Merge pull request #247884 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

.openpublishing.redirection.azure-monitor.json

@@ -6279,6 +6279,26 @@
             "source_path_from_root": "/articles/azure-monitor/essentials/prometheus-authorization-proxy.md",
             "redirect_url": "/azure/azure-monitor/containers/prometheus-authorization-proxy",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/containers/container-insights-hybrid-setup.md",
+            "redirect_url": "/azure/azure-monitor/containers/container-insights-enable-arc-enabled-clusters",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/containers/container-insights-optout-openshift-v3.md",
+            "redirect_url": "/azure/azure-monitor/containers/container-insights-optout",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/containers/container-insights-optout-openshift-v4.md",
+            "redirect_url": "/azure/azure-monitor/containers/container-insights-optout",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/containers/container-insights-optout-hybrid.md",
+            "redirect_url": "/azure/azure-monitor/containers/container-insights-optout",
+            "redirect_document_id": false
         }
     ]
 }

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md

@@ -8,24 +8,24 @@ ms.service: active-directory
 ms.subservice: ciem
 ms.workload: identity
 ms.topic: how-to
-ms.date: 06/16/2023
+ms.date: 08/09/2023
 ms.author: jfields
 ---
 
 # Onboard a Google Cloud Platform (GCP) project
 
-This article describes how to onboard a Google Cloud Platform (GCP) project on Permissions Management.
+This article describes how to onboard a Google Cloud Platform (GCP) project in Microsoft Entra Permissions Management.
 
 > [!NOTE]
 > A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
 
 ## Explanation
 
-For GCP, permissions management is scoped to a *GCP project*. A GCP project is a logical collection of your resources in GCP, like a subscription in Azure, albeit with further configurations you can perform such as application registrations and OIDC configurations.
+For GCP, Permissions Management is scoped to a *GCP project*. A GCP project is a logical collection of your resources in GCP, like a subscription in Azure, but with further configurations you can perform such as application registrations and OIDC configurations.
 
 <!-- Diagram from Gargi-->
 
-There are several moving parts across GCP and Azure, which are required to be configured before onboarding.
+There are several moving parts across GCP and Azure, which should be configured before onboarding.
 
 * An Azure AD OIDC App
 * A Workload Identity in GCP
@@ -39,7 +39,7 @@ There are several moving parts across GCP and Azure, which are required to be co
 
     - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
 
-1. On the **Data Collectors** tab, select **GCP**, and then select **Create Configuration**.
+1. On the **Data Collectors** tab, select **GCP**, then select **Create Configuration**.
 
 ### 1. Create an Azure AD OIDC app.
 
@@ -50,7 +50,7 @@ There are several moving parts across GCP and Azure, which are required to be co
 1. To create the app registration, copy the script and run it in your command-line app.
 
     > [!NOTE]
-    > 1. To confirm that the app was created, open **App registrations** in Azure and, on the **All applications** tab, locate your app.
+    > 1. To confirm the app was created, open **App registrations** in Azure and, on the **All applications** tab, locate your app.
     > 1. Select the app name to open the **Expose an API** page. The **Application ID URI** displayed in the **Overview** page is the *audience value* used while making an OIDC connection with your GCP account.
     > 1. Return to the Permissions Management window, and in the **Permissions Management Onboarding - Azure AD OIDC App Creation**, select **Next**.
 
@@ -73,15 +73,15 @@ Choose from three options to manage GCP projects.
 
 #### Option 1: Automatically manage 
 
-The automatically manage option allows projects to be automatically detected and monitored without extra configuration. Steps to detect list of projects and onboard for collection:  
+The automatically manage option allows you to automatically detect and monitor projects without extra configuration. Steps to detect a list of projects and onboard for collection:  
 
-1. Firstly, grant **Viewer** and **Security Reviewer** role to service account created in previous step at organization, folder or project scope. 
+1. Grant **Viewer** and **Security Reviewer** roles to a service account created in the previous step at a project, folder or organization level. 
 
-To enable controller mode 'On' for any projects, add following roles to the specific projects:
+To enable Controller mode **On** for any projects, add these roles to the specific projects:
 - Role Administrators
 - Security Admin 
 
-2. Once done, the steps are listed in the screen, which shows how to further configure in the GPC console, or programmatically with the gCloud CLI.
+The required commands to run in Google Cloud Shell are listed in the Manage Authorization screen for each scope of a project, folder or organization. This is also configured in the GPC console.
 
 3. Select **Next**.
 
@@ -93,34 +93,36 @@ You have the ability to specify only certain GCP member projects to manage and m
 
 2. You can choose to download and run the script at this point, or you can do it via Google Cloud Shell.
 
-    To enable controller mode 'On' for any projects, add following roles to the specific projects:
+    To enable controller mode 'On' for any projects, add these roles to the specific projects:
     - Role Administrators
     - Security Admin 
 
 3. Select **Next**.
 
 #### Option 3: Select authorization systems 
 
-This option detects all projects that are accessible by the Cloud Infrastructure Entitlement Management application.  
+This option detects all projects accessible by the Cloud Infrastructure Entitlement Management application.  
 
-1. Firstly, grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope
+1. Grant **Viewer** and **Security Reviewer** roles to a service account created in the previous step at a project, folder or organization level. 
+
+To enable Controller mode **On** for any projects, add these roles to the specific projects:
+- Role Administrators
+- Security Admin 
+
+The required commands to run in Google Cloud Shell are listed in the Manage Authorization screen for each scope of a project, folder or organization. This is also configured in the GPC console.
 
-    To enable controller mode 'On' for any projects, add following roles to the specific projects:
-    - Role Administrators
-    - Security Admin 
-2.  Once done, the steps are listed in the screen to do configure manually in the GPC console, or programmatically with the gCloud CLI
 3. Select **Next**.
 
 
 ### 3. Review and save.
 
 - In the **Permissions Management Onboarding – Summary** page, review the information you've added, and then select **Verify Now & Save**.
 
-    The following message appears: **Successfully Created Configuration.**
+    The following message appears: **Successfully Created Configuration**.
 
     On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.**
 
-    You have now completed onboarding GCP, and Permissions Management has started collecting and processing your data.
+    You've completed onboarding GCP, and Permissions Management has started collecting and processing your data.
 
 ### 4. View the data.
 

articles/active-directory/external-identities/customers/toc.yml

@@ -202,6 +202,8 @@ items:
                 href: tutorial-desktop-app-maui-sign-in-prepare-app.md
               - name: Sign in and sign out
                 href: tutorial-desktop-app-maui-sign-in-sign-out.md
+              - name: Use role-based access control
+                href: tutorial-desktop-maui-role-based-access-control.md
           - name: .NET WPF
             items:
               - name: Prepare tenant
@@ -219,6 +221,8 @@ items:
             href: tutorial-mobile-app-maui-sign-in-prepare-app.md
           - name: Sign in and sign out
             href: tutorial-mobile-app-maui-sign-in-sign-out.md
+          - name: Use role-based access control
+            href: tutorial-mobile-maui-role-based-access-control.md
       - name: Command-line interface (CLI) app
         items:
           - name: Node.js - sign in users

articles/active-directory/external-identities/customers/tutorial-desktop-app-maui-sign-in-sign-out.md

@@ -47,7 +47,6 @@ The next steps will organize our code so that the `main view` is defined.
 1. Select **Add**.
 1. The _MainView.xaml_ file will open in a new document tab, displaying all of the XAML markup that represents the UI of the page. Replace the XAML markup with the following markup:
 
-
    :::code language="xaml" source="~/ms-identity-ciam-dotnet-tutorial/1-Authentication/2-sign-in-maui/Views/MainView.xaml" :::
 
 1. Save the file.
@@ -69,7 +68,7 @@ The next step is to add the code for the button's `Clicked` event.
 
    :::code language="csharp" source="~/ms-identity-ciam-dotnet-tutorial/1-Authentication/2-sign-in-maui/Views/MainView.xaml.cs" :::
 
-The `MainView` class is a content page responsible for displaying the main view of the app. In the constructor, it retrieves the cached user account using the `MSALClientHelper` from the `PublicClientSingleton` instance and enables the sign-in button, if no cached user account is found. 
+The `MainView` class is a content page responsible for displaying the main view of the app. In the constructor, it retrieves the cached user account using the `MSALClientHelper` from the `PublicClientSingleton` instance and enables the sign-in button, if no cached user account is found.
 
 When the sign-in button is clicked, it calls the `AcquireTokenSilentAsync` method to acquire a token silently and navigates to the `claimsview` page using the `Shell.Current.GoToAsync` method. Additionally, the `OnBackButtonPressed` method is overridden to return true, indicating that the back button is disabled for this view.
 
@@ -84,14 +83,13 @@ The next steps will organize the code so that `ClaimsView` page is defined. The
 1. Select **Add**.
 1. The _ClaimsView.xaml_ file will open in a new document tab, displaying all of the XAML markup that represents the UI of the page. Replace the XAML markup with the following markup:
 
-
    :::code language="xaml" source="~/ms-identity-ciam-dotnet-tutorial/1-Authentication/2-sign-in-maui/Views/ClaimsView.xaml" :::
 
-    This XAML markup code represents the UI layout for a claim view in a .NET MAUI app. It starts by defining the `ContentPage` with a title and disabling the back button behavior. 
-    
-    Inside a `VerticalStackLayout`, there are several `Label` elements displaying static text, followed by a `ListView` named `Claims` that binds to a collection called `IdTokenClaims` to display the claims found in the ID token. Each claim is rendered within a `ViewCell` using a `DataTemplate` and displayed as a centered `Label` within a Grid. 
-    
-    Lastly, there's a `Sign Out` button centered at the bottom of the layout, which triggers the `SignOutButton_Clicked` event handler when clicked.
+   This XAML markup code represents the UI layout for a claim view in a .NET MAUI app. It starts by defining the `ContentPage` with a title and disabling the back button behavior.
+
+   Inside a `VerticalStackLayout`, there are several `Label` elements displaying static text, followed by a `ListView` named `Claims` that binds to a collection called `IdTokenClaims` to display the claims found in the ID token. Each claim is rendered within a `ViewCell` using a `DataTemplate` and displayed as a centered `Label` within a Grid.
+
+   Lastly, there's a `Sign Out` button centered at the bottom of the layout, which triggers the `SignOutButton_Clicked` event handler when clicked.
 
 #### Handle the ClaimsView data
 
@@ -101,7 +99,7 @@ The next step is to add the code to handle `ClaimsView` data.
 
    :::code language="csharp" source="~/ms-identity-ciam-dotnet-tutorial/1-Authentication/2-sign-in-maui/Views/ClaimsView.xaml.cs" :::
 
-   The _ClaimsView.xaml.cs_ code represents the code-behind for a claim view in a .NET MAUI app. It starts by importing the necessary namespaces and defining the `ClaimsView` class, which extends `ContentPage`. The `IdTokenClaims` property is an enumerable of strings, initially set to a single string indicating no claims found. 
+   The _ClaimsView.xaml.cs_ code represents the code-behind for a claim view in a .NET MAUI app. It starts by importing the necessary namespaces and defining the `ClaimsView` class, which extends `ContentPage`. The `IdTokenClaims` property is an enumerable of strings, initially set to a single string indicating no claims found.
 
    The `ClaimsView` constructor sets the binding context to the current instance, initializes the view components, and calls the `SetViewDataAsync` method asynchronously. The `SetViewDataAsync` method attempts to acquire a token silently, retrieves the claims from the authentication result, and sets the `IdTokenClaims` property to display them in the `ListView` named `Claims`. If a `MsalUiRequiredException` occurs, indicating that user interaction is needed for authentication, the app navigates to the claims view.
 
@@ -161,7 +159,7 @@ To create `appsettings.json`, follow these steps:
 Set the **Debug Target** in the Visual Studio toolbar to the device you want to debug and test with. The following steps demonstrate setting the **Debug Target** to _Windows_:
 
 1. Select **Debug Target** drop-down.
-1. Select **Framework** 
+1. Select **Framework**
 1. Select **net7.0-windows...**
 
 Run the app by pressing _F5_ or select the _play button_ at the top of Visual Studio.
@@ -180,5 +178,5 @@ Run the app by pressing _F5_ or select the _play button_ at the top of Visual St
 
 ## Next Steps
 
-- [Customize the default branding](how-to-customize-branding-customers.md).
-- [Configure sign-in with Google](how-to-google-federation-customers.md).
+> [!div class="nextstepaction"] 
+> [Tutorial: Add app roles to .NET MAUI app and receive them in the ID token](tutorial-desktop-maui-role-based-access-control.md)

articles/active-directory/external-identities/customers/tutorial-desktop-maui-role-based-access-control.md

@@ -0,0 +1,76 @@
+---
+title: "Tutorial: Use role-based access control in your .NET MAUI"
+description: This tutorial demonstrates how to add app roles to .NET Multi-platform App UI (.NET MAUI) shell and receive them in the ID token.
+author: henrymbuguakiarie
+manager: mwongerapk
+
+ms.author: henrymbugua
+ms.service: active-directory
+ms.topic: tutorial
+ms.subservice: ciam
+ms.date: 07/17/2023
+---
+
+# Tutorial: Use role-based access control in your .NET MAUI
+
+This tutorial demonstrates how to add app roles to .NET Multi-platform App UI (.NET MAUI) and receive them in the ID token.
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+>
+> - Access the roles in the ID token.
+
+## Prerequisites
+
+- [Tutorial: Sign in users in .NET MAUI shell app](tutorial-desktop-app-maui-sign-in-sign-out.md)
+- [Using role-based access control for applications](how-to-use-app-roles-customers.md)
+
+## Receive groups and roles claims in .NET MAUI
+
+Once you configure your customer's tenant, you can retrieve your roles and groups claims in your client app. The roles and groups claims are both present in the ID token and the access token. Access tokens are only validated in the web APIs for which they were acquired by a client. The client shouldn't validate access tokens.
+
+The .NET MAUI needs to check for the app roles claims in the ID token to implement authorization in the client side.
+
+In this tutorial series, you created a .NET MAUI app where you developed the [_ClaimsView.xaml.cs_](tutorial-desktop-app-maui-sign-in-sign-out.md#handle-the-claimsview-data) to handle `ClaimsView` data. In this file, we inspect the contents of ID tokens. The value of the roles claim is checked in the following code snippet:
+
+To access the role claim, you can modify the code snippet as follows:
+
+```csharp
+var idToken = PublicClientSingleton.Instance.MSALClientHelper.AuthResult.IdToken;
+var handler = new JwtSecurityTokenHandler();
+var token = handler.ReadJwtToken(idToken);
+// Get the role claim value
+var roleClaim = token.Claims.FirstOrDefault(c => c.Type == "roles")?.Value;
+
+if (!string.IsNullOrEmpty(roleClaim))
+{
+    // If the role claim exists, add it to the IdTokenClaims
+    IdTokenClaims = new List<string> { roleClaim };
+}
+else
+{
+    // If the role claim doesn't exist, add a message indicating that no role claim was found
+    IdTokenClaims = new List<string> { "No role claim found in ID token" };
+}
+
+Claims.ItemsSource = IdTokenClaims;
+```
+
+> [!NOTE] 
+> To read the ID token, you must install the `System.IdentityModel.Tokens.Jwt` package.
+
+If you assign a user to multiple roles, the roles string contains all roles separated by a comma, such as `Orders.Manager, Store.Manager,...`. Make sure you build your application to handle the following conditions:
+
+- Absence of roles claims in the token
+- User hasn't been assigned to any role
+- Multiple values in the roles claim when you assign a user to multiple roles
+
+When you define app roles for your app, it is your responsibility to implement authorization logic for those roles.
+
+## Next steps
+
+For more information about group claims and making informed decisions regarding the usage of app roles or groups, see:
+
+- [Configuring group claims and app roles in tokens](/security/zero-trust/develop/configure-tokens-group-claims-app-roles)
+- [Choose an approach](../../develop/custom-rbac-for-developers.md#choose-an-approach)