Merge pull request #215968 from MicrosoftDocs/main

Publish to Live, Wednesday 4AM PST, 10/26

Author: PMEds28

.openpublishing.redirection.json

@@ -11118,6 +11118,11 @@
             "redirect_url": "/azure/databox-online/azure-stack-edge-mini-r-overview",
             "redirect_document_id": false
         },
+        {
+		    "source_path_from_root": "/articles/databox-online/azure-stack-edge-gpu-deploy-arc-data-controller.md",
+		    "redirect_url": "/azure/azure-arc/data/create-data-controller-direct-azure-portal",
+		    "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/databox-online/data-box-edge-manage-access-power-connectivity-mode.md",
             "redirect_url": "/azure/databox-online/azure-stack-edge-manage-access-power-connectivity-mode",
@@ -29259,7 +29264,5 @@
             "redirect_url": "/azure/application-gateway/configuration-frontend-ip",
             "redirect_document_id": false
         }
-
     ]
 }
-

articles/active-directory/governance/create-access-review.md

@@ -139,7 +139,7 @@ If you are reviewing access to an application, then before creating the review,
 
 1. In the **Enable review decision helpers** section choose whether you want your reviewer to receive recommendations during the review process:
     1. If you select **No sign-in within 30 days**, users who have signed in during the previous 30-day period are recommended for approval. Users who haven't signed in during the past 30 days are recommended for denial. This 30-day interval is irrespective of whether the sign-ins were interactive or not. The last sign-in date for the specified user will also display along with the recommendation.
-    1. If you select User-to-Group Affiliation, reviewers will get the recommendation to Approve or Deny access for the users based on user’s average distance in the organization’s reporting-structure. Users who are very distant from all the other users within the group are considered to have "low affiliation" and will get a deny recommendation in the group access reviews.
+    1. If you select **(Preview) User-to-Group Affiliation**, reviewers will get the recommendation to Approve or Deny access for the users based on user’s average distance in the organization’s reporting-structure. Users who are very distant from all the other users within the group are considered to have "low affiliation" and will get a deny recommendation in the group access reviews.
 
    > [!NOTE]
    > If you create an access review based on applications, your recommendations are based on the 30-day interval period depending on when the user last signed in to the application rather than the tenant. 

articles/active-directory/governance/media/review-recommendations-group-access-reviews/org-chart-example.png

@@ -10,7 +10,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.topic: how-to
 ms.subservice: compliance
-ms.date: 8/5/2022
+ms.date: 10/25/2022
 ms.author: amsliu
 ms.reviewer: mwahl
 ms.collection: M365-identity-device-management
@@ -29,7 +29,26 @@ For more information, see [License requirements](access-reviews-overview.md#lice
 ## Inactive user recommendations
 A user is considered 'inactive' if they have not signed into the tenant within the last 30 days. This behavior is adjusted for reviews of application assignments, which checks each user's last activity in the app as opposed to the entire tenant. When inactive user recommendations are enabled for an access review, the last sign-in date for each user will be evaluated once the review starts, and any user that has not signed-in within 30 days will be given a recommended action of Deny. Additionally, when these decision helpers are enabled, reviewers will be able to see the last sign-in date for all users being reviewed. This sign-in date (as well as the resulting recommendation) is determined when the review begins and will not get updated while the review is in-progress.
 
+## User-to-Group Affiliation (preview)
+Making the review experience easier and more accurate empowers IT admins and reviewers to make more informed decisions. This Machine Learning based recommendation opens the journey to automate access reviews, thereby enabling intelligent automation and reducing access rights attestation fatigue.
+
+User-to-Group Affiliation in an organization’s chart is defined as two or more users who share similar characteristics in an organization's reporting structure.
+
+This recommendation detects user affiliation with other users within the group, based on organization's reporting-structure similarity. The recommendation relies on a scoring mechanism which is calculated by computing the user’s average distance with the remaining users in the group. Users who are very distant from all the other group members based on their organization's chart, are considered to have "low affiliation" within the group.
+
+If this decision helper is enabled by the creator of the access review, reviewers can receive User-to-Group Affiliation recommendations for group access reviews.
+
+> [!NOTE]
+> This feature is only available for users in your directory. A user should have a manager attribute and should be a part of an organizational hierarchy for the User-to-group Affiliation to work.
+
+The following image has an example of an organization's reporting structure in a cosmetics company: 
+
+![Screenshot that shows a fictitious hierarchial organization chart for a cosmetics company.](./media/review-recommendations-group-access-reviews/org-chart-example.png)
+
+Based on the reporting structure in the example image, users who are statistically significant amount of distance away from other users within the group, would get a "Deny" recommendation by the system if  the User-to-Group Affiliation recommendation was selected by the reviewer for group access reviews. 
+
+For example, Phil who works within the Personal care division is in a group with Debby, Irwin, and Emily who all work within the Cosmetics division. The group is called *Fresh Skin*. If an Access Review for the group Fresh Skin is performed, based on the reporting structure and distance away from the other group members, Phil would be considered to have low affiliation. The system will create a **Deny** recommendation in the group access review.
+
 ## Next Steps
 - [Create an access review](create-access-review.md)
-- [Review access to groups or applications](perform-access-review.md)
-
+- [Review access to groups or applications](perform-access-review.md)

articles/active-directory/governance/review-recommendations-access-reviews.md

@@ -118,6 +118,8 @@
       href: custom-consent-permissions.md
     - name: Device management permissions
       href: custom-device-permissions.md
+    - name: User management permissions
+      href: custom-user-permissions.md
     - name: Group management permissions
       href: custom-group-permissions.md
   - name: Azure AD service limits

articles/active-directory/roles/TOC.yml

@@ -0,0 +1,193 @@
+---
+title: User management permissions for Azure AD custom roles (preview) - Azure Active Directory
+description: User management permissions for Azure AD custom roles in the Azure portal, PowerShell, or Microsoft Graph API.
+services: active-directory
+author: rolyon
+manager: amycolannino
+ms.service: active-directory
+ms.workload: identity
+ms.subservice: roles
+ms.topic: reference
+ms.date: 10/26/2022
+ms.author: rolyon
+ms.reviewer: 
+ms.custom: it-pro
+---
+
+# User management permissions for Azure AD custom roles (preview)
+
+> [!IMPORTANT]
+> User management permissions for Azure AD custom roles is currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+User management permissions can be used in custom role definitions in Azure Active Directory (Azure AD) to grant fine-grained access such as the following:
+
+- Read or update basic properties of users
+- Read or update identity of users
+- Read or update job information of users
+- Update contact information of users
+- Update parental controls of users
+- Update settings of users
+- Read direct reports of users
+- Update extension properties of users
+- Read device information of users
+- Read or manage licenses of users
+- Update password policies of users
+- Read assignments and memberships of users
+
+This article lists the permissions you can use in your custom roles for different user management scenarios. For information about how to create custom roles, see [Create and assign a custom role](custom-create.md).
+
+## License requirements
+
+[!INCLUDE [License requirement for using custom roles in Azure AD](../../../includes/active-directory-p1-license.md)]
+
+## Read or update basic properties of users
+
+The following permissions are available to read or update basic properties of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/standard/read | Read basic properties on users. |
+> | microsoft.directory/users/basic/update | Update basic properties on users. |
+
+## Read or update identity of users
+
+The following permissions are available to read or update identity of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/identities/read | Read identities of users. |
+> | microsoft.directory/users/identities/update | Update the identity properties of users, such as name and user principal name. |
+
+## Read or update job information of users
+
+The following permissions are available to read or update job information of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/manager/read | Read manager of users. |
+> | microsoft.directory/users/manager/update | Update manager for users. |
+> | microsoft.directory/users/jobInfo/update | Update the job info properties of users, such as job title, department, and company name. |
+
+## Update contact information of users
+
+The following permissions are available to update contact information of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/contactInfo/update | Update the contact info properties of users, such as address, phone, and email. |
+
+## Update parental controls of users
+
+The following permissions are available to update parental controls of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/parentalControls/update | Update parental controls of users. |
+
+## Update settings of users
+
+The following permissions are available to update settings of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/usageLocation/update | Update usage location of users. |
+
+## Read direct reports of users
+
+The following permissions are available to read direct reports of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/directReports/read | Read the direct reports for users. |
+
+## Update extension properties of users
+
+The following permissions are available to update extension properties of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/extensionProperties/update | Update extension properties of users. |
+
+## Read device information of users
+
+The following permissions are available to read device information of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/ownedDevices/read | Read owned devices of users |
+> | microsoft.directory/users/registeredDevices/read | Read registered devices of users |
+> | microsoft.directory/users/deviceForResourceAccount/read | Read deviceForResourceAccount of users. |
+
+## Read or manage licenses of users
+
+The following permissions are available to read or manage licenses of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/licenseDetails/read | Read license details of users. |
+> | microsoft.directory/users/assignLicense | Manage user licenses. |
+> | microsoft.directory/users/reprocessLicenseAssignment | Reprocess license assignments for users. |
+
+## Update password policies of users
+
+The following permissions are available to update password policies of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/passwordPolicies/update | Update password policies properties of users. |
+
+## Read assignments and memberships of users
+
+The following permissions are available to read assignments and memberships of users.
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/appRoleAssignments/read | Read application role assignments for users |
+> | microsoft.directory/users/scopedRoleMemberOf/read | Read user's membership of an Azure AD role, that is scoped to an administrative unit |
+> | microsoft.directory/users/memberOf/read | Read the group memberships of users |
+
+## Full list of permissions
+
+> [!div class="mx-tableFixed"]
+> | Permission | Description |
+> | ---------- | ----------- |
+> | microsoft.directory/users/appRoleAssignments/read | Read application role assignments for users. |
+> | microsoft.directory/users/assignLicense | Manage user licenses. |
+> | microsoft.directory/users/basic/update | Update basic properties on users. |
+> | microsoft.directory/users/contactInfo/update | Update the contact info properties of users, such as address, phone, and email. |
+> | microsoft.directory/users/deviceForResourceAccount/read | Read deviceForResourceAccount of users. |
+> | microsoft.directory/users/directReports/read | Read the direct reports for users. |
+> | microsoft.directory/users/extensionProperties/update | Update extension properties of users. |
+> | microsoft.directory/users/identities/read | Read identities of users. |
+> | microsoft.directory/users/identities/update | Update the identity properties of users, such as name and user principal name. |
+> | microsoft.directory/users/jobInfo/update | Update the job info properties of users, such as job title, department, and company name. |
+> | microsoft.directory/users/licenseDetails/read | Read license details of users. |
+> | microsoft.directory/users/manager/read | Read manager of users. |
+> | microsoft.directory/users/manager/update | Update manager for users. |
+> | microsoft.directory/users/memberOf/read | Read the group memberships of users. |
+> | microsoft.directory/users/ownedDevices/read | Read owned devices of users. |
+> | microsoft.directory/users/parentalControls/update | Update parental controls of users. |
+> | microsoft.directory/users/passwordPolicies/update | Update password policies properties of users. |
+> | microsoft.directory/users/registeredDevices/read | Read registered devices of users. |
+> | microsoft.directory/users/reprocessLicenseAssignment | Reprocess license assignments for users. |
+> | microsoft.directory/users/scopedRoleMemberOf/read | Read user's membership of an Azure AD role, that is scoped to an administrative unit. |
+> | microsoft.directory/users/standard/read | Read basic properties on users. |
+> | microsoft.directory/users/usageLocation/update | Update usage location of users. |
+
+## Next steps
+
+- [Create and assign a custom role in Azure Active Directory](custom-create.md)
+- [List Azure AD role assignments](view-assignments.md)

articles/active-directory/roles/custom-user-permissions.md

@@ -3154,6 +3154,8 @@
         href: tribeloo-provisioning-tutorial.md
       - name: Twingate
         href: twingate-provisioning-tutorial.md
+      - name: Uber
+        href: uber-provisioning-tutorial.md
       - name: UNIFI
         href: unifi-provisioning-tutorial.md
       - name: Velpic