Commit 66eb060

Merge pull request #231206 from MicrosoftDocs/main
3/17 AM Publish
2 parents 0c42a0b + 8d60b89 commit 66eb060

80 files changed

+960
-711
lines changed

.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
@@ -22440,6 +22440,11 @@
2244022440
"source_path": "articles/private-multi-access-edge-compute-mec/metaswitch-fusion-core-overview.md",
2244122441
"redirect_URL": "/azure/private-5g-core",
2244222442
"redirect_document_id": false
22443+
},
22444+
{
22445+
"source_path": "articles/communications-gateway/rotate-secrets.md",
22446+
"redirect_URL": "/azure/communications-gateway/whats-new",
22447+
"redirect_document_id": false
2244322448
}
2244422449
]
2244522450
}
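Review bot: the new redirect sends `articles/communications-gateway/rotate-secrets.md` to `/azure/communications-gateway/whats-new`, so anyone following an existing link to secret-rotation guidance lands on a release-notes page. If the rotation procedure now lives elsewhere, point `redirect_URL` at that page instead; if the page was retired, make sure the what's-new entry says what replaced it. `"redirect_document_id": false` is correct here because the target is a different document, and the `},` / `{` placement keeps the JSON array well-formed.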

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

Lines changed: 1 addition & 0 deletions
@@ -64,3 +64,4 @@ The following video provides an overview of on-premises provisoning.
6464
- [App provisioning](user-provisioning.md)
6565
- [Generic SQL connector](on-premises-sql-connector-configure.md)
6666
- [Tutorial: ECMA Connector Host generic SQL connector](tutorial-ecma-sql-connector.md)
67+
- [Known issues](known-issues.md)
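Review bot: the context line quoted in the hunk header (line 64, `The following video provides an overview of on-premises provisoning.`) has a typo, `provisoning` for `provisioning`; since this file is already being touched, fix it in the same change. The added `[Known issues](known-issues.md)` entry itself is fine and matches the relative-link style of the list above it.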

articles/active-directory/app-provisioning/scim-validator-tutorial.md

Lines changed: 6 additions & 6 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-provisioning
99
ms.workload: identity
1010
ms.topic: tutorial
11-
ms.date: 09/13/2022
11+
ms.date: 03/17/2023
1212
ms.custom: template-tutorial
1313
ms.reviewer: arvinh
1414
---
@@ -41,7 +41,7 @@ The first step is to select a testing method to validate your SCIM endpoint.
4141

4242
**Use default attributes** - The system provides the default attributes, and you modify them to meet your need.
4343

44-
**Discover schema** - If your end point supports /Schema, this option will allow the tool to discover the supported attributes. We recommend this option as it reduces the overhead of updating your app as you build it out.
44+
**Discover schema** - If your end point supports /Schema, this option lets the tool discover the supported attributes. We recommend this option as it reduces the overhead of updating your app as you build it out.
4545

4646
**Upload Azure AD Schema** - Upload the schema you've downloaded from your sample app on Azure AD.
4747

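Review bot: on the rewritten line 44, `end point` should be one word, `endpoint`, matching `SCIM endpoint` at line 41 and the rest of this tutorial. Separately, RFC 7644 (the spec linked from use-scim-to-build-users-and-groups-endpoints.md in this same commit) names the schema discovery resource `/Schemas`, plural; confirm which path the validator actually requests and write it the way the spec does, so an implementer who exposes exactly what this page says does not get a failed discovery step.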
@@ -75,7 +75,7 @@ Finally, you need to test and validate your endpoint.
7575

7676
### Use Postman to test endpoints (optional)
7777

78-
In addition to using the SCIM Validator tool, you can also use Postman to validate an endpoint. This example provides a set of tests in Postman that validate CRUD (create, read, update, and delete) operations on users and groups, filtering, updates to group membership, and disabling users.
78+
In addition to using the SCIM Validator tool, you can also use Postman to validate an endpoint. This example provides a set of tests in Postman. The example validates create, read, update, and delete (CRUD) operations. The operations are validated on users and groups, filtering, updates to group membership, and disabling users.
7979

8080
The endpoints are in the `{host}/scim/` directory, and you can use standard HTTP requests to interact with them. To modify the `/scim/` route, see *ControllerConstant.cs* in **AzureADProvisioningSCIMreference** > **ScimReferenceApi** > **Controllers**.
8181

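Review bot: the last sentence of the rewritten line 78 does not parse: `The operations are validated on users and groups, filtering, updates to group membership, and disabling users` mixes resource types (users, groups) with behaviours (filtering, membership updates, disabling) in one list, so `operations are validated on ... filtering` has no clear meaning. Suggest keeping the three-sentence split but ending with `The tests validate CRUD (create, read, update, and delete) operations on users and groups, plus filtering, updates to group membership, and disabling users.`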
@@ -120,10 +120,10 @@ If you created any Azure resources in your testing that are no longer needed, do
120120
## Known Issues with Azure AD SCIM Validator
121121

122122
- Soft deletes (disables) aren’t yet supported.
123-
- The time zone format is randomly generated and will fail for systems that try to validate it.
124-
- The preferred language format is randomly generated and will fail for systems that try to validate it.
123+
- The time zone format is randomly generated and fails for systems that try to validate it.
124+
- The preferred language format is randomly generated and fails for systems that try to validate it.
125125
- The patch user remove attributes may attempt to remove mandatory/required attributes for certain systems. Such failures should be ignored.
126126

127127

128128
## Next steps
129-
- [Learn how to add an app that is not in the Azure AD app gallery](../manage-apps/overview-application-gallery.md)
129+
- [Learn how to add an app that's not in the Azure AD app gallery](../manage-apps/overview-application-gallery.md)
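Review bot: lines 123 and 124 now say the time zone and preferred language values are randomly generated and `fail` for systems that validate them, but not what those systems would be validating against; naming the expected format (for example that the generated value is not guaranteed to be a real IANA time zone identifier or language tag) tells an implementer exactly which check to relax during validator runs and which to keep in production. In the same list, unchanged line 125 (`Such failures should be ignored`) deserves a qualifier that this applies only to validator output: an endpoint that silently ignores attempts to remove required attributes in production is not the behaviour being recommended.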

articles/active-directory/app-provisioning/use-scim-to-build-users-and-groups-endpoints.md

Lines changed: 2 additions & 2 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-provisioning
99
ms.workload: identity
1010
ms.topic: conceptual
11-
ms.date: 03/16/2023
11+
ms.date: 03/17/2023
1212
ms.author: kenwith
1313
ms.reviewer: arvinh
1414
---
@@ -102,7 +102,7 @@ That's it! Your SCIM endpoint is now published, and you can use the Azure App Se
102102
103103
## Test your SCIM endpoint
104104
105-
Requests to a SCIM endpoint require authorization. The SCIM standard has multiple options for authentication and authorization, including cookies, basic authentication, TLS client authentication, or any of the methods listed in [RFC 7644](https://tools.ietf.org/html/rfc7644#section-2).
105+
Requests to a SCIM endpoint require authorization. The SCIM standard has multiple options available. Requests can use cookies, basic authentication, TLS client authentication, or any of the methods listed in [RFC 7644](https://tools.ietf.org/html/rfc7644#section-2).
106106
107107
Be sure to avoid methods that aren't secure, such as username and password, in favor of a more secure method such as OAuth. Azure AD supports long-lived bearer tokens (for gallery and non-gallery applications) and the OAuth authorization grant (for gallery applications).
108108

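Review bot: the split at the new line 105 lists cookies and basic authentication as plain options, and the very next context line (107) tells the reader to avoid username/password schemes, so the two sentences contradict on first read. Tighten them together, e.g. `The SCIM standard permits several mechanisms (cookies, basic authentication, TLS client authentication, or any method listed in RFC 7644), but avoid basic authentication and other username/password schemes in favor of OAuth bearer tokens.` Also, `The SCIM standard has multiple options available` no longer says options for what; the old wording `for authentication and authorization` should be kept.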
articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-provisioning
99
ms.workload: identity
1010
ms.topic: tutorial
11-
ms.date: 03/16/2023
11+
ms.date: 03/17/2023
1212
ms.author: kenwith
1313
ms.reviewer: arvinh
1414
---

articles/active-directory/devices/concept-primary-refresh-token.md

Lines changed: 4 additions & 1 deletion
@@ -36,7 +36,7 @@ The following Windows components play a key role in requesting and using a PRT:
3636
A PRT contains claims found in most Azure AD refresh tokens. In addition, there are some device-specific claims included in the PRT. They are as follows:
3737

3838
* **Device ID**: A PRT is issued to a user on a specific device. The device ID claim `deviceID` determines the device the PRT was issued to the user on. This claim is later issued to tokens obtained via the PRT. The device ID claim is used to determine authorization for Conditional Access based on device state or compliance.
39-
* **Session key**: The session key is an encrypted symmetric key, generated by the Azure AD authentication service, issued as part of the PRT. The session key acts as the proof of possession when a PRT is used to obtain tokens for other applications.
39+
* **Session key**: The session key is an encrypted symmetric key, generated by the Azure AD authentication service, issued as part of the PRT. The session key acts as the proof of possession when a PRT is used to obtain tokens for other applications. Session key is rolled on Windows 10 or newer Azure AD joined or Hybrid Azure AD joined devices if it's older than 30 days.
4040

4141
### Can I see what’s in a PRT?
4242

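Review bot: the sentence appended to line 39 needs an article (`The session key is rolled on ...`) and should say what the roll means for the user: whether the existing PRT stays valid and whether an interactive sign-in or MFA can be required afterwards. The NOTE added later in this same file (line 136, `MFA during WAM interactive sign in may be required after session key associated with PRT is rolled`) answers the second part, so either reference it from here or place the 30-day statement next to it; a reader of the claims list alone will not find it.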
@@ -133,6 +133,9 @@ A PRT can get a multifactor authentication (MFA) claim in specific scenarios. Wh
133133

134134
Windows 10 or newer maintain a partitioned list of PRTs for each credential. So, there’s a PRT for each of Windows Hello for Business, password, or smartcard. This partitioning ensures that MFA claims are isolated based on the credential used, and not mixed up during token requests.
135135

136+
> [!NOTE]
137+
> When using password to sign into Windows 10 or newer Azure AD joined or Hybrid Azure AD joined device, MFA during WAM interactive sign in may be required after session key associated with PRT is rolled.
138+
136139
## How is a PRT invalidated?
137140

138141
A PRT is invalidated in the following scenarios:
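Review bot: grammar in the added NOTE at line 137; suggest `When using a password to sign in to a Windows 10 or newer Azure AD joined or Hybrid Azure AD joined device, MFA during a WAM interactive sign-in may be required after the session key associated with the PRT is rolled.` It is also worth stating that this prompt is expected behaviour rather than an error, so admins do not treat the recurring MFA challenge (which, per the 30-day rolling described at line 39 of this diff, will repeat) as a sign that something is wrong.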

articles/active-directory/governance/what-is-provisioning.md

Lines changed: 4 additions & 2 deletions
@@ -7,7 +7,7 @@ manager: amycolannino
77
ms.service: active-directory
88
ms.workload: identity
99
ms.topic: overview
10-
ms.date: 08/01/2022
10+
ms.date: 01/05/2023
1111
ms.subservice: compliance
1212
ms.author: billmath
1313
ms.collection: M365-identity-device-management
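Review bot: `ms.date` is set to `01/05/2023` even though this PR (the 3/17 publish) is what adds the new paragraph at line 59 below; confirm the intended date, since the field is how readers judge how current the page is.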
@@ -56,6 +56,8 @@ For more information, see [What is HR driven provisioning?](../app-provisioning/
5656

5757
In Azure AD, the term **[app provisioning](../app-provisioning/user-provisioning.md)** refers to automatically creating copies of user identities in the applications that users need access to, for applications that have their own data store, distinct from Azure AD or Active Directory. In addition to creating user identities, app provisioning includes the maintenance and removal of user identities from those apps, as the user's status or roles change. Common scenarios include provisioning an Azure AD user into applications like [Dropbox](../saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../saas-apps/servicenow-provisioning-tutorial.md), as each of these applications have their own user repository distinct from Azure AD.
5858

59+
Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://aka.ms/scimoverview), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](https://learn.microsoft.com/azure/active-directory/app-provisioning/on-premises-scim-provisioning) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](https://learn.microsoft.com/azure/active-directory/app-provisioning/on-premises-ldap-connector-configure) user store or a [SQL](https://learn.microsoft.com/azure/active-directory/app-provisioning/on-premises-sql-connector-configure) database, Azure AD can support those as well.
60+
5961
For more information, see [What is app provisioning?](../app-provisioning/user-provisioning.md)
6062

6163
## Inter-directory provisioning
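Review bot: the added paragraph at line 59 uses absolute `https://learn.microsoft.com/azure/active-directory/...` URLs while the neighbouring lines (57 and 61) and the rest of the file use repo-relative links such as `../app-provisioning/user-provisioning.md`; switch to relative paths so the build's link validation covers them and they follow the content if it moves. `without having to open up any firewalls` is also vague; say precisely which network change the provisioning agent lets you avoid, since that is the property a network or security reviewer will ask about.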
@@ -76,4 +78,4 @@ For more information, see [What is inter-directory provisioning?](../hybrid/what
7678
- [What is identity lifecycle management?](what-is-identity-lifecycle-management.md)
7779
- [What is HR driven provisioning?](../app-provisioning/what-is-hr-driven-provisioning.md)
7880
- [What is app provisioning?](../app-provisioning/user-provisioning.md)
79-
- [What is inter-directory provisioning?](../hybrid/what-is-inter-directory-provisioning.md)
81+
- [What is inter-directory provisioning?](../hybrid/what-is-inter-directory-provisioning.md)

articles/active-directory/privileged-identity-management/groups-activate-roles.md

Lines changed: 6 additions & 10 deletions
@@ -10,7 +10,7 @@ ms.topic: how-to
1010
ms.tgt_pltfrm: na
1111
ms.workload: identity
1212
ms.subservice: pim
13-
ms.date: 01/12/2023
13+
ms.date: 3/15/2023
1414
ms.author: amsliu
1515
ms.reviewer: ilyal
1616
ms.custom: pim
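Review bot: `ms.date: 3/15/2023` drops the zero padding the file used before (`01/12/2023`); keep the `MM/DD/YYYY` form for consistency with the rest of the metadata in this folder.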
@@ -23,6 +23,11 @@ In Azure Active Directory (Azure AD), part of Microsoft Entra, you can use Privi
2323

2424
This article is for eligible members or owners who want to activate their group membership or ownership in PIM.
2525

26+
>[!IMPORTANT]
27+
>When a group membership or ownership is activated, Azure AD PIM temporarily adds an active assignment. Azure AD PIM creates an active assignment (adds user as member or owner of the group) within seconds. When deactivation (manual or through activation time expiration) happens, Azure AD PIM removes user’s group membership or ownership within seconds as well.
28+
>
29+
>Application may provide access to users based on their group membership. In some situations, application access may not immediately reflect the fact that user was added to the group or removed from it. If application previously cached the fact that user is not member of the group – when user tries to access application again, access may not be provided. Similarly, if application previously cached the fact that user is member of the group – when group membership is deactivated, user may still get access. Specific situation depends on the application’s architecture. For some applications, signing out and signing back in may help to get access added or removed.
30+
2631
## Activate a role
2732

2833
When you need to take on a group membership or ownership, you can request activation by using the **My roles** navigation option in PIM.
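Review bot: the added IMPORTANT block (lines 27 and 29) is hard to read: articles are missing throughout (`An application may provide access to users based on their group membership`, `the user is not a member of the group`), en dashes join clauses that should be separate sentences, and `Specific situation depends on` should be `The specific behavior depends on`. It also drops the one actionable check from the Troubleshoot section this PR removes further down (`In PIM, verify that you are listed as the member of the role`); keep that step here so a user who still cannot get access can tell a PIM problem from application caching. A near-identical block is added to pim-how-to-activate-role.md and pim-resource-roles-activate-your-roles.md in this commit; an include would avoid maintaining three copies.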
@@ -76,15 +81,6 @@ You can view the status of your pending requests to activate. It is specifically
7681

7782
When you select **Cancel**, the request will be canceled. To activate the role again, you will have to submit a new request for activation.
7883

79-
## Troubleshoot
80-
81-
### Permissions are not granted after activating a role
82-
83-
When you activate a role in PIM, the activation may not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal may result in the change not taking effect immediately. If your activation is delayed, here is what you should do.
84-
85-
1. Sign out of the Azure portal and then sign back in.
86-
1. In PIM, verify that you are listed as the member of the role.
87-
8884
## Next steps
8985

9086
- [Approve activation requests for group members and owners (preview)](groups-approval-workflow.md)
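Review bot: removing the `## Troubleshoot` and `### Permissions are not granted after activating a role` headings (lines 79 to 86) breaks any inbound deep link to those anchors; search the repo and the redirection file for `groups-activate-roles.md#troubleshoot` and `#permissions-are-not-granted-after-activating-a-role` before merging. If the section is being folded into the new IMPORTANT block at the top, the two numbered steps (sign out and back in; verify membership in PIM) should survive there rather than disappearing.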

articles/active-directory/privileged-identity-management/pim-how-to-activate-role.md

Lines changed: 8 additions & 10 deletions
@@ -6,14 +6,13 @@ documentationcenter: ''
66
author: amsliu
77
manager: amycolannino
88
editor: ''
9-
109
ms.service: active-directory
1110
ms.topic: how-to
1211
ms.workload: identity
1312
ms.subservice: pim
14-
ms.date: 02/02/2022
13+
ms.date: 3/15/2023
1514
ms.author: amsliu
16-
ms.reviewer: shaunliu
15+
ms.reviewer: ilyal
1716
ms.custom: pim
1817
ms.collection: M365-identity-device-management
1918
---
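Review bot: `ms.date: 3/15/2023` loses the zero padding of the `02/02/2022` it replaces; use `MM/DD/YYYY` as the file did. The `ms.reviewer` change from `shaunliu` to `ilyal` should be deliberate and ideally mentioned in the PR description. The blank-line removal at old line 9 is fine.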
@@ -25,6 +24,11 @@ If you have been made *eligible* for an administrative role, then you must *acti
2524

2625
This article is for administrators who need to activate their Azure AD role in Privileged Identity Management.
2726

27+
>[!IMPORTANT]
28+
>When a role is activated, Azure AD PIM temporarily adds active assignment for the role. Azure AD PIM creates active assignment (assigns user to a role) within seconds. When deactivation (manual or through activation time expiration) happens, Azure AD PIM removes the active assignment within seconds as well.
29+
>
30+
>Application may provide access based on the role the user has. In some situations, application access may not immediately reflect the fact that user got role assigned or removed. If application previously cached the fact that user does not have a role – when user tries to access application again, access may not be provided. Similarly, if application previously cached the fact that user has a role – when role is deactivated, user may still get access. Specific situation depends on the application’s architecture. For some applications, signing out and signing back in may help get access added or removed.
31+
2832
## Activate a role
2933

3034
When you need to assume an Azure AD role, you can request activation by opening **My roles** in Privileged Identity Management.
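Review bot: same readability issues as the matching block added to groups-activate-roles.md: lines 28 and 30 need articles (`an active assignment`, `the user`, `an application`) and the dash-joined clauses (`... does not have a role – when user tries ...`) should be full sentences. `Azure AD PIM creates active assignment (assigns user to a role) within seconds` and `removes the active assignment within seconds` are the facts readers need; lead with them and keep the caching explanation short.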
@@ -230,13 +234,7 @@ If you don't require activation of a role that requires approval, you can cancel
230234

231235
## Deactivate a role assignment
232236

233-
When a role assignment is activated, you'll see a **Deactivate** option in the PIM portal for the role assignment. When you select **Deactivate**, there's a short time lag before the role is deactivated. Also, you can't deactivate a role assignment within five minutes after activation.
234-
235-
## Troubleshoot portal delay
236-
237-
### Permissions aren't granted after activating a role
238-
239-
When you activate a role in Privileged Identity Management, the activation might not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal may cause a delay before the change takes effect. If your activation is delayed, sign out of the portal you're trying to perform the action and then sign back in. In the Azure portal, PIM signs you out and back in automatically.
237+
When a role assignment is activated, you'll see a **Deactivate** option in the PIM portal for the role assignment. Also, you can't deactivate a role assignment within five minutes after activation.
240238

241239
## Next steps
242240

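Review bot: after deleting the sentence about the deactivation time lag, the surviving line 237 still opens its second sentence with `Also,`, which now adds to nothing; drop `Also,` or merge: `When a role assignment is activated, you'll see a **Deactivate** option in the PIM portal for the role assignment; you can't deactivate a role assignment within five minutes after activation.` The removed troubleshooting text (old line 239) also stated that the Azure portal signs you out and back in automatically after activation; if that is still true, keep it in the new IMPORTANT block, since it is exactly the cache-refresh step that block alludes to.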
articles/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md

Lines changed: 7 additions & 11 deletions
@@ -10,7 +10,7 @@ ms.topic: how-to
1010
ms.tgt_pltfrm: na
1111
ms.workload: identity
1212
ms.subservice: pim
13-
ms.date: 3/1/2023
13+
ms.date: 3/15/2023
1414
ms.author: amsliu
1515
ms.reviewer: rianakarim
1616
ms.custom: pim
@@ -26,6 +26,11 @@ This article is for members who need to activate their Azure resource role in Pr
2626
>[!NOTE]
2727
>As of March 2023, you may now activate your assignments and view your access directly from blades outside of PIM in the Azure portal. Read more [here](pim-resource-roles-activate-your-roles.md#activate-with-azure-portal).
2828
29+
>[!IMPORTANT]
30+
>When a role is activated, Azure AD PIM temporarily adds active assignment for the role. Azure AD PIM creates active assignment (assigns user to a role) within seconds. When deactivation (manual or through activation time expiration) happens, Azure AD PIM removes the active assignment within seconds as well.
31+
>
32+
>Application may provide access based on the role the user has. In some situations, application access may not immediately reflect the fact that user got role assigned or removed. If application previously cached the fact that user does not have a role – when user tries to access application again, access may not be provided. Similarly, if application previously cached the fact that user has a role – when role is deactivated, user may still get access. Specific situation depends on the application’s architecture. For some applications, signing out and signing back in may help get access added or removed.
33+
2934
## Activate a role
3035

3136
When you need to take on an Azure resource role, you can request activation by using the **My roles** navigation option in Privileged Identity Management.
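Review bot: two callouts now sit back to back before the first heading (the NOTE at lines 26 and 27 and the new IMPORTANT at 29 to 32); consider placing the propagation point as prose under `## Activate a role` rather than stacking admonitions. Grammar as in the sibling files: `an active assignment`, `the user`, `An application may provide access based on the role the user has`, and replace the en dashes with sentence breaks.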
@@ -215,7 +220,7 @@ If you do not require activation of a role that requires approval, you can cance
215220

216221
## Deactivate a role assignment
217222

218-
When a role assignment is activated, you'll see a **Deactivate** option in the PIM portal for the role assignment. When you select **Deactivate**, there's a short time lag before the role is deactivated. Also, you can't deactivate a role assignment within five minutes after activation.
223+
When a role assignment is activated, you'll see a **Deactivate** option in the PIM portal for the role assignment. Also, you can't deactivate a role assignment within five minutes after activation.
219224

220225
## Activate with Azure portal
221226

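Review bot: `Also, you can't deactivate ...` at line 223 now follows no statement it adds to, because the time-lag sentence was removed; drop `Also,`. If the lag sentence was removed because it is no longer accurate (the new IMPORTANT block in this file says deactivation takes seconds), say so in the PR description so reviewers can see the two edits are linked.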
@@ -233,15 +238,6 @@ In Access control (IAM) for a resource, you can now select “View my access”
233238

234239
By integrating PIM capabilities into different Azure portal blades, this new feature allows you to gain temporary access to view or edit subscriptions and resources more easily.
235240

236-
## Troubleshoot
237-
238-
### Permissions are not granted after activating a role
239-
240-
When you activate a role in Privileged Identity Management, the activation may not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal may result in the change not taking effect immediately. If your activation is delayed, here is what you should do.
241-
242-
1. Sign out of the Azure portal and then sign back in.
243-
1. In Privileged Identity Management, verify that you are listed as the member of the role.
244-
245241
## Next steps
246242

247243
- [Extend or renew Azure resource roles in Privileged Identity Management](pim-resource-roles-renew-extend.md)
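Review bot: deleting `## Troubleshoot` (lines 236 to 243) removes the `#troubleshoot` and `#permissions-are-not-granted-after-activating-a-role` anchors; check for inbound links (including the `[here](...#activate-with-azure-portal)` style cross-references this file already uses at line 27) and add redirects where needed. The surviving context line 239 (`this new feature allows you to gain temporary access to view or edit subscriptions and resources more easily`) reads as marketing rather than documentation; while here, state concretely what the portal integration lets you do.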
