MicrosoftDocs
diff --git a/‎.openpublishing.redirection.active-directory.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.active-directory.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/active-directory/conditional-access/troubleshoot-policy-changes-audit-log.md
Lines changed: 7 additions & 6 deletions b/‎articles/active-directory/conditional-access/troubleshoot-policy-changes-audit-log.md
Lines changed: 7 additions & 6 deletions
diff --git a/‎articles/active-directory/fundamentals/whats-new-sovereign-clouds.md
Lines changed: 104 additions & 0 deletions b/‎articles/active-directory/fundamentals/whats-new-sovereign-clouds.md
Lines changed: 104 additions & 0 deletions
diff --git a/‎articles/active-directory/governance/entitlement-management-access-package-create.md
Lines changed: 85 additions & 2 deletions b/‎articles/active-directory/governance/entitlement-management-access-package-create.md
Lines changed: 85 additions & 2 deletions
diff --git a/‎articles/active-directory/governance/entitlement-management-access-package-request-policy.md
Lines changed: 40 additions & 1 deletion b/‎articles/active-directory/governance/entitlement-management-access-package-request-policy.md
Lines changed: 40 additions & 1 deletion
@@ -10921,6 +10921,11 @@
       "redirect_url": "/azure/azure-percept/index",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/howto-install-use-log-analytics-views.md",
+      "redirect_url": "/azure/azure-monitor/visualize/workbooks-view-designer-conversion-overview",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/fundamentals/active-directory-groups-create-azure-portal.md",
       "redirect_url": "/azure/active-directory/fundamentals/how-to-manage-groups",
 
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: troubleshooting
-ms.date: 08/22/2022
+ms.date: 12/02/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -32,11 +32,12 @@ Find these options in the **Azure portal** > **Azure Active Directory**, **Diagn
 
 1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
 1. Browse to **Azure Active Directory** > **Audit logs**.
-1. Select the **Date** range you want to query in.
-1. Select **Activity** and choose one of the following
-   1. **Add conditional access policy** - This activity lists newly created policies
-   1. **Update conditional access policy** - This activity lists changed policies
-   1. **Delete conditional access policy** - This activity lists deleted policies
+1. Select the **Date** range you want to query.
+1. From the **Service** filter, select **Conditional Access** and select the **Apply** button.
+
+    The audit logs display all activities, by default. Open the **Activity** filter to narrow down the activities. For a full list of the audit log activities for Conditional Access, see the [Audit log activities](../reports-monitoring/reference-audit-activities.md#conditional-access).
+
+1. Select a row to view the details. The **Modified Properties** tab lists the modified JSON values for the selected audit activity.
 
 :::image type="content" source="media/troubleshoot-policy-changes-audit-log/old-and-new-policy-properties.png" alt-text="Audit log entry showing old and new JSON values for Conditional Access policy" lightbox="media/troubleshoot-policy-changes-audit-log/old-and-new-policy-properties.png":::
 
 
@@ -22,6 +22,110 @@ Azure AD receives improvements on an ongoing basis. To stay up to date with the
 This page is updated monthly, so revisit it regularly.
 
 
+## November 2022
+
+### General availability - Windows Hello for Business, cloud Kerberos trust deployment
+
+
+
+**Type:** New feature  
+**Service category:** Authentications (Logins)     
+**Product capability:** User Authentication   
+
+We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, we’ve made Windows Hello for Business much easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Hybrid Cloud Kerberos Trust Deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
+
+---
+
+### General availability - Expression builder with Application Provisioning
+
+**Type:** Changed feature  
+**Service category:** Provisioning  
+**Product capability:** Outbound to SaaS Applications  
+ 
+
+Accidental deletion of users in your apps or in your on-premises directory could be disastrous. We’re excited to announce the general availability of the accidental deletions prevention capability. When a provisioning job would cause a spike in deletions, it will first pause and provide you visibility into the potential deletions. You can then accept or reject the deletions and have time to update the job’s scope if necessary. For more information, see [Understand how expression builder in Application Provisioning works](../app-provisioning/expression-builder.md).
+ 
+
+---
+
+### General availability - SSPR writeback is now available for disconnected forests using Azure AD Connect Cloud sync
+
+
+
+**Type:** New feature  
+**Service category:** Azure AD Connect Cloud Sync   
+**Product capability:** Identity Lifecycle Management 
+
+Azure AD Connect Cloud Sync Password writeback now provides customers the ability to synchronize Azure AD password changes made in the cloud to an on-premises directory in real time. This can be accomplished using the lightweight Azure AD cloud provisioning agent. For more information, see: [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
+
+---
+
+### General availability - Prevent accidental deletions
+
+
+
+**Type:** New feature  
+**Service category:** Provisioning  
+**Product capability:** Outbound to SaaS Applications 
+
+
+
+Accidental deletion of users in any system could be disastrous. We’re excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle spikes above a customer defined threshold, the Azure AD provisioning service will pause, provide you visibility into the potential deletions, and allow you to accept or reject the deletions. This functionality has historically been available for Azure AD Connect, and Azure AD Connect Cloud Sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning.
+
+For more information, see: [Enable accidental deletions prevention in the Azure AD provisioning service](../app-provisioning/accidental-deletions.md)
+
+---
+
+### General availability - Create group in administrative unit
+
+**Type:** New feature  
+**Service category:** RBAC       
+**Product capability:** AuthZ/Access Delegation    
+ 
+
+Groups Administrators and other roles scoped to an administrative unit can now create groups within the administrative unit.  Previously, creating a new group in administrative unit required a two-step process to first create the group, then add the group to the administrative unit.  The second step required a Privileged Role Administrator or Global Administrator.  Now, groups can be directly created in an administrative unit by anyone with appropriate roles scoped to the administrative unit, and this no longer requires a higher privilege admin role. For more information, see: [Add users, groups, or devices to an administrative unit](../roles/admin-units-members-add.md).
+ 
+---
+
+### General availability - Number matching for Microsoft Authenticator notifications
+
+
+
+**Type:** New feature  
+**Service category:** Microsoft Authenticator App      
+**Product capability:** User Authentication   
+
+To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving an MFA notification in the Microsoft Authenticator app. We've also refreshed the Azure portal admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update we have also added the highly requested ability for admins to exclude user groups from each feature. 
+
+The number matching feature greatly up-levels the security posture of the Microsoft Authenticator app and protects organizations from MFA fatigue attacks. We highly encourage our customers to adopt this feature applying the rollout controls we have built. Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting 27th of February 2023.
+
+
+For more information, see: [How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy](../authentication/how-to-mfa-number-match.md).
+
+---
+
+### General availability - Additional context in Microsoft Authenticator notifications
+
+
+
+**Type:** New feature  
+**Service category:** Microsoft Authenticator App      
+**Product capability:** User Authentication 
+
+Reduce accidental approvals by showing users additional context in Microsoft Authenticator app notifications. Customers can enhance notifications with the following:
+
+- Application Context: This feature will show users which application they're signing into.
+- Geographic Location Context: This feature will show users their sign-in location based on the IP address of the device they're signing into. 
+
+The feature is available for both MFA and Password-less Phone Sign-in notifications and greatly increases the security posture of the Microsoft Authenticator app. We've also refreshed the Azure portal Admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update, we've also added the highly requested ability for admins to exclude user groups from certain features. 
+
+We highly encourage our customers to adopt these critical security features to reduce accidental approvals of Authenticator notifications by end users.
+
+
+For more information, see: [How to use additional context in Microsoft Authenticator notifications - Authentication methods policy](../authentication/how-to-mfa-additional-context.md).
+
+---
+
 
 ## October 2022
 
 
@@ -134,13 +134,96 @@ On the **Review + create** tab, you can review your settings and check for any v
 
 ## Creating an access package programmatically
 
-You can also create an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to
+There are two ways to create an access package programmatically, through Microsoft Graph and through the PowerShell cmdlets for Microsoft Graph.
+
+### Creating an access package with Microsoft Graph
+
+You can create an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to
 
 1. [List the accessPackageResources in the catalog](/graph/api/entitlementmanagement-list-accesspackagecatalogs?tabs=http&view=graph-rest-beta&preserve-view=true) and [create an accessPackageResourceRequest](/graph/api/entitlementmanagement-post-accesspackageresourcerequests?tabs=http&view=graph-rest-beta&preserve-view=true) for any resources that aren't yet in the catalog.
 1. [List the accessPackageResourceRoles](/graph/api/accesspackage-list-accesspackageresourcerolescopes?tabs=http&view=graph-rest-beta&preserve-view=true) of each accessPackageResource in an accessPackageCatalog. This list of roles will then be used to select a role, when later creating an accessPackageResourceRoleScope.
 1. [Create an accessPackage](/graph/tutorial-access-package-api).
-1. [Create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-accesspackageassignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for each policy needed in the access package.
 1. [Create an accessPackageResourceRoleScope](/graph/api/accesspackage-post-accesspackageresourcerolescopes?tabs=http&view=graph-rest-beta&preserve-view=true) for each resource role needed in the access package.
+1. [Create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-accesspackageassignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for each policy needed in the access package.
+
+
+### Creating an access package with Microsoft PowerShell
+
+You can also create an access package in PowerShell with the cmdlets from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or later.  This script illustrates using the Graph `beta` profile.
+
+First, you would retrieve the ID of the catalog, and of the resources and their roles in that catalog that you wish to include in the access package, using a script similar to the following.
+
+```powershell
+Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
+Select-MgProfile -Name "beta"
+$catalog = Get-MgEntitlementManagementAccessPackageCatalog -Filter "displayName eq 'Marketing'"
+
+$rsc = Get-MgEntitlementManagementAccessPackageCatalogAccessPackageResource -AccessPackageCatalogId $catalog.Id -Filter "resourceType eq 'Application'" -ExpandProperty "accessPackageResourceScopes"
+$filt = "(originSystem eq 'AadApplication' and accessPackageResource/id eq '" + $rsc[0].Id + "')"
+$rr = Get-MgEntitlementManagementAccessPackageCatalogAccessPackageResourceRole -AccessPackageCatalogId $catalog.Id -Filter $filt -ExpandProperty "accessPackageResource"
+```
+
+Then, create the access package.
+
+```powershell
+$params = @{
+	CatalogId = $catalog.id
+	DisplayName = "sales reps"
+	Description = "outside sales representatives"
+}
+
+$ap = New-MgEntitlementManagementAccessPackage -BodyParameter $params
+```
+Once the access package has been created, assign the resource roles to the access package.  For example, if you wished to include the second resource role of the first resource returned earlier as a resource role of the new access package, you would use a script similar to the following.
+
+```powershell
+$rparams = @{
+	AccessPackageResourceRole = @{
+	   OriginId = $rr[2].OriginId
+	   DisplayName = $rr[2].DisplayName
+	   OriginSystem = $rr[2].OriginSystem
+	   AccessPackageResource = @{
+	      Id = $rsc[0].Id
+	      ResourceType = $rsc[0].ResourceType
+	      OriginId = $rsc[0].OriginId
+	      OriginSystem = $rsc[0].OriginSystem
+	   }
+	}
+	AccessPackageResourceScope = @{
+	   OriginId = $rsc[0].OriginId
+	   OriginSystem = $rsc[0].OriginSystem
+	}
+}
+New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $ap.Id -BodyParameter $rparams
+```
+
+Finally, create the policies.  In this policy, only the administrator can assign access, and there are no access reviews.  See [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for more examples.
+
+```powershell
+
+$pparams = @{
+	AccessPackageId = $ap.Id
+	DisplayName = "direct"
+	Description = "direct assignments by administrator"
+	AccessReviewSettings = $null
+	RequestorSettings = @{
+		ScopeType = "NoSubjects"
+		AcceptRequests = $true
+		AllowedRequestors = @(
+		)
+	}
+	RequestApprovalSettings = @{
+		IsApprovalRequired = $false
+		IsApprovalRequiredForExtension = $false
+		IsRequestorJustificationRequired = $false
+		ApprovalMode = "NoApproval"
+		ApprovalStages = @(
+		)
+	}
+}
+New-MgEntitlementManagementAccessPackageAssignmentPolicy -BodyParameter $pparams
+
+```
 
 ## Next steps
 
 
@@ -211,7 +211,46 @@ To change the request and approval settings for an access package, you need to o
 
 ## Creating an access package assignment policy programmatically
 
-You can also create a policy using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application in a catalog role or with the `EntitlementManagement.ReadWrite.All` permission, can call the [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-1.0&preserve-view=true) API.
+There are two ways to create an access package assignment policy programmatically, through Microsoft Graph and through the PowerShell cmdlets for Microsoft Graph.
+
+### Creating an access package assignment policy through Graph
+
+You can create a policy using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application in a catalog role or with the `EntitlementManagement.ReadWrite.All` permission, can call the [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-1.0&preserve-view=true) API.
+
+### Creating an access package assignment policy through PowerShell
+
+You can also create an access package in PowerShell with the cmdlets from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or later.  
+
+This script below illustrates using the `beta` profile, to create a policy for direct assignment to an access package. In this policy, only the administrator can assign access, and there are no access reviews.  See [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for more examples.
+
+```powershell
+Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
+Select-MgProfile -Name "beta"
+
+$apid = "cdd5f06b-752a-4c9f-97a6-82f4eda6c76d"
+
+$pparams = @{
+	AccessPackageId = $apid
+	DisplayName = "direct"
+	Description = "direct assignments by administrator"
+	AccessReviewSettings = $null
+	RequestorSettings = @{
+		ScopeType = "NoSubjects"
+		AcceptRequests = $true
+		AllowedRequestors = @(
+		)
+	}
+	RequestApprovalSettings = @{
+		IsApprovalRequired = $false
+		IsApprovalRequiredForExtension = $false
+		IsRequestorJustificationRequired = $false
+		ApprovalMode = "NoApproval"
+		ApprovalStages = @(
+		)
+	}
+}
+New-MgEntitlementManagementAccessPackageAssignmentPolicy -BodyParameter $pparams
+```
 
 ## Prevent requests from users with incompatible access