Merge pull request #221604 from MicrosoftDocs/main

Publish to Live, Thursday 4AM PST, 12/15

Author: PMEds28

.openpublishing.redirection.json

@@ -1,5 +1,10 @@
 {
     "redirections": [
+        {
+            "source_path_from_root": "/articles/backup/backup-afs.md",
+            "redirect_url": "/azure/backup/backup-azure-files",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/backup/backup-create-rs-vault.md",
             "redirect_url": "/azure/backup/backup-create-recovery-services-vault",
@@ -9813,11 +9818,6 @@
             "redirect_url": "/azure/baremetal-infrastructure/concepts-baremetal-infrastructure-overview",
             "redirect_document_id": false
         },
-        {
-            "source_path_from_root": "/articles/backup/backup-azure-files.md",
-            "redirect_url": "/azure/backup/backup-afs",
-            "redirect_document_id": false
-        },
         {
             "source_path_from_root": "/articles/backup/tutorial-backup-azure-files.md",
             "redirect_url": "/azure/backup/backup-afs",

articles/active-directory/develop/app-objects-and-service-principals.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/02/2022
+ms.date: 12/14/2022
 ms.author: ryanwi
 ms.custom: contperf-fy21q4-portal, aaddev, identityplatformtop40
 ms.reviewer: sureshja
@@ -23,7 +23,7 @@ This article describes application registration, application objects, and servic
 
 To delegate identity and access management functions to Azure AD, an application must be registered with an Azure AD tenant. When you register your application with Azure AD, you're creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app in the Azure portal, you choose whether it's a [single tenant](single-and-multi-tenant-apps.md#who-can-sign-in-to-your-app), or [multi-tenant](single-and-multi-tenant-apps.md#who-can-sign-in-to-your-app), and can optionally set a [redirect URI](reply-url.md). For step-by-step instructions on registering an app, see the [app registration quickstart](quickstart-register-app.md).
 
-When you've completed the app registration, you've a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID). In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.
+When you've completed the app registration, you've a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app/client ID). In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.
 
 If you register an application in the portal, an application object and a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step.
 

articles/active-directory/develop/workload-identities-overview.md

@@ -7,7 +7,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 11/02/2022
+ms.date: 12/15/2022
 ms.author: ryanwi
 ms.reviewer: udayh, ilanas
 ms.custom: aaddev 
@@ -46,7 +46,7 @@ Here are some ways you can use workload identities:
 - Access Azure AD protected resources without needing to manage secrets for workloads that run on Azure using [managed identity](../managed-identities-azure-resources/overview.md).
 - Access Azure AD protected resources without needing to manage secrets for supported scenarios such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure using [workload identity federation](workload-identity-federation.md).
 - Review service principals and applications that are assigned to privileged directory roles in Azure AD using [access reviews for service principals](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md).
-- Apply Conditional Access policies to service principals owned by your organization using [Conditional Access for workload identities](../conditional-access/workload-identity.md).
+- Apply Conditional Access policies to service principals owned by your organization using [Conditional Access for workload identities](../conditional-access/workload-identity.md), and [Continuous access evaluation for workload identities](../conditional-access/concept-continuous-access-evaluation-workload.md).
 - Secure workload identities with [Identity Protection](../identity-protection/concept-workload-identity-risk.md).
 
 

articles/active-directory/standards/configure-cmmc-level-2-access-control.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 12/13/2022
+ms.date: 12/14/2022
 ms.author: jricketts
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
@@ -42,7 +42,7 @@ The following table provides a list of control IDs and associated customer respo
 
 | *Control* | *Guidance* |
 | - | - |
-| AC.L2-3.1.3 | Configure Conditional Access policies to control the flow of CUI from trusted locations, trusted devices, approved applications and require app protection policy. For finer grained authorization to CUI, configure app-enforced restrictions(Exchange/SharePoint Online), App Control (with Microsoft Defender for Cloud Apps), Authentication Context. Deploy Azure AD Application Proxy to secure access to on-premises applications.<br>[Location condition in Azure Active Directory Conditional Access ](../conditional-access/location-condition.md)<br>[Grant controls in Conditional Access policy - Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require approved client app](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require app protection policy](../conditional-access/concept-conditional-access-grant.md)<br>[Session controls in Conditional Access policy - Application enforced restrictions](../conditional-access/concept-conditional-access-session.md)<br>[Protect with Microsoft Defender for Cloud Apps Conditional Access App Control](/defender-cloud-apps/proxy-intro-aad)<br>[Cloud apps, actions, and authentication context in Conditional Access policy ](../conditional-access/concept-conditional-access-cloud-apps.md)<br>[Remote access to on-premises apps using Azure AD Application Proxy](../app-proxy/application-proxy.md)<br><br>**Authentication Context**<br>[Configuring Authentication context & Assign to Conditional Access Policy](../conditional-access/concept-conditional-access-cloud-apps.md)<br><br>**Information Protection**<br>Know your data<br>Protect your data<br>Prevent data loss <br><br>**Conditional Access**<br>[Conditional Access for Azure information protection (AIP)](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/conditional-access-policies-for-azure-information-protection/ba-p/250357) <br><br>**Application Proxy**<br>[Remote access to on-premises apps using Azure AD Application Proxy](../app-proxy/application-proxy.md) |
+| AC.L2-3.1.3 | Configure Conditional Access policies to control the flow of CUI from trusted locations, trusted devices, approved applications and require app protection policy. For finer grained authorization to CUI, configure app-enforced restrictions(Exchange/SharePoint Online), App Control (with Microsoft Defender for Cloud Apps), Authentication Context. Deploy Azure AD Application Proxy to secure access to on-premises applications.<br>[Location condition in Azure Active Directory Conditional Access ](../conditional-access/location-condition.md)<br>[Grant controls in Conditional Access policy - Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require approved client app](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require app protection policy](../conditional-access/concept-conditional-access-grant.md)<br>[Session controls in Conditional Access policy - Application enforced restrictions](../conditional-access/concept-conditional-access-session.md)<br>[Protect with Microsoft Defender for Cloud Apps Conditional Access App Control](/defender-cloud-apps/proxy-intro-aad)<br>[Cloud apps, actions, and authentication context in Conditional Access policy ](../conditional-access/concept-conditional-access-cloud-apps.md)<br>[Remote access to on-premises apps using Azure AD Application Proxy](../app-proxy/application-proxy.md)<br><br>**Authentication Context**<br>[Configuring Authentication context & Assign to Conditional Access Policy](../conditional-access/concept-conditional-access-cloud-apps.md)<br><br>**Information Protection**<br>Know and protect your data; help prevent data loss.<br>[Protect your sensitive data with Microsoft Purview](/microsoft-365/compliance/information-protection?view=o365-worldwide&preserve-view=true)<br><br>**Conditional Access**<br>[Conditional Access for Azure information protection (AIP)](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/conditional-access-policies-for-azure-information-protection/ba-p/250357) <br><br>**Application Proxy**<br>[Remote access to on-premises apps using Azure AD Application Proxy](../app-proxy/application-proxy.md) |
 |AC.L2-3.1.4 | Ensuring adequate separation of duties by scoping appropriate access. Configure Entitlement Management Access packages to govern access to applications, groups, Teams and SharePoint sites. Configure Separation of Duties checks within access packages to avoid a user obtaining excessive access. In Azure AD entitlement management, you can configure multiple policies, with different settings for each user community that will need access through an access package. This configuration includes restrictions such that a user of a particular group, or already assigned a different access package, isn't assigned other access packages, by policy.<br><br>Configure administrative units in Azure Active Directory to scope administrative privilege so that administrators with privileged roles are scoped to only have those privileges on limited set of directory objects(users, groups, devices).<br>[What is entitlement management?](../governance/entitlement-management-overview.md)<br>[What are access packages and what resources can I manage with them?](../governance/entitlement-management-overview.md)<br>[Configure separation of duties for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-incompatible.md)<br>[Administrative units in Azure Active Directory](../roles/administrative-units.md)|
 | AC.L2-3.1.5 | You're responsible for implementing and enforcing the rule of least privilege. This action can be accomplished with Privileged Identity Management for configuring enforcement, monitoring, and alerting. Set requirements and conditions for role membership.<br><br>Once privileged accounts are identified and managed, use [Entitlement Lifecycle Management](../governance/entitlement-management-overview.md) and [Access reviews](../governance/access-reviews-overview.md) to set, maintain and audit adequate access. Use the [MS Graph API](/graph/api/directoryrole-list-members?view=graph-rest-1.0&tabs=http&preserve-view=true) to discover and monitor directory roles.<br><br>**Assign roles**<br>[Assign Azure AD roles in PIM](../privileged-identity-management/pim-how-to-add-role-to-user.md)<br>[Assign Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-assign-roles.md)<br>[Assign eligible owners and members for privileged access groups](../privileged-identity-management/groups-assign-member-owner.md)<br><br>**Set role settings** <br>[Configure Azure AD role settings in PIM](../privileged-identity-management/pim-how-to-change-default-settings.md)<br>[Configure Azure resource role settings in PIM](../privileged-identity-management/pim-resource-roles-configure-role-settings.md)<br>[Configure privileged access groups settings in PIM](../privileged-identity-management/groups-role-settings.md)<br><br>**Set up alerts**<br>[Security alerts for Azure AD roles in PIM](../privileged-identity-management/pim-how-to-configure-security-alerts.md)<br>[Configure security alerts for Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-configure-alerts.md) |
 | AC.L2-3.1.6<br><br>AC.L2-3.1.7 |Requirements in AC.L2-3.1.6 and AC.L2-3.1.7 complement each other. Require separate accounts for privilege and non-privileged use. Configure Privileged Identity Management (PIM) to bring just-in-time(JIT) privileged access and remove standing access. Configure role based conditional access policies to limit access to productivity application for privileged users. For highly privileged users, secure devices as part of the privileged access story. All privileged actions are captured in the Azure AD Audit logs.<br>[Securing privileged access overview](/security/compass/overview)<br>[Configure Azure AD role settings in PIM](../privileged-identity-management/pim-how-to-change-default-settings.md)<br>[Users and groups in Conditional Access policy](../conditional-access/concept-conditional-access-users-groups.md)<br>[Why are privileged access devices important](/security/compass/privileged-access-devices) |