Merge pull request #254884 from MicrosoftDocs/main

Publish 10/13 11:00 AM IST

Author: Saisang

articles/active-directory/architecture/architecture-icons.md

@@ -35,14 +35,15 @@ Helping our customers design and architect new solutions is core to the Microsof
 
 | Month | Change description |
 |-------|--------------------|
-| August 2023 | Added a downloadable package that contains the Microsoft Entra architecture icons, branding playbook (which contains guidelines about the Microsoft Security visual identity), and terms of use. |
+| October 12, 2023 | Updated the downloadable package to include more Microsoft Entra product icons and updated branding playbook. |
+| August 15, 2023 | Added a downloadable package that contains the Microsoft Entra architecture icons, branding playbook (which contains guidelines about the Microsoft Security visual identity), and terms of use. |
 
 ## Icon terms
 
 Microsoft permits the use of these icons in architectural diagrams, training materials, or documentation. You may copy, distribute, and display the icons only for the permitted use unless granted explicit permission by Microsoft. Microsoft reserves all other rights.
 
  > [!div class="button"]
- > [I agree to the above terms. Download icons.](https://download.microsoft.com/download/a/4/2/a4289cad-4eaf-4580-87fd-ce999a601516/Microsoft-Entra-architecture-icons.zip?wt.mc_id=microsoftentraicons_downloadmicrosoftentraicons_content_cnl_csasci)
+ > [I agree to the above terms. Download icons.](https://download.microsoft.com/download/3/1/a/31a56038-856a-4489-88e4-ee5a1c4352be/Microsoft%20Entra%20architecture%20icons%20-%20Oct%202023.zip?wt.mc_id=microsoftentraicons_downloadmicrosoftentraicons_content_cnl_csasci)
 
 ## More icon sets from Microsoft
 

articles/active-directory/cloud-infrastructure-entitlement-management/TOC.yml

@@ -21,14 +21,19 @@
         href: onboard-azure.MD
       - name: Onboard a GCP project
         href: onboard-gcp.md
-      - name: Configure AWS IAM Identity Center as an identity provider
-        href: how-to-configure-aws-iam.md
       - name: Enable or disable the controller after onboarding is complete
         href: onboard-enable-controller-after-onboarding.md
       - name: Add an account/ subscription/ project after onboarding is complete
         href: onboard-add-account-after-onboarding.md
       - name: Create folders to organize your Authorization Systems
         href: how-to-create-folders.md
+    - name: Configure third-party integrations 
+      expanded: false
+      items:
+      - name: Configure AWS IAM Identity Center as an identity provider
+        href: how-to-configure-aws-iam.md
+      - name: Configure Okta as an identity provider
+        href: how-to-configure-okta-as-an-identity-provider.md 
     - name: View information about your Authorization Systems
       expanded: false
       items:

articles/active-directory/cloud-infrastructure-entitlement-management/how-to-configure-okta-as-an-identity-provider.md

@@ -0,0 +1,110 @@
+---
+title: Configure Okta as an identity provider
+description: How to configure Okta as an identity provider in Microsoft Entra Permissions Management.
+services: active-directory
+author: jenniferf-skc
+manager: amycolannino
+ms.service: active-directory 
+ms.subservice: ciem
+ms.workload: identity
+ms.topic: how-to
+ms.date: 10/10/2023
+ms.author: jfields
+---
+
+# Configure Okta as an identity provider (preview)
+
+This article describes how to integrate Okta as an identity provider (IdP) for an Amazon Web Services (AWS) account in Microsoft Entra Permissions Management. 
+
+Permissions Required:
+
+
+| **Account**                  | **Permissions Required**                                         |**Why?**                   |
+|-----------------------|-----------------------------------------------------|---------------------------------|
+| Permissions Management   | Permissions Management Administrator     | Admin can create and edit the AWS authorization system onboarding configuration.   | 
+| Okta                 | API Access Management Administrator     | Admin can add the application in the Okta portal and add or edit the API scope.    |
+| AWS   | AWS permissions explicitly     |  Admin should be able to run the cloudformation stack to create  1. AWS Secret in Secrets Manager; 2. Managed policy to allow the role to read the AWS secret. | 
+
+> [!NOTE]
+> While configuring the Amazon Web Services (AWS) app in Okta, the suggested AWS role group syntax is (```aws#{account alias]#{role name}#{account #]```).
+> Sample RegEx pattern for the group filter name are:
+> - ```^aws\#\S+\#?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$```
+> - ```aws_(?{{accountid}}\d+)_(?{{role}}[a-zA-Z0-9+=,.@\-_]+)```
+> Permissions Management reads default suggested filters. Custom RegEx expression for group syntax is not supported.
+
+## How to configure Okta as an identity provider
+
+1. Log in to the Okta portal with API Access Management Administrator. 
+2. Create a new **Okta API Services Application**. 
+3. In the Admin Console, go to Applications. 
+4. On the Create a new app integration page, select **API Services**.
+5. Enter a name for your app integration and click **Save**. 
+6. Copy the **Client ID** for future use.  
+7. In the **Client Credentials** section of the General tab, click **Edit** to change the client authentication method. 
+8. Select **Public key/Private key** as the Client authentication method. 
+9. Leave the default **Save keys in Okta**, then click **Add key**. 
+10. Click **Add** and in the **Add a public key** dialog, either paste your own public key or click **Generate new key** to autogenerate a new 2048-bit RSA key. 
+11. Copy **Public Key Id** for future use.  
+12. Click **Generate new key** and the public and private keys appear in JWK format. 
+13. Click **PEM**. The private key appears in PEM format. 
+    This is your only opportunity to save the private key. Click **Copy to clipboard** to copy the private key and store it somewhere safe. 
+14. Click **Done**. The new public key is now registered with the app and appears in a table in the **PUBLIC KEYS** section of the **General** tab. 
+15. From the Okta API scopes tab, grant these scopes:
+    - okta.users.read
+    - okta.groups.read
+    - okta.apps.read
+16. Optional. Click the **Application rate limits** tab to adjust the rate-limit capacity percentage for this service application. By default, each new application sets this percentage at 50 percent. 
+
+### Convert public key to a Base64 string
+
+1. See instructions for [using a personal access token (PAT)](https://go.microsoft.com/fwlink/?linkid=2249174).
+
+### Find your Okta URL (also called an Okta domain)
+
+This Okta URL/Okta domain is saved in the AWS secret.
+
+1. Sign in to your Okta organization with your administrator account.
+2. Look for the Okta URL/Okta domain in the global header of the dashboard. 
+Once located, note the Okta URL in an app such as Notepad. You'll need this URL for your next steps. 
+
+### Configure AWS stack details
+
+1. Fill in the following fields on the **CloudFormation Template Specify stack details** screen using the information from your Okta application:
+    - **Stack name** - A name of our choosing
+    - **Or URL** Your organization's Okta URL, example: *https://companyname.okta.com*
+    - **Client Id** - From the **Client Credentials** section of your Okta application
+    - **Public Key Id** - Click **Add > Generate new key**. The public key is generated 
+    - **Private Key (in PEM format)** - Base64 encoded string of the PEM format of the **Private key**
+     > [!NOTE]
+     > You must copy all text in the field before converting to a Base64 string, including the dash before BEGIN PRIVATE KEY and after END PRIVATE KEY.
+2. When the **CloudFormation Template Specify stack details** screen is complete, click **Next**.
+3. On the **Configure stack options** screen, click **Next**.
+4. Review the information you've entered, then click **Submit**.
+5. Select the **Resources** tab, then copy the **Physical ID** (this ID is the Secret ARN) for future use.
+
+### Configure Okta in Microsoft Entra Permissions Management
+
+> [!NOTE]
+> Integrating Okta as an identity provider is an optional step. You can return to these steps to configure an IdP at any time. 
+
+1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches, select **Settings** (gear icon), and then select the **Data Collectors** subtab.
+2. On the **Data Collectors** dashboard, select **AWS**, and then select **Create Configuration**.
+    Complete the **Manage Authorization System** steps.
+    > [!NOTE]
+    > If a Data Collector already exists in your AWS account and you want to add Okta integration, follow these steps:
+    >  1. Select the Data Collector for which you want to add Okta integration.
+    >  1. Click on the ellipsis next to the **Authorization System Status**.
+    >  1. Select **Integrate Identity Provider**.
+
+3. On the **Integrate Identity Provider (IdP)** page, select the box for **Okta**.
+4. Select **Launch CloudFormation Template**. The template opens in a new window.
+   > [!NOTE]
+   > Here you'll fill in information to create a secret Amazon Resource Name (ARN) that you'll enter on the **Integrate Identity Provider (IdP)** page. Microsoft does not read or store this ARN.
+5. Return to the Permissions Management **Integrate Identity Provider (IdP)** page and paste the **Secret ARN** in the field provided.
+6. Click **Next** to review and confirm the information you've entered.
+7. Click **Verify Now & Save**.
+   The system returns the populated AWS CloudFormation Template. 
+
+## Next steps
+
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).

articles/active-directory/cloud-infrastructure-entitlement-management/product-permissions-analytics-reports.md

@@ -60,7 +60,7 @@ You can view the Permissions Analytics Report information directly in the Permis
 2. Locate the **Permissions Analytics Report** in the list, then select it.
 3. Select which Authorization System you want to generate the PDF download for (AWS, Azure, or GCP).
    >[!NOTE]
-   > You can download a PDF report for up to 10 authorization systems at one time. The authorization systems must be part of the same cloud environment (for example, 1- 10 authorization systems that are all on Amazon Web Service (AWS)). 
+   > (Preview) You can download a PDF report for up to 10 authorization systems at one time. The authorization systems must be part of the same cloud environment (for example, 1- 10 authorization systems that are all on Amazon Web Service (AWS)). 
     
     The following message displays: **Successfully started to generate PDF report**. 
 

articles/active-directory/fundamentals/new-name.md

@@ -29,7 +29,7 @@ All features and capabilities are still available in the product. Licensing, ter
 
 To make the transition seamless, all existing login URLs, APIs, PowerShell cmdlets, and Microsoft Authentication Libraries (MSAL) stay the same, as do developer experiences and tooling.
 
-Service plan display names will change on October 1, 2023. Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 will be the new names of standalone offers, and all capabilities included in the current Azure AD plans remain the same. Microsoft Entra ID – previously known as Azure AD – continues to be included in Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details on pricing and what’s included are available on the [pricing and free trials page](https://aka.ms/PricingEntra).
+Service plan display names changed on October 1, 2023. Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 are the new names of standalone offers, and all capabilities included in the current Azure AD plans remain the same. Microsoft Entra ID – previously known as Azure AD – continues to be included in Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details on pricing and what’s included are available on the [pricing and free trials page](https://aka.ms/PricingEntra).
 
 :::image type="content" source="./media/new-name/azure-ad-new-name.png" alt-text="Diagram showing the new name for Azure AD and Azure AD External Identities." border="false" lightbox="./media/new-name/azure-ad-new-name-high-res.png":::
 
@@ -109,7 +109,7 @@ You can manage Microsoft Entra ID and all other Microsoft Entra solutions in the
 
 ### What are the display names for service plans and SKUs?
 
-Licensing, pricing, and functionality aren't changing. Display names will be updated October 1, 2023 as follows.
+Licensing, pricing, and functionality aren't changing. Display names were updated October 1, 2023 as follows.
 
 | **Old display name for service plan** | **New display name for service plan** |
 |---------|---------|
@@ -155,7 +155,7 @@ No. Prices, terms and service level agreements (SLAs) remain the same. Pricing d
 
 ### Will Microsoft Entra ID be available as a free service with an Azure subscription?
 
-Customers using Azure AD Free as part of their Azure, Microsoft 365, Dynamics 365, Teams, or Intune subscription continue to have access to the same capabilities. It will be called Microsoft Entra ID Free. Get the free version at <https://www.microsoft.com/security/business/microsoft-entra-pricing>.
+Customers using Azure AD Free as part of their Azure, Microsoft 365, Dynamics 365, Teams, or Intune subscription continue to have access to the same capabilities. This is now called Microsoft Entra ID Free. Get the free version at <https://www.microsoft.com/security/business/microsoft-entra-pricing>.
 
 ### What's changing for Microsoft 365 or Azure AD for Office 365?
 
@@ -251,6 +251,7 @@ Only official product names are capitalized, plus Conditional Access and My * ap
 |            | Azure AD cloud-only identities<br/> Azure Active Directory cloud-only identities | Microsoft Entra cloud-only identities |
 |            | Azure AD Connect<br/> Azure Active Directory Connect | Microsoft Entra Connect |
 |            | Azure AD Connect Sync<br/> Azure Active Directory Connect Sync | Microsoft Entra Connect Sync |
+|            | Azure AD connector<br/> Azure Active Directory connector | Microsoft Entra connector |
 |            | Azure AD domain<br/> Azure Active Directory domain | Microsoft Entra domain |
 |            | Azure AD Domain Services<br/> Azure Active Directory Domain Services | Microsoft Entra Domain Services |
 |            | Azure AD enterprise application<br/> Azure Active Directory enterprise application | Microsoft Entra enterprise application |
@@ -261,6 +262,7 @@ Only official product names are capitalized, plus Conditional Access and My * ap
 |            | Azure AD identity protection<br/> Azure Active Directory identity protection | Microsoft Entra ID Protection |
 |            | Azure AD integrated authentication<br/> Azure Active Directory integrated authentication | Microsoft Entra integrated authentication |
 |            | Azure AD join<br/> Azure AD joined<br/> Azure Active Directory join<br/> Azure Active Directory joined | Microsoft Entra join<br/> Microsoft Entra joined  |
+|            | Azure AD license<br/> Azure Active Directory license | Microsoft Entra ID license or license for Microsoft Entra ID |
 |            | Azure AD login<br/> Azure Active Directory login | Microsoft Entra login |
 |            | Azure AD managed identities<br/> Azure Active Directory managed identities | Microsoft Entra managed identities |
 |            | Azure AD multifactor authentication (MFA)<br/> Azure Active Directory multifactor authentication (MFA) | Microsoft Entra multifactor authentication (MFA)<br/> (Second use: MFA) |
@@ -271,6 +273,7 @@ Only official product names are capitalized, plus Conditional Access and My * ap
 |            | Azure AD password authentication<br/> Azure Active Directory password authentication | Microsoft Entra password authentication |
 |            | Azure AD password hash synchronization (PHS)<br/> Azure Active Directory password hash synchronization (PHS) | Microsoft Entra password hash synchronization |
 |            | Azure AD password protection<br/> Azure Active Directory password protection | Microsoft Entra password protection |
+|            | Azure AD Premium<br/> Azure Active Directory Premium | Microsoft Entra ID P1 or P2 |
 |            | Azure AD principal ID<br/> Azure Active Directory principal ID | Microsoft Entra principal ID |
 |            | Azure AD Privileged Identity Management (PIM)<br/> Azure Active Directory Privileged Identity Management (PIM) | Microsoft Entra Privileged Identity Management (PIM) |
 |            | Azure AD registered<br/> Azure Active Directory registered | Microsoft Entra registered |
@@ -291,6 +294,7 @@ Only official product names are capitalized, plus Conditional Access and My * ap
 
 | Date | Change description |
 |------|--------------------|
+| October 12, 2023 | <br/>&#8226;Updated statement about availability of license plans.  <br/>&#8226; Added three other terms in the glossary: "Azure AD connector", "Azure AD license", and "Azure AD Premium" |
 | September 15, 2023 | Added a link to the new article, [How to: Rename Azure AD](how-to-rename-azure-ad.md), updated the description for Azure AD B2C, and added more info about why the name Azure AD is changing. |
 | August 29, 2023 | <br/>&#8226; In the [glossary](#glossary-of-updated-terminology), corrected the entry for "Azure AD activity logs" to separate "Azure AD audit log", which is a distinct type of activity log. <br/>&#8226; Added Azure AD Sync and DirSync to the [What names aren't changing](#what-names-arent-changing) section. |
 | August 18, 2023 | <br/>&#8226; Updated the article to include a new section [Glossary of updated terminology](#glossary-of-updated-terminology), which includes the old and new terminology.<br/>&#8226; Updated info and added link to usage of the Microsoft Entra ID icon, and updates to verbiage in some sections.  |