Merge pull request #231868 from MicrosoftDocs/main

3/23 AM Publish

Author: huypub

.openpublishing.publish.config.json

@@ -996,7 +996,7 @@
   "articles/iot-develop/.openpublishing.redirection.iot-develop.json",
   "articles/iot-dps/.openpublishing.redirection.iot-dps.json",
   "articles/iot-edge/.openpublishing.redirection.iot-edge.json",
-  "articles/iot-fundamentals/.openpublishing.redirection.iot-fundamentals.json",
+  "articles/iot/.openpublishing.redirection.iot.json",
   "articles/iot-hub/.openpublishing.redirection.iot-hub.json",
   "articles/load-testing/.openpublishing.redirection.azure-load-testing.json",
   "articles/logic-apps/.openpublishing.redirection.logic-apps.json",

.openpublishing.redirection.json

@@ -12510,12 +12510,12 @@
         },
         {
             "source_path_from_root": "/articles/security/fundamentals/iot-overview.md",
-            "redirect_url": "/azure/iot-fundamentals/iot-security-architecture",
+            "redirect_url": "/azure/iot/iot-security-architecture",
             "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/security/fundamentals/iot-best-practices.md",
-            "redirect_url": "/azure/iot-fundamentals/iot-security-best-practices",
+            "redirect_url": "/azure/iot/iot-security-best-practices",
             "redirect_document_id": false
         },
         {

articles/active-directory/app-provisioning/provision-on-demand.md

@@ -173,6 +173,7 @@ There are currently a few known limitations to on-demand provisioning. Post your
 * Restoring a previously soft-deleted user in the target tenant with on-demand provisioning isn't supported. If you try to soft delete a user with on-demand provisioning and then restore the user, it can result in duplicate users.
 * On-demand provisioning of roles isn't supported.
 * On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users won't appear when you search for a user.
+* On-demand provisioning does not support nested groups that are not directly assigned to the application.
 
 ## Next steps
 

articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md

@@ -6,12 +6,12 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 01/29/2023
+ms.date: 03/23/2023
 
 ms.author: justinha
 author: justinha
 manager: amycolannino
-ms.reviewer: jsimmons
+ms.reviewer: mimanans
 
 ms.collection: M365-identity-device-management
 ---
@@ -95,6 +95,7 @@ The following core requirements apply:
 
 > [!NOTE]
 > Some endpoints, such as the CRL endpoint, are not addressed in this article. For a list of all supported endpoints, see [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online).
+>In addition, other endpoints are required for Azure portal authentication. For more information, see [Azure portal URLs for proxy bypass](/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud#azure-portal-urls-for-proxy-bypass).
 
 ### Azure AD Password Protection DC agent
 
@@ -248,6 +249,8 @@ To install the Azure AD Password Protection proxy service, complete the followin
 
     Registration of the Azure AD Password Protection proxy service is necessary only once in the lifetime of the service. After that, the Azure AD Password Protection proxy service will automatically perform any other necessary maintenance.
 
+1. To make sure that the changes have taken effect, run `Test-AzureADPasswordProtectionDCAgentHealth -TestAll`. For help resolving errors, see [Troubleshoot: On-premises Azure AD Password Protection](howto-password-ban-bad-on-premises-troubleshoot.md).
+
 1. Now register the on-premises Active Directory forest with the necessary credentials to communicate with Azure by using the `Register-AzureADPasswordProtectionForest` PowerShell cmdlet.
 
     > [!NOTE]
@@ -301,6 +304,8 @@ To install the Azure AD Password Protection proxy service, complete the followin
     
     For `Register-AzureADPasswordProtectionForest` to succeed, at least one DC running Windows Server 2012 or later must be available in the Azure AD Password Protection proxy server's domain. The Azure AD Password Protection DC agent software doesn't have to be installed on any domain controllers prior to this step.
 
+1. To make sure that the changes have taken effect, run `Test-AzureADPasswordProtectionDCAgentHealth -TestAll`. For help resolving errors, see [Troubleshoot: On-premises Azure AD Password Protection](howto-password-ban-bad-on-premises-troubleshoot.md).
+
 ### Configure the proxy service to communicate through an HTTP proxy
 
 If your environment requires the use of a specific HTTP proxy to communicate with Azure, use the following steps to configure the Azure AD Password Protection service.

articles/active-directory/develop/troubleshoot-required-resource-access-limits.md

@@ -14,7 +14,7 @@ ms.reviewer: phsignor, jawoods
 
 # Troubleshooting the configured permissions limits
 
-The `RequiredResourceAccess` collection (RRA) on an application object contains all the configured API permissions that an app requires for its default consent request. This collection has various limits depending on which types of identities the app supports, For more information on the limits for supported account types, see [Validation differences by supported account types](supported-accounts-validation.md).
+The `RequiredResourceAccess` collection (RRA) on an application object contains all the configured API permissions that an app requires for its default consent request. This collection has various limits depending on which types of identities the app supports. For more information on the limits for supported account types, see [Validation differences by supported account types](supported-accounts-validation.md).
 
 The limits on maximum permissions were updated in May 2022, so some apps may have more permissions in their RRA than are now allowed. In addition, apps that change their supported account types after configuring permissions may exceed the limits of the new setting. When apps exceed the configured permissions limit, no new permissions may be added until the number of permissions in the `RequiredResourceAccess` collection is brought back under the limits.
 
@@ -35,7 +35,6 @@ If you still need the application or are unsure, the following steps will help y
 1. **Remove duplicate permissions.** In some cases, the same permission is listed multiple times. Review the required permissions and remove permissions that are listed two or more times. See the related PowerShell script on the [additional resources](#additional-resources) section of this article.
 2. **Remove unused permissions.** Review the permissions required by the application and compare them to what the application or service does. Remove permissions that are configured in the app registration, but which the application or service doesn’t require. For more information on how to review permissions, see [Review application permissions](../manage-apps/manage-application-permissions.md)
 3. **Remove redundant permissions.** In many APIs, including Microsoft Graph, some permissions aren't necessary when other more privileged permissions are included. For example, the Microsoft Graph permission User.Read.All (read all users) isn't needed when an application also has User.ReadWrite.All (read, create and update all users). To learn more about Microsoft Graph permissions, see [Microsoft Graph permissions reference](/graph/permissions-reference). 
-4. **Use multiple app registrations.** If a single app or service requires more than 400 permissions in the required permissions list, the app will need to be configured to use two (or more) different app registrations, each one with 400 or fewer permissions configured on the app registration. 
 
 ## Frequently asked questions (FAQ)
 
@@ -147,4 +146,4 @@ process {
 
 - Learn about API permissions and the Microsoft identity platform: [Overview of permissions and consent in the Microsoft identity platform](permissions-consent-overview.md)
 - Understand the permissions available for Microsoft Graph: [Microsoft Graph permissions reference](/graph/permissions-reference)
-- Review the limitations to application configurations: [Validation differences by supported account types](supported-accounts-validation.md)
+- Review the limitations to application configurations: [Validation differences by supported account types](supported-accounts-validation.md)

articles/active-directory/manage-apps/manage-application-permissions.md

@@ -58,7 +58,7 @@ Each option generates PowerShell scripts that enable you to control user access
 Use the following Azure AD PowerShell script to revoke all permissions granted to an application.
 
 ```powershell
-Connect-AzureAD -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All" "AppRoleAssignment.ReadWrite.All", 
+Connect-AzureAD 
 
 # Get Service Principal using objectId
 $sp = Get-AzureADServicePrincipal -ObjectId "<ServicePrincipal objectID>"
@@ -85,7 +85,7 @@ $spApplicationPermissions | ForEach-Object {
 Remove appRoleAssignments for users or groups to the application using the following scripts.
 
 ```powershell
-Connect-AzureAD -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
+Connect-AzureAD
 
 # Get Service Principal using objectId
 $sp = Get-AzureADServicePrincipal -ObjectId "<ServicePrincipal objectID>"

articles/active-directory/verifiable-credentials/admin-api.md

@@ -24,11 +24,29 @@ The Microsoft Entra Verified ID Admin API enables you to manage all aspects of t
 
 ## Base URL
 
-The Admin API is server over HTTPS. All URLs referenced in the documentation have the following base: `https://verifiedid.did.msidentity.com`. 
+The Admin API is server over HTTPS. All URLs referenced in the documentation have the following base: `https://verifiedid.did.msidentity.com`.
 
 ## Authentication
 
-The API is protected through Azure Active Directory and uses OAuth2 bearer tokens. The app registration needs to have the API Permission for `Verifiable Credentials Service Admin` and then when acquiring the access token the app should use scope `6a8b4b39-c021-437c-b060-5a14a3fd65f3/full_access`. The access token must be for a user with the [global administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or the [authentication policy administrator](../../active-directory/roles/permissions-reference.md#authentication-policy-administrator) role.
+The API is protected through Azure Active Directory and uses OAuth2 bearer tokens. The access token can be for a user or for an application.
+
+### User bearer tokens
+
+The app registration needs to have the API Permission for `Verifiable Credentials Service Admin` and then when acquiring the access token the app should use scope `6a8b4b39-c021-437c-b060-5a14a3fd65f3/full_access`. The access token must be for a user with the [global administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or the [authentication policy administrator](../../active-directory/roles/permissions-reference.md#authentication-policy-administrator) role. A user with role [global reader](../../active-directory/roles/permissions-reference.md#global-reader) can perform read-only API calls.
+
+### Application bearer tokens
+
+The `Verifiable Credentials Service Admin` service supports the following application permissions.
+
+| Permission | Description |
+| ---------- | ----------- |
+| VerifiableCredential.Authority.ReadWrite | Permission to read/write authority object(s) |
+| VerifiableCredential.Contract.ReadWrite | Permission to read/write contract object(s) |
+| VerifiableCredential.Credential.Search | Permission to search for a credential to revoke |
+| VerifiableCredential.Credential.Revoke | Permission to [revoke a previously issued credential](how-to-issuer-revoke.md) |
+| VerifiableCredential.Network.Read | Permission to read entries from the [Verified ID Network](vc-network-api.md) |
+
+The app registration needs to have the API Permission for `Verifiable Credentials Service Admin` and permissions required from the above table. When acquiring the access token, via the [client credentials flow](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md), the app should use scope `6a8b4b39-c021-437c-b060-5a14a3fd65f3/.default`.
 
 ## Onboarding
 
@@ -66,7 +84,7 @@ Content-type: application/json
 }
 ```
 
-Repeatedly calling this API will result in the exact same return message.
+Repeatedly calling this API results in the exact same return message.
 
 ## Authorities
 
@@ -171,7 +189,7 @@ We support two different didModels. One is `ion` and the other supported method
 | `recoveryKeys` | string array | URL to the recovery key  |
 | `encryptionKeys` | string array | URL to the encryption key |
 | `linkedDomainUrls` | string array | Domains linked to this DID |
-| `didDocumentStatus` | string | status of the DID, `published` when it's written to ION otherwise it will be `submitted`|
+| `didDocumentStatus` | string | status of the DID, `published` when it's written to ION otherwise it is `submitted`|
 
 #### Web
 
@@ -287,7 +305,7 @@ Content-type: application/json
 
 ### Create authority
 
-This call creates a new **private key**, recovery key and update key, stores these in the specified Azure Key Vault and sets the permissions to this Key Vault for the verifiable credential service and a create new **DID** with corresponding DID Document and commits that to the ION network.
+This call creates a new **private key**, recovery key and update key, stores these keys in the specified Azure Key Vault and sets the permissions to this Key Vault for the verifiable credential service and a create new **DID** with corresponding DID Document and commits that to the ION network.
 
 #### HTTP request
 
@@ -478,7 +496,7 @@ Content-type: application/json
 Accepted
 ```
 
-The didDocumentStatus will switch to `submitted` it will take a while before the change is committed to the ION network.
+The didDocumentStatus switches to `submitted` it will take a while before the change is committed to the ION network.
 
 If you try to submit a change before the operation is completed, you'll get the following error message:
 
@@ -585,7 +603,7 @@ Content-type: application/json
 }
 ```
 
-Save this result with the file name did-configuration.json and upload this file to the correct folder and website. If you specify a domain not linked to this DID/DID Document, you'll receive an error:
+Save this result with the file name did-configuration.json and upload this file to the correct folder and website. If you specify a domain not linked to this DID/DID Document, you receive an error:
 
 ```
 HTTP/1.1 400 Bad Request
@@ -834,7 +852,7 @@ The response contains the following properties
 |`vc`| vcType array | types for this contract |
 |`customStatusEndpoint`| [customStatusEndpoint] (#customstatusendpoint-type) (optional) | status endpoint to include in the verifiable credential for this contract |
 
-If the property `customStatusEndpoint` property isn't specified then the `anonymous` status endpoint is used.
+If the property `customStatusEndpoint` property isn't specified, then the `anonymous` status endpoint is used.
 
 #### attestations type
 
@@ -1081,7 +1099,7 @@ example message:
 ### Create contract
 
 When creating a contract the name has to be unique in the tenant. In case you have created multiple authorities, the contract name has to be unique across all authorities.
-The name of the contract will be part of the contract URL which is used in the issuance requests.
+The name of the contract will be part of the contract URL, which is used in the issuance requests.
 
 #### HTTP request