
Commit 9bd30dc

Merge pull request #220741 from MicrosoftDocs/main
12/07 OOB Publish at 7:45AM
2 parents 890864a + 867938f commit 9bd30dc


61 files changed

+436
-158
lines changed


articles/active-directory/develop/msal-shared-devices.md

Lines changed: 13 additions & 11 deletions
@@ -17,24 +17,17 @@ ms.custom: aaddev
1717

1818
# Overview of shared device mode
1919

20-
Shared device mode is a feature of Azure Active Directory that allows you to build applications that support frontline workers and enable shared device mode on the devices deployed to them.
20+
Shared device mode is a feature of Azure Active Directory(Azure AD) that allows you to build and deploy applications that support frontline workers and educational scenarios that require shared Android and iOS devices.
2121

2222
>[!IMPORTANT]
2323
> Shared device mode for iOS [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]
2424
25-
## What are frontline workers?
26-
27-
Frontline workers are retail employees, maintenance and field agents, medical personnel, and other users that don't sit in front of a computer or use corporate email for collaboration. The following sections introduce the aspects and challenges of supporting frontline workers, followed by an introduction to the features provided by Microsoft that enable your application for use by an organization's frontline workers.
28-
29-
### Challenges of supporting frontline workers
30-
31-
Enabling frontline worker workflows includes challenges not usually presented by typical information workers. Such challenges can include high turnover rate and less familiarity with an organization's core productivity tools. To empower their frontline workers, organizations are adopting different strategies. Some are adopting a bring-your-own-device (BYOD) strategy in which their employees use business apps on their personal phone, while others provide their employees with shared devices like iPads or Android tablets.
3225

3326
### Supporting multiple users on devices designed for one user
3427

3528
Because mobile devices running iOS or Android were designed for single users, most applications optimize their experience for use by a single user. Part of this optimized experience means enabling single sign-on across applications and keeping users signed in on their device. When a user removes their account from an application, the app typically doesn't consider it a security-related event. Many apps even keep a user's credentials around for quick sign-in. You may even have experienced this yourself when you've deleted an application from your mobile device and then reinstalled it, only to discover you're still signed in.
3629

37-
### Global sign-in and sign-out (SSO)
30+
### Automatic single sign-in and single sign-out
3831

3932
To allow an organization's employees to use its apps across a pool of devices shared by those employees, developers need to enable the opposite experience. Employees should be able to pick a device from the pool and perform a single gesture to "make it theirs" for the duration of their shift. At the end of their shift, they should be able to perform another gesture to sign out globally on the device, with all their personal and company information removed so they can return it to the device pool. Furthermore, if an employee forgets to sign out, the device should be automatically signed out at the end of their shift and/or after a period of inactivity.
4033
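Review bot: the new line 20 is missing a space before the parenthetical, `Azure Active Directory(Azure AD)`; it should read `Azure Active Directory (Azure AD)`. Deleting the `## What are frontline workers?` section also leaves `### Supporting multiple users on devices designed for one user` and `### Automatic single sign-in and single sign-out` as level-3 headings sitting directly under the level-1 title, and "frontline workers" is now used without the definition the removed section provided; either promote those headings to `##` or keep a one-sentence definition in the intro.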

@@ -45,7 +38,7 @@ Azure Active Directory enables these scenarios with a feature called **shared de
4538
As mentioned, shared device mode is a feature of Azure Active Directory that enables you to:
4639

4740
* Build applications that support frontline workers
48-
* Deploy devices to frontline workers and turn on shared device mode
41+
* Deploy devices to frontline workers with apps that support shared device mode.
4942

5043
### Build applications that support frontline workers
5144
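Review bot: the rewritten bullet at line 41 ends with a period while its sibling `* Build applications that support frontline workers` does not; pick one style for the list. The context line 38 still spells out `Azure Active Directory` even though line 20 in this same change introduces the `Azure AD` abbreviation, so the abbreviation could be used here.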

@@ -60,7 +53,11 @@ Supported features are:
6053

6154
Supporting shared device mode should be considered a feature upgrade for your application, and can help increase its adoption in environments where the same device is used among multiple users.
6255

63-
Your users depend on you to ensure their data isn't leaked to another user. Share Device Mode provides helpful signals to indicate to your application that a change you should manage has occurred. Your application is responsible for checking the state of the user on the device every time the app is used, clearing the previous user's data. This includes if it is reloaded from the background in multi-tasking. On a user change, you should ensure both the previous user's data is cleared and that any cached data being displayed in your application is removed. We recommend you always perform a thorough security review process after adding shared device mode capability to your app.
56+
Your users depend on you to ensure their data isn't leaked to another user. Share Device Mode provides helpful signals to indicate to your application that a change you should manage has occurred. Your application is responsible for checking the state of the user on the device every time the app is used, clearing the previous user's data. This includes if it is reloaded from the background in multi-tasking. On a user change, you should ensure both the previous user's data is cleared and that any cached data being displayed in your application is removed.
57+
58+
To support all data loss prevention scenarios, we also recommend you integrate with the [Intune App SDK](/mem/intune/developer/app-sdk). By using the Intune App SDK, you can allow your application to support Intune [App Protection Policies](/mem/intune/apps/app-protection-policy). In particular, we recommend that you integrate with Intune's [selective wipe](/mem/intune/developer/app-sdk-android-phase5#selective-wipe) capabilities and [deregister the user on iOS](/mem/intune/developer/app-sdk-ios#deregister-user-accounts) during a sign-out.
59+
60+
Lastly, we recommend you always perform a thorough security review process after adding shared device mode capability to your app.
6461

6562
For details on how to modify your applications to support shared device mode, see the [Next steps](#next-steps) section at the end of this article.
6663
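Review bot: line 56 carries over the typo `Share Device Mode`; since the paragraph is being touched anyway, change it to `shared device mode` to match the rest of the article. The sentence `This includes if it is reloaded from the background in multi-tasking.` is awkward; suggest `This includes when the app is resumed from the background.` The new Intune App SDK paragraph is a sound addition, since the preceding paragraph makes the app itself responsible for clearing the previous user's data on a user change.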

@@ -70,6 +67,11 @@ Once your applications support shared device mode and include the required data
7067

7168
An organization's device administrators are able to deploy their devices and your applications to their stores and workplaces through a mobile device management (MDM) solution like Microsoft Intune. Part of the provisioning process is marking the device as a *Shared Device*. Administrators configure shared device mode by deploying the [Microsoft Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) and setting shared device mode through configuration parameters. After performing these steps, all applications that support shared device mode will use the Microsoft Authenticator application to manage its user state and provide security features for the device and organization.
7269

70+
### Use App Protection Policies to provide data loss prevention between users.
71+
For data protection capabilities along with shared device mode, Microsoft’s supported data protection solution for Microsoft 365 applications on Android and iOS is Microsoft Intune Application Protection Policies. For more information about the policies, see [App protection policies overview - Microsoft Intune | Microsoft Learn](/mem/intune/apps/app-protection-policy).
72+
73+
When setting up App protection policies for shared devices, we recommend using [level 2 enterprise enhanced data protection](/mem/intune/apps/app-protection-framework#level-2-enterprise-enhanced-data-protection). With level 2 data protection, you can restrict data transfer scenarios that may cause data to move to parts of the device that are not cleared with shared device mode.
74+
7375
## Next steps
7476

7577
We support iOS and Android platforms for shared device mode. Review the documentation below for your platform to begin supporting frontline workers in your applications.
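Review bot: the new heading at line 70 ends with a period (`### Use App Protection Policies to provide data loss prevention between users.`), which no other heading in this article does; drop the period. Line 71 uses a curly apostrophe in `Microsoft’s` while the rest of the file uses straight quotes, and its link text `[App protection policies overview - Microsoft Intune | Microsoft Learn]` is a pasted browser title that should be shortened to `[App protection policies overview]`. In line 73, `parts of the device that are not cleared with shared device mode` reads better as `parts of the device that shared device mode does not clear`.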

articles/active-directory/governance/entitlement-management-delegate-catalog.md

Lines changed: 2 additions & 2 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Delegate access governance to catalog creators in Microsoft Entra entitlement management - Azure Active Directory
2+
title: Delegate access governance to catalog creators in entitlement management - Microsoft Entra
33
description: Learn how to delegate access governance from IT administrators to catalog creators and project managers so that they can manage access themselves.
44
services: active-directory
55
documentationCenter: ''
@@ -21,7 +21,7 @@ ms.collection: M365-identity-device-management
2121

2222
---
2323

24-
# Delegate access governance to catalog creators in Microsoft Entra entitlement management
24+
# Delegate access governance to catalog creators in entitlement management
2525

2626
A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. By default, a Global administrator or an Identity governance administrator can [create a catalog](entitlement-management-catalog-create.md), and can add additional users as catalog owners.
2727

articles/active-directory/governance/entitlement-management-delegate-managers.md

Lines changed: 2 additions & 2 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Delegate access governance to access package managers in Microsoft Entra entitlement management - Azure Active Directory
2+
title: Delegate access governance to access package managers in entitlement management - Microsoft Entra
33
description: Learn how to delegate access governance from IT administrators to access package managers and project managers so that they can manage access themselves.
44
services: active-directory
55
documentationCenter: ''
@@ -21,7 +21,7 @@ ms.collection: M365-identity-device-management
2121

2222
---
2323

24-
# Delegate access governance to access package managers in Microsoft Entra entitlement management
24+
# Delegate access governance to access package managers in entitlement management
2525

2626
To delegate the creation and management of access packages in a catalog, you add users to the access package manager role. Access package managers must be familiar with the need for users to request access to resources in a catalog. For example, if a catalog is used for a project, then a project lead might be an access package manager for that catalog. Access package managers cannot add resources to a catalog, but they can manage the access packages and policies in a catalog. When delegating to an access package manager, that person can then be responsible for:
2727

articles/active-directory/governance/entitlement-management-delegate.md

Lines changed: 3 additions & 3 deletions
@@ -21,17 +21,17 @@ ms.collection: M365-identity-device-management
2121

2222
---
2323

24-
# Delegation and roles in Microsoft Entra entitlement management
24+
# Delegation and roles in entitlement management
2525

2626
In Azure AD, you can use role models to manage access at scale through identity governance.
2727

2828
* You can use access packages to represent organizational roles in your organization, such as "sales representative". An access package representing that enterprise role would include all the access rights that a sales representative might typically need, across multiple resources.
2929
* Applications [can define their own roles](../develop/howto-add-app-roles-in-azure-ad-apps.md). For example, if you had a sales application, and that application included the app role "salesperson", you could then [include that role in an access package](entitlement-management-access-package-resources.md).
3030
* You can use roles for delegating administrative access. If you have a catalog for all the access packages needed by sales, you could assign someone to be responsible for that catalog, by assigning them a catalog-specific role.
3131

32-
This article discusses how to use roles to manage aspects within Microsoft Entra entitlement management.
32+
This article discusses how to use roles to manage aspects within entitlement management.
3333

34-
By default, Global administrators and Identity governance administrators can create and manage all aspects of Microsoft Entra entitlement management. However, the users in these roles may not know all the situations where access packages are required. Typically it's users within the respective departments, teams, or projects who know who they're collaborating with, using what resources, and for how long. Instead of granting unrestricted permissions to non-administrators, you can grant users the least permissions they need to do their job and avoid creating conflicting or inappropriate access rights.
34+
By default, Global administrators and Identity governance administrators can create and manage all aspects of entitlement management. However, the users in these roles may not know all the situations where access packages are required. Typically it's users within the respective departments, teams, or projects who know who they're collaborating with, using what resources, and for how long. Instead of granting unrestricted permissions to non-administrators, you can grant users the least permissions they need to do their job and avoid creating conflicting or inappropriate access rights.
3535

3636
This video provides an overview of how to delegate access governance from IT administrator to users who aren't administrators.
3737
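Review bot: the renamed line 32, `This article discusses how to use roles to manage aspects within entitlement management.`, is vague about what "aspects" means; `manage aspects of entitlement management` or simply `manage entitlement management` reads better.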

articles/active-directory/governance/entitlement-management-external-users.md

Lines changed: 4 additions & 4 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Govern access for external users in Microsoft Entra entitlement management - Azure Active Directory
3-
description: Learn about the settings you can specify to govern access for external users in Azure Active Directory entitlement management.
2+
title: Govern access for external users in entitlement management - Microsoft Entra
3+
description: Learn about the settings you can specify to govern access for external users in entitlement management.
44
services: active-directory
55
documentationCenter: ''
66
author: owinfreyatl
@@ -21,9 +21,9 @@ ms.collection: M365-identity-device-management
2121

2222
---
2323

24-
# Govern access for external users in Microsoft Entra entitlement management
24+
# Govern access for external users in entitlement management
2525

26-
Microsoft Entra entitlement management uses [Azure AD business-to-business (B2B)](../external-identities/what-is-b2b.md) to share access so you can collaborate with people outside your organization. With Azure AD B2B, external users authenticate to their home directory, but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.
26+
Entitlement management uses [Azure AD business-to-business (B2B)](../external-identities/what-is-b2b.md) to share access so you can collaborate with people outside your organization. With Azure AD B2B, external users authenticate to their home directory, but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.
2727

2828
This article describes the settings you can specify to govern access for external users.
2929

articles/active-directory/governance/entitlement-management-group-licenses.md

Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Manage the lifecycle of group-based licenses in Azure AD
3-
description: This step-by-step tutorial shows how to create an access package for managing group-based licenses in Azure Active Directory entitlement management.
3+
description: This step-by-step tutorial shows how to create an access package for managing group-based licenses in entitlement management.
44
services: active-directory
55
documentationCenter: ''
66
author: sama
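Review bot: only the `description:` is renamed in this hunk; the `title:` on line 2, `Manage the lifecycle of group-based licenses in Azure AD`, is unchanged, unlike the other entitlement management files in this commit, whose titles now end in `- Microsoft Entra`. If the rename is meant to be consistent, update the title as well.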
@@ -138,4 +138,4 @@ In this step, you can delete the Office Licenses access package.
138138

139139
Learn how to create access packages to manage access to other types of resources, like applications and sites:
140140

141-
[Manage access to resources in Microsoft Entra entitlement management](./entitlement-management-access-package-first.md)
141+
[Manage access to resources in entitlement management](./entitlement-management-access-package-first.md)

articles/active-directory/governance/entitlement-management-logic-apps-integration.md

Lines changed: 3 additions & 3 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Trigger custom Logic Apps with Microsoft Entra entitlement management
3-
description: Learn how to configure and use custom Logic Apps in Microsoft Entra entitlement management.
2+
title: Trigger custom Logic Apps with entitlement management
3+
description: Learn how to configure and use custom Logic Apps in entitlement management.
44
services: active-directory
55
documentationCenter: ''
66
author: owinfreyatl
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
1919
#Customer intent: As an administrator, I want detailed information about how I can configure and add custom Logic Apps to my catalogs and access packages in entitlement management.
2020

2121
---
22-
# Trigger custom Logic Apps with Microsoft Entra entitlement management
22+
# Trigger custom Logic Apps with entitlement management
2323

2424

2525
[Azure Logic Apps](../../logic-apps/logic-apps-overview.md) can be used to automate custom workflows and connect apps and services in one place. Users can integrate Logic Apps with entitlement management to broaden their governance workflows beyond the core entitlement management use cases.

articles/active-directory/governance/entitlement-management-logs-and-reporting.md

Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Archive & report with Azure Monitor - Microsoft Entra entitlement management
3-
description: Learn how to archive logs and create reports with Azure Monitor in Microsoft Entra entitlement management.
3+
description: Learn how to archive logs and create reports with Azure Monitor in entitlement management.
44
services: active-directory
55
documentationCenter: ''
66
author: owinfreyatl
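Review bot: the `title:` on line 2 still reads `Archive & report with Azure Monitor - Microsoft Entra entitlement management` while the `description:` on line 3 drops `Microsoft Entra`; the other files in this commit rename both fields, so this looks like an oversight.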
@@ -21,7 +21,7 @@ ms.custom: devx-track-azurepowershell
2121
#Customer intent: As an administrator, I want to extend data retention in entitlement management past the default period by using Azure Monitor.
2222

2323
---
24-
# Archive logs and reporting on Microsoft Entra entitlement management in Azure Monitor
24+
# Archive logs and reporting on entitlement management in Azure Monitor
2525

2626
Azure AD stores audit events for up to 30 days in the audit log. However, you can keep the audit data for longer than the default retention period, outlined in [How long does Azure AD store reporting data?](../reports-monitoring/reference-reports-data-retention.md), by routing it to an Azure Storage account or using Azure Monitor. You can then use workbooks and custom queries and reports on this data.
2727
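Review bot: the renamed H1 `# Archive logs and reporting on entitlement management in Azure Monitor` pairs a verb with a noun; suggest `# Archive logs and report on entitlement management in Azure Monitor`.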

articles/active-directory/governance/entitlement-management-onboard-external-user.md

Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Tutorial - Onboard external users to Azure AD through an approval process - Azure Active Directory
3-
description: Step-by-step tutorial for how to create an access package for external users requiring approvals in Azure Active Directory entitlement management.
3+
description: Step-by-step tutorial for how to create an access package for external users requiring approvals in entitlement management.
44
services: active-directory
55
documentationCenter: ''
66
author: Sammak
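Review bot: the `title:` on line 2 keeps the old `- Azure Active Directory` suffix (`Tutorial - Onboard external users to Azure AD through an approval process - Azure Active Directory`) while the description is renamed and the other files in this commit switch the suffix to `- Microsoft Entra`; update it for consistency.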
@@ -128,4 +128,4 @@ In this step, you can delete the **External user package** access package.
128128

129129
## Next steps
130130

131-
Learn about creating access packages to manage access to other types of resources such as applications, and sites. [Tutorial: Manage access to resources in Microsoft Entra entitlement management](./entitlement-management-access-package-first.md)
131+
Learn about creating access packages to manage access to other types of resources such as applications, and sites. [Tutorial: Manage access to resources in entitlement management](./entitlement-management-access-package-first.md)
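Review bot: line 131 keeps a stray comma in `such as applications, and sites` and runs the link directly onto the end of the sentence; suggest `... such as applications and sites: [Tutorial: Manage access to resources in entitlement management](./entitlement-management-access-package-first.md)`, matching the colon form used in entitlement-management-group-licenses.md in this same commit.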
