Merge pull request #250182 from MicrosoftDocs/main

Stacyrch140 · web-flow · commit 5d929e75347f · 2023-09-03T19:17:22.000-04:00
Publish to live, Sunday 4:00PM PDT, 9/3
diff --git a/articles/active-directory/roles/custom-create.md b/articles/active-directory/roles/custom-create.md
@@ -59,10 +59,10 @@ Your custom role will show up in the list of available roles to assign.
 
 ### Connect to Azure
 
-To connect to Azure Active Directory, use the following command:
+To connect to Microsoft Graph PowerShell, use the following command:
 
 ``` PowerShell
-Connect-AzureAD
+Connect-MgGraph -Scopes "RoleManagement.Read.All"
 ```
 
 ### Create the custom role
@@ -81,10 +81,10 @@ $allowedResourceAction =
     "microsoft.directory/applications/basic/update",
     "microsoft.directory/applications/credentials/update"
 )
-$rolePermissions = @{'allowedResourceActions'= $allowedResourceAction}
+$rolePermissions = @(@{AllowedResourceActions= $allowedResourceAction})
  
 # Create new custom admin role
-$customAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true
+$customAdmin = New-MgRoleManagementDirectoryRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -IsEnabled -Description $description -TemplateId $templateId
 ```
 
 ### Assign the custom role using PowerShell
@@ -93,15 +93,15 @@ Assign the role using the below PowerShell script:
 
 ``` PowerShell
 # Get the user and role definition you want to link
-$user = Get-AzureADUser -Filter "userPrincipalName eq 'cburl@f128.info'"
-$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Support Administrator'"
+$user = Get-MgUser -Filter "userPrincipalName eq 'cburl@f128.info'"
+$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Application Support Administrator'"
 
 # Get app registration and construct resource scope for assignment.
-$appRegistration = Get-AzureADApplication -Filter "displayName eq 'f/128 Filter Photos'"
+$appRegistration = Get-MgApplication -Filter "Displayname eq 'POSTMAN'"
 $resourceScope = '/' + $appRegistration.objectId
 
 # Create a scoped role assignment
-$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
+$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId $resourcescope -RoleDefinitionId $roledefinition.Id -PrincipalId $user.Id
 ```
 
 ## Create a role with the Microsoft Graph API
diff --git a/articles/active-directory/roles/manage-roles-portal.md b/articles/active-directory/roles/manage-roles-portal.md
@@ -101,65 +101,69 @@ Follow these steps to assign Azure AD roles using PowerShell.
 1. Open a PowerShell window and use [Import-Module](/powershell/module/microsoft.powershell.core/import-module) to import the AzureADPreview module. For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md).
 
     ```powershell
-    Import-Module -Name AzureADPreview -Force
+    Import-Module -Name Microsoft.Graph.Identity.Governance -Force
     ```
 
-1. In a PowerShell window, use [Connect-AzureAD](/powershell/module/azuread/connect-azuread) to sign in to your tenant.
+1. In a PowerShell window, use [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0&preserve-view=true) to sign in to your tenant.
 
     ```powershell
-    Connect-AzureAD
+    Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
     ```
 
-1. Use [Get-AzureADUser](/powershell/module/azuread/get-azureaduser) to get the user you want to assign a role to.
+1. Use [Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser?view=graph-powershell-1.0&preserve-view=true) to get the user you want to assign a role to.
 
     ```powershell
-    $user = Get-AzureADUser -Filter "userPrincipalName eq 'user@contoso.com'"
+    $user = Get-MgUser -Filter "userPrincipalName eq 'johndoe@contoso.com'"
     ```
 
 ### Assign a role
 
-1. Use [Get-AzureADMSRoleDefinition](/powershell/module/azuread/get-azureadmsroledefinition) to get the role you want to assign.
+1. Use [Get-MgRoleManagementDirectoryRoleDefinition](/powershell/module/microsoft.graph.identity.governance/get-mgrolemanagementdirectoryroledefinition?view=graph-powershell-1.0&preserve-view=true) to get the role you want to assign.
 
     ```powershell
-    $roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Billing Administrator'"
+    $roledefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Billing Administrator'"
     ```
 
-1. Use [New-AzureADMSRoleAssignment](/powershell/module/azuread/new-azureadmsroleassignment) to assign the role.
+1. Use [New-MgRoleManagementDirectoryRoleAssignment](/powershell/module/microsoft.graph.identity.governance/new-mgrolemanagementdirectoryroleassignment?view=graph-powershell-1.0&preserve-view=true) to assign the role.
 
     ```powershell
-    $roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
+    $roleassignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roledefinition.Id -PrincipalId $user.Id
     ```
 
 ### Assign a role as eligible using PIM
 
 If PIM is enabled, you have additional capabilities, such as making a user eligible for a role assignment or defining the start and end time for a role assignment. These capabilities use a different set of PowerShell commands. For more information about using PowerShell and PIM, see [PowerShell for Azure AD roles in Privileged Identity Management](../privileged-identity-management/powershell-for-azure-ad-roles.md).
 
 
-1. Use [Get-AzureADMSRoleDefinition](/powershell/module/azuread/get-azureadmsroledefinition) to get the role you want to assign.
+1. Use [Get-MgRoleManagementDirectoryRoleDefinition](/powershell/module/microsoft.graph.identity.governance/get-mgrolemanagementdirectoryroledefinition?view=graph-powershell-1.0&preserve-view=true) to get the role you want to assign.
 
     ```powershell
-    $roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Billing Administrator'"
+    $roledefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Billing Administrator'"
     ```
 
-1. Use [Get-AzureADMSPrivilegedResource](/powershell/module/azuread/get-azureadmsprivilegedresource) to get the privileged resource. In this case, your tenant.
+1. Use the following command to create a hash table to store all the necessary attributes required to assign the role to the user. The Principal ID will be the user id to which you want to assign the role. In this example, the assignment will be valid only for **10 hours**.
 
     ```powershell
-    $aadTenant = Get-AzureADMSPrivilegedResource -ProviderId aadRoles
-    ```
-
-1. Use [New-Object](/powershell/module/microsoft.powershell.utility/new-object) to create a new `AzureADMSPrivilegedSchedule` object to define the start and end time of the role assignment.
-
-    ```powershell
-    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
-    $schedule.Type = "Once"
-    $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
-    $schedule.EndDateTime = "2021-07-25T20:00:00.000Z"
+    $params = @{
+      "PrincipalId" = "053a6a7e-4a75-48bc-8324-d70f50ec0d91"
+      "RoleDefinitionId" = "b0f54661-2d74-4c50-afa3-1ec803f12efe"
+      "Justification" = "Add eligible assignment"
+      "DirectoryScopeId" = "/"
+      "Action" = "AdminAssign"
+      "ScheduleInfo" = @{
+        "StartDateTime" = Get-Date
+        "Expiration" = @{
+          "Type" = "AfterDuration"
+          "Duration" = "PT10H"
+          }
+        }
+       }
     ```
 
-1. Use [Open-AzureADMSPrivilegedRoleAssignmentRequest](/powershell/module/azuread/open-azureadmsprivilegedroleassignmentrequest) to assign the role as eligible.
+1. Use [New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest](/powershell/module/microsoft.graph.identity.governance/new-mgrolemanagementdirectoryroleeligibilityschedulerequest?view=graph-powershell-1.0&preserve-view=true) to assign the role as eligible. Once the role has been assigned, it will reflect on the Azure portal under **Privileged Identity Management -> Azure AD Roles -> Assignments -> Eligible Assignments** section.
 
     ```powershell
-    $roleAssignmentEligible = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $aadTenant.Id -RoleDefinitionId $roleDefinition.Id -SubjectId $user.objectId -Type 'AdminAdd' -AssignmentState 'Eligible' -schedule $schedule -reason "Review billing info"
+    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params | Format-List Id, Status, Action, AppScopeId, DirectoryScopeId, RoleDefinitionId, IsValidationOnly, Justification, PrincipalId, CompletedDateTime, CreatedDateTime
     ```
 
 ## Microsoft Graph API
diff --git a/articles/azure-monitor/logs/basic-logs-configure.md b/articles/azure-monitor/logs/basic-logs-configure.md
@@ -190,7 +190,7 @@ All custom tables created with or migrated to the [data collection rule (DCR)-ba
 | Container Apps | [ContainerAppConsoleLogs](/azure/azure-monitor/reference/tables/containerappconsoleLogs) |
 | Container Insights | [ContainerLogV2](/azure/azure-monitor/reference/tables/containerlogv2) |
 | Container Apps Environments | [AppEnvSpringAppConsoleLogs](/azure/azure-monitor/reference/tables/AppEnvSpringAppConsoleLogs) |
-| Communication Services | [ACSCallAutomationIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallAutomationIncomingOperations)<br>[ACSCallAutomationMediaSummary](/azure/azure-monitor/reference/tables/ACSCallAutomationMediaSummary)<br>[ACSCallRecordingIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallRecordingIncomingOperations)<br>[ACSCallRecordingSummary](/azure/azure-monitor/reference/tables/ACSCallRecordingSummary)<br>[ACSCallSummary](/azure/azure-monitor/reference/tables/ACSCallSummary)<br>[ACSRoomsIncomingOperations](/azure/azure-monitor/reference/tables/acsroomsincomingoperations) |
+| Communication Services | [ACSCallAutomationIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallAutomationIncomingOperations)<br>[ACSCallAutomationMediaSummary](/azure/azure-monitor/reference/tables/ACSCallAutomationMediaSummary)<br>[ACSCallRecordingIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallRecordingIncomingOperations)<br>[ACSCallRecordingSummary](/azure/azure-monitor/reference/tables/ACSCallRecordingSummary)<br>[ACSCallSummary](/azure/azure-monitor/reference/tables/ACSCallSummary)<br>[ACSJobRouterIncomingOperations](/azure/azure-monitor/reference/tables/ACSJobRouterIncomingOperations)<br>[ACSRoomsIncomingOperations](/azure/azure-monitor/reference/tables/acsroomsincomingoperations) |
 | Confidential Ledgers | [CCFApplicationLogs](/azure/azure-monitor/reference/tables/CCFApplicationLogs) |
 | Data Manager for Energy | [OEPDataplaneLogs](/azure/azure-monitor/reference/tables/OEPDataplaneLogs) |
 | Dedicated SQL Pool | [SynapseSqlPoolSqlRequests](/azure/azure-monitor/reference/tables/synapsesqlpoolsqlrequests)<br>[SynapseSqlPoolRequestSteps](/azure/azure-monitor/reference/tables/synapsesqlpoolrequeststeps)<br>[SynapseSqlPoolExecRequests](/azure/azure-monitor/reference/tables/synapsesqlpoolexecrequests)<br>[SynapseSqlPoolDmsWorkers](/azure/azure-monitor/reference/tables/synapsesqlpooldmsworkers)<br>[SynapseSqlPoolWaits](/azure/azure-monitor/reference/tables/synapsesqlpoolwaits) |
diff --git a/articles/defender-for-cloud/just-in-time-access-usage.md b/articles/defender-for-cloud/just-in-time-access-usage.md
@@ -4,7 +4,7 @@ description: Learn how just-in-time VM access (JIT) in Microsoft Defender for Cl
 ms.topic: how-to
 author: dcurwin
 ms.author: dacurwin
-ms.date: 06/29/2023
+ms.date: 08/27/2023
 ---
 
 # Enable just-in-time access on VMs
@@ -13,7 +13,7 @@ You can use Microsoft Defender for Cloud's just-in-time (JIT) access to protect
 
 Learn more about [how JIT works](just-in-time-access-overview.md) and the [permissions required to configure and use JIT](#prerequisites).
 
-In this article, you learn you how to include JIT in your security program, including how to:
+In this article, you learn how to include JIT in your security program, including how to:
 
 - Enable JIT on your VMs from the Azure portal or programmatically
 - Request access to a VM that has JIT enabled from the Azure portal or programmatically
@@ -30,11 +30,11 @@ In this article, you learn you how to include JIT in your security program, incl
 
 ## Prerequisites
 
-- JIT Requires [Microsoft Defender for Servers Plan 2](plan-defender-for-servers-select-plan.md#plan-features) to be enabled on the subscription. 
+- JIT requires [Microsoft Defender for Servers Plan 2](plan-defender-for-servers-select-plan.md#plan-features) to be enabled on the subscription. 
 
 - **Reader** and **SecurityReader** roles can both view the JIT status and parameters.
 
-- If you want to create custom roles that can work with JIT, you need the details from the following table:
+- If you want to create custom roles that  work with JIT, you need the details from the following table:
 
     | To enable a user to: | Permissions to set|
     | --- | --- |
@@ -50,9 +50,13 @@ In this article, you learn you how to include JIT in your security program, incl
     > [!TIP]
     > To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages. 
 
+
+> [!NOTE]
+> In order to successfully create a custom JIT policy, the policy name, together with the targeted VM name, must not exceed a total of 56 characters. 
+
 ## Work with JIT VM access using Microsoft Defender for Cloud
 
-You can use Defender for Cloud or you can programmatically enable JIT VM access with your own custom options, or you can enable JIT with default, hard-coded parameters from Azure Virtual machines.
+You can use Defender for Cloud or you can programmatically enable JIT VM access with your own custom options, or you can enable JIT with default, hard-coded parameters from Azure virtual machines.
 
 **Just-in-time VM access** shows your VMs grouped into:
 
@@ -69,13 +73,13 @@ You can use Defender for Cloud or you can programmatically enable JIT VM access
 
 ### Enable JIT on your VMs from Microsoft Defender for Cloud
 
-:::image type="content" source="./media/just-in-time-access-usage/configure-just-in-time-access.gif" alt-text="Screenshot showing configuring JIT VM access in Microsoft Defender for Cloud.":::
+:::image type="content" source="./media/just-in-time-access-usage/configure-just-in-time-access.gif" alt-text="Screenshot showing configuring JIT VM access in Microsoft Defender for Cloud." lightbox="media/just-in-time-access-usage/configure-just-in-time-access.gif":::
 
 From Defender for Cloud, you can enable and configure the JIT VM access.
 
 1. Open the **Workload protections** and, in the advanced protections, select **Just-in-time VM access**.
 
-1. In the **Not configured** virtual machines, mark the VMs to protect with JIT and select **Enable JIT on VMs**. 
+1. In the **Not configured** virtual machines tab, mark the VMs to protect with JIT and select **Enable JIT on VMs**. 
 
     The JIT VM access page opens listing the ports that Defender for Cloud recommends protecting:
     - 22 - SSH
@@ -102,7 +106,7 @@ To edit the existing JIT rules for a VM:
 
 1. Open the **Workload protections** and, in the advanced protections, select **Just-in-time VM access**.
 
-1. In the **Configured** virtual machines, right-click on a VM and select edit. 
+1. In the **Configured** virtual machines tab, right-click on a VM and select **Edit**. 
 
 1. In the **JIT VM access configuration**, you can either edit the list of port or select **Add** a new custom port.
 
@@ -114,7 +118,7 @@ When a VM has a JIT enabled, you have to request access to connect to it. You ca
 
 1. From the **Just-in-time VM access** page, select the **Configured** tab.
 
-1. Select the VMs you want to access.
+1. Select the VMs you want to access:
 
     - The icon in the **Connection Details** column indicates whether JIT is enabled on the network security group or firewall. If it's enabled on both, only the firewall icon appears.
 
@@ -126,8 +130,8 @@ When a VM has a JIT enabled, you have to request access to connect to it. You ca
 
 1. Select **Open ports**.
 
-> [!NOTE]
-> If a user who is requesting access is behind a proxy, you can enter the IP address range of the proxy.
+    > [!NOTE]
+    > If a user who is requesting access is behind a proxy, you can enter the IP address range of the proxy.
 
 ## Other ways to work with JIT VM access
 
@@ -163,7 +167,7 @@ You can enable JIT on a VM from the Azure virtual machines pages of the Azure po
 
     1. From Defender for Cloud's menu, select **Just-in-time VM access**.
 
-    1. From the **Configured** tab, right-click on the VM to which you want to add a port, and select edit. 
+    1. From the **Configured** tab, right-click on the VM to which you want to add a port, and select **Edit**. 
 
         ![Editing a JIT VM access configuration in Microsoft Defender for Cloud.](./media/just-in-time-access-usage/jit-policy-edit-security-center.png)
 
