: api-management
 ms.custom: devx-track-azurecli
 ms.topic: article 
-ms.date: 05/25/2021
+ms.date: 06/12/2023
 ---
 
 # Deploy an Azure API Management gateway on Azure Arc (preview)
@@ -50,15 +50,15 @@ Deploying the API Management gateway on an Azure Arc-enabled Kubernetes cluster
 
     ```azurecli
     az k8s-extension create --cluster-type connectedClusters --cluster-name <cluster-name> \
-      --resource-group <rg-name> --name <extension-name> --extension-type Microsoft.ApiManagement.Gateway \
-      --scope namespace --target-namespace <namespace> \
-      --configuration-settings gateway.endpoint='<Configuration URL>' \
-      --configuration-protected-settings gateway.authKey='<token>' \
-      --configuration-settings service.type='LoadBalancer' --release-train preview
+        --resource-group <rg-name> --name <extension-name> --extension-type Microsoft.ApiManagement.Gateway \
+        --scope namespace --target-namespace <namespace> \
+        --configuration-settings gateway.configuration.uri='<Configuration URL>' \
+        --config-protected-settings gateway.auth.token='<token>' \
+        --configuration-settings service.type='LoadBalancer' --release-train preview
     ```
 
     > [!TIP]
-    > `-protected-` flag for `authKey` is optional, but recommended. 
+    > `-protected-` flag for `gateway.auth.token` is optional, but recommended. 
 
 1. Verify deployment status using the following CLI command:
     ```azurecli
@@ -71,7 +71,7 @@ Deploying the API Management gateway on an Azure Arc-enabled Kubernetes cluster
 ## Deploy the API Management gateway extension using Azure portal
 
 1. In the Azure portal, navigate to your Azure Arc-connected cluster.
-1. In the left menu, select **Extensions (preview)** > **+ Add** > **API Management gateway (preview)**.
+1. In the left menu, select **Extensions** > **+ Add** > **API Management gateway (preview)**.
 1. Select **Create**.
 1. In the **Install API Management gateway** window, configure the gateway extension:
     * Select the subscription and resource group for your API Management instance.
@@ -85,12 +85,16 @@ Deploying the API Management gateway on an Azure Arc-enabled Kubernetes cluster
 
 ## Available extension configurations
 
+The self-hosted gateway extension for Azure Arc provides many configuration settings to customize the extension for your environment. This section lists required deployment settings and optional settings for integration with Log Analytics. For a complete list of settings, see the self-hosted gateway extension [reference](self-hosted-gateway-arc-reference.md).
+
+### Required settings
+
 The following extension configurations are **required**.
 
 | Setting | Description |
 | ------- | ----------- | 
-| `gateway.endpoint` | The gateway endpoint's Configuration URL. |
-| `gateway.authKey` | Token for access to the gateway. | 
+| `gateway.configuration.uri` | Configuration endpoint in API Management service for the self-hosted gateway. |
+| `gateway.auth.token` | Gateway token (authentication key) to authenticate to API Management service. Typically starts with `GatewayKey`. | 
 | `service.type` | Kubernetes service configuration for the gateway: `LoadBalancer`, `NodePort`, or `ClusterIP`. |
 
 ### Log Analytics settings
@@ -115,3 +119,4 @@ To enable monitoring of the self-hosted gateway, configure the following Log Ana
 * Discover all [Azure Arc-enabled Kubernetes extensions](../azure-arc/kubernetes/extensions.md). 
 * Learn more about [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md).
 * Learn more about guidance to [run the self-hosted gateway on Kubernetes in production](how-to-self-hosted-gateway-on-kubernetes-in-production.md).
+* For configuration options, see the self-hosted gateway extension [reference](self-hosted-gateway-arc-reference.md).

articles/api-management/self-hosted-gateway-overview.md

@@ -7,23 +7,23 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: conceptual
-ms.date: 07/11/2022
+ms.date: 06/14/2023
 ms.author: danlep
 ---
 
 # Self-hosted gateway overview
 
 The self-hosted gateway is an optional, containerized version of the default managed gateway included in every API Management service. It's useful for scenarios such as placing gateways in the same environments where you host your APIs. Use the self-hosted gateway to improve API traffic flow and address API security and compliance requirements.
 
-This article explains how the self-hosted gateway feature of Azure API Management enables hybrid and multi-cloud API management, presents its high-level architecture, and highlights its capabilities.
+This article explains how the self-hosted gateway feature of Azure API Management enables hybrid and multicloud API management, presents its high-level architecture, and highlights its capabilities.
 
 For an overview of the features across the various gateway offerings, see [API gateway in API Management](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways).
 
 [!INCLUDE [api-management-availability-premium-dev](../../includes/api-management-availability-premium-dev.md)]
 
-## Hybrid and multi-cloud API management
+## Hybrid and multicloud API management
 
-The self-hosted gateway feature expands API Management support for hybrid and multi-cloud environments and enables organizations to efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
+The self-hosted gateway feature expands API Management support for hybrid and multicloud environments and enables organizations to efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
 
 With the self-hosted gateway, customers have the flexibility to deploy a containerized version of the API Management gateway component to the same environments where they host their APIs. All self-hosted gateways are managed from the API Management service they're federated with, thus providing customers with the visibility and unified management experience across all internal and external APIs.
 
@@ -59,7 +59,7 @@ We provide a variety of container images for self-hosted gateways to meet your n
 
 You can find a full list of available tags [here](https://mcr.microsoft.com/product/azure-api-management/gateway/tags).
 
-<sup>1</sup>Preview versions are not officially supported and are for experimental purposes only.<br/> 
+<sup>1</sup>Preview versions aren't officially supported and are for experimental purposes only. See the [self-hosted gateway support policies](self-hosted-gateway-support-policies.md#self-hosted-gateway-container-image-support-coverage). <br/> 
 
 ### Use of tags in our official deployment options
 
@@ -101,7 +101,7 @@ To operate properly, each self-hosted gateway needs outbound connectivity on por
 | Description | Required for v1 | Required for v2 | Notes |
 |:------------|:---------------------|:---------------------|:------|
 | Hostname of the configuration endpoint | `<apim-service-name>.management.azure-api.net` | `<apim-service-name>.configuration.azure-api.net` | Connectivity to v2 endpoint requires DNS resolution of the default hostname. |
-| Public IP address of the API Management instance | ✔️ | ✔️ | IP addresses of primary location is sufficient. |
+| Public IP address of the API Management instance | ✔️ | ✔️ | IP address of primary location is sufficient. |
 | Public IP addresses of Azure Storage [service tag](../virtual-network/service-tags-overview.md) | ✔️ | Optional<sup>2</sup> | IP addresses must correspond to primary location of API Management instance. |
 | Hostname of Azure Blob Storage account | ✔️ | Optional<sup>2</sup> | Account associated with instance (`<blob-storage-account-name>.blob.core.windows.net`) |
 | Hostname of Azure Table Storage account | ✔️ | Optional<sup>2</sup> | Account associated with instance (`<table-storage-account-name>.table.core.windows.net`) |
@@ -120,6 +120,15 @@ To operate properly, each self-hosted gateway needs outbound connectivity on por
 > * The associated storage account names are listed in the service's **Network connectivity status** page in the Azure portal.
 > * Public IP addresses underlying the associated storage accounts are dynamic and can change without notice.
 
+### Authentication options
+
+To authenticate the connection between the self-hosted gateway and the cloud-based API Management instance's configuration endpoint, you have the following options in the gateway container's [configuration settings](self-hosted-gateway-settings-reference.md).
+
+|Option  |Considerations  |
+|---------|---------|
+| [Azure Active Directory authentication](self-hosted-gateway-enable-azure-ad.md)   | Configure one or more Azure AD apps for access to gateway<br/><br/>Manage access separately per app<br/><br/>Configure longer expiry times for secrets in accordance with your organization's policies<br/><br/>Use standard Azure AD procedures to assign or revoke user or group permissions to app and to rotate secrets<br/><br/>        |
+| Gateway access token (also called authentication key)    |  Token expires every 30 days at maximum and must be renewed in the containers<br/><br/>Backed by a gateway key that can be rotated independently (for example, to revoke access) <br/><br/>Regenerating gateway key invalidates all access tokens created with it        |
+
 ### Connectivity failures
 
 When connectivity to Azure is lost, the self-hosted gateway is unable to receive configuration updates, report its status, or upload telemetry.
@@ -207,7 +216,7 @@ As of v2.1.1 and above, you can manage the ciphers that are being used through t
 
 -   Learn more about the various gateways in our [API gateway overview](api-management-gateways-overview.md)
 -   Learn more about the support policy for the [self-hosted gateway](self-hosted-gateway-support-policies.md)
--   Learn more about [API Management in a Hybrid and Multi-Cloud World](https://aka.ms/hybrid-and-multi-cloud-api-management)
+-   Learn more about [API Management in a hybrid and multicloud world](https://aka.ms/hybrid-and-multi-cloud-api-management)
 -   Learn more about guidance for [running the self-hosted gateway on Kubernetes in production](how-to-self-hosted-gateway-on-kubernetes-in-production.md)
 -   [Deploy self-hosted gateway to Docker](how-to-deploy-self-hosted-gateway-docker.md)
 -   [Deploy self-hosted gateway to Kubernetes](how-to-deploy-self-hosted-gateway-kubernetes.md)