Merge pull request #241529 from MicrosoftDocs/main

6/14/2023 10AM Publishing

Author: huypub

.openpublishing.redirection.json

@@ -17568,6 +17568,41 @@
             "redirect_url": "/azure/vpn-gateway/point-to-site-about",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/vpn-gateway/scripts/vpn-gateway-sample-vnet-vnet-powershell.md",
+            "redirect_url": "/azure/vpn-gateway/vpn-gateway-vnet-vnet-rm-ps",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/vpn-gateway/scripts/vpn-gateway-sample-site-to-site-powershell.md",
+            "redirect_url": "/azure/vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/vpn-gateway/scripts/vpn-gateway-sample-point-to-site-certificate-authentication-powershell.md",
+            "redirect_url": "/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/vpn-gateway/scripts/vpn-gateway-sample-point-to-site-radius-authentication-powershell.md",
+            "redirect_url": "/azure/vpn-gateway/point-to-site-how-to-radius-ps",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/vpn-gateway/scripts/vpn-gateway-sample-site-to-site-download-devicescript-powershell.md",
+            "redirect_url": "/azure/vpn-gateway/vpn-gateway-download-vpndevicescript",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/vpn-gateway/scripts/vpn-gateway-sample-create-vpn-gateway-powershell.md",
+            "redirect_url": "/azure/vpn-gateway/create-routebased-vpn-gateway-powershell",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/vpn-gateway/powershell-samples.md",
+            "redirect_url": "/azure/vpn-gateway/vpn-gateway-about-vpngateways",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security/fundamentals/ddos-best-practices.md",
             "redirect_url": "/azure/ddos-protection/fundamental-best-practices",

articles/active-directory/cloud-infrastructure-entitlement-management/faqs.md

@@ -31,7 +31,7 @@ Yes, a customer can detect, mitigate, and monitor the risk of 'backdoor' account
 
 ## Where can customers access Permissions Management?
 
-Customers can access the Permissions Management interface with a link from the Azure AD extension in the Azure portal.
+Customers can access the Permissions Management interface from the [Microsoft Entra admin center](https://entra.microsoft.com/) .
 
 ## Can non-cloud customers use Permissions Management on-premises?
 
@@ -128,7 +128,7 @@ No, Permissions Management doesn't have access to sensitive personal data.
 
 ## Where can I find more information about Permissions Management?
 
-You can read our blog and visit our web page. You can also get in touch with your Microsoft point of contact to schedule a demo.
+You can read our [blog](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/bg-p/Identity) and visit our [web page](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-permissions-management). You can also get in touch with your Microsoft point of contact to schedule a demo.
 
 ## What is the data destruction/decommission process? 
 
@@ -152,7 +152,7 @@ Although Permissions Management supports all resources, Microsoft only requires
 
 ## How do I figure out how many resources I have? 
 
-To find out how many resources you have across your multicloud infrastructure, view the Billable Resources tab in Permissions Management.
+To find out how many resources you have across your multicloud infrastructure, select Settings (gear icon) and view the Billable Resources tab in Permissions Management.
 
 ## What do I do if I’m using Public Preview version of Entra Permissions Management?  
 

articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md

@@ -42,7 +42,6 @@ Administrators can assign a Conditional Access policy to the following cloud app
 - Microsoft Application Insights Analytics
 - [Microsoft Azure Information Protection](/azure/information-protection/faqs#i-see-azure-information-protection-is-listed-as-an-available-cloud-app-for-conditional-accesshow-does-this-work)
 - [Microsoft Azure Management](#microsoft-azure-management)
-- Microsoft Azure Subscription Management
 - Microsoft Defender for Cloud Apps
 - Microsoft Commerce Tools Access Control Portal
 - Microsoft Commerce Tools Authentication Service

articles/active-directory/conditional-access/concept-conditional-access-users-groups.md

@@ -55,6 +55,9 @@ The following options are available to include when creating a Conditional Acces
 > [!WARNING]
 > Conditional Access policies do not support users assigned a directory role [scoped to an administrative unit](../roles/admin-units-assign-roles.md) or directory roles scoped directly to an object, like through [custom roles](../roles/custom-create.md).
 
+> [!NOTE]
+> When targeting policies to B2B direct connect external users, these policies will also be applied to B2B collaboration users accessing Teams or SharePoint Online who are also eligible for B2B direct connect. The same applies for policies targeted to B2B collaboration external users, meaning users accessing Teams shared channels will have B2B collaboration policies apply if they also have a guest user presence in the tenant.
+
 ## Exclude users
 
 When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy. Exclusions are commonly used for emergency access or break-glass accounts. More information about emergency access accounts and why they're important can be found in the following articles: 

articles/active-directory/develop/app-objects-and-service-principals.md

@@ -49,7 +49,7 @@ To access resources that are secured by an Azure AD tenant, the entity that requ
 
 There are three types of service principal:
 
-- **Application** - The type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. In this case, a service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
+- **Application** - This type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. In this case, a service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
 
   When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. When you register an application using the Azure portal, a service principal is created automatically. You can also create service principal objects in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, and other tools.
 

articles/active-directory/devices/device-management-azure-portal.md

@@ -145,14 +145,19 @@ The exported list includes these device identity attributes:
 
 If you want to manage device identities by using the Azure portal, the devices need to be either [registered or joined](overview.md) to Azure AD. As an administrator, you can control the process of registering and joining devices by configuring the following device settings.
 
-You must be assigned one of the following roles to view or manage device settings in the Azure portal:
+You must be assigned one of the following roles to view device settings in the Azure portal:
 
 - Global Administrator
 - Global Reader
 - Cloud Device Administrator
-- Intune administrator
-- Windows 365 administrator
-- Directory reviewer
+- Intune Administrator
+- Windows 365 Administrator
+- Directory Reviewer
+
+You must be assigned one of the following roles to manage device settings in the Azure portal:
+
+- Global Administrator
+- Cloud Device Administrator
 
 ![Screenshot that shows device settings related to Azure AD.](./media/device-management-azure-portal/device-settings-azure-portal.png)
 
@@ -178,7 +183,7 @@ You must be assigned one of the following roles to view or manage device setting
 This option is a premium edition capability available through products like Azure AD Premium and Enterprise Mobility + Security.
 - **Enable Azure AD Local Administrator Password Solution (LAPS) (preview)**: LAPS is the management of local account passwords on Windows devices. LAPS provides a solution to securely manage and retrieve the built-in local admin password. With cloud version of LAPS, customers can enable storing and rotation of local admin passwords for both Azure AD and Hybrid Azure AD join devices. To learn how to manage LAPS in Azure AD, see [the overview article](howto-manage-local-admin-passwords.md).
 
-- **Restrict non-admin users from recovering the BitLocker key(s) for their owned devices (preview)**: In this preview, admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission will be unable to view or copy their BitLocker key(s) for their owned devices.
+- **Restrict non-admin users from recovering the BitLocker key(s) for their owned devices**: Admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission will be unable to view or copy their BitLocker key(s) for their owned devices. You must be a Global Administrator or Privileged Role Administrator to update this setting. 
 
 - **Enterprise State Roaming**: For information about this setting, see [the overview article](enterprise-state-roaming-overview.md).
 

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -78,6 +78,10 @@ Azure China 21Vianet:
 - `https://login.chinacloudapi.cn`: For authentication flows.
 - `https://pas.chinacloudapi.cn`: For Azure RBAC flows.
 
+### Authentication requirements
+
+[Azure AD Guest accounts](https://learn.microsoft.com/azure/active-directory/external-identities/what-is-b2b) cannot connect to Azure Bastion via Azure AD authentication.
+
 ## Enable Azure AD login for a Windows VM in Azure
 
 To use Azure AD login for a Windows VM in Azure, you must: 

articles/active-directory/external-identities/customers/how-to-add-attributes-to-token.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: ciam
 ms.topic: how-to
-ms.date: 05/08/2023
+ms.date: 06/14/2023
 ms.author: mimart
 ms.custom: it-pro
 
@@ -45,7 +45,7 @@ You can specify which built-in or custom attributes you want to include as claim
 
 ### To add a built-in attribute to the token as a claim
 
-1. On the **Manage claim** page, select **Add new claim**.
+1. On the **Attributes & Claims** page, select **Add new claim**.
 1. Enter a **Name**.
 1. Next to **Source**, select **Attribute**. Then use the drop down list to select the built-in attribute.
 
@@ -55,7 +55,7 @@ You can specify which built-in or custom attributes you want to include as claim
 
 ### To add a custom attribute to the token as a claim
 
-1. On the **Manage claim** page, select **Add new claim**.
+1. On the **Attributes & Claims** page, select **Add new claim**.
 1. Enter a **Name**.
 1. Next to **Source**, select **Directory schema extension (Preview)**.
 
@@ -71,11 +71,13 @@ You can specify which built-in or custom attributes you want to include as claim
 
 ### Update the application manifest to accept mapped claims
 
-Ensure that **"allowPublicClient": true** is set in the application manifest.
-
-1. In the left menu, under **Manage**, select **Manifest** to open application manifest.
-
-1. Find the **acceptMappedClaims** key and ensure its value is set to **true**.
+1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**.
+1. Select **Applications** > **App registrations**.
+1. Select your application in the list to open the application's **Overview** page.
+1. In the left menu, under **Manage**, select **Manifest** to open the application manifest.
+1. Find the **acceptMappedClaims** key and set its value to **true**.
+1. Find the **allowPublicClient** key and set its value to **true**.
+1. Select **Save**.
 
 ## Next steps
 

articles/active-directory/external-identities/customers/how-to-facebook-federation-customers.md

@@ -45,10 +45,10 @@ If you don't already have a Facebook account, sign up at [https://www.facebook.c
 1. From the menu, select **Facebook Login**, select **Settings**.
 1. In **Valid OAuth redirect URIs**, enter the following URIs, replacing `<tenant-ID>` with your customer tenant ID and `<tenant-name>` with your customer tenant name:
    - `https://login.microsoftonline.com/te/<tenant-ID>/oauth2/authresp`
-   - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oidc/www.facebook.com`
-    - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oidc/www.facebook.com`
-    - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oauth2`
-    - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2`
+   - `https://<tenant-name>.ciamlogin.com/<tenant-ID>/federation/oidc/www.facebook.com`
+    - `https://<tenant-name>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oidc/www.facebook.com`
+    - `https://<tenant-name>.ciamlogin.com/<tenant-ID>/federation/oauth2`
+    - `https://<tenant-name>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2`
    > [!NOTE]
    > To find your customer tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**.
 1. Select **Save Changes** at the bottom of the page.
@@ -65,8 +65,8 @@ After you create the Facebook application, in this step you set the Facebook cli
    <!-- ![Screenshot that shows how to add Facebook identity provider in Azure AD.](./media/sign-in-with-facebook/configure-facebook-idp.png)-->
 
 1. Enter a **Name**. For example, *Facebook*.
-1. For the **Client ID**, enter the Client ID of the Facebook application that you created earlier.
-1. For the **Client secret**, enter the Client Secret that you recorded.
+1. For the **Client ID**, enter the App ID of the Facebook application that you created earlier.
+1. For the **Client secret**, enter the App Secret that you recorded.
 1. Select **Save**.
 
 To configure Facebook federation by using PowerShell, follow these steps: