Merge pull request #173711 from MicrosoftDocs/master

9/27 PM Publish

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -9,6 +9,16 @@
         "source_path_from_root": "/articles/active-directory/reports-monitoring/howto-remediate-users-flagged-for-risk.md",
         "redirect_url": "/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock",
         "redirect_document_id": false
+      },
+      {
+        "source_path_from_root": "/articles/active-directory/develop/registration-config-multi-tenant-application-add-to-gallery-how-to.md",
+        "redirect_url": "/azure/active-directory/develop/v2-howto-app-gallery-listing",
+        "redirect_document_id": false
+      },
+      {
+        "source_path_from_root": "/articles/active-directory/develop/active-directory-v2-registration-portal.md",
+        "redirect_url": "/azure/active-directory/develop/quickstart-register-app",
+        "redirect_document_id": false
       }
     ]
 }

.openpublishing.redirection.synapse-analytics.json

@@ -39,6 +39,11 @@
             "source_path_from_root": "/articles/synapse-analytics/sql-data-warehouse/guidance-for-loading-data.md",
             "redirect_url": "/azure/synapse-analytics/sql/data-loading-best-practices",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/synapse-analytics/sql/develop-best-practices.md",
+            "redirect_url": "/azure/synapse-analytics/sql/best-practices-dedicated-sql-pool",
+            "redirect_document_id": false
         }
     ]
 }

articles/active-directory/app-provisioning/accidental-deletions.md

@@ -0,0 +1,99 @@
+---
+title: Enable accidental deletions prevention in Application Provisioning in Azure Active Directory
+description: Enable accidental deletions prevention in Application Provisioning in Azure Active Directory.
+services: active-directory
+author: kenwith
+manager: mtillman
+ms.service: active-directory
+ms.subservice: app-provisioning
+ms.topic: how-to
+ms.workload: identity
+ms.date: 09/27/2021
+ms.author: kenwith
+ms.reviewer: arvinh
+---
+
+# Enable accidental deletions prevention in the Azure AD provisioning service (Preview)
+
+The Azure AD provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users are not disabled or deleted in an application unexpectedly. 
+
+The feature lets you specify a deletion threshold, above which an admin 
+needs to explicitly choose to allow the deletions to be processed.
+
+> [!NOTE]
+> Accidental deletions are not supported for our Workday / SuccessFactors integrations. It is also not supported for changes in scoping (e.g. changing a scoping filter or changing from "sync all users and groups" to "sync assigned users and groups". Until the accidental deletions prevention feature is fully released, you will need to access the Azure portal using this URL: https://portal.azure.com/?Microsoft_AAD_IAM_userProvisioningDeleteThreshold=true 
+
+
+## Configure accidental deletion prevention
+To enable accidental deletion prevention:
+1.  In the Azure portal, select **Azure Active Directory**.
+2.  Select **Enterprise applications** and then select your app.
+3.  Select **Provisioning** and then on the provisioning page select **Edit provisioning**.
+4. Under **Settings**, select the **Prevent accidental deletions** checkbox and specify a deletion 
+threshold. Also, be sure the notification email address is completed. If the deletion threshold his met and email will be sent.
+5. Select **Save**, to save the changes.
+
+When the deletion threshold is met, the job will go into quarantine and a notification email will be sent. The quarantined job can then be allowed or rejected. To learn more about quarantine behavior, see [Application provisioning in quarantine status](application-provisioning-quarantine-status.md).
+
+## Known limitations
+There are two key limitations to be aware of and are actively working to address:
+- HR-driven provisioning from Workday and SuccessFactors do not support the accidental deletions feature. 
+- Changes to your provisioning configuration (e.g. changing scoping) is not supported by the accidental deletions feature. 
+
+## Recovering from an accidental deletion
+If you encounter an accidental deletion you will see it on the provisioning status page.  It will say **Provisioning has been quarantined. See quarantine details for more information.**.
+
+You can click either **Allow deletes** or **View provisioning logs**.
+
+### Allowing deletions
+
+The **Allow deletes** action will delete the objects that triggered the accidental delete threshold.  Use the following procedure to accept the deletes.  
+
+1. Select **Allow deletes**.
+2. Click **Yes** on the confirmation to allow the deletions.
+3. You will see confirmation that the deletions were accepted and the status will return to healthy with the next cycle.
+
+### Rejecting deletions
+
+If you do not want to allow the deletions, you need to do the following:
+- Investigate the source of the deletions. You can use the provisioning logs for details.
+- Prevent the deletion by assigning the user / group to the app again, restoring the user / group, or updating your provisioning configuration.
+- Once you've made the necessary changes to prevent the user / group from being deleted, restart provisioning. Please do not restart provisioning until you've made the necessary changes to prevent the users / groups from being deleted. 
+
+
+### Test deletion prevention
+You can test the feature by triggering disable / deletion events by setting the threshold to a low number, for example 3, and then changing scoping filters, un-assigning users, and deleting users from the directory (see common scenarios in next section). 
+
+Let the provisioning job run (20 – 40 mins) and navigate back to the provisioning page. You will see the provisioning job in quarantine and can choose to allow the deletions or review the provisioning logs to understand why the deletions occurred.
+
+## Common de-provisioning scenarios to test
+- Delete a user / put them into the recycle bin.
+- Block sign in for a user.
+- Unassign a user or group from the application.
+- Remove a user from a group that’s providing them access to the app.
+
+To learn more about de-provisioning scenarios, see [How Application Provisioning Works](how-provisioning-works.md#de-provisioning).
+
+## Frequently Asked Questions
+
+### What scenarios count toward the deletion threshold?
+When a user is set to be removed from the target application, it will be counted against the 
+deletion threshold. Scenarios that could lead to a user being removed from the target 
+application could include: unassigning the user from the application, changing the sync scope 
+from “sync all” to “sync assigned” to soft / hard deleting a user in the directory. Groups 
+evaluated for deletion count towards the deletion threshold. In addition to deletions, the same functionality also works for disables.
+
+### What is the interval that the deletion threshold is evaluated on?
+It is evaluated each cycle. If the number of deletions does not exceed the threshold during a 
+single cycle, the “circuit breaker” won’t be triggered. If multiple cycles are needed to reach a 
+steady state, the deletion threshold will be evaluated per cycle.
+
+### How are these deletion events logged?
+You can find users that should be disabled / deleted but haven’t due to the deletion threshold. 
+Navigation to **Provisioning logs** and then filter **Action** with *StagedAction* or *StagedDelete*.
+
+
+## Next steps 
+
+- [How application provisioning works](how-provisioning-works.md)
+- [Plan an application provisioning deployment](plan-auto-user-provisioning.md)

articles/active-directory/app-provisioning/toc.yml

@@ -60,6 +60,8 @@
         href: ../reports-monitoring/concept-provisioning-logs.md?context=%2fazure%2factive-directory%2fapp-provisioning%2fcontext%2fapp-provisioning-context
     - name: Automate configuration using MS Graph
       href: application-provisioning-configuration-api.md
+    - name: Enable accidental deletions prevention
+      href: accidental-deletions.md
     - name: Troubleshoot application provisioning
       items:
       - name: Known issues

articles/active-directory/develop/active-directory-v2-registration-portal.md

@@ -22,11 +22,11 @@ ms.custom: aaddev
 
 ## Configure logging in MSAL.NET
 
-In MSAL 4.x, logging is set per application at app creation using the `.WithLogging` builder modifier. This method takes optional parameters:
+In MSAL logging is set at application creation using the `.WithLogging` builder modifier. This method takes optional parameters:
 
 - `Level` enables you to decide which level of logging you want. Setting it to Errors will only get errors
-- `PiiLoggingEnabled` enables you to log personal and organizational data if set to true. By default this is set to false, so that your application does not log personal data.
-- `LogCallback` is set to a delegate that does the logging. If `PiiLoggingEnabled` is true, this method will receive the messages twice: once with the `containsPii` parameter equals false and the message without personal data, and a second time with the `containsPii` parameter equals to true and the message might contain personal data. In some cases (when the message does not contain personal data), the message will be the same.
+- `PiiLoggingEnabled` enables you to log personal and organizational data (PII) if set to true. By default this is set to false, so that your application does not log personal data.
+- `LogCallback` is set to a delegate that does the logging. If `PiiLoggingEnabled` is true, this method will receive messages that can have PII, in which case the `containsPii` flag will be set to true.
 - `DefaultLoggingEnabled` enables the default logging for the platform. By default it's false. If you set it to true it uses Event Tracing in Desktop/UWP applications, NSLog on iOS and logcat on Android.
 
 ```csharp

articles/active-directory/develop/msal-logging-dotnet.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 05/06/2019
+ms.date: 09/27/2021
 ms.author: ryanwi
 ms.custom: aaddev
 #Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
@@ -50,4 +50,4 @@ The MSAL Angular wrapper takes advantage of the HTTP interceptor to automaticall
 
 ## Next steps
 
-Move on to the next article in this scenario, [Move to production](scenario-spa-production.md).
+Move on to the next article in this scenario, [Move to production](scenario-spa-production.md).