Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into pim3

Author: billmath

.openpublishing.redirection.active-directory.json

@@ -1715,6 +1715,21 @@
       "redirect_url": "/azure/active-directory/external-identities/customers/tutorial-daemon-node-call-api-prepare-tenant",
       "redirect_document_id": false 
     },
+    {
+      "source_path_from_root": "/articles/active-directory/external-identities/customers/how-to-web-app-dotnet-sign-in-prepare-tenant.md",
+      "redirect_url": "/azure/active-directory/external-identities/customers/tutorial-web-app-dotnet-sign-in-prepare-tenant",
+      "redirect_document_id": false 
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/external-identities/customers/how-to-web-app-dotnet-sign-in-prepare-app.md",
+      "redirect_url": "/azure/active-directory/external-identities/customers/tutorial-web-app-dotnet-sign-in-prepare-app",
+      "redirect_document_id": false 
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/external-identities/customers/how-to-web-app-dotnet-sign-in-sign-out.md",
+      "redirect_url": "/azure/active-directory/external-identities/customers/tutorial-web-app-dotnet-sign-in-sign-out",
+      "redirect_document_id": false 
+    },
     {
       "source_path_from_root": "/articles/active-directory/external-identities/conditional-access.md",
       "redirect_url": "/azure/active-directory/external-identities/authentication-conditional-access",
@@ -13561,6 +13576,11 @@
       "source_path_from_root": "/articles/active-directory/fundamentals/add-users-azure-active-directory.md",
       "redirect_url": "/azure/active-directory/fundamentals/add-users",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/privileged-identity-management/subscription-requirements.md",
+      "redirect_url": "/azure/active-directory/governance/licensing-fundamentals",
+      "redirect_document_id": false
     }
 
   ]

articles/active-directory-b2c/enable-authentication-spa-app.md

@@ -215,7 +215,7 @@ To specify your Azure AD B2C user flows, do the following:
 
 1. Replace `B2C_1_SUSI` with your sign-in Azure AD B2C Policy name.
 1. Replace `B2C_1_EditProfile` with your edit profile Azure AD B2C policy name.
-1. Replace all instances of `contoso` with your [Azure AD B2C tenant name](./ tenant-management-read-tenant-name.md#get-your-tenant-name).
+1. Replace all instances of `contoso` with your [Azure AD B2C tenant name](./tenant-management-read-tenant-name.md#get-your-tenant-name).
 
 ## Step 7: Use the MSAL to sign in the user
 

articles/active-directory/app-provisioning/customize-application-attributes.md

@@ -348,7 +348,7 @@ Selecting this option forces a resynchronization of all users while the provisio
 - The attribute `IsSoftDeleted` is often part of the default mappings for an application. `IsSoftdeleted` can be true in one of four scenarios: 1) The user is out of scope due to being unassigned from the application. 2) The user is out of scope due to not meeting a scoping filter. 3) The user has been soft deleted in Azure AD. 4) The property `AccountEnabled` is set to false on the user. It's not recommended to remove the `IsSoftDeleted` attribute from your attribute mappings.
 - The Azure AD provisioning service doesn't support provisioning null values.
 - They primary key, typically "ID", shouldn't be included as a target attribute in your attribute mappings. 
-- The role attribute typically needs to be mapped using an expression, rather than a direct mapping. For more information about role mapping, see [Provisioning a role to a SCIM app](#Provisioning a role to a SCIM app). 
+- The role attribute typically needs to be mapped using an expression, rather than a direct mapping. For more information about role mapping, see [Provisioning a role to a SCIM app](#provisioning-a-role-to-a-scim-app). 
 - While you can disable groups from your mappings, disabling users isn't supported. 
 
 ## Next steps

articles/active-directory/architecture/deployment-plans.md

@@ -2,7 +2,7 @@
 title: Azure Active Directory deployment plans
 description: Guidance on Azure Active Directory deployment, such as authentication, devices, hybrid scenarios, governance, and more.
 services: active-directory
-author: gargisinha
+author: gargi-sinha
 manager: martinco
 ms.service: active-directory
 ms.subservice: fundamentals

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md

@@ -81,12 +81,12 @@ To enable Controller mode **On** for any projects, add these roles to the specif
 - Role Administrators
 - Security Admin 
 
-The required commands to run in Google Cloud Shell are listed in the Manage Authorization screen for each scope of a project, folder or organization. This is also configured in the GPC console.
+The required commands to run in Google Cloud Shell are listed in the Manage Authorization screen for each scope of a project, folder or organization. This is also configured in the GCP console.
 
 3. Select **Next**.
 
 #### Option 2: Enter authorization systems 
-You have the ability to specify only certain GCP member projects to manage and monitor with MEPM (up to 100 per collector). Follow the steps to configure these GCP member projects to be monitored: 
+You have the ability to specify only certain GCP member projects to manage and monitor with Permissions Management (up to 100 per collector). Follow the steps to configure these GCP member projects to be monitored: 
 1. In the **Permissions Management Onboarding - GCP Project Ids** page, enter the **Project IDs**.
 
     You can enter up to comma separated 100 GCP project IDs. 
@@ -109,7 +109,7 @@ To enable Controller mode **On** for any projects, add these roles to the specif
 - Role Administrators
 - Security Admin 
 
-The required commands to run in Google Cloud Shell are listed in the Manage Authorization screen for each scope of a project, folder or organization. This is also configured in the GPC console.
+The required commands to run in Google Cloud Shell are listed in the Manage Authorization screen for each scope of a project, folder or organization. This is also configured in the GCP console.
 
 3. Select **Next**.
 

articles/active-directory/develop/quickstart-v2-netcore-daemon.md

@@ -100,7 +100,7 @@ ms.custom: devx-track-csharp, aaddev, identityplatformtop40, "scenarios:getting-
 > > [!div class="sxs-lookup"]
 > ### How the sample works
 >
-> ![Diagram that shows how the sample app generated by this quickstart works.](./configure-app-multi-instancing.md netcore-daemon-intro.svg)
+> ![Diagram that shows how the sample app generated by this quickstart works.](./media/quickstart-v2-netcore-daemon/netcore-daemon-intro.svg)
 >
 > ### Microsoft.Identity.Web.GraphServiceClient
 >

articles/active-directory/develop/quickstart-web-app-python-sign-in.md

@@ -89,7 +89,7 @@ You can also use an integrated development environment to open the folder.
 
 1. Create a virtual environment for the app:
 
-    [!INCLUDE [Virtual environment setup](<../../app-service/includes/quickstart-python/virtual-environment-setup.md>)]
+    [!INCLUDE [Virtual environment setup](../../app-service/includes/quickstart-python/virtual-environment-setup.md)]
 
 1. Install the requirements using `pip`:
 

articles/active-directory/external-identities/cross-cloud-settings.md

@@ -49,7 +49,7 @@ After each organization has completed these steps, Azure AD B2B collaboration be
 
 In your Microsoft cloud settings, enable the Microsoft Azure cloud you want to collaborate with.
 
-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator, Security administrator, or an account with a [custom role](cross-tenant-access-overview.md#custom-roles-for-managing-cross-tenant-access-settings) you've created. Then open the **Azure Active Directory** service.
 1. Select **External Identities**, and then select **Cross-tenant access settings**.
 1. Select **Microsoft cloud settings**.
 1. Select the checkboxes next to the external Microsoft Azure clouds you want to enable.

articles/active-directory/external-identities/cross-tenant-access-overview.md

@@ -123,7 +123,7 @@ To collaborate with a partner tenant in a different Microsoft Azure cloud, both
 > [!IMPORTANT]
 > Changing the default inbound or outbound settings to block access could block existing business-critical access to apps in your organization or partner organizations. Be sure to use the tools described in this article and consult with your business stakeholders to identify the required access.
 
-- To configure cross-tenant access settings in the Azure portal, you'll need an account with a Global administrator or Security administrator role.
+- To configure cross-tenant access settings in the Azure portal, you'll need an account with a Global administrator, Security administrator, or a [custom role](#custom-roles-for-managing-cross-tenant-access-settings) you've defined.
 
 - To configure trust settings or apply access settings to specific users, groups, or applications, you'll need an Azure AD Premium P1 license. The license is required on the tenant that you configure. For B2B direct connect, where mutual trust relationship with another Azure AD organization is required, you'll need an Azure AD Premium P1 license in both tenants. 
 
@@ -144,6 +144,78 @@ To collaborate with a partner tenant in a different Microsoft Azure cloud, both
 
 - If you block access to all apps by default, users will be unable to read emails encrypted with Microsoft Rights Management Service (also known as Office 365 Message Encryption or OME). To avoid this issue, we recommend configuring your outbound settings to allow your users to access this app ID: 00000012-0000-0000-c000-000000000000. If this is the only application you allow, access to all other apps will be blocked by default.
 
+## Custom roles for managing cross-tenant access settings
+
+Cross-tenant access settings can be managed with custom roles defined by your organization. This enables you to [define your own finely-scoped roles](../roles/custom-create.md) to manage cross-tenant access settings instead of using one of the built-in roles for management.
+Your organization can define custom roles to manage cross-tenant access settings. This allows you to create [your own finely-scoped roles](../roles/custom-create.md) to manage cross-tenant access settings instead of using built-in roles for management.
+### Recommended custom roles
+
+#### Cross-tenant access administrator
+
+This role can manage everything in cross-tenant access settings, including default and organizational based settings. This role should be assigned to users who need to manage all settings in cross-tenant access settings.
+
+Please find the list of recommended actions for this role below.
+
+| Actions |
+| ------- |
+| microsoft.directory.tenantRelationships/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update |
+| microsoft.directory/crossTenantAccessPolicy/basic/update |
+| microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update |
+| microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update |
+| microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update |
+| microsoft.directory/crossTenantAccessPolicy/default/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/create |
+| microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/delete |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/basic/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/create |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update |
+
+#### Cross-tenant access reader
+This role can read everything in cross-tenant access settings, including default and organizational based settings. This role should be assigned to users who only need to review settings in cross-tenant access settings, but not manage them.
+
+Please find the list of recommended actions for this role below.
+
+| Actions |
+| ------- |
+| microsoft.directory.tenantRelationships/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/default/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/standard/read |
+
+#### Cross-tenant access partner administrator
+This role can manage everything relating to partners and read the default settings. This role should be assigned to users who need to manage organizational based settings but not be able to change default settings.
+
+Please find the list of recommended actions for this role below.
+
+| Actions |
+| ------- |
+| microsoft.directory.tenantRelationships/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/basic/update |
+| microsoft.directory/crossTenantAccessPolicy/default/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/create |
+| microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/delete |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/basic/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/create |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update |
+
+## Protect cross-tenant access administrative actions
+Any actions that modify cross-tenant access settings are considered protected actions and can be additionally protected with Conditional Access policies. For more information and configuration steps see [protected actions](../roles/protected-actions-overview.md).
+
 ## Identify inbound and outbound sign-ins
 
 Several tools are available to help you identify the access your users and partners need before you set inbound and outbound access settings. To ensure you don’t remove access that your users and partners need, you should examine current sign-in behavior. Taking this preliminary step will help prevent loss of desired access for your end users and partner users. However, in some cases these logs are only retained for 30 days, so we strongly recommend you speak with your business stakeholders to ensure required access isn't lost.

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

@@ -37,7 +37,7 @@ Use External Identities cross-tenant access settings to manage how you collabora
 
  Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings.  If you want to modify the Azure AD-provided default settings, follow these steps.
 
-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator, Security administrator, or an account with a [custom role](cross-tenant-access-overview.md#custom-roles-for-managing-cross-tenant-access-settings) you've created. Then open the **Azure Active Directory** service.
 1. Select **External Identities**, and then select **Cross-tenant access settings**.
 1. Select the **Default settings** tab and review the summary page.