Merge pull request #178586 from MicrosoftDocs/master

11/03 PM Publish

Author: huypub

articles/active-directory/authentication/concept-authentication-passwordless.md

@@ -105,26 +105,6 @@ The following process is used when a user signs in with a FIDO2 security key:
 8. Azure AD verifies the signed nonce using the FIDO2 public key.
 9. Azure AD returns PRT to enable access to on-premises resources.
 
-While there are many keys that are FIDO2 certified by the FIDO Alliance, Microsoft requires some optional extensions of the FIDO2 Client-to-Authenticator Protocol (CTAP) specification to be implemented by the vendor to ensure maximum security and the best experience.
-
-A security key MUST implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible. Authenticator vendor must implement both FIDO_2_0 and FIDO_2_1 version of the spec. For more information, see the [Client to Authenticator Protocol](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html).
-
-| # | Feature / Extension trust | Why is this feature or extension required? |
-| --- | --- | --- |
-| 1 | Resident/Discoverable key | This feature enables the security key to be portable, where your credential is stored on the security key and is discoverable which makes usernameless flows possible. |
-| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have a user interface.<br>Both [PIN protocol 1](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#pinProto1) and [PIN protocol 2](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#pinProto2) MUST be implemented. |
-| 3 | hmac-secret | This extension ensures you can sign in to your device when it's off-line or in airplane mode. |
-| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account and Azure Active Directory. |
-| 5 | Credential Management    | This feature allows users to manage their credentials on security keys on platforms and applies to security keys that do not have this capability built-in.<br>Authenticator MUST implement [authenticatorCredentialManagement](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorCredentialManagement) and [credentialMgmtPreview](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#prototypeAuthenticatorCredentialManagement) commands for this feature.  |
-| 6 | Bio Enrollment           | This feature allows users to enroll their biometrics on their authenticators and applies to security keys that do not have this capability built in.<br> Authenticator MUST implement [authenicatorBioEnrollment](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorBioEnrollment) and [userVerificationMgmtPreview](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#prototypeAuthenticatorBioEnrollment) commands for this feature. |
-| 7 | pinUvAuthToken           | This feature allows platform to have auth tokens using PIN or BIO match which helps in better user experience when multiple credentials are present on the authenticator.  |
-| 8 | forcePinChange           | This feature allows enterprises to ask users to change their PIN in remote deployments.  |
-| 9 | setMinPINLength          | This feature allows enterprises to have custom minimum PIN length for their users. Authenticator MUST implement minPinLength extension and have maxRPIDsForSetMinPINLength of value at least 1.  |
-| 10 | alwaysUV                | This feature allows enterprises or users to always require user verification to use this security key. Authenticator MUST implement toggleAlwaysUv subcommand. It is up to vendor to decide the default value of alwaysUV. At this point due to nature of various RPs adoption and OS versions, recommended value for biometric based authenticators is true and non-biometric based authenticators is false.  |
-| 11 | credBlob                | This extension allows websites to store small information in the security key. maxCredBlobLength MUST be atleast 32 bytes.  |
-| 12 | largeBlob               | This extension allows websites to store larger information like certificates in the security key. maxSerializedLargeBlobArray MUST be atleast 1024 bytes.  |
-
-
 ### FIDO2 security key providers
 
 The following providers offer FIDO2 security keys of different form factors that are known to be compatible with the passwordless experience. We encourage you to evaluate the security properties of these keys by contacting the vendor as well as FIDO Alliance.

articles/active-directory/authentication/how-to-authentication-find-coverage-gaps.md

@@ -47,15 +47,15 @@ Based on gaps you found, require administrators to use multi-factor authenticati
 
 - Run the [MFA enablement wizard](https://aka.ms/MFASetupGuide) to choose your MFA policy.
 
-- If you assign custom or built-in admin roles in [Privileged Identity Management](/privileged-identity-management/pim-configure.md), require multi-factor authentication upon role activation.
+- If you assign custom or built-in admin roles in [Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure), require multi-factor authentication upon role activation.
 
 ## Use Passwordless and phishing resistant authentication methods for your administrators
 
 After your admins are enforced for multi-factor authentication and have been using it for a while, it is time to raise the bar on strong authentication and use Passwordless and phishing resistant authentication method: 
 
 - [Phone Sign-in (with Microsoft Authenticator)](concept-authentication-authenticator-app.md)
 - [FIDO2](concept-authentication-passwordless.md#fido2-security-keys)
-- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview.md)
+- [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview)
 
 You can read more about these authentication methods and their security considerations in [Azure AD authentication methods](concept-authentication-methods.md).
 

articles/active-directory/develop/apple-sso-plugin.md

@@ -13,7 +13,7 @@ ms.workload: identity
 ms.date: 08/10/2021
 ms.author: brandwe
 ms.reviewer: brandwe
-ms.custom: aaddev, has-adal-ref
+ms.custom: aaddev
 ---
 
 # Microsoft Enterprise SSO plug-in for Apple devices (preview)
@@ -218,7 +218,7 @@ Use the bundle IDs to configure SSO for the apps.
 
 #### Allow users to sign in from unknown applications and the Safari browser
 
-By default, the Microsoft Enterprise SSO plug-in provides SSO for authorized apps only when a user has signed in from an app that uses a Microsoft identity platform library like MSAL or Azure Active Directory Authentication Library (ADAL). The Microsoft Enterprise SSO plug-in can also acquire a shared credential when it's called by another app that uses a Microsoft identity platform library during a new token acquisition.
+By default, the Microsoft Enterprise SSO plug-in provides SSO for authorized apps only when a user has signed in from an app that uses a Microsoft identity platform library like MSAL. The Microsoft Enterprise SSO plug-in can also acquire a shared credential when it's called by another app that uses a Microsoft identity platform library during a new token acquisition.
 
 When you enable the `browser_sso_interaction_enabled` flag, apps that don't use a Microsoft identity platform library can do the initial bootstrapping and get a shared credential. The Safari browser can also do the initial bootstrapping and get a shared credential. 
 

articles/active-directory/develop/registration-config-sso-how-to.md

@@ -19,7 +19,7 @@ ROBOTS: NOINDEX
 
 Enabling federated single sign-on (SSO) in your app is automatically enabled when federating through Azure AD for OpenID Connect, SAML 2.0, or WS-Fed. If your end users are having to sign in despite already having an existing session with Azure AD, it’s likely your app may be misconfigured.
 
-* If you’re using ADAL/MSAL, make sure you have **PromptBehavior** set to **Auto** rather than **Always**.
+* If you’re using Microsoft Authentication Library (MSAL), make sure you have **PromptBehavior** set to **Auto** rather than **Always**.
 
 * If you’re building a mobile app, you may need additional configurations to enable brokered or non-brokered SSO.
 
@@ -39,4 +39,4 @@ For iOS, see [Enabling Cross App SSO in iOS](../azuread-dev/howto-v1-enable-sso-
 
 [Permissions and consent in the Microsoft identity platform](./v2-permissions-and-consent.md)<br>
 
-[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html)
+[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html)

articles/active-directory/enterprise-users/directory-service-limits-restrictions.md

@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.subservice: enterprise-users
 ms.topic: reference
 ms.workload: identity
-ms.date: 09/01/2021
+ms.date: 10/27/2021
 ms.author: curtand
 ms.custom: aaddev;it-pro
 ms.reviewer: jeffsta

articles/active-directory/governance/TOC.yml

@@ -74,6 +74,8 @@
       items:
       - name: Create a catalog of resources
         href: entitlement-management-catalog-create.md
+      - name: Create a custom extension (logic apps) for catalogs
+        href: entitlement-management-logic-apps-integration.md
       - name: Delegate to access package managers
         href: entitlement-management-delegate-managers.md
     - name: Access package managers and Access package assignment managers

articles/active-directory/governance/entitlement-management-logic-apps-integration.md

@@ -0,0 +1,132 @@
+---
+title: Trigger custom Logic Apps with Azure AD entitlement management
+description: Learn how to configure and use custom Logic Apps in Azure Active Directory entitlement management.
+services: active-directory
+documentationCenter: ''
+author: ajburnle
+manager: karenhoran
+editor: 
+ms.service: active-directory
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: how-to
+ms.subservice: compliance
+ms.date: 11/02/2020
+ms.author: ajburnle
+ms.reviewer: 
+ms.collection: M365-identity-device-management
+
+#Customer intent: As an administrator, I want detailed information about how I can configure and add custom Logic Apps to my catalogs and access packages in entitlement management.
+
+---
+# Trigger custom Logic Apps with Azure AD entitlement management
+
+
+[Azure Logic Apps](https://docs.microsoft.com/azure/logic-apps/logic-apps-overview) can be used to automate custom workflows and connect apps and services in one place. Users can integrate Logic Apps with entitlement management to broaden their governance workflows beyond the core entitlement management use cases.
+
+These Logic Apps can then be triggered to run in accordance with entitlement management use cases such as when an access package is granted or requested. For example, an admin could create and link a custom Logic App to entitlement management so that when a user requests an access package, a Logic App is triggered that ensures the user is also assigned certain characteristics in a 3rd party SAAS app (like Salesforce) or is sent a custom email.
+
+entitlement management use cases that can be integrated with Logic Apps include:  
+
+- when an access package is requested  
+
+- when an access package request is granted  
+
+- when an access package assignment expires  
+
+These triggers to Logic Apps are controlled in a new tab within access package policies called **Rules**. Additionally, a **Custom Extensions** tab on the Catalog page will show all added Logic Apps for a given Catalog. This article describes how to create and add logic apps to catalogs and access packages in entitlement management.
+
+## Create and add a Logic App to a catalog for use in entitlement management 
+
+**Prerequisite roles:** Global administrator, Identity Governance administrator, Catalog owner or Resource Group Owner 
+
+1. Sign in to the [Azure portal](https://portal.azure.com). 
+
+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**. 
+
+1. In the left menu, select **Catalogs**. 
+
+1. In the left menu, select **Custom Extensions (Preview)**. 
+
+1. In the header navigation bar, select **Add a Custom Extension**.  
+
+1. In the **Basics** tab, enter the name of the custom extension (linked Logic App you are adding) and description of the workflow. These fields will show up in the **Custom Extensions** tab of the Catalog going forward. 
+
+    ![Pane to create a custom extension](./media/entitlement-management-logic-apps/create-custom-extension.png)
+
+
+1. Then go on to the **Details** tab. 
+
+1. Select **Yes** in the field “Create new logic app”. Otherwise, select **No** and move on to step 9 if you are going to use an existing Logic App. If you selected yes, select one of the options below and move on to step 9: 
+
+    1. Select **create new Azure AD application** if you want to use a new application as the basis for the new Logic App, or
+    
+        ![Pane to select new app for logic app](./media/entitlement-management-logic-apps/new-app-selection.png)
+
+    1. select **an existing Azure AD Application** if you want to use an existing application as the basis for the new Logic App.
+    
+        ![Pane to select existing app for logic app](./media/entitlement-management-logic-apps/existing-app-selection.png)
+
+    > [!Note]    
+    > Later, you can edit what your Logic App does in Logic App designer. To do so, select on the Logic App you created in the **Custom Extensions** tab of **Catalogs**.  
+
+1. Next, enter the **Subscription ID**, **Resource group**, **Logic app name**. 
+
+1. Then, select **Validate and Create**. 
+
+1. Review the summary of your custom extension and make sure the details for your Logic App callout are correct. Then select **Create**.
+
+    ![Example of custom extension summary](./media/entitlement-management-logic-apps/custom-extension-summary.png)
+
+1. This custom extension to the linked Logic App will now appear in your Custom Extensions tab under Catalogs. You will be able to call on this in access package policies.
+
+
+## Edit a linked Logic App 
+
+**Prerequisite roles:** Global administrator, Identity Governance administrator, or Catalog owner 
+
+1. Sign in to the [Azure portal](https://portal.azure.com)l. 
+
+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**. 
+
+1. In the left menu, select **Catalogs**. 
+
+1. In the left menu, select **Custom Extensions**. 
+
+1. Here, you can view all custom extensions (Logic Apps) that you have added to this Catalog. To edit a Logic App workflow, or to create a workflow for a newly-added Logic App, select the Logic App custom extension under **Endpoint**. This will open Logic App Designer and allow you to create your workflow.  
+
+ For more information on creating Logic App workflows, see [Create automated workflows with Azure Logic Apps in the Azure portal](https://docs.microsoft.com/azure/logic-apps/quickstart-create-first-logic-app-workflow).
+
+## Add custom extension to access package policy 
+
+**Prerequisite roles:** Global administrator, Identity Governance administrator, Catalog owner, or Access package manager 
+
+1. Sign in to the [Azure portal](https://portal.azure.com). 
+
+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**. 
+
+1. In the left menu, select **Access packages**. 
+
+1. Select **New access package** if you want to add a custom extension (Logic App) to a new access package. Or select the access package you want to add a custom extension (Logic App) to from the list of access packages that have already been created.  
+
+    > [!NOTE]  
+    > For more information about how to create an access package see [Create a new access package in entitlement management](entitlement-management-access-package-create.md).  For more information about how to edit an existing access package, see [Change request settings for an access package in Azure AD entitlement management](entitlement-management-access-package-request-policy.md#open-and-edit-an-existing-policy-of-request-settings). 
+
+1. In the policy settings of the access package, go to the **Rules (Preview)** tab. 
+
+1. In the menu below **When**, select the access package event you wish to use as trigger for this custom extension (Logic App). For example, if you only want to trigger the custom extension Logic App workflow when a user requests the access package, select **when request is created**. 
+
+1. In the menu below **Do**, select the custom extension (Logic App) you want to add to the access package. The do action you select will execute when the event selected in the when field occurs.  
+
+1. Select **Create** if you want to add the custom extension to a new access package. Select **Update** if you want to add it to an existing access package.
+
+    ![Add a logic app to access package](./media/entitlement-management-logic-apps/add-logic-apps-access-package.png)
+
+## Troubleshooting and Validation 
+
+To verify that your custom extension has correctly triggered the associated Logic App when called upon by the access package **Do** option, you can view the Logic App logs. 
+
+The overview page for a specific Logic App will show timestamps of when the Logic App was last executed. Also, the Resource Group overview for a resource group with a linked custom extension will show the name of that custom extension in the overview if it has been configured correctly.  
+
+## Next steps