Merge branch 'main' into release-vnet-encryption

Author: v-alje

.openpublishing.redirection.healthcare-apis.json

@@ -479,9 +479,14 @@
       },
       {
           "source_path_from_root": "/articles/healthcare-apis/data-transformation/convert-data.md",
-          "redirect_url": "/azure/healthcare-apis/fhir/convert-data",
-          "redirect_document_id": true
+          "redirect_url": "/azure/healthcare-apis/fhir/overview-of-convert-data",
+          "redirect_document_id": false
       },
+      {
+          "source_path_from_root": "/articles/healthcare-apis/fhir/convert-data.md",
+          "redirect_url": "/azure/healthcare-apis/fhir/overview-of-convert-data",
+          "redirect_document_id": true
+      },    
       {
           "source_path_from_root": "/articles/healthcare-apis/fhir/bulk-importing-fhir-data.md",
           "redirect_url": "/azure/healthcare-apis/fhir/configure-import-data",

articles/active-directory/authentication/how-to-mfa-server-migration-utility.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 05/01/2023
+ms.date: 06/29/2023
 
 ms.author: justinha
 author: justinha
@@ -217,7 +217,13 @@ The **Settings** option allows you to change the settings for the migration proc
 
 :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/settings.png" alt-text="Screenshot of settings.":::
 
-- Migrate – This setting allows you to specify which method(s) should be migrated for the selection of users
+- Migrate – there are three options for migrating the user's default authentication method:
+  - Always migrate
+  - Only migrate if not already set in Azure AD
+  - Set to the most secure method available if not already set in Azure AD
+  
+  These options provide flexibility when you migrate the default method. In addition, the Authentication methods policy is checked during migration. If the default method being migrated isn't allowed by policy, it's set to the most secure method available instead.
+
 - User Match – Allows you to specify a different on-premises Active Directory attribute for matching Azure AD UPN instead of the default match to userPrincipalName:
   - The migration utility tries direct matching to UPN before using the on-premises Active Directory attribute.  
   - If no match is found, it calls a Windows API to find the Azure AD UPN and get the SID, which it uses to search the MFA Server user list. 

articles/active-directory/develop/certificate-credentials.md

@@ -138,4 +138,4 @@ Client assertions can be used anywhere a client secret would be used. For exampl
 
 The [MSAL.NET library handles this scenario](msal-net-client-assertions.md) in a single line of code.
 
-The [.NET Core daemon console application using Microsoft identity platform](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) code sample on GitHub shows how an application uses its own credentials for authentication. It also shows how you can [create a self-signed certificate](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph#optional-use-the-automation-script) using the `New-SelfSignedCertificate` PowerShell cmdlet. You can also use the [app creation scripts](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/master/1-Call-MSGraph/AppCreationScripts-withCert/AppCreationScripts.md) in the sample repo to create certificates, compute the thumbprint, and so on.
+The [.NET Core daemon console application using Microsoft identity platform](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) code sample on GitHub shows how an application uses its own credentials for authentication. It also shows how you can [create a self-signed certificate](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph#optional-use-the-automation-script) using the `New-SelfSignedCertificate` PowerShell cmdlet. You can also use the [app creation scripts](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/master/1-Call-MSGraph/AppCreationScripts/AppCreationScripts.md) in the sample repo to create certificates, compute the thumbprint, and so on.

articles/active-directory/develop/sample-v2-code.md

@@ -49,7 +49,7 @@ You've now completed the registration of your single-page application (SPA) and
 
 Follow the [tutorial](tutorial-v2-javascript-auth-code.md) for further guidance.
 
-## Redirect URI: [MSAL.js 1.0 with implicit flow](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core)
+## Redirect URI: [MSAL.js 1.0 with implicit flow](/javascript/api/overview/msal-overview)
 
 Follow these steps to add a redirect URI for a single-page app that uses MSAL.js 1.3 or earlier and the implicit grant flow. Applications that use MSAL.js 1.3 or earlier do not support the auth code flow.
 

articles/active-directory/develop/scenario-spa-app-registration.md

@@ -34,7 +34,7 @@ The choice between a pop-up or redirect experience depends on your application f
 
 - If you don't want users to move away from your main application page during authentication, we recommend the pop-up method. Because the authentication redirect happens in a pop-up window, the state of the main application is preserved.
 
-- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/internet-explorer.md#popups).
+- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](/azure/active-directory/develop/msal-js-use-ie-browser).
 
 ## Sign-in with a pop-up window
 

articles/active-directory/develop/scenario-spa-sign-in.md

@@ -1,11 +1,12 @@
 ---
-title: Clean up stale guest accounts
-description: Clean up stale guest accounts using access reviews 
+title: Monitor and clean up stale guest accounts
+description: Monitor and clean up stale guest accounts using access reviews 
 services: active-directory 
-author: gargi-sinha
-ms.author: gasinh
-manager: martinco
-ms.date: 08/29/2022
+author: billmath
+ms.author: billmath
+manager: amycolannino
+ms.date: 06/29/2023
+ms.reviewer: gasinh
 ms.topic: how-to
 ms.service: active-directory
 ms.subservice: enterprise-users
@@ -14,19 +15,45 @@ ms.custom: it-pro
 ms.collection: M365-identity-device-management
 ---
 
-# Clean up stale guest accounts using access reviews
+# Monitor and clean up stale guest accounts using access reviews 
 
-As users collaborate with external partners, it’s possible that many guest accounts get created in Azure Active Directory (Azure AD) tenants over time. When collaboration ends and the users no longer access your tenant, the guest accounts may become stale. Admins can use Access Reviews to automatically review inactive guest users and block them from signing in, and later, delete them from the directory.
+As users collaborate with external partners, it’s possible that many guest accounts get created in Azure Active Directory (Azure AD) tenants over time. When collaboration ends and the users no longer access your tenant, the guest accounts may become stale. Administrators can monitor guest accounts at scale using inactive guest insights. Administrators can also use Access Reviews to automatically review inactive guest users, block them from signing in, and, delete them from the directory.
 
 Learn more about [how to manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md).
 
-There are a few recommended patterns that are effective at cleaning up stale guest accounts:
+There are a few recommended patterns that are effective at monitoring and cleaning up stale guest accounts:
 
-1. Create a multi-stage review whereby guests self-attest whether they still need access. A second-stage reviewer assesses results and makes a final decision. Guests with denied access are disabled and later deleted.
+1. Monitor guest accounts at scale with intelligent insights into inactive guests in your organization using inactive guest report. Customize the inactivity threshold depending on your organization’s needs, narrow down the scope of guest users you want to monitor and identify the guest users that may be inactive.
 
-2. Create a review to remove inactive external guests. Admins define inactive as period of days. They disable and later delete guests that don’t sign in to the tenant within that time frame. By default, this doesn't affect recently created users. [Learn more about how to identify inactive accounts](../reports-monitoring/howto-manage-inactive-user-accounts.md#how-to-detect-inactive-user-accounts).
+2. Create a multi-stage review whereby guests self-attest whether they still need access. A second-stage reviewer assesses results and makes a final decision. Guests with denied access are disabled and later deleted.
+
+3. Create a review to remove inactive external guests. Admins define inactive as period of days. They disable and later delete guests that don’t sign in to the tenant within that time frame. By default, this doesn't affect recently created users. [Learn more about how to identify inactive accounts](../reports-monitoring/howto-manage-inactive-user-accounts.md#how-to-detect-inactive-user-accounts).
+
+Use the following instructions to learn how to enhance monitoring of inactive guest accounts at scale and create Access Reviews that follow these patterns. Consider the configuration recommendations and then make the needed changes that suit your environment.
+
+## Monitor guest accounts at scale with inactive guest insights (Preview)
+1. Sign in to the Azure portal and open the [Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) page.
+
+2. Access the inactive guest account report by navigating to "Guest access governance" card and click on "View inactive guests"
+
+3. You will see the inactive guest report which will provide insights about inactive guest users based on 90 days of inactivity. The threshold is set to 90 days by default but can be configured using "Edit inactivity threshold" based on your organization's needs.
+
+4. The following insights are provided as part of this report:
+   
+   - Guest account overview (total guests and inactive guests with further categorization of guests who have never signed in or signed in at least once)
+   - Guest inactivity distribution (Percentage distribution of guest users based on days since last sign in)
+   - Guest inactivity overview (Guest inactivity guidance to configure inactivity threshold)
+   - Guest accounts summary (A tabular view with details of all guest accounts with insights into their activity state. The Activity state could be active or inactive based on the configured inactivity threshold)
+
+5. The inactive days are calculated based on last sign in date if the user has signed in atleast once. For users who have never signed in, the inactive days are calculated based on creation date.
+
+ ### License requirements
+[!INCLUDE [active-directory-entra-governance-license.md](../../../includes/active-directory-entra-governance-license.md)]
+
+> [!NOTE]
+> When you access the report for the first time, the insights in this report may not be available immediately and may take some time to generate. If you are getting an error, please follow the instructions ensuring you have Microsoft Entra ID Governance license or wait for some time to see the report generated.  
+> The inactive days calculation is based on the 2 parameters (last sign in date and creation date). If both of the dates are not available in the system, then we consider User state change date i.e. the date when the user state was last changed. This will give us the closest accurate inactivity duration for those special situations.
 
-Use the following instructions to learn how to create Access Reviews that follow these patterns. Consider the configuration recommendations and then make the needed changes that suit your environment.
 
 ## Create a multi-stage review for guests to self-attest continued access