Merge pull request #244664 from MicrosoftDocs/main

7/11/2023 PM Publish

Author: Taojunshen

.openpublishing.redirection.api-management.json

@@ -1,5 +1,79 @@
 {
   "redirections": [
+    {
+        "source_path_from_root": "/articles/api-management/policies/authorize-request-using-external-authorizer.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },{
+        "source_path_from_root": "/articles/api-management/policies/add-correlation-id.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/authorize-request-based-on-jwt-claims.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/cache-response.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/filter-ip-addresses-when-using-appgw.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/filter-response-content.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/generate-shared-access-signature.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/get-x-csrf-token-from-sap-gateway.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/index.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/log-errors-to-stackify.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/route-requests-based-on-size.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/send-request-context-info-to-backend-service.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/set-cache-duration.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },      
+    {
+        "source_path_from_root": "/articles/api-management/policies/set-header-to-enable-backend-to-construct-urls.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/policies/use-oauth2-for-authorization.md",
+        "redirect_url": "https://github.com/Azure/api-management-policy-snippets",
+        "redirect_document_id": false
+    },
     {
         "source_path_from_root": "/articles/api-management/api-management-access-restriction-policies.md",
         "redirect_url": "/azure/api-management/api-management-policies#access-restriction-policies",

.openpublishing.redirection.json

@@ -1,5 +1,10 @@
 {
     "redirections": [
+        {
+            "source_path": "articles/cloud-services-extended-support/deploy-visual-studio.md",
+            "redirect_url": "/visualstudio/azure/cloud-services-extended-support?context=%2Fazure%2Fcloud-services-extended-support%2Fcontext%2Fcontext",
+            "redirect_document_id": false
+        },
         {
             "source_path": "articles/storsimple/storsimple-configure-backup-target-using-backup-exec.md",
             "redirect_url": "/azure/storsimple/storsimple-overview",

.whatsnew/.external-identities-ciam.json

@@ -0,0 +1,24 @@
+{
+    "$schema": "https://whatsnewapi.azurewebsites.net/schema",
+    "docSetProductName": "Azure Active Directory for customers (CIAM)",
+    "rootDirectory": "articles/active-directory/external-identities/customers/",
+    "docLinkSettings": {
+        "linkFormat": "relative",
+        "relativeLinkPrefix": "/azure/active-directory/external-identities/customers"
+    },
+    "inclusionCriteria": {
+        "omitPullRequestTitles" : false,
+        "minAdditionsToFile" : 10,
+        "maxFilesChanged": 50,
+        "labels": [
+            "label:active-directory/svc",
+            "label:ciam/subsvc"
+        ]
+    },
+    "areas": [
+        {
+            "names": [ "."],
+            "heading": "Azure Active Directory for customers"
+        }
+    ]
+}

.whatsnew/.external-identities.json

@@ -7,7 +7,7 @@
         "relativeLinkPrefix": "/azure/active-directory/external-identities"
     },
     "inclusionCriteria": {
-        "omitPullRequestTitles" : true,
+        "omitPullRequestTitles" : false,
         "minAdditionsToFile" : 10,
         "maxFilesChanged": 50,
         "labels": [

articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md

@@ -43,7 +43,7 @@ At this point, the MIM Sync server is no longer needed.
 
 ## Import a connector configuration
 
- 1. Install the ECMA Connector host and provisioning agent on a Windows Server, using the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#3-install-and-configure-the-azure-ad-connect-provisioning-agent) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#download-install-and-configure-the-azure-ad-connect-provisioning-agent-package) articles.
+ 1. Install the ECMA Connector host and provisioning agent on a Windows Server, using the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#3-install-and-configure-the-azure-ad-connect-provisioning-agent) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#install-and-configure-the-azure-ad-connect-provisioning-agent) articles.
  1. Sign in to the Windows server as the account that the Azure AD ECMA Connector Host runs as.
  1. Change to the directory C:\Program Files\Microsoft ECMA2host\Service\ECMA. Ensure there are one or more DLLs already present in that directory. Those DLLs correspond to Microsoft-delivered connectors.
  1. Copy the MA DLL for your connector, and any of its prerequisite DLLs, to that same ECMA subdirectory of the Service directory.

articles/active-directory/conditional-access/TOC.yml

@@ -49,6 +49,8 @@
     items:
     - name: CAE for users
       href: concept-continuous-access-evaluation.md
+    - name: CAE strict enforcement
+      href: concept-continuous-access-evaluation-strict-enforcement.md
     - name: CAE for workload identities
       href: concept-continuous-access-evaluation-workload.md
   - name: Filter for devices

articles/active-directory/conditional-access/concept-continuous-access-evaluation-strict-enforcement.md

@@ -0,0 +1,119 @@
+---
+title: Continuous access evaluation strict location enforcement in Azure AD
+description: Responding to changes in user state faster with continuous access evaluation strict location enforcement in Azure AD
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 07/10/2023
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: amycolannino
+ms.reviewer: eolasunkanmi
+
+ms.collection: M365-identity-device-management
+---
+# Strictly enforce location policies using continuous access evaluation (preview)
+
+Strictly enforce location policies is a new enforcement mode for continuous access evaluation (CAE), used in Conditional Access policies. This new mode provides protection for resources, immediately stopping access if the IP address detected by the resource provider isn't allowed by Conditional Access policy. This option is the highest security modality of CAE location enforcement, and requires that administrators understand the routing of authentication and access requests in their network environment. See our [Introduction to continuous access evaluation](concept-continuous-access-evaluation.md) for a review of how CAE-capable clients and resource providers, like the Outlook email client and Exchange Online evaluate location changes.  
+
+| Location enforcement mode | Recommended network topology | If the IP address detected by the Resource isn't in the allowed list | Benefits | Configuration |
+| --- | --- | --- | --- | --- |
+| Standard (Default) | Suitable for all topologies | A short-lived token is issued only if Azure AD detects an allowed IP address. Otherwise, access is blocked | Falls back to the pre-CAE location detection mode in split tunnel network deployments where CAE enforcement would affect productivity. CAE still enforces other events and policies. | None (Default Setting) |
+| Strictly enforced location policies | Egress IP addresses are dedicated and enumerable for both Azure AD and all resource provider traffic | Access blocked | Most secure, but requires well understood network paths | 1. Test IP address assumptions with a small population <br><br> 2. Enable “Strictly enforce” under Session controls |
+
+> [!NOTE] 
+> The **IP address (seen by resource)** is blank when that IP matches the IP address.
+
+## Configure strictly enforced location policies
+
+### Step 1 - Configure a Conditional Access location based policy for your target users
+
+Before administrators create a Conditional Access policy requiring strict location enforcement, they must be comfortable using policies like the one described in [Conditional Access location based policies](howto-conditional-access-policy-location.md). Policies like this one should be tested with a subset of users before proceeding to the next step. Administrators can avoid discrepancies between the allowed and actual IP addresses seen by Azure AD during authentication, by testing before enabling strict enforcement.
+
+### Step 2 - Test policy on a small subset of users
+
+![Screenshot showing a Conditional Access policy with "Strictly enforce location policies" enabled.](./media/concept-continuous-access-evaluation-strict-enforcement/conditional-access-policy-strictly-enforce-location-policies.png)
+
+After enabling policies requiring strict location enforcement on a subset of test users, validate your testing experience using the filter **IP address (seen by resource)** in the Azure AD Sign-in logs. This validation allows administrators to find scenarios where strict location enforcement may block users with an unallowed IP seen by the CAE-enabled resource provider.
+
+   - Admins must ensure all authentication traffic towards Azure AD and access traffic to resource providers are from dedicated egress IPs that are known. 
+      - Like Exchange Online, Teams, SharePoint Online, and Microsoft Graph
+   - Before administrators turn on Conditional Access policies requiring strict location enforcement, they should ensure that all IP addresses from which your users can access Azure AD and resource providers are included in their [IP-based named locations](location-condition.md#ipv4-and-ipv6-address-ranges).
+
+If administrators don't perform this validation, their users may be negatively impacted. If traffic to Azure AD or a CAE supported resource is through a shared or undefinable egress IP, don't enable strict location enforcement in your Conditional Access policies.
+
+### Step 3 - Identify IP addresses that should be added to your named locations 
+
+If the filter search of **IP address (seen by resource)** in the Azure AD Sign-in logs isn't empty, you might have a split-tunnel network configuration. To ensure your users aren't accidentally locked out by policies requiring strict location enforcement, administrators should: 
+
+- Investigate and identify any IP addresses identified in the Sign-in logs.
+- Add public IP addresses associated with known organizational egress points to their defined [named locations](location-condition.md#named-locations).
+
+     [ ![Screenshot of sign-in logs with an example of IP address seen by resource filter.](./media/concept-continuous-access-evaluation-strict-enforcement/sign-in-logs-ip-address-seen-by-resource.png) ](./media/concept-continuous-access-evaluation-strict-enforcement/sign-in-logs-ip-address-seen-by-resource.png#lightbox)
+
+The following screenshot shows an example of a client’s access to a resource being blocked. This block is due to policies requiring CAE strict location enforcement being triggered revoking the client’s session. 
+
+   ![Screenshot of the message a user sees if they are blocked by strict location enforcement.](./media/concept-continuous-access-evaluation-strict-enforcement/blocked-due-to-strict-enforcement.png)
+
+This behavior can be verified in the sign-in logs. Look for **IP address (seen by resource)** and investigate adding this IP to [named locations](location-condition.md#named-locations) if experiencing unexpected blocks from Conditional Access on users.
+
+   ![Screenshot of an sign-in log entry with both IP address and IP address seen by resource.](./media/concept-continuous-access-evaluation-strict-enforcement/activity-details-ip-differs.png)
+
+Looking at the **Conditional Access Policy details** tab provides more details of blocked sign-in events. 
+
+   ![Screenshot of Conditional Access Policy detail with the locations that were seen.](./media/concept-continuous-access-evaluation-strict-enforcement/conditional-access-policy-details.png)
+
+### Step 4 - Continue deployment
+
+Repeat steps 2 and 3 with expanding groups of users until Strictly Enforce Location Policies are applied across your target user base. Roll out carefully to avoid impacting user experience. 
+
+## Troubleshooting with Sign-in logs
+
+Administrators can investigate the Sign-in logs to find cases with **IP address (seen by resource)**.
+
+1. Sign in to the **Azure portal** as at least a Global Reader.
+1. Browse to **Azure Active Directory** > **Sign-ins**.
+1. Find events to review by adding filters and columns to filter out unnecessary information.
+   1. Add the **IP address (seen by resource)** column and filter out any blank items to narrow the scope.
+
+      [ ![Screenshot showing an example of how to find more information in the sign-in logs.](./media/concept-continuous-access-evaluation-strict-enforcement/sign-in-logs-ip-address-seen-by-resource.png) ](./media/concept-continuous-access-evaluation-strict-enforcement/sign-in-logs-ip-address-seen-by-resource.png#lightbox)
+
+**IP address (seen by resource)** contains filter isn't empty in the following examples: 
+
+### Initial authentication
+
+1. Authentication succeeds using a CAE token. 
+
+   ![Screenshot showing a successful sign in with a CAE token.](./media/concept-continuous-access-evaluation-strict-enforcement/activity-details-sign-ins-initial-authentication-success.png)
+
+1. The **IP address (seen by resource)** is different from the IP address seen by Azure AD. Although the IP address seen by the resource is known, there's no enforcement until the resource redirects the user for reevaluation of the IP address seen by the resource.
+
+   ![Screenshot showing IP address and IP address seen by resource in the sign-in log.](./media/concept-continuous-access-evaluation-strict-enforcement/activity-details-ip-differs.png)
+
+1. Azure AD authentication is successful because strict location enforcement isn't applied at the resource level.
+
+   ![Screenshot showing that a Conditional Access policy wasn't applied because the location is excluded.](./media/concept-continuous-access-evaluation-strict-enforcement/conditional-access-policy-details-authentication-success.png)
+ 
+### Resource redirect for reevaluation
+
+1. Authentication fails and a CAE token isn't issued.  
+
+   ![Screenshot showing a failed authentication.](./media/concept-continuous-access-evaluation-strict-enforcement/activity-details-sign-ins-authentication-fails.png)
+
+1. **IP address (seen by resource)** is different from the IP seen by Azure AD. 
+
+   ![Screenshot showing a mismatch in IP addresses.](./media/concept-continuous-access-evaluation-strict-enforcement/activity-details-ip-differs.png)
+
+1. Authentication isn't successful because **IP address (seen by resource)** isn't a known [named location](location-condition.md#named-locations) in Conditional Access. 
+
+   ![Screenshot showing a Conditional Access policy applied, because the IP address was included in a block rule.](./media/concept-continuous-access-evaluation-strict-enforcement/conditional-access-policy-details-authentication-block.png)
+
+## Next steps
+
+- [Continuous access evaluation in Azure AD](concept-continuous-access-evaluation.md)
+- [Claims challenges, claims requests, and client capabilities](../develop/claims-challenge.md)
+- [How to use continuous access evaluation enabled APIs in your applications](../develop/app-resilience-continuous-access-evaluation.md)
+- [Monitor and troubleshoot sign-ins with continuous access evaluation](howto-continuous-access-evaluation-troubleshoot.md#potential-ip-address-mismatch-between-azure-ad-and-resource-provider)