articles/active-directory/architecture/auth-ssh.md
1 addition & 1 deletion
@@ -51,4 +51,4 @@ The system includes the following components:
51
51
52
52
## Next steps
53
53
54
-
* To implement SSH with Microsoft Entra ID, see [Log in to a Linux VM by using Microsoft Entra credentials](../devices/howto-vm-sign-in-azure-ad-linux.md).
54
+
* To implement SSH with Microsoft Entra ID for your users or guest users, see [Log in to a Linux VM by using Microsoft Entra credentials](../devices/howto-vm-sign-in-azure-ad-linux.md).
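Review bot: the qualifier added to the bullet, "for your users or guest users", is redundant, since guest users are also users of your tenant; if the intent is to call out B2B guests, "for member users and guest users" (or simply "including guest users") says that more precisely and keeps the bullet to one idea.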
# Plan a Microsoft Entra access reviews deployment
25
25
26
-
[Microsoft Entra access reviews](access-reviews-overview.md) help your organization keep the network more secure by managing its [resource access lifecycle](identity-governance-overview.md). With access reviews, you can:
26
+
[Microsoft Entra access reviews](access-reviews-overview.md) help your organization keep the Enterprise more secure by managing its [resource access lifecycle](identity-governance-overview.md). With access reviews, you can:
27
27
28
-
* Schedule regular reviews or do ad-hoc reviews to see who has access to specific resources, such as applications and groups.
28
+
* Schedule regular reviews or do ad-hoc reviews to discover who has access to specific resources, such as applications and groups.
29
29
* Track reviews for insights, compliance, or policy reasons.
30
30
* Delegate reviews to specific admins, business owners, or users who can self-attest to the need for continued access.
31
31
* Use the insights to efficiently determine if users should continue to have access.
32
32
* Automate review outcomes, such as removing users' access to resources.
33
33
34
34

35
35
36
-
Access reviews are an [Microsoft Entra ID Governance](identity-governance-overview.md) capability. The other capabilities are [entitlement management](entitlement-management-overview.md), [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md), and [terms of use](../conditional-access/terms-of-use.md). Together, they help you address these four questions:
36
+
Access reviews are an [Microsoft Entra ID Governance](identity-governance-overview.md) capability. The other capabilities are [entitlement management](entitlement-management-overview.md), [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md), lifecycle workflows, provisioning and [terms of use](../conditional-access/terms-of-use.md). Together, they help you address these four questions:
37
37
38
38
* Which users should have access to which resources?
39
39
* What are those users doing with that access?
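Review bot: the article mismatch in "an Microsoft Entra ID Governance capability" is carried into the changed line and should read "a Microsoft Entra ID Governance capability". In the same line, the two newly listed capabilities, "lifecycle workflows, provisioning", are the only ones in the list without links, and the list lacks a comma before "and [terms of use]"; link them like their neighbours or say why they are not linked. Earlier in the hunk, "keep the Enterprise more secure" capitalizes a common noun; "enterprise" should be lowercase.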
@@ -66,7 +66,7 @@ The following videos help you learn about access reviews:
>Creating a review on inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license.
69
+
>To create a review of inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license.
70
70
71
71
## Plan the access reviews deployment project
72
72
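Review bot: the reworded note is awkward: "To create a review of inactive users and with [...] recommendations requires" pairs an infinitive subject with a dangling "and with". If one review uses both features, "Creating a review of inactive users that uses [user-to-group affiliation] recommendations requires a Microsoft Entra ID Governance license" reads cleanly; if either feature on its own needs the license, say so explicitly: "Reviews of inactive users, and reviews that use [...] recommendations, require a Microsoft Entra ID Governance license."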
@@ -83,6 +83,12 @@ For access reviews, you'll likely include representatives from the following tea
83
83
* Reviews privileged access to infrastructure and apps, including Microsoft 365 and Microsoft Entra ID.
84
84
* Schedules and runs access reviews on groups that are used to maintain exception lists or IT pilot projects to maintain up-to-date access lists.
85
85
* Ensures that programmatic (scripted) access to resources through service principals is governed and reviewed.
86
+
* Automate processes like user onboarding and offboarding, access requests, and access certifications.
87
+
88
+
***Security teams** ensure the plan meets the security requirements of your organization and enforces Zero Trust. This team:
89
+
* Reduces risk and strengthens security
90
+
* Enforces least privilege access to resources and applications
91
+
* Uses tools to see a centralized authoritative source, of who has access to what, and for how long.
86
92
87
93
***Development teams** build and maintain applications for your organization. This team:
88
94
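Review bot: the new IT bullet "Automate processes like user onboarding and offboarding..." breaks the verb agreement of its list; the neighbouring bullets describe what "This team" does in the third person singular ("Reviews", "Schedules", "Ensures"), so it should be "Automates processes ...". In the added **Security teams** block, the first two bullets lack the terminal period the third one has, and "a centralized authoritative source, of who has access to what" has a stray comma after "source".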
@@ -94,15 +100,19 @@ For access reviews, you'll likely include representatives from the following tea
94
100
95
101
* Reviews and approves or denies access to groups and applications for internal and external users.
96
102
* Schedules and does reviews to attest continued access for employees and external identities such as business partners.
103
+
* Need employees to have access to the apps required for their work.
104
+
* Permits departments to manage access for their users.
97
105
98
106
***Corporate governance** ensures that the organization follows internal policy and complies with regulations. This team:
99
107
100
108
* Requests or schedules new access reviews.
101
109
* Assesses processes and procedures for reviewing access, which includes documentation and record keeping for compliance.
102
110
* Reviews results of past reviews for most critical resources.
111
+
* Validates the right controls are in place to meet mandatory security and privacy policies.
112
+
* Requires repeatable access processes that are easy to audit and report.
103
113
104
114
> [!NOTE]
105
-
> For reviews that require manual evaluations, plan for adequate reviewers and review cycles that meet your policy and compliance needs. If review cycles are too frequent, or there are too few reviewers, quality might be lost and too many or too few people might have access.
115
+
> For reviews that require manual evaluations, plan for adequate reviewers and review cycles that meet your policy and compliance needs. If review cycles are too frequent, or there are too few reviewers, quality might be lost and too many or too few people might have access. We recommend you establish clear responsibilities for the various stakeholders and departments engaged in the access reviews. All teams and individuals participating should understand their respective roles and obligations to uphold the principle of least privilege.
106
116
107
117
### Plan communications
108
118
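Review bot: the added bullet "Need employees to have access to the apps required for their work." should be "Needs employees ..." to agree with the third-person list under "This team", and as written it states a requirement rather than an activity, unlike the bullets around it; "Ensures employees have access to the apps required for their work." fits the list better. In the corporate governance list, "Validates the right controls are in place" reads better as "Validates that the right controls are in place", and "easy to audit and report" should be "easy to audit and report on". The extended NOTE is fine as guidance, though "engaged in the access reviews" could simply be "involved in access reviews".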
@@ -177,6 +187,9 @@ The creator of the access review decides at the time of creation who will do the
177
187
* Users who self-attest to their need for continued access.
178
188
* Managers review their direct reports' access to the resource.
179
189
190
+
>[!NOTE]
191
+
>When you select Resource owners or Managers, administrators designate fallback reviewers, who are contacted if the primary contact isn’t available.
192
+
180
193
When you create an access review, administrators can choose one or more reviewers. All reviewers can start and carry out a review by choosing users for continued access to a resource or removing them.
181
194
182
195
### Components of an access review
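Review bot: the new NOTE names the UI options "Resource owners or Managers" without the bold formatting the article applies to option names elsewhere (for example **Members (self)** and **Guest users only**), and it uses a curly apostrophe in "isn’t" while the rest of the file uses straight ones ("users' access", "direct reports' access"). The note also says administrators designate fallback reviewers without saying where that is done; a pointer to the setting or section would help the reader act on it.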
@@ -238,7 +251,7 @@ External identities can be granted access to company resources. They can be:
238
251
239
252
For more information, see [sample script](https://github.com/microsoft/access-reviews-samples/tree/master/ExternalIdentityUse). The script shows where external identities invited into the tenant are used. You can see an external user's group membership, role assignments, and application assignments in Microsoft Entra ID. The script won't show any assignments outside of Microsoft Entra ID, for example, direct rights assignment to SharePoint resources, without the use of groups.
240
253
241
-
When you create an access review for groups or applications, you can choose to let the reviewer focus on **Everyone with access** or **Guest users only**. By selecting **Guest users only**, reviewers are given a focused list of external identities from Microsoft Entra business to business (B2B) that have access to the resource.
254
+
When you create an access review for groups or applications, you can choose to let the reviewer focus on **All users** or **Guest users only**. By selecting **Guest users only**, reviewers are given a focused list of external identities from Microsoft Entra business to business (B2B) that have access to the resource.
242
255
243
256

244
257
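Review bot: renaming the option from **Everyone with access** to **All users** touches only this sentence; if the portal label has changed, the old label is likely referenced elsewhere in the article (and in any screenshots), so search the file for "Everyone with access" before merging. The companion label **Guest users only** is left unchanged; confirm it still matches the current portal text, since both options are presumably shown on the same screen.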
@@ -347,7 +360,7 @@ Review the following role assignments regularly:
347
360
348
361
Roles that are reviewed include permanent and eligible assignments.
349
362
350
-
In the **Reviewers** section, select one or more people to review all the users. Or you can select **Members (self)** to have the members review their own access.
363
+
In the **Reviewers** section, select one or more people to review all the users. Or you can select **Manager**, to have a manager review their employees’ access, or **Members (self)** to have the members review their own access.
351
364
352
365

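Review bot: the changed sentence has a stray comma after **Manager** ("select **Manager**, to have a manager review ...") and loses the parallel structure of the alternatives; suggest "Or you can select **Manager** to have managers review their direct reports' access, or **Members (self)** to have the members review their own access." The curly apostrophe in "employees’" should be a straight one, matching "direct reports' access" earlier in this article.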
articles/active-directory/governance/entitlement-management-access-package-resources.md
1 addition & 1 deletion
@@ -125,7 +125,7 @@ For more information, see [Compare groups](/office365/admin/create-groups/compar
125
125
126
126
You can have Microsoft Entra ID automatically assign users access to a Microsoft Entra enterprise application, including both SaaS applications and your organization's applications integrated with Microsoft Entra ID, when a user is assigned an access package. For applications that integrate with Microsoft Entra ID through federated single sign-on, Microsoft Entra ID issues federation tokens for users assigned to the application.
127
127
128
-
Applications can have multiple app roles defined in their manifest. When you add an application to an access package, if that application has more than one app role, you need to specify the appropriate role for those users in each access package. If you're developing applications, you can read more about how those roles are added to your applications in [How to: Configure the role claim issued in the SAML token for enterprise applications](../develop/enterprise-app-role-management.md).
128
+
Applications can have multiple app roles defined in their manifest. When you add an application to an access package, if that application has more than one app role, you need to specify the appropriate role for those users in each access package. If you're developing applications, you can read more about how those roles are added to your applications in [How to: Configure the role claim issued in the SAML token for enterprise applications](../develop/enterprise-app-role-management.md). If you're using the Microsoft Authentication Libraries, there is also a [code sample](../develop/sample-v2-code.md) for how to use app roles for access control.
129
129
130
130
> [!NOTE]
131
131
> If an application has multiple roles, and more than one role of that application are in an access package, then the user will receive all those application's roles. If instead you want users to only have some of the application's roles, then you will need to create multiple access packages in the catalog, with separate access packages for each of the application roles.
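Review bot: the added cross-reference "there is also a [code sample](../develop/sample-v2-code.md)" points at the general samples index rather than at a specific sample, so the reader still has to work out which sample demonstrates app roles; link to the specific sample or name it in the sentence. Separately, the unchanged NOTE that follows has a number-agreement slip, "more than one role of that application are in an access package", which should be "is"; worth fixing while you are in the file.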
In Microsoft Entra ID, you can use role models to manage access at scale through identity governance.
27
27
28
28
* You can use access packages to represent [organizational roles](identity-governance-organizational-roles.md) in your organization, such as "sales representative". An access package representing that organizational role would include all the access rights that a sales representative might typically need, across multiple resources.
29
-
* Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson", you could then [include that role in an access package](entitlement-management-access-package-resources.md).
29
+
* Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson" in its manifest, you could then [include that role from the app manifest in an access package](entitlement-management-access-package-resources.md). Applications can also use security groups in scenarios where a user could have multiple application-specific roles simultaneously.
30
30
* You can use roles for delegating administrative access. If you have a catalog for all the access packages needed by sales, you could assign someone to be responsible for that catalog, by assigning them a catalog-specific role.
31
31
32
32
This article discusses how to use roles to manage aspects within Microsoft Entra entitlement management, for controlling access to the entitlement management resources.
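Review bot: the new sentence "Applications can also use security groups in scenarios where a user could have multiple application-specific roles simultaneously" implies that app roles cannot express more than one role per user, but the NOTE in entitlement-management-access-package-resources.md in this same commit says a user whose access package contains several of an application's roles "will receive all those application's roles". Either reconcile the two statements or state the actual constraint (for example, whether it lies in how the application consumes the roles claim rather than in role assignment). Also, "include that role from the app manifest in an access package" is wordy; "include that app role in an access package" keeps the link text short.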
articles/active-directory/governance/entitlement-management-verified-id-settings.md
1 addition & 1 deletion
@@ -76,7 +76,7 @@ Once an access package is configured with a verified ID requirement, end-users w
76
76
77
77
The requestor steps are as follows:
78
78
79
-
1. Go to [myaccess.microsoft.com](../develop/configure-app-multi-instancing.md) and sign in.
79
+
1. Go to [myaccess.microsoft.com](HTTPS://myaccess.microsoft.com) and sign in.
80
80
81
81
1. Search for the access package you want to request access to (you can browse the listed packages or use the search bar at the top of the page) and select **Request**.
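Review bot: the corrected link target "HTTPS://myaccess.microsoft.com" should use a lowercase scheme, "https://myaccess.microsoft.com", to match the other URLs in the docs and avoid a mixed-case scheme in the rendered link. The fix itself is right: the previous target pointed at an unrelated article (configure-app-multi-instancing.md) instead of the My Access portal.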
articles/active-directory/governance/identity-governance-applications-integrate.md
1 addition & 1 deletion
@@ -63,7 +63,7 @@ Next, if the application implements a provisioning protocol, then you should con
63
63
| Integrated Windows Auth (IWA) | Deploy the [application proxy](../app-proxy/application-proxy.md), configure an application for [Integrated Windows authentication SSO](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md), and set firewall rules to prevent access to the application's endpoints except via the proxy.|
64
64
| header-based authentication | Deploy the [application proxy](../app-proxy/application-proxy.md) and configure an application for [header-based SSO](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md)|
65
65
66
-
1. If your application has multiple roles, and relies upon Microsoft Entra ID to send a user's application-specific role as a claim of a user signing into the application, then configure those application roles in Microsoft Entra ID on your application. You can use the [app roles UI](../develop/howto-add-app-roles-in-apps.md#app-roles-ui) to add those roles to the application manifest.
66
+
1. If your application has multiple roles, each user has only one role in the application, and the application relies upon Microsoft Entra ID to send a user's single application-specific role as a claim of a user signing into the application, then configure those application roles in Microsoft Entra ID on your application, and then assign each user to the application role. You can use the [app roles UI](../develop/howto-add-app-roles-in-apps.md#app-roles-ui) to add those roles to the application manifest. If you're using the Microsoft Authentication Libraries, there is a [code sample](../develop/sample-v2-code.md) for how to use app roles inside your application for access control. If a user could have multiple roles simultaneously, then you may wish to implement the application to check security groups, either in the token claims or available via Microsoft Graph, instead of using application roles from the app manifest for access control.
67
67
68
68
1. If the application supports provisioning, then [configure provisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md) of assigned users and groups from Microsoft Entra ID to that application. If this is a private or custom application, you can also select the integration that's most appropriate, based on the location and capabilities of the application.
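Review bot: the changed step is one very long sentence with three chained conditions ("has multiple roles, each user has only one role in the application, and the application relies upon ..."); split it into the condition, the configuration steps, and the MSAL pointer so a reader can follow it. More importantly, the closing advice to check security groups "if a user could have multiple roles simultaneously" sits uneasily beside the NOTE in entitlement-management-access-package-resources.md in this same commit, which says users receive all of an application's roles that are in an access package; state the actual constraint or align the two files. Minor: "you may wish to implement the application to check security groups" reads better as "you may want the application to check security groups".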
articles/active-directory/governance/identity-governance-applications-prepare.md
2 additions & 1 deletion
@@ -24,6 +24,7 @@ Microsoft Entra ID Governance allows you to balance your organization's need for
24
24
Organizations with compliance requirements or risk management plans have sensitive or business-critical applications. The application sensitivity may be based on its purpose or the data it contains, such as financial information or personal information of the organization's customers. For those applications, only a subset of all the users in the organization will typically be authorized to have access, and access should only be permitted based on documented business requirements. As part of your organization's controls for managing access, you can use Microsoft Entra features to
25
25
26
26
* set up appropriate access
27
+
* provision users to applications
27
28
* enforce access checks
28
29
* produce reports to demonstrate how those controls are being used to meet your compliance and risk management objectives.
29
30
@@ -37,7 +38,7 @@ In addition to the application access governance scenario, you can also use iden
37
38
Microsoft Entra ID Governance can be integrated with many applications, using [standards](../architecture/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Microsoft Entra ID with many popular SaaS applications, on-premises applications, and applications that your organization has developed. Once you've prepared your Microsoft Entra environment, as described in the section below, the three step plan covers how to connect an application to Microsoft Entra ID and enable identity governance features to be used for that application.
38
39
39
40
1.[Define your organization's policies for governing access to the application](identity-governance-applications-define.md)
40
-
1.[Integrate the application with Microsoft Entra ID](identity-governance-applications-integrate.md) to ensure only authorized users can access the application, and review user's existing access to the application to set a baseline of all users having been reviewed
41
+
1.[Integrate the application with Microsoft Entra ID](identity-governance-applications-integrate.md) to ensure only authorized users can access the application, and review user's existing access to the application to set a baseline of all users having been reviewed. This allows authentication and user provisioning
41
42
1.[Deploy those policies](identity-governance-applications-deploy.md) for controlling single sign-on (SSO) and automating access assignments for that application
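Review bot: the appended clause "This allows authentication and user provisioning" has a dangling "This" and no terminal punctuation; say what enables what, for example "Integrating the application enables sign-in and user provisioning for it". In the same line, "review user's existing access" should be "review users' existing access". The list markers "1.[Integrate" (and the sibling items) have no space after "1.", which may stop Markdown renderers from treating them as a numbered list; pre-existing, but worth fixing in the line you are already touching.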