Commit 4692edb

Merge branch 'main' of http://github.com/MicrosoftDocs/azure-docs-pr into aca/dedicated
2 parents 95b3b43 + 321a331 commit 4692edb

218 files changed

+2485
-1306
lines changed


.openpublishing.publish.config.json

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -984,8 +984,6 @@
984984
".openpublishing.redirection.baremetal-infrastructure.json",
985985
".openpublishing.redirection.defender-for-cloud.json",
986986
".openpublishing.redirection.defender-for-iot.json",
987-
".openpublishing.redirection.deployment-environments.json",
988-
".openpublishing.redirection.dev-box.json",
989987
".openpublishing.redirection.healthcare-apis.json",
990988
".openpublishing.redirection.iot-hub-device-update.json",
991989
".openpublishing.redirection.json",
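Review bot: Only `.openpublishing.redirection.dev-box.json` shows as deleted in the visible part of this commit, yet old lines 987-988 drop both root-level entries. Confirm that the root `.openpublishing.redirection.deployment-environments.json` is also removed or moved in this change, so the build does not keep an unreferenced redirection file next to the copy listed under `articles/deployment-environments/`.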
@@ -1042,6 +1040,8 @@
10421040
"articles/stream-analytics/.openpublishing.redirection.stream-analytics.json",
10431041
"articles/synapse-analytics/.openpublishing.redirection.synapse-analytics.json",
10441042
"articles/virtual-machine-scale-sets/.openpublishing.redirection.virtual-machine-scale-sets.json",
1045-
"articles/virtual-machines/.openpublishing.redirection.virtual-machines.json"
1043+
"articles/virtual-machines/.openpublishing.redirection.virtual-machines.json",
1044+
"articles/dev-box/.openpublishing.redirection.dev-box.json",
1045+
"articles/deployment-environments/.openpublishing.redirection.deployment-environments.json"
10461046
]
10471047
}
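Review bot: The entries added at lines 1044-1045 sit out of alphabetical order: they follow `articles/virtual-machines/...`, while the neighbouring `articles/` entries run stream-analytics, synapse-analytics, virtual-machine-scale-sets, virtual-machines, and `dev-box` is listed ahead of `deployment-environments`. Consider inserting both at their sorted position so duplicates are easier to spot and later merges touch fewer lines.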

.openpublishing.redirection.dev-box.json

Lines changed: 0 additions & 19 deletions
This file was deleted.

articles/active-directory/authentication/concept-system-preferred-multifactor-authentication.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Learn how to use system-preferred multifactor authentication
44
ms.service: active-directory
55
ms.subservice: authentication
66
ms.topic: conceptual
7-
ms.date: 03/22/2023
7+
ms.date: 03/31/2023
88
ms.author: justinha
99
author: justinha
1010
manager: amycolannino
@@ -86,9 +86,9 @@ Content-Type: application/json
8686
}
8787
```
8888

89-
## Known issues
89+
## Known issue
9090

91-
- [FIDO2 security key isn't supported on mobile devices](../develop/support-fido2-authentication.md#mobile). This issue might surface when system-preferred MFA is enabled. Until a fix is available, we recommend not using FIDO2 security keys on mobile devices.
91+
[FIDO2 security keys](../develop/support-fido2-authentication.md#mobile) on mobile devices and [registration for certificate-based authentication (CBA)](concept-certificate-based-authentication.md) aren't supported due to an issue that might surface when system-preferred MFA is enabled. Until a fix is available, we recommend not using FIDO2 security keys on mobile devices or registering for CBA. To disable system-preferred MFA for these users, you can either add them to an excluded group or remove them from an included group.
9292

9393
## Common questions
9494

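Review bot: In the paragraph added at line 91, "To disable system-preferred MFA for these users" has no antecedent, because the preceding sentences talk about FIDO2 security keys and CBA registration rather than a set of users. Name the population explicitly, for example users who sign in with FIDO2 security keys on mobile devices or who need to register for CBA. The link text "[FIDO2 security keys]" still targets the `#mobile` anchor, so check that the link reads sensibly now that "on mobile devices" sits outside it.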
articles/active-directory/cloud-infrastructure-entitlement-management/TOC.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64,8 +64,10 @@
6464
- name: Manage roles/policies and permission requests
6565
expanded: false
6666
items:
67+
- name: View privileged role assignments in your organization
68+
href: product-privileged-role-insights.md
6769
- name: View roles/policies and requests for permission in the Remediation dashboard
68-
href: ui-remediation.md
70+
href: ui-remediation.md
6971
- name: View information about roles/policies
7072
href: how-to-view-role-policy.md
7173
- name: View information about active and completed tasks
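Review bot: The TOC entry added at line 67 is named "View privileged role assignments in your organization", while the H1 of the new `product-privileged-role-insights.md` article carries "(Preview)". Align the two so the preview status is visible from the navigation. The `href: ui-remediation.md` change at 68-/70+ looks identical in this view; if it is whitespace-only, check that the indentation still matches the sibling `href` lines.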
Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
---
2+
title: View privileged role assignments in Azure AD Insights
3+
description: How to view current privileged role assignments in the Azure AD Insights tab.
4+
services: active-directory
5+
author: jenniferf-skc
6+
manager: amycolannino
7+
ms.service: active-directory
8+
ms.subservice: ciem
9+
ms.workload: identity
10+
ms.topic: how-to
11+
ms.date: 03/31/2023
12+
ms.author: jfields
13+
---
14+
15+
# View privileged role assignments in your organization (Preview)
16+
17+
The **Azure AD Insights** tab shows you who is assigned to privileged roles in your organization. You can review a list of identities assigned to a privileged role and learn more about each identity.
18+
19+
> [!NOTE]
20+
> Microsoft recommends that you keep two break glass accounts permanently assigned to the global administrator role. Make sure that these accounts don't require the same multi-factor authentication mechanism to sign in as other administrative accounts. This is described further in [Manage emergency access accounts in Microsoft Entra](../roles/security-emergency-access.md).
21+
22+
> [!NOTE]
23+
> Keep role assignments permanent if a user has a an additional Microsoft account (for example, an account they use to sign in to Microsoft services like Skype, or Outlook.com). If you require multi-factor authentication to activate a role assignment, a user with an additional Microsoft account will be locked out.
24+
25+
## View information in the Azure AD Insights tab
26+
27+
1. From the Permissions Management home page, select the **Azure AD Insights** tab.
28+
2. Select **Review global administrators** to review the list of Global administrator role assignments.
29+
3. Select **Review highly privileged roles** or **Review service principals** to review information on principal role assignments for the following roles: *Application administrator*, *Cloud Application administrator*, *Exchange administrator*, *Intune administrator*, *Privileged role administrator*, *SharePoint administrator*, *Security administrator*, *User administrator*.
30+
31+
32+
## Next steps
33+
34+
- For information about managing roles, policies and permissions requests in your organization, see [View roles/policies and requests for permission in the Remediation dashboard](ui-remediation.md).
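Review bot: Line 23 has a typo, "a user has a an additional Microsoft account"; drop the extra "a". The same note tells readers to keep role assignments permanent for such users, directly after a note recommending two permanently assigned break glass accounts, so state which roles or users the second note is scoped to; as written it can be read as general advice against requiring multi-factor authentication on role activation. Step 3 at line 29 gives one list of roles for both **Review highly privileged roles** and **Review service principals**; say whether the two views cover the same roles.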

articles/active-directory/conditional-access/troubleshoot-conditional-access.md

Lines changed: 10 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: troubleshooting
9-
ms.date: 08/16/2022
9+
ms.date: 03/31/2023
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -40,17 +40,17 @@ Organizations should avoid the following configurations:
4040

4141
The first way is to review the error message that appears. For problems signing in when using a web browser, the error page itself has detailed information. This information alone may describe what the problem is and that may suggest a solution.
4242

43-
![Sign in error - compliant device required](./media/troubleshoot-conditional-access/image1.png)
43+
![Screenshot showing a sign in error where a compliant device is required.](./media/troubleshoot-conditional-access/image1.png)
4444

4545
In the above error, the message states that the application can only be accessed from devices or client applications that meet the company's mobile device management policy. In this case, the application and device don't meet that policy.
4646

4747
## Azure AD sign-in events
4848

4949
The second method to get detailed information about the sign-in interruption is to review the Azure AD sign-in events to see which Conditional Access policy or policies were applied and why.
5050

51-
More information can be found about the problem by clicking **More Details** in the initial error page. Clicking **More Details** will reveal troubleshooting information that is helpful when searching the Azure AD sign-in events for the specific failure event the user saw or when opening a support incident with Microsoft.
51+
More information can be found about the problem by clicking **More Details** in the initial error page. Clicking **More Details** reveals troubleshooting information that is helpful when searching the Azure AD sign-in events for the specific failure event the user saw or when opening a support incident with Microsoft.
5252

53-
![More details from a Conditional Access interrupted web browser sign-in.](./media/troubleshoot-conditional-access/image2.png)
53+
![Screenshot showing more details from a Conditional Access interrupted web browser sign-in.](./media/troubleshoot-conditional-access/image2.png)
5454

5555
To find out which Conditional Access policy or policies applied and why do the following.
5656

@@ -63,26 +63,24 @@ To find out which Conditional Access policy or policies applied and why do the f
6363
1. **Username** to see information related to specific users.
6464
1. **Date** scoped to the time frame in question.
6565

66-
![Selecting the Conditional access filter in the sign-ins log](./media/troubleshoot-conditional-access/image3.png)
66+
![Screenshot showing selecting the Conditional access filter in the sign-ins log.](./media/troubleshoot-conditional-access/image3.png)
6767

68-
1. Once the sign-in event that corresponds to the user's sign-in failure has been found select the **Conditional Access** tab. The Conditional Access tab will show the specific policy or policies that resulted in the sign-in interruption.
68+
1. Once the sign-in event that corresponds to the user's sign-in failure has been found select the **Conditional Access** tab. The Conditional Access tab shows the specific policy or policies that resulted in the sign-in interruption.
6969
1. Information in the **Troubleshooting and support** tab may provide a clear reason as to why a sign-in failed such as a device that didn't meet compliance requirements.
70-
1. To investigate further, drill down into the configuration of the policies by clicking on the **Policy Name**. Clicking the **Policy Name** will show the policy configuration user interface for the selected policy for review and editing.
70+
1. To investigate further, drill down into the configuration of the policies by clicking on the **Policy Name**. Clicking the **Policy Name** shows the policy configuration user interface for the selected policy for review and editing.
7171
1. The **client user** and **device details** that were used for the Conditional Access policy assessment are also available in the **Basic Info**, **Location**, **Device Info**, **Authentication Details**, and **Additional Details** tabs of the sign-in event.
7272

7373
### Policy not working as intended
7474

7575
Selecting the ellipsis on the right side of the policy in a sign-in event brings up policy details. This option gives administrators additional information about why a policy was successfully applied or not.
7676

77-
![Sign in event Conditional Access tab](./media/troubleshoot-conditional-access/image5.png)
78-
79-
![Policy details (preview)](./media/troubleshoot-conditional-access/policy-details.png)
77+
:::image type="content" source="media/troubleshoot-conditional-access/activity-details-sign-ins.png" alt-text="Screenshot showing Conditional Access Policy details click thru to see why policy applied or not." lightbox="media/troubleshoot-conditional-access/policy-details.png":::
8078

8179
The left side provides details collected at sign-in and the right side provides details of whether those details satisfy the requirements of the applied Conditional Access policies. Conditional Access policies only apply when all conditions are satisfied or not configured.
8280

8381
If the information in the event isn't enough to understand the sign-in results, or adjust the policy to get desired results, the sign-in diagnostic tool can be used. The sign-in diagnostic can be found under **Basic info** > **Troubleshoot Event**. For more information about the sign-in diagnostic, see the article [What is the sign-in diagnostic in Azure AD](../reports-monitoring/overview-sign-in-diagnostics.md). You can also [use the What If tool to troubleshoot Conditional Access policies](what-if-tool.md).
8482

85-
If you need to submit a support incident, provide the request ID and time and date from the sign-in event in the incident submission details. This information will allow Microsoft support to find the specific event you're concerned about.
83+
If you need to submit a support incident, provide the request ID and time and date from the sign-in event in the incident submission details. This information allows Microsoft support to find the specific event you're concerned about.
8684

8785
### Common Conditional Access error codes
8886

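Review bot: The `:::image` line added at line 77 takes its `source` from `activity-details-sign-ins.png` but its `lightbox` from `policy-details.png`; check that the lightbox file is the full-size version of the same screenshot and not the older policy-details image. The line also replaces two screenshots with one, while the unchanged paragraph at line 79 still describes "the left side" and "the right side", so confirm the single image shows both panes. In the alt text, spell out "click thru".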
@@ -98,7 +96,7 @@ More information about error codes can be found in the article [Azure AD Authent
9896

9997
## Service dependencies
10098

101-
In some specific scenarios, users are blocked because there are cloud apps with dependencies on resources that are blocked by Conditional Access policy.
99+
In some specific scenarios, users are blocked because there are cloud apps with dependencies on resources blocked by Conditional Access policy.
102100

103101
To determine the service dependency, check the sign-ins log for the application and resource called by the sign-in. In the following screenshot, the application called is **Azure Portal** but the resource called is **Windows Azure Service Management API**. To target this scenario appropriately all the applications and resources should be similarly combined in Conditional Access policy.
104102

articles/active-directory/enterprise-users/domains-manage.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ ms.service: active-directory
1010
ms.subservice: enterprise-users
1111
ms.workload: identity
1212
ms.topic: how-to
13-
ms.date: 11/11/2022
13+
ms.date: 03/31/2023
1414
ms.author: barclayn
1515
ms.reviewer: sumitp
1616

@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
2020
---
2121
# Managing custom domain names in your Azure Active Directory
2222

23-
A domain name is an important part of the identifier for resources in many Azure Active Directory (Azure AD) deployments. It is part of a user name or email address for a user, part of the address for a group, and is sometimes part of the app ID URI for an application. A resource in Azure AD can include a domain name that's owned by the Azure AD organization (sometimes called a tenant) that contains the resource. Only a Global Administrator can manage domains in Azure AD.
23+
A domain name is an important part of the identifier for resources in many Azure Active Directory (Azure AD) deployments. It's part of a user name or email address for a user, part of the address for a group, and is sometimes part of the app ID URI for an application. A resource in Azure AD can include a domain name that's owned by the Azure AD organization (sometimes called a tenant) that contains the resource. [Global Administrators](../roles/permissions-reference.md#global-administrator) and [Domain name administrators](../roles/permissions-reference.md#domain-name-administrator) can manage domains in Azure AD.
2424

2525
## Set the primary domain name for your Azure AD organization
2626

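Review bot: In the sentence added at line 23, "Domain name administrators" is capitalised differently from "Global Administrators"; use the role name exactly as it appears in the role reference. Verify that the `#domain-name-administrator` anchor in `../roles/permissions-reference.md` resolves, and since the sentence now names two roles where it previously named one, consider stating which of the two is the less privileged choice for domain management.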