Merge pull request #238090 from shlipsey3/support-access-requests-051423

support-access-requests-051423

Author: Court72

articles/active-directory/fundamentals/concept-support-access-requests.md

@@ -0,0 +1,42 @@
+---
+title: Support access requests in Microsoft Entra ID
+description: Learn how Microsoft Support engineers can access identity diagnostic information in Microsoft Entra ID.
+services: active-directory
+author: shlipsey3
+manager: amycolannino
+ms.author: sarahlipsey
+ms.reviewer: jeffsta
+ms.service: active-directory
+ms.topic: troubleshooting
+ms.subservice: fundamentals
+ms.workload: identity
+ms.date: 07/31/2023
+ms.collection: M365-identity-device-management
+
+---
+# About Microsoft Support access requests (preview)
+
+Microsoft Support requests are automatically assigned to a support engineer with expertise in solving similar problems. To expedite solution delivery, our support engineers use diagnostic tooling to read [identity diagnostic data](/troubleshoot/azure/active-directory/support-data-collection-diagnostic-logs) for your tenant.
+
+Microsoft Support's access to your identity diagnostic data is granted only with your approval, is read-only, and lasts only as long as we are actively working with you to solve your problem.
+
+For many support requests created in the Microsoft Entra admin center, you can manage the access to your identity diagnostic data by enabling the "Allow collection of advanced diagnostic information" property. If this setting is set to "no" our support engineers must ask *you* to collect the data needed to solve your problem, which could slow down your problem resolution. 
+
+## Microsoft Support access requests
+
+Sometimes support engineers need additional approval from you to access identity diagnostic data to solve your problem. For example, if a support engineer needs to access identity diagnostic data in a different Microsoft Entra tenant than the one in which you created the support request, the engineer must ask you to grant them access to that data.
+
+Microsoft Support access requests (preview) enable you to manage Microsoft Support's access to your identity diagnostic data for support requests where you cannot manage that access in the Microsoft Entra admin center's support request management experience.
+
+## Support access role permissions
+
+To manage Microsoft Support access requests, you must be assigned to a role that has full permission to manage Microsoft Entra support tickets for the tenant. This role permission is included in Azure Active Directory (Azure AD) built-in roles with the action `microsoft.azure.supportTickets/allEntities/allTasks`. You can see which Azure AD roles have this permission in the [Azure AD built-in roles](../roles/permissions-reference.md) article.
+
+Azure Active Directory is being renamed to Microsoft Entra ID. For more information see [New name for Azure Active Directory](../fundamentals/new-name.md).
+
+## Next steps
+
+- [Approve Microsoft Support access requests](how-to-approve-support-access-requests.md)
+- [Manage Microsoft Support access requests](how-to-manage-support-access-requests.md)
+- [View Microsoft Support access request logs](how-to-view-support-access-request-logs.md)
+- [Learn how Microsoft uses data for Azure support](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/)

articles/active-directory/fundamentals/how-to-approve-support-access-requests.md

@@ -0,0 +1,80 @@
+---
+title: Approve Microsoft Support access requests (preview)
+description: How to approve Microsoft Support access requests to Azure Active Directory identity data
+services: active-directory
+author: shlipsey3
+manager: amycolannino
+ms.author: sarahlipsey
+ms.reviewer: jeffsta
+ms.service: active-directory
+ms.topic: troubleshooting
+ms.subservice: fundamentals
+ms.workload: identity
+ms.date: 08/10/2023
+ms.collection: M365-identity-device-management
+
+---
+# Approving Microsoft Support access requests (preview)
+
+In many situations, enabling the collection of **Advanced diagnostic information** during the creation of a support access request is sufficient for Microsoft Support to troubleshoot your issue. In some situations though, a separate approval may be needed to allow Microsoft Support to access your identity diagnostic data.
+
+Microsoft Support access requests (preview) enable you to [give Microsoft Support engineers access to diagnostic data](concept-support-access-requests.md) in your identity service to help solve support requests you submitted to Microsoft. You can use the Microsoft Entra admin center and the Azure Active Directory (Azure AD) portal to manage Microsoft Support access requests (preview).
+
+This article describes how the process works and how to approve Microsoft Support access requests.
+
+## Prerequisites
+
+Only authorized users in your tenant can view and manage Microsoft Support access requests. To view, approve, and reject Microsoft Support access requests, a role must have the permission `microsoft.azure.supportTickets/allEntities/allTasks`. To see which Azure AD roles have this permission, search the [Azure AD built-in roles](../roles/permissions-reference.md) for the required permission.
+
+## Scenarios and workflow
+
+A support access request may be needed when a support request is submitted to Microsoft Support from a tenant that is different from the tenant where the issue is occurring. This scenario is known as a *cross-tenant* scenario. The *resource tenant* is the tenant where the issue is occurring and the tenant where the support request was created is known as the *support request tenant*.
+
+Let's take a closer look at the workflow for this scenario:
+
+- A support request is submitted from a tenant that is different from the tenant where the issue is occurring. 
+- A Microsoft Support engineer creates a support access request to access identity diagnostic data for the *resource tenant*.
+- An administrator of *both* tenants approves the Microsoft Support access request.
+- With approval, the support engineer has access to the data only in the approved *resource tenant*. 
+- When the support engineer closes the support request, access to your identity data is automatically revoked.
+
+This cross-tenant scenario is the primary scenario where a support access request is necessary. In these scenarios, Microsoft approved access is visible only in the resource tenant. To preserve cross-tenant privacy, an administrator of the *support request tenant* is unable to see whether an administrator of the *resource tenant* has manually removed this approval. 
+
+## View pending requests
+
+When you have a pending support access request, you can view and approve that request from a couple places.
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) and navigate to **Diagnose and solve problems**.
+
+1. Select the link from the banner message at the top of the page...
+
+    ![Screenshot of the Diagnose and solve problems page with the banner notification highlighted.](media/how-to-approve-support-access-requests/diagnose-solve-problems-banner.png)
+
+    ... or scroll to the bottom of the page and select **Manage pending requests** from the **Microsoft Support Access Requests** section.
+
+    :::image type="content" source="media/how-to-approve-support-access-requests/diagnose-solve-problems-access-requests.png" alt-text="Screenshot of the Diagnose and solve problems page with the Manage pending requests link highlighted." lightbox="media/how-to-approve-support-access-requests/diagnose-solve-problems-access-requests-expanded.png":::
+
+1. Select either the **Support request ID** link or **Review for approval** link for the request you need to approve.
+
+    ![Screenshot of the pending request with links to view details highlighted.](media/how-to-approve-support-access-requests/pending-request-view-details-links.png)
+
+## Approve or reject a support request
+
+When viewing the details of a pending support access request, you can approve or reject the request.
+
+- To approve the support access request, select the **Approve** button.
+    - Microsoft Support now has *read-only* access to your identity diagnostic data until your support request is completed.
+- To reject the support access request, select the **Reject** button.
+    - Microsoft Support does *not* have access to your identity diagnostic data.
+    - A message appears, indicating this choice may result in slower resolution of your support request.
+    - Your support engineer may ask you for data needed to diagnose the issue, and you must collect and provide that information to your support engineer. 
+
+![Screenshot of the Support Access requests details page with the Reject and Approve buttons highlighted](media/how-to-approve-support-access-requests/pending-request-details.png)
+
+
+## Next steps
+
+- [How to create a support request](how-to-get-support.md)
+- [Manage Microsoft Support access requests](how-to-manage-support-access-requests.md)
+- [View Microsoft Support access request logs](how-to-view-support-access-request-logs.md)
+- [Learn how Microsoft uses data for Azure support](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/)

articles/active-directory/fundamentals/how-to-manage-support-access-requests.md

@@ -0,0 +1,51 @@
+---
+title: Manage Microsoft Support access requests (preview)
+description: How to view and control support access requests to Azure Active Directory identity data
+services: active-directory
+author: shlipsey3
+manager: amycolannino
+ms.author: sarahlipsey
+ms.reviewer: jeffsta
+ms.service: active-directory
+ms.topic: troubleshooting
+ms.subservice: fundamentals
+ms.workload: identity
+ms.date: 08/10/2023
+ms.collection: M365-identity-device-management
+
+---
+# Manage Microsoft Support access requests (preview)
+
+You can use the Microsoft Entra admin center and the Azure Active Directory (Azure AD) portal to manage Microsoft Support access requests (preview). Microsoft Support access requests enable you to [give Microsoft Support engineers access to identity diagnostic data](concept-support-access-requests.md) in your identity service to help solve support requests you submitted to Microsoft.
+
+## Prerequisites
+
+Only certain Azure AD roles are authorized to manage Microsoft Support access requests. To manage Microsoft Support access requests, a role must have the permission `microsoft.azure.supportTickets/allEntities/allTasks`. To see which Azure AD roles have this permission, search the [Azure AD built-in roles](../roles/permissions-reference.md) for the required permission.
+
+## View support access requests
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) and navigate to **Diagnose and solve problems**.
+
+1. Scroll to the bottom of the page and select **Approved access** from the **Microsoft Support Access Requests** section.
+
+    :::image type="content" source="media/how-to-manage-support-access-requests/diagnose-solve-problems-access-requests.png" alt-text="Screenshot of the Diagnose and solve problems page with the Manage pending requests link highlighted." lightbox="media/how-to-manage-support-access-requests/diagnose-solve-problems-access-requests-expanded.png":::
+
+1. Select the **Support request ID** link for the request you need to approve.
+
+    ![Screenshot of the pending request with links to view details highlighted.](media/how-to-manage-support-access-requests/approved-access.png)
+
+## Revoke access to an approved support access request
+
+Closing a support request automatically revokes the support engineer's access to your identity diagnostic data. You can manually revoke Microsoft Support's access to identity diagnostic data for the support request *before* your support request is closed. 
+
+Select the **Remove access** button to revoke access to an approved support access request. 
+
+![Screenshot of the Support access requests history with the Revoke button highlighted](media/how-to-manage-support-access-requests/remove-approved-access.png)
+
+When your support request is closed, the status of an approved Microsoft Support access request is automatically set to **Completed.** Microsoft Support access requests remain in the **Approved access** list for 30 days.
+
+## Next steps
+
+- [Approve Microsoft Support access requests](how-to-approve-support-access-requests.md)
+- [View Microsoft Support access request logs](how-to-view-support-access-request-logs.md)
+- [Learn how Microsoft uses data for Azure support](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/)

articles/active-directory/fundamentals/how-to-view-support-access-request-logs.md

@@ -0,0 +1,67 @@
+---
+title: View activity logs for Microsoft Support access requests (preview)
+description: How to view activity logs for Microsoft Support access requests.
+services: active-directory
+author: shlipsey3
+manager: amycolannino
+ms.author: sarahlipsey
+ms.reviewer: jeffsta
+ms.service: active-directory
+ms.topic: troubleshooting
+ms.subservice: fundamentals
+ms.workload: identity
+ms.date: 08/10/2023
+ms.collection: M365-identity-device-management
+
+---
+# View activity logs for Microsoft Support access requests (preview)
+
+All activities related to Microsoft Support access requests are included in the Microsoft Entra ID audit logs. Activities can include requests from users in your tenant or an automated service. This article describes how to view the different types of activity logs.
+
+## Prerequisites
+
+To access the audit logs for a tenant, you must have one of the following roles: 
+
+- Reports Reader
+- Security Reader
+- Security Administrator
+- Global Administrator
+
+## How to access the logs
+
+You can access a filtered view of audit logs for your tenant from the Microsoft Support access requests area. Select **Audit logs** from the side menu to view the audit logs with the category pre-selected.
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) and navigate to **Diagnose and solve problems**.
+
+1. Scroll to the bottom of the page and select **Manage pending requests** from the **Microsoft Support Access Requests** section.
+
+1. Select **Audit logs** from the side menu.
+
+You can also access these logs from the Microsoft Entra ID Audit logs. Select **Core Directory** as the service and `MicrosoftSupportAccessManagement` as the category.
+
+## Types of requests
+
+There are some details associated with support access request audit logs that are helpful to understand. Knowing the difference between the types of request may help when exploring the logs.
+
+Activity logs for Microsoft Support access requests fall into two categories: user-initiated activities, and automated activities.
+
+### User-initiated activities
+
+There are three user-initiated activities that you can see in your Azure AD audit logs. These are actions requested by administrators of your tenant.
+
+- Approval of a Microsoft Support access request
+- Rejection of a Microsoft Support access request
+- Manual removal of Microsoft Support access before your support request is closed
+
+### Automated requests
+
+There are three activities that can be associated with an automated or system-initiated Microsoft Support access request:
+
+- Creation of a Microsoft Support access *request* in the support request tenant
+- Creation of a Microsoft Support access *approval* in the resource tenant. This is done automatically after a Microsoft Support access request is approved by a user who is an administrator of both the support request tenant, and the resource tenant
+- Removal of Microsoft Support access upon closure of your support request
+
+## Next steps
+
+- [Manage Microsoft Support access requests](how-to-manage-support-access-requests.md)
+- [Learn about audit logs](../../active-directory/reports-monitoring/concept-audit-logs.md)