articles/active-directory/fundamentals/whats-new-archive.md
Lines changed: 0 additions & 122 deletions
@@ -1794,8 +1794,6 @@ We're announcing the public preview of following MS Graph APIs and PowerShell cm
1794
1794
|Update federation settings for a federated domain |[Update internalDomainFederation](/graph/api/internaldomainfederation-update?view=graph-rest-beta&preserve-view=true)|[Update-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true)|
1795
1795
1796
1796
1797
-
If using older MSOnline cmdlets ([Get-MsolDomainFederationSettings](/powershell/module/msonline/get-msoldomainfederationsettings?view=azureadps-1.0&preserve-view=true) and [Set-MsolDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0&preserve-view=true)), we highly recommend transitioning to the latest MS Graph APIs and PowerShell cmdlets.
1798
-
1799
1797
For more information, see [internalDomainFederation resource type - Microsoft Graph beta](/graph/api/resources/internaldomainfederation?view=graph-rest-beta&preserve-view=true).
1800
1798
1801
1799
---
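Review bot: Deleting the sentence that steers admins from Get-MsolDomainFederationSettings / Set-MsolDomainFederationSettings to the Graph cmdlets leaves the Update internalDomainFederation row with no signal that the MSOnline cmdlets are the legacy path. If that migration guidance has moved elsewhere, the remaining "For more information, see [internalDomainFederation resource type ...]" line at 1797 should link to it; otherwise keep the sentence. This is also the what's-new archive, which normally preserves announcements as they were published, so a removal rather than a rewording needs a stated reason.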
@@ -1865,123 +1863,3 @@ You can now automate creating, updating, and deleting user accounts for these ne
1865
1863
For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md)
1866
1864
1867
1865
---
1868
-
1869
-
1870
-
1871
-
## March 2022
1872
-
1873
-
1874
-
### Tenant enablement of combined security information registration for Azure Active Directory
We announced in April 2020 General Availability of our new combined registration experience, enabling users to register security information for multi-factor authentication and self-service password reset at the same time, which was available for existing customers to opt in. We're happy to announce the combined security information registration experience will be enabled to all nonenabled customers after September 30, 2022. This change doesn't impact tenants created after August 15, 2020, or tenants located in the China region. For more information, see: [Combined security information registration for Azure Active Directory overview](../authentication/concept-registration-mfa-sspr-combined.md).
1883
-
1884
-
1885
-
---
1886
-
1887
-
1888
-
### Public preview - New provisioning connectors in the Azure AD Application Gallery - March 2022
1889
-
1890
-
**Type:** New feature
1891
-
**Service category:** App Provisioning
1892
-
**Product capability:** Third Party Integration
1893
-
1894
-
1895
-
1896
-
You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
1908
-
1909
-
1910
-
---
1911
-
1912
-
1913
-
### Public preview - Azure AD Recommendations
1914
-
1915
-
**Type:** New feature
1916
-
**Service category:** Reporting
1917
-
**Product capability:** Monitoring & Reporting
1918
-
1919
-
1920
-
1921
-
Azure AD Recommendations is now in public preview. This feature provides personalized insights with actionable guidance to help you identify opportunities to implement Azure AD best practices, and optimize the state of your tenant. For more information, see: [What is Azure Active Directory recommendations](../reports-monitoring/overview-recommendations.md)
1922
-
1923
-
1924
-
---
1925
-
1926
-
1927
-
### Public Preview: Dynamic administrative unit membership for users and devices
1928
-
1929
-
**Type:** New feature
1930
-
**Service category:** RBAC role
1931
-
**Product capability:** Access Control
1932
-
1933
-
1934
-
Administrative units now support dynamic membership rules for user and device members. Instead of manually assigning users and devices to administrative units, tenant admins can set up a query for the administrative unit. The membership is automatically maintained by Azure AD. For more information, see:[Administrative units in Azure Active Directory](../roles/administrative-units.md).
1935
-
1936
-
1937
-
---
1938
-
1939
-
1940
-
### Public Preview: Devices in Administrative Units
1941
-
1942
-
**Type:** New feature
1943
-
**Service category:** RBAC role
1944
-
**Product capability:** AuthZ/Access Delegation
1945
-
1946
-
1947
-
Devices can now be added as members of administrative units. This enables scoped delegation of device permissions to a specific set of devices in the tenant. Built-in and custom roles are also supported. For more information, see: [Administrative units in Azure Active Directory](../roles/administrative-units.md).
1948
-
1949
-
1950
-
---
1951
-
1952
-
1953
-
### New Federated Apps available in Azure AD Application gallery - March 2022
1954
-
1955
-
**Type:** New feature
1956
-
**Service category:** Enterprise Apps
1957
-
**Product capability:** Third Party Integration
1958
-
1959
-
1960
-
In March 2022 we've added the following 29 new applications in our App gallery with Federation support:
You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,
1965
-
1966
-
For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest
1967
-
1968
-
---
1969
-
1970
-
1971
-
### Public Preview - New APIs for fetching transitive role assignments and role permissions
1972
-
1973
-
**Type:** New feature
1974
-
**Service category:** RBAC role
1975
-
**Product capability:** Access Control
1976
-
1977
-
1978
-
1.**transitiveRoleAssignments** - Last year the ability to assign Azure AD roles to groups was created. Originally it took four calls to fetch all direct, and transitive, role assignments of a user. This new API call allows it all to be done via one API call. For more information, see:
1979
-
[List transitiveRoleAssignment - Microsoft Graph beta](/graph/api/rbacapplication-list-transitiveroleassignments).
1980
-
1981
-
2.**unifiedRbacResourceAction** - Developers can use this API to list all role permissions and their descriptions in Azure AD. This API can be thought of as a dictionary that can help build custom roles without relying on UX. For more information, see:
1982
-
[List resourceActions - Microsoft Graph beta](/graph/api/unifiedrbacresourcenamespace-list-resourceactions).
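Review bot: The whole "March 2022" section is removed from the archive, which silently drops security-relevant announcements such as combined security information registration being enabled for all not-yet-enabled tenants after September 30, 2022, dynamic administrative unit membership for users and devices, and devices as administrative unit members; an archive file exists to retain past entries, so either state in the change where this content now lives or restore it. The hunk also ends on the "[List resourceActions - Microsoft Graph beta]" link with no trailing context, so check that the closing `---` separator of that section and the boundary with the next entry are still intact in the result.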
Ensure that your directory has at least as many Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance licenses as you have:
146
-
147
-
- Member users who *can* request an access package.
148
-
- Member users who *request* an access package.
149
-
- Member users who *approve requests* for an access package.
150
-
- Member users who *review assignments* for an access package.
151
-
- Member users who have a *direct assignment* or an *automatic assignment* to an access package.
152
-
153
-
For guest users, licensing needs will depend on the [licensing model](../external-identities/external-identities-pricing.md) you’re using. However, the below guest users’ activities are considered Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance usage:
154
-
- Guest users who *request* an access package.
155
-
- Guest users who *approve requests* for an access package.
156
-
- Guest users who *review assignments* for an access package.
157
-
- Guest users who have a *direct assignment* to an access package.
158
-
159
-
Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance licenses are **not** required for the following tasks:
160
-
161
-
- No licenses are required for users with the Global Administrator role who set up the initial catalogs, access packages, and policies, and delegate administrative tasks to other users.
162
-
- No licenses are required for users who have been delegated administrative tasks, such as catalog creator, catalog owner, and access package manager.
163
-
- No licenses are required for guests who have **a privilege to request access packages** but they **do not choose** to request them.
164
-
165
-
For more information about licenses, see [Assign or remove licenses using the Azure portal](../fundamentals/license-users-groups.md).
166
-
167
-
### Example license scenarios
168
-
169
-
Here are some example license scenarios to help you determine the number of licenses you must have.
170
-
171
-
| Scenario | Calculation | Number of licenses |
172
-
| --- | --- | --- |
173
-
| A Global Administrator at Woodgrove Bank creates initial catalogs and delegates administrative tasks to six other users. One of the policies specifies that **All employees** (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. | 2,000 employees who **can** request the access packages | 2,000 |
174
-
| A Global Administrator at Woodgrove Bank creates initial catalogs and delegates administrative tasks to six other users. One of the policies specifies that **All employees** (2,000 employees) can request a specific set of access packages. Another policy specifies that some users from **Users from partner Contoso** (guests) can request the same access packages subject to approval. Contoso has 30,000 users. 150 employees request the access packages and 10,500 users from Contoso request access. | 2,000 employees need licenses, guest users are billed on a monthly active user basis and no additional licenses are required for them. * | 2,000 |
175
-
176
-
\* Azure AD External Identities (guest user) pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant. When your tenant is linked to a subscription and you use External Identities features to collaborate with guest users, you'll be automatically billed using the MAU-based billing model. For more information, see [Billing model for Azure AD External Identities](../external-identities/external-identities-pricing.md).
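Review bot: The itemized rules for which member and guest activities consume an Azure AD Premium P2 or Microsoft Entra ID Governance license, and which tasks need none (Global Administrators setting up catalogs and policies, delegated catalog creators, owners and access package managers, guests who can request but don't), are deleted here along with the `*` footnote explaining MAU-based guest billing, with no replacement visible. The example scenarios table is all a reader would have left to reconstruct the rules from, and the Contoso row still ends in "no additional licenses are required for them. *", which points at the footnote being removed. Keep the list and the footnote, or add a cross-reference to wherever they now live. This hunk also appears on the page without a file header, so the source file cannot be confirmed from the diff alone.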
articles/active-directory/governance/licensing-fundamentals.md
Lines changed: 34 additions & 20 deletions
@@ -20,7 +20,7 @@ ms.author: billmath
20
20
The following tables show the licensing requirements for Microsoft Entra ID Governance features
21
21
22
22
## Types of licenses
23
-
The following licenses are available for use with Microsoft Entra ID Governance. The choice of licenses you need in a tenant will depend on the features you're using in that tenant.
23
+
The following licenses are available for use with Microsoft Entra ID Governance. The choice of licenses you need in a tenant depends on the features you're using in that tenant.
24
24
25
25
-**Free** - Included with Microsoft cloud subscriptions such as Microsoft Azure, Microsoft 365, and others.
26
26
-**Microsoft Azure AD P1** - Azure Active Directory Premium P1 (becoming Microsoft Entra ID P1) is available as a standalone product or included with Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small to medium businesses.
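Review bot: The change from "will depend" to "depends" is fine; while this paragraph is being touched, the context line at 20, "The following tables show the licensing requirements for Microsoft Entra ID Governance features", is missing its terminal period, and the list items shown as `-**Free** - ...` and `-**Microsoft Azure AD P1** - ...` appear to lack the space after the leading `-` that a Markdown bullet needs, so verify in the source that they render as a list.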
@@ -102,44 +102,58 @@ The following table shows what features are available with each license. Note t
102
102
|Insights and reporting - Inactive guest accounts (Preview)||||x|
103
103
104
104
105
-
## Privileged Identity Management
105
+
## Entitlement Management
106
+
107
+
### Example license scenarios
108
+
109
+
Here are some example license scenarios to help you determine the number of licenses you must have.
110
+
111
+
| Scenario | Calculation | Number of licenses |
112
+
| --- | --- | --- |
113
+
| An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. One of the policies specifies that **All employees** (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. | 2,000 employees who **can** request the access packages | 2,000 |
114
+
| An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. One of the policies specifies that **All employees** (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. | 2,000 employees need licenses. | 2,000 |
115
+
| An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. They create an auto-assignment policy that grants **All members of the Sales department** (350 employees) access to a specific set of access packages. 350 employees are auto-assigned to the access packages. | 350 employees need licenses. | 351 |
116
+
117
+
## Access reviews
106
118
107
-
To use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management. To use Privileged Identity Management, you must have one of the following licenses:
119
+
### Example license scenarios
108
120
121
+
Here are some example license scenarios to help you determine the number of licenses you must have.
109
122
110
-
### Valid licenses for PIM
123
+
| Scenario | Calculation | Number of licenses |
124
+
| --- | --- | --- |
125
+
| An administrator creates an access review of Group A with 75 users and 1 group owner, and assigns the group owner as the reviewer. | 1 license for the group owner as reviewer | 1 |
126
+
| An administrator creates an access review of Group B with 500 users and 3 group owners, and assigns the 3 group owners as reviewers. | 3 licenses for each group owner as reviewers | 3 |
127
+
| An administrator creates an access review of Group B with 500 users. Makes it a self-review. | 500 licenses for each user as self-reviewers | 500 |
128
+
| An administrator creates an access review of Group C with 50 member users. Makes it a self-review. | 50 licenses for each user as self-reviewers.*| 50 |
129
+
| An administrator creates an access review of Group D with 6 member users. Makes it a self-review. | 6 licenses for each user as self-reviewers. No additional licenses are required. * | 6 |
111
130
112
-
You'll need either Microsoft Entra ID Governance licenses or Azure AD Premium P2 licenses to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Azure AD and Azure resource roles with a Microsoft Entra Premium P2 or Microsoft Entra ID Governance edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and additional licenses may be required.
131
+
## Lifecycle Workflows
113
132
114
-
### Licenses you must have for PIM
115
-
Ensure that your directory has Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses for the following categories of users:
133
+
With Entra Governance licenses for Lifecycle Workflows, you can:
116
134
117
-
- Users with eligible and/or time-bound assignments to Azure AD or Azure roles managed using PIM
118
-
- Users with eligible and/or time-bound assignments as members or owners of PIM for Groups
119
-
- Users able to approve or reject activation requests in PIM
120
-
- Users assigned to an access review
121
-
- Users who perform access reviews
135
+
- Create, manage, and delete workflows up to the total limit of 50 workflows.
136
+
- Trigger on-demand and scheduled workflow execution.
137
+
- Manage and configure existing tasks to create workflows that are specific to your needs.
138
+
- Create up to 100 custom task extensions to be used in your workflows.
122
139
140
+
## Privileged Identity Management
123
141
124
142
### Example license scenarios for PIM
125
143
126
144
Here are some example license scenarios to help you determine the number of licenses you must have.
127
145
128
146
| Scenario | Calculation | Number of licenses |
129
147
| --- | --- | --- |
130
-
| Woodgrove Bank has 10 administrators for different departments and 2 Global Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 |
148
+
| Woodgrove Bank has 10 administrators for different departments and 2 Identity Governance Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 |
131
149
| Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 |
132
150
| Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users’ managers of which six aren't in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 |
133
151
134
-
### When a license expires for PIM
152
+
##Licensing FAQs
135
153
136
-
If a Microsoft Azure AD Premium P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features will no longer be available in your directory:
154
+
### Do licenses need to be assigned to users to use Identity Governance features?
137
155
138
-
- Permanent role assignments to Azure AD roles will be unaffected.
139
-
- The Privileged Identity Management service in the Azure portal, as well as the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
140
-
- Eligible role assignments of Azure AD roles will be removed, as users will no longer be able to activate privileged roles.
141
-
- Any ongoing access reviews of Azure AD roles will end, and Privileged Identity Management configuration settings will be removed.
142
-
- Privileged Identity Management will no longer send emails on role assignment changes.
156
+
Users do not need to be assigned an Identity Governance license, but there needs to be as many licenses in the tenant to include all users in scope of, or who configures, the Identity Governance features.
143
157
144
158
## Next steps
145
159
-[What is Microsoft Entra ID Governance?](identity-governance-overview.md)
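Review bot: `##Licensing FAQs` at new line 152 is missing the space after `##`, so Markdown renders it as literal text rather than a heading; write `## Licensing FAQs`. Several other points in this hunk: the Entitlement Management table lists the same Woodgrove scenario at 113 and 114 with different calculation wording, so one row should be dropped; the auto-assignment row at 115 says "350 employees need licenses." but totals 351 with no explanation of the extra license; the Access reviews rows at 128 and 129 carry a `*` footnote marker that is never defined in this file; the PIM section now keeps only the example table while the list of who needs a license (eligible users, approvers, access reviewers) and the "When a license expires for PIM" behaviour (eligible assignments removed, permanent assignments unaffected, notification emails stopped) are deleted, yet the table's "+ five approvers + six reviewers" calculations rely on exactly those rules, so keep the list or point to it; "With Entra Governance licenses" at 133 should match the product name used elsewhere on the page (Microsoft Entra ID Governance); and the FAQ answer at 156 should read "as many licenses in the tenant as there are users in scope of, or who configure, the Identity Governance features".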