Merge branch 'main' into release-preview-flow-logs

Author: v-alje

.openpublishing.redirection.active-directory.json

@@ -13479,6 +13479,84 @@
       "redirect_url": "/azure/active-directory/managed-identities-azure-resources/services-id-authentication-support",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-accesscontrol-requirements.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-business-needs.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-contentmgt-requirements.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/aplan-hybrid-identity-design-considerations-data-protection-strategy.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-dataprotection-requirements.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-hybrid-id-management-tasks.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-identity-adoption-strategy.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-lifecycle-adoption-strategy.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-data-protection-strategy.md",
+      "redirect_url": "/azure/active-directory/hybrid/connect/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-directory-sync-requirements.md",
+      "redirect_url": "/azure/active-directory/hybrid/connect/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-multifactor-auth-requirements.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-incident-response-requirements.md",
+      "redirect_url": "/azure/active-directory/hybrid/connect/index",
+      "redirect_document_id": false
+    },
+
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-nextsteps.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-overview.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-tools-comparison.md",
+      "redirect_url": "/azure/active-directory/hybrid/index",
+      "redirect_document_id": false
+    },
+
+
     {
       "source_path_from_root": "/articles/active-directory/fundamentals/add-users-azure-active-directory.md",
       "redirect_url": "/azure/active-directory/fundamentals/add-users",

articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md

@@ -15,7 +15,7 @@ ms.reviewer: chmutali
 
 # How Azure Active Directory provisioning integrates with SAP SuccessFactors 
 
-[Azure Active Directory user provisioning service](../app-provisioning/user-provisioning.md) integrates with [SAP SuccessFactors Employee Central](https://www.successfactors.com/products-services/core-hr-payroll/employee-central.html) to manage the identity life cycle of users. Azure Active Directory offers three prebuilt integrations: 
+[Azure Active Directory user provisioning service](../app-provisioning/user-provisioning.md) integrates with [SAP SuccessFactors Employee Central](https://www.sap.com/products/hcm/employee-central-payroll.html) to manage the identity life cycle of users. Azure Active Directory offers three prebuilt integrations: 
 
 * [SuccessFactors to on-premises Active Directory user provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)
 * [SuccessFactors to Azure Active Directory user provisioning](../saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md)
@@ -414,7 +414,7 @@ If you want to exclude processing of prehires in the Onboarding module, update y
 1. Save the mapping and validate that the scoping filter works using provisioning on demand. 
 
 ### Enabling OData API Audit logs in SuccessFactors
-The Azure AD SuccessFactors connector uses SuccessFactors OData API to retrieve changes and provision users. If you observe issues with the provisioning service and want to confirm what data was retrieved from SuccessFactors, you can enable OData API Audit logs in SuccessFactors. To enable audit logs, follow the steps documented in [SAP support note 2680837](https://userapps.support.sap.com/sap/support/knowledge/en/2680837). Retrieve the request payload sent by Azure AD from the audit logs. To troubleshoot, you can copy this request payload in a tool like [Postman](https://www.postman.com/downloads/), set it up to use the same API user that is used by the connector and see if it returns the desired changes from SuccessFactors. 
+The Azure AD SuccessFactors connector uses SuccessFactors OData API to retrieve changes and provision users. If you observe issues with the provisioning service and want to confirm what data was retrieved from SuccessFactors, you can enable OData API Audit logs in SuccessFactors. Retrieve the request payload sent by Azure AD from the audit logs. To troubleshoot, you can copy this request payload in a tool like [Postman](https://www.postman.com/downloads/), set it up to use the same API user that is used by the connector and see if it returns the desired changes from SuccessFactors. 
 
 ## Writeback scenarios
 This section covers different write-back scenarios. It recommends configuration approaches based on how email and phone number is set up in SuccessFactors.

articles/active-directory/authentication/TOC.yml

@@ -156,18 +156,18 @@
             href: certificate-based-authentication-federation-android.md
           - name: Use on iOS Devices
             href: certificate-based-authentication-federation-ios.md
-      - name: Use a Temporary Access Pass
-        href: howto-authentication-temporary-access-pass.md
-      - name: Use SMS-based authentication
-        items:  
-        - name: Manage
-          href: howto-authentication-sms-signin.md
-        - name: Supported apps for SMS-based authentication
-          href: how-to-authentication-sms-supported-apps.md
-        - name: Two-way SMS unsupported
-          href: how-to-authentication-two-way-sms-unsupported.md
-      - name: Use email address sign-in
-        href: howto-authentication-use-email-signin.md
+  - name: Use a Temporary Access Pass
+    href: howto-authentication-temporary-access-pass.md
+  - name: Use SMS-based authentication
+    items:  
+    - name: Manage
+      href: howto-authentication-sms-signin.md
+    - name: Supported apps for SMS-based authentication
+      href: how-to-authentication-sms-supported-apps.md
+    - name: Two-way SMS unsupported
+      href: how-to-authentication-two-way-sms-unsupported.md
+  - name: Use email address sign-in
+    href: howto-authentication-use-email-signin.md
   - name: Self-service password reset
     items:
     - name: Deployment guide

articles/active-directory/authentication/concept-authentication-passwordless.md

@@ -131,7 +131,6 @@ The following providers offer FIDO2 security keys of different form factors that
 | [IDmelon Technologies Inc.](https://www.idmelon.com/#idmelon) | ![y] | ![y]| ![y]| ![y]| ![n] |
 | [Kensington](https://www.kensington.com/solutions/product-category/why-biometrics/) | ![y] | ![y]| ![n]| ![n]| ![n] |
 | [KONA I](https://konai.com/business/security/fido) | ![y] | ![n]| ![y]| ![y]| ![n] |
-| [Movenda](https://www.movenda.com/en/authentication/fido2/overview) | ![y] | ![n]| ![y]| ![y]| ![n] |
 | [NeoWave](https://neowave.fr/en/products/fido-range/) | ![n] | ![y]| ![y]| ![n]| ![n] |
 | [Nymi](https://www.nymi.com/nymi-band) | ![y] | ![n]| ![y]| ![n]| ![n] |
 | [Octatco](https://octatco.com/) | ![y] | ![y]| ![n]| ![n]| ![n] |

articles/active-directory/authentication/tutorial-enable-sspr.md

@@ -29,6 +29,10 @@ In this tutorial you learn how to:
 > * Set up authentication methods and registration options
 > * Test the SSPR process as a user
 
+> [!IMPORTANT]
+> In March 2023, we announced the deprecation of managing authentication methods in the legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies. Beginning September 30, 2024, authentication methods can't be managed in these legacy MFA and SSPR policies. We recommend customers use the manual migration control to migrate to the Authentication methods policy by the deprecation date.
+
+
 ## Video tutorial
 
 You can also follow along in a related video: [How to enable and configure SSPR in Azure AD](https://www.youtube.com/embed/rA8TvhNcCvQ?azure-portal=true).

articles/active-directory/conditional-access/concept-token-protection.md

@@ -4,7 +4,7 @@ description: Learn how to use token protection in Conditional Access policies.
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 07/18/2023
+ms.date: 08/14/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 
 Token protection (sometimes referred to as token binding in the industry) attempts to reduce attacks using token theft by ensuring a token is usable only from the intended device. When an attacker is able to steal a token, by hijacking or replay, they can impersonate their victim until the token expires or is revoked. Token theft is thought to be a relatively rare event, but the damage from it can be significant. 
 
-Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). What this means is that a policy can ensure that only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs) are used by applications when requesting access to a resource.
+Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). What this means: A policy can ensure that only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs) are used by applications when requesting access to a resource.
 
 > [!IMPORTANT]
 > Token protection is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
@@ -35,28 +35,35 @@ With this preview, we're giving you the ability to create a Conditional Access p
 
 ## Requirements
 
-This preview supports the following configurations:
+This preview supports the following configurations for access to resources with Token Protection conditional access policies applied:
 
 * Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
 * OneDrive sync client version 22.217 or later
 * Teams native client version 1.6.00.1331 or later 
+* Power BI desktop version 2.117.841.0 (May 2023) or later
+* Visual Studio 2022 or later when using the 'Windows authentication broker' Sign-in option
 * Office Perpetual clients aren't supported
 
 ### Known limitations
 
 - External users (Azure AD B2B) aren't supported and shouldn't be included in your Conditional Access policy.
 - The following applications don't support signing in using protected token flows and users are blocked when accessing Exchange and SharePoint:
-   - Power BI Desktop client 
    - PowerShell modules accessing Exchange, SharePoint, or Microsoft Graph scopes that are served by Exchange or SharePoint
    - PowerQuery extension for Excel
    - Extensions to Visual Studio Code which access Exchange or SharePoint
-   - Visual Studio
-   - The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in an August release.
+   - The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in a future service update.
 - The following Windows client devices aren't supported:
    - Windows Server 
    - Surface Hub
    - Windows-based Microsoft Teams Rooms (MTR) systems
 
+## Licensing requirements
+
+[!INCLUDE [Active Directory P2 license](../../../includes/active-directory-p2-license.md)]
+
+> [!NOTE]
+> Token Protection enforcement is part of Microsoft Entra ID Protection and will be part of the P2 license at general availability. 
+
 ## Deployment
 
 For users, the deployment of a Conditional Access policy to enforce token protection should be invisible when using compatible client platforms on registered devices and compatible applications.    
@@ -135,7 +142,7 @@ You can also use [Log Analytics](../reports-monitoring/tutorial-log-analytics-wi
 Here's a sample Log Analytics query searching the non-interactive sign-in logs for the last seven days, highlighting **Blocked** versus **Allowed** requests by **Application**. These queries are only samples and are subject to change.
 
 > [!NOTE]
-> **Sign In logs output:** The value of the string used in "enforcedSessionControls" and "sessionControlsNotSatisfied" changed from "Binding" to "SignInTokenProtection" in late June 2023. Queries on Sign In Log data should be updated to reflect this change.
+> **Sign In logs output:** The value of the string used in "enforcedSessionControls" and "sessionControlsNotSatisfied" changed from "Binding" to "SignInTokenProtection" in late June 2023. Queries on Sign In Log data should be updated to reflect this change. The examples cover both values to include historical data.
 
 ```kusto
 //Per Apps query 
@@ -150,10 +157,10 @@ AADNonInteractiveUserSignInLogs
 //Add userPrinicpalName if you want to filter  
 // | where UserPrincipalName =="<user_principal_Name>" 
 | mv-expand todynamic(ConditionalAccessPolicies) 
-| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["SignInTokenProtection"]' 
+| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["Binding"]' or ConditionalAccessPolicies ["enforcedSessionControls"] contains '["SignInTokenProtection"]' 
 | where ConditionalAccessPolicies.result !="reportOnlyNotApplied" and ConditionalAccessPolicies.result !="notApplied" 
 | extend SessionNotSatisfyResult = ConditionalAccessPolicies["sessionControlsNotSatisfied"] 
-| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow') 
+| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection' or SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow')
 | summarize by Id,UserPrincipalName, AppDisplayName, Result 
 | summarize Requests = count(), Users = dcount(UserPrincipalName), Block = countif(Result == "Block"), Allow = countif(Result == "Allow"), BlockedUsers = dcountif(UserPrincipalName, Result == "Block") by AppDisplayName 
 | extend PctAllowed = round(100.0 * Allow/(Allow+Block), 2) 
@@ -179,10 +186,10 @@ AADNonInteractiveUserSignInLogs
 //Add userPrincipalName if you want to filter  
 // | where UserPrincipalName =="<user_principal_Name>" 
 | mv-expand todynamic(ConditionalAccessPolicies) 
-| where ConditionalAccessPolicies.enforcedSessionControls contains '["SignInTokenProtection"]' 
+| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["Binding"]' or ConditionalAccessPolicies ["enforcedSessionControls"] contains '["SignInTokenProtection"]'
 | where ConditionalAccessPolicies.result !="reportOnlyNotApplied" and ConditionalAccessPolicies.result !="notApplied" 
 | extend SessionNotSatisfyResult = ConditionalAccessPolicies.sessionControlsNotSatisfied 
-| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow') 
+| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection' or SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow')
 | summarize by Id, UserPrincipalName, AppDisplayName, ResourceDisplayName,Result  
 | summarize Requests = count(),Block = countif(Result == "Block"), Allow = countif(Result == "Allow") by UserPrincipalName, AppDisplayName,ResourceDisplayName 
 | extend PctAllowed = round(100.0 * Allow/(Allow+Block), 2) 

articles/active-directory/develop/app-sign-in-flow.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 02/17/2023
+ms.date: 08/11/2023
 ms.author: ryanwi
 ms.reviewer: jmprieur, saeeda, sureshja, ludwignick
 ms.custom: aaddev, identityplatformtop40, scenarios:getting-started

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -322,9 +322,9 @@ The AADLoginForWindows extension must be installed successfully for the VM to co
 
    | Command to run | Expected output |
    | --- | --- |
-   | `curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"` | Correct information about the Azure VM |
-   | `curl -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"` | Valid tenant ID associated with the Azure subscription |
-   | `curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01"` | Valid access token issued by Azure Active Directory for the managed identity that is assigned to this VM |
+   | `curl.exe -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"` | Correct information about the Azure VM |
+   | `curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"` | Valid tenant ID associated with the Azure subscription |
+   | `curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01"` | Valid access token issued by Azure Active Directory for the managed identity that is assigned to this VM |
 
    > [!NOTE]
    > You can decode the access token by using a tool like [calebb.net](http://calebb.net/). Verify that the `oid` value in the access token matches the managed identity that's assigned to the VM.