Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Learn Build Service GitHub App

.openpublishing.redirection.defender-for-iot.json

@@ -1,5 +1,44 @@
 {
     "redirections": [
+        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-on-premises-management-console.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/activate-deploy-management",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-sensor.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/activate-deploy-sensor",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-deploy-certificates.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/activate-deploy-sensor#deploy-an-ssltls-certificate",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-enhance-port-and-vlan-name-resolution.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/how-to-control-what-traffic-is-monitored#customize-port-and-vlan-names",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-gain-insight-into-global-regional-and-local-threats.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/monitor-zero-trust",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/traffic-mirroring/configure-mirror-tap.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/best-practices/traffic-mirroring-methods#active-or-passive-aggregation-tap",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/pre-deployment-checklist.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/ot-deploy-path",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-troubleshoot-the-sensor-and-on-premises-management-console.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/how-to-troubleshoot-sensor",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-set-up-your-network.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/best-practices/plan-prepare-deploy",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-work-with-device-notifications.md",
             "redirect_url": "/azure/defender-for-iot/organizations/how-to-work-with-the-sensor-device-map#manage-device-notifications-from-an-ot-sensor-device-map",
@@ -136,7 +175,7 @@
         },
         {
             "source_path_from_root": "/articles/defender-for-iot/how-to-set-up-your-network.md",
-            "redirect_url": "/azure/defender-for-iot/organizations/how-to-set-up-your-network",
+            "redirect_url": "/azure/defender-for-iot/organizations/best-practices/plan-prepare-deploy",
             "redirect_document_id": false
         },
         {
@@ -151,7 +190,7 @@
         },
         {
             "source_path_from_root": "/articles/defender-for-iot/how-to-activate-and-set-up-your-on-premises-management-console.md",
-            "redirect_url": "/azure/defender-for-iot/organizations/how-to-activate-and-set-up-your-on-premises-management-console",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/activate-deploy-management",
             "redirect_document_id": false
         },
         {
@@ -256,7 +295,7 @@
         },
         {
             "source_path_from_root": "/articles/defender-for-iot/how-to-gain-insight-into-global-regional-and-local-threats.md",
-            "redirect_url": "/azure/defender-for-iot/organizations/how-to-gain-insight-into-global-regional-and-local-threats",
+            "redirect_url": "/azure/defender-for-iot/organizations/monitor-zero-trust",
             "redirect_document_id": false
         },
         {
@@ -677,5 +716,3 @@
     ]
 }
 
-
-

articles/active-directory/authentication/how-to-mfa-authenticator-lite.md

@@ -19,8 +19,6 @@ ms.collection: M365-identity-device-management
 ---
 # How to enable Microsoft Authenticator Lite for Outlook mobile (preview)
 
->[!NOTE]
->Rollout has not yet completed across Outlook applications. If this feature is enabled in your tenant, your users may not yet be prompted for the experience. To minimize user disruption, we recommend enabling this feature when the rollout completes.
 
 Microsoft Authenticator Lite is another surface for Azure Active Directory (Azure AD) users to complete multifactor authentication by using push notifications or time-based one-time passcodes (TOTP) on their Android or iOS device. With Authenticator Lite, users can satisfy a multifactor authentication requirement from the convenience of a familiar app. Authenticator Lite is currently enabled in [Outlook mobile](https://www.microsoft.com/microsoft-365/outlook-mobile-for-android-and-ios). 
 
@@ -38,8 +36,8 @@ Users receive a notification in Outlook mobile to approve or deny sign-in, or th
 
   | Operating system | Outlook version |
   |:----------------:|:---------------:|
-  |Android           | 4.2309.1        |
-  |iOS               | 4.2309.0        |
+  |Android           | 4.2310.1        |
+  |iOS               | 4.2312.1        |
 
 ## Enable Authenticator Lite
 
@@ -52,7 +50,8 @@ By default, Authenticator Lite is [Microsoft managed](concept-authentication-def
 
 To enable Authenticator Lite in the Azure portal, complete the following steps:
 
-  1. In the Azure portal, click Security > Authentication methods > Microsoft Authenticator.
+  1. In the Azure portal, click Azure Active Directory > Security > Authentication methods > Microsoft Authenticator.
+     In the Entra admin center, on the sidebar select Azure Active Directory > Protect & Secure > Authentication methods > Microsoft Authenticator.
 
   2. On the Enable and Target tab, click Yes and All users to enable the policy for everyone or add selected users and groups. Set the Authentication mode for these users/groups to Any or Push.
 

articles/active-directory/develop/security-best-practices-for-app-registration.md

@@ -62,6 +62,7 @@ Certificates and secrets, also known as credentials, are a vital part of an appl
 Consider the following guidance related to certificates and secrets:
 
 - Always use [certificate credentials](./active-directory-certificate-credentials.md) whenever possible and don't use password credentials, also known as *secrets*. While it's convenient to use password secrets as a credential, when possible use x509 certificates as the only credential type for getting tokens for an application.
+  - Configure [application authentication method policies](/graph/api/resources/applicationauthenticationmethodpolicy) to govern the use of secrets by limiting their lifetimes or blocking their use altogether.
 - Use Key Vault with [managed identities](../managed-identities-azure-resources/overview.md) to manage credentials for an application.
 - If an application is used only as a Public Client App (allows users to sign in using a public endpoint), make sure that there are no credentials specified on the application object.
 - Review the credentials used in applications for freshness of use and their expiration. An unused credential on an application can result in a security breach. Rollover credentials frequently and don't share credentials across applications. Don't have many credentials on one application.

articles/active-directory/governance/configure-logic-app-lifecycle-workflows.md

@@ -5,7 +5,7 @@ author: owinfreyATL
 ms.author: owinfrey
 ms.service: active-directory
 ms.topic: reference
-ms.date: 01/26/2023
+ms.date: 03/17/2023
 ms.custom: template-how-to
 ---
 
@@ -15,16 +15,32 @@ ms.custom: template-how-to
 
 Before you can use an existing Azure Logic App with the custom task extension feature of Lifecycle Workflows, it must first be made compatible. This reference guide provides a list of steps that must be taken to make the Azure Logic App compatible. For a guide on creating a new compatible Logic App via the Lifecycle Workflows portal, see [Trigger Logic Apps based on custom task extensions (preview)](trigger-custom-task.md).
 
+## Determine type of token security of your custom task extension
+
+Before configuring your Azure Logic App custom extension for use with Lifecycle Workflows, you must first figure out what type of token security it has. The two token security types can either be:
+
+- Normal
+- Proof of Possession(POP)
+
+
+To determine the security token type of your custom task extension, you'd check the **Custom extensions (Preview)** page:
+
+:::image type="content" source="media/configure-logic-app-lifecycle-workflows/custom-task-extension-token-type.png" alt-text="Screenshot of custom task extension and token type.":::
+
+
+> [!NOTE]
+> New custom task extensions will only have Proof of Possession(POP) token security type. Only task extensions created before the inclusion of the Proof of Possession token security type will have a type of Normal.
+
 ## Configure existing Logic Apps for LCW use
 
 Making an Azure Logic app compatible to run with the **Custom Task Extension** requires the following steps:
 
 - Configure the logic app trigger
-- Configure the callback action (only applicable to the callback scenario)
-- Enable system assigned managed identity.
-- Configure AuthZ policies.
+- Configure the callback action (Only applicable to the callback scenario.)
+- Enable system assigned managed identity (Always required for Normal security token type extensions. This is also the default for callback scenarios with custom task extensions. For more information on this, and other, custom task extension deployment scenarios, see: [Custom task extension deployment scenarios](lifecycle-workflow-extensibility.md#custom-task-extension-deployment-scenarios).)
+- Configure AuthZ policies
 
-To configure those you'll follow these steps:
+To configure those you follow these steps:
 
 1. Open the Azure Logic App you want to use with Lifecycle Workflow. Logic Apps may greet you with an introduction screen, which you can close with the X in the upper right corner.
 
@@ -202,21 +218,59 @@ To configure those you'll follow these steps:
 
 1. Select Save.    
 
-1. For Logic Apps authorization policy, we'll need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure portal** to find the required Application ID.
+## Configure authorization policy for custom task extension with POP security token type
+If the security token type is **Proof of Possession (POP)** for your custom task extension, you'd set the authorization policy by following these steps:
+
+1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.
 
 1. Go back to the logic app you created, and select **Authorization**.
 
-1. Create two authorization policies based on the tables below:
+1. Create two authorization policies based on these tables:
 
-    Policy name: AzureADLifecycleWorkflowsAuthPolicy   
+    Policy name: POP-Policy
+    
+    Policy type: (Preview) AADPOP   
+    
+    |Claim  |Value  |
+    |---------|---------|
+    |Issuer     |  https://sts.windows.net/(Tenant ID)/       |
+    |appid     |  ce79fdc4-cd1d-4ea5-8139-e74d7dbe0bb7   |
+    |m     |  POST   |
+    |u     |  management.azure.com   |
+    |p     |  /subscriptions/(subscriptionId)/resourceGroups/(resourceGroupName)/providers/Microsoft.Logic/workflows/(LogicApp name)   |
+
+
+1. Save the Authorization policy.
+
+
+> [!CAUTION]
+> Please pay attention to the details as minor differences can lead to problems later.
+-	For Issuer, ensure you did include the slash after your Tenant ID
+-	For appid, ensure the custom claim is “appid” in all lowercase. The appid value represents Lifecycle Workflows and is always the same.
+
+## Configure authorization policy for custom task extension with normal security token type
+
+If the security token type is **Normal** for your custom task extension, you'd set the authorization policy by following these steps:
+
+1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.
+
+1. Go back to the logic app you created, and select **Authorization**.
+
+1. Create two authorization policies based on these tables:
+
+    Policy name: AzureADLifecycleWorkflowsAuthPolicy 
+
+    Policy type: AAD  
     
     |Claim  |Value  |
     |---------|---------|
     |Issuer     |  https://sts.windows.net/(Tenant ID)/       |
     |Audience     | Application ID of your Logic Apps Managed Identity       |
     |appid     |  ce79fdc4-cd1d-4ea5-8139-e74d7dbe0bb7   |
 
-    Policy name: AzureADLifecycleWorkflowsAuthPolicyV2App   
+    Policy name: AzureADLifecycleWorkflowsAuthPolicyV2App 
+
+    Policy type: AAD   
  
     |Claim  |Value  |
     |---------|---------|
@@ -225,8 +279,6 @@ To configure those you'll follow these steps:
     |azp     |  ce79fdc4-cd1d-4ea5-8139-e74d7dbe0bb7   |
 
 1. Save the Authorization policy.
-> [!NOTE]
-> Due to a current bug in the Logic Apps UI you may have to save the authorization policy after each claim before adding another.
 
 > [!CAUTION]
 > Please pay attention to the details as minor differences can lead to problems later.

articles/active-directory/governance/entitlement-management-logic-apps-integration.md

@@ -70,7 +70,7 @@ These triggers to Logic Apps are controlled in a tab within access package polic
 1. The **Extension Configuration** tab allows you to decide if your extension has “launch and continue” or “launch and wait” behavior. With “Launch and continue” the linked policy action on the access package, such as a request, triggers the Logic App attached to the custom extension. After the Logic App is triggered, the entitlement management process associated with the access package will continue. For “Launch and wait”, we'll pause the associated access package action until after the Logic App linked to the extension completes its task, and a resume action is sent by the admin to continue the process. If no response is sent back in the wait time period defined, this process would be considered a failure. This process is further described below in its own section [Configuring custom extensions that pause entitlement management processes](entitlement-management-logic-apps-integration.md#configuring-custom-extensions-that-pause-entitlement-management-processes). 
 
 
-1. In the **Details** tab, choose whether you’d like to use an existing Logic App. Selecting Yes in the field “Create new logic app” (default) creates a new blank Logic App that is already linked to this custom extension. Regardless, you need to provide: 
+1. In the **Details** tab, choose whether you’d like to use an existing consumption plan Logic App. Selecting Yes in the field “Create new logic app” (default) creates a new blank consumption plan Logic App that is already linked to this custom extension. Regardless, you need to provide: 
 
     1. An Azure subscription.
 
@@ -161,7 +161,7 @@ A new update to the custom extensions feature is the ability to pause the access
 
 This pause process allows admins to have control of workflows they’d like to run before continuing with access lifecycle tasks in entitlement management. The only exception to this is if a timeout occurs. Launch and wait processes require a timeout of up to 14 days noted in minutes, hours, or days. If a resume response isn't sent back to entitlement management by the time the “timeout” period elapses, the entitlement management request workflow process pauses. 
 
-The admin is responsible for configuring an automated process that is able to send the API **resume request** payload back to entitlement management, once the Logic App workflow has completed. To send back the resume request payload, follow the instructions here in the graph API documents. See information here on the [resume request](/graph/api/accesspackageassignmentrequest-resume)
+The admin is responsible for configuring an automated process that is able to send the API **resume request** payload back to entitlement management, once the Logic App workflow has completed. To send back the resume request payload, follow the instructions here in the graph API documents. See information here on the [resume request](/graph/api/accesspackageassignmentrequest-resume).
 
 Specifically, when an access package policy has been enabled to call out a custom extension and the request processing is waiting for the callback from the customer, the customer can initiate a resume action. It's performed on an [accessPackageAssignmentRequest](/graph/api/resources/accesspackageassignmentrequest) object whose **requestStatus** is in a **WaitingForCallback** state. 
 
@@ -171,12 +171,25 @@ The resume request can be sent back for the following stages:
 microsoft.graph.accessPackageCustomExtensionStage.assignmentRequestCreated 
 microsoft.graph.accessPackageCustomExtensionStage.assignmentRequestApproved 
 microsoft.graph.accessPackageCustomExtensionStage.assignmentRequestGranted 
-Microsoft.graph.accessPackageCustomExtensionStage.assignmentRequestRemoved
+microsoft.graph.accessPackageCustomExtensionStage.assignmentRequestRemoved
 ``
 
 The following flow diagram shows the entitlement management callout to Logic Apps workflow:
-:::image type="content" source="media/entitlement-management-logic-apps/extensibility-diagram-flow.png" alt-text="A screenshot of the extensibility user diagram." lightbox="media/entitlement-management-logic-apps/extensibility-diagram-flow.png":::
+:::image type="content" source="media/entitlement-management-logic-apps/extensibility-diagram-flow.png" alt-text="A diagram of the entitlement management call to the logic apps workflow." lightbox="media/entitlement-management-logic-apps/extensibility-diagram-flow.png":::
 
+The diagram flow diagram shows:
+
+1. The user creates a custom endpoint able to receive the call from the Identity Service
+1. The identity service makes a test call to confirm the endpoint can be called by the Identity Service
+1. The User calls Graph API to request to add a user to an access package
+1. The Identity Service is added to the queue triggering the backend workflow
+1. Entitlement Management Service request processing calls the logic app with the request payload
+1. Workflow expects the accepted code
+1. The Entitlement Management Service waits for the blocking custom action to resume
+1. The customer system calls the request resume API to the identity service to resume processing the request
+1. The identity service adds the  resume request message to the Entitlement Management Service queue resuming the backend workflow
+1. The Entitlement Management Service is resumed from the blocked state
+
 An example of a resume request payload is:
 
 ``` http

articles/active-directory/governance/media/configure-logic-app-lifecycle-workflows/custom-task-extension-token-type.png

@@ -81,3 +81,15 @@
     - name: Application management
       tocHref: /azure/app-provisioning/
       topicHref: /azure/active-directory/manage-apps/index
+
+- name: Azure
+  tocHref: /azure/
+  topicHref: /azure/index
+  items:  
+  - name: Active Directory
+    tocHref: /azure/active-directory-b2c/
+    topicHref: /azure/active-directory/index
+    items:
+    - name: Application management
+      tocHref: /azure/active-directory-b2c/
+      topicHref: /azure/active-directory/manage-apps/index